We proudly announce that today we are open-sourcing a large part of our analysis framework and pipeline!
If you want to try it, check out the Karton project on GitHub.
What is karton?
Karton is a framework for building lightweight and flexible analysis backends. It connects malware analysis systems into a robust pipeline with very little effort.
We have been in the automation business for a long time. We deal with more and more threats, and we have to automate everything to keep up with incidents. Because of this, we often end up with many scripts stuck together with duct tape and WD-40. These scripts are written by analysts in the heat of the moment; they are fragile and ugly, but they work, and they produce intel that must be stored, processed further, sent to other systems or shared with other organisations.
We needed a way to take our PoC scripts and easily insert them into our analysis pipeline. We also wanted to monitor their execution, centralise logging, improve robustness and reduce development inertia. For exactly this purpose, we created Karton.
Projects to check out
This is not a single system but a collection of microservices: many small utilities that may not be groundbreaking on their own but compose nicely. They include:
karton – The main repository. It contains the karton.system service, the central service responsible for dispatching tasks within the system, and the karton.core module, which the other services use as a library.
karton-dashboard – A small Flask dashboard for task and queue management and monitoring.
karton-classifier – The “router”. It recognises samples/files and produces various task types depending on the file format. Thanks to this, other systems may only listen for tasks with a specific format (for example, only zip archives).
karton-archive-extractor – Generic archive unpacker. Archives uploaded into the system will be extracted, and every file will be processed individually.
karton-config-extractor – Malware configuration extractor. It uses Yara rules and Python modules to extract static configuration from malware samples and analyses. It's a fishing rod, not a fish: we don't share the modules themselves, but it's easy to write your own.
karton-mwdb-reporter – A very important part of the pipeline. Reporter submits all files, tags, comments and other intel produced during the analysis to MWDB. If you don’t use MWDB yet or just prefer other backends, it’s easy to write your own reporter.
karton-yaramatcher – Automatically runs Yara rules on all files in the pipeline, and tags samples appropriately. Rules not included ;).
karton-asciimagic – A Karton service that decodes files encoded with common methods like hex or base64 (you wouldn't believe how common that is).
karton-autoit-ripper – A small wrapper around AutoIt-Ripper that extracts embedded AutoIt scripts and resources from compiled AutoIt executables.
karton-drakvuf (coming soon) – Uploads incoming samples to drakvuf-sandbox for dynamic analysis.
karton-misp-pusher (coming soon) – A reporter, that submits observed events to MISP.
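To make the routing described above concrete, here is an added example (written for this page, not code from the Karton repository): a minimal in-process model of how karton.system dispatches tasks to services by matching task headers against each service's filters, with a classifier, an asciimagic-style decoder and a reporter wired together. The Task, Router, Classifier, AsciiMagic and Reporter classes are simplified stand-ins written for this illustration, and the input blob is constructed; real Karton services subclass karton.core.Karton and the real system runs on Redis and MinIO rather than in one process.

```python
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class Task:
    """Stand-in for karton.core.Task: routing headers plus a payload."""
    headers: dict
    payload: bytes = b""


def matches(filters, headers):
    # Karton filter semantics: a task matches a consumer if, for ANY of the
    # consumer's filter dicts, ALL of that dict's key/value pairs are present
    # in the task headers. A consumer listening for {"type": "sample",
    # "kind": "archive"} therefore never sees runnables.
    return any(all(headers.get(k) == v for k, v in f.items()) for f in filters)


class Router:
    """Stand-in for karton.system: holds the consumer table and dispatches."""

    def __init__(self):
        self.consumers = []
        self.log = []  # (consumer identity, task headers) per dispatch

    def register(self, consumer):
        self.consumers.append(consumer)

    def send(self, task):
        for c in self.consumers:
            if matches(c.filters, task.headers):
                self.log.append((c.identity, dict(task.headers)))
                c.process(task, self)


class Classifier:
    """Stand-in for karton-classifier: raw bytes in, typed sample out."""
    identity = "karton.classifier"
    filters = [{"type": "sample", "kind": "raw"}]

    def process(self, task, router):
        data = task.payload
        if data.startswith(b"MZ"):
            hdr = {"type": "sample", "kind": "runnable", "platform": "win32"}
        elif data.startswith(b"PK\x03\x04"):
            hdr = {"type": "sample", "kind": "archive", "mime": "application/zip"}
        elif data.isascii() and re.fullmatch(rb"[\x20-\x7e\s]*", data):
            hdr = {"type": "sample", "kind": "ascii"}
        else:
            hdr = {"type": "sample", "kind": "unknown"}
        router.send(Task(hdr, data))


class AsciiMagic:
    """Stand-in for karton-asciimagic: peel one hex or base64 layer and hand
    the result back as a raw sample so the classifier looks at it again."""
    identity = "karton.asciimagic"
    filters = [{"type": "sample", "kind": "ascii"}]

    def process(self, task, router):
        text = re.sub(rb"\s+", b"", task.payload)
        decoded = None
        if len(text) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", text):
            decoded = binascii.unhexlify(text)
        else:
            try:
                decoded = base64.b64decode(text, validate=True)
            except (binascii.Error, ValueError):
                decoded = None
        # Each successful decode strictly shrinks the data (hex halves it,
        # base64 cuts it to 3/4), so re-feeding the result cannot loop forever.
        if decoded and decoded != task.payload:
            router.send(Task({"type": "sample", "kind": "raw"}, decoded))


class Reporter:
    """Stand-in for a reporter: records the runnables it was routed."""
    identity = "karton.reporter"
    filters = [{"type": "sample", "kind": "runnable"}]

    def __init__(self):
        self.seen = []

    def process(self, task, router):
        self.seen.append(task.payload)


def run_pipeline(data):
    router = Router()
    reporter = Reporter()
    for c in (Classifier(), AsciiMagic(), reporter):
        router.register(c)
    router.send(Task({"type": "sample", "kind": "raw"}, data))
    return router.log, reporter.seen


# Constructed input: a fake "MZ" stub, base64-encoded, then hex-encoded,
# i.e. the kind of double-wrapped blob asciimagic exists to unwrap.
FAKE_PE = b"MZ" + b"\x90" * 14 + b"constructed stub, not a real executable"
SAMPLE = binascii.hexlify(base64.b64encode(FAKE_PE))

if __name__ == "__main__":
    log, seen = run_pipeline(SAMPLE)
    for identity, headers in log:
        print(identity, headers)
    print("reporter got:", seen)
```

Running it shows the feedback loop the list above implies: the classifier sees the blob as plain ASCII, asciimagic strips the hex layer and hands the result back as a raw sample, the classifier sees ASCII again, asciimagic strips the base64 layer, and only the third classification reaches the reporter as a runnable.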
MWDB Core is a malware repository for automated malware collection and analysis systems, developed by CERT Polska. You can set it up as a part of a malware analysis lab or use it for collaborative malware analysis in your organization.
Emotet is one of the most widespread and havoc-wreaking malware families currently out there. Due to its modular structure, it’s able to easily evolve over time and gain new features without having to modify the core.
Its first version dates back to 2014. Back then it was primarily a banking trojan. These days Emotet is known mostly for its spamming capabilities and as a delivery mechanism of other malware strains.
Yo dawg, I heard you like droppers so I put a dropper in your dropper
On 2019-11-18 we received a report that some Polish users had begun receiving malspam imitating DHL:
In this short article, we’ll take a look at the xls document that has been used as a (1st stage) dropper distributing another well-known (2nd stage) dropper – brushaloader.
Call for Speakers for SECURE 2019 is now open. If you have an interesting topic and would like to share your ideas with a crowd of Polish and international IT security specialists, please consider submitting your proposal. You will find all applicable information below.
SECURE 2019 will be held on October 22-23, 2019 in Warsaw, Poland. This annual conference is dedicated entirely to IT security and addressed to administrators, security team members and practitioners in this field. SECURE’s unique feature is the organisers’ commitment to providing participants with reliable information about everything that is current and meaningful in IT security. A high professional level of the talks is ensured by CERT Polska during the paper selection process. Particular emphasis is on practical solutions, analysis of the current threats, latest trends in countering threats as well as important legal issues. Participants have an opportunity to gain the latest knowledge, improve their qualifications and exchange experience with experts.
Impersonating online payment service providers was the most popular attack scenario used against e-banking users over the last year. The evolution of malware (increasingly affecting mobile devices and the Internet of Things) remains a challenge for IT security professionals. Another observed trend is the use of previously unknown 0-day vulnerabilities by APT groups. The VPNFilter case shows that advanced attacks can also affect ordinary users. The question arises: how do we take care of privacy and security in the face of the above? We will try to answer these and many more questions during SECURE 2019.
If you want to share your experience in these topics, or if you are an expert in one of the areas below, this Call for Speakers is for you.
The conference topics will be roughly grouped into the following tracks:
technical – practical aspects of implementation and integration of security solutions
organisational – new trends in attacks, threats and their mitigation
legal
Presentation topics
We are looking for speakers willing to deliver a talk covering one or more of the following subjects:
malware evolution and analysis, including viruses, worms and botnets
network monitoring and intrusion detection
innovative honeypot and sandbox applications
APTs
security of SCADA/ICS
security of smartphones and other mobile systems
security events visualisation
early warning against network threats
incident handling
standards for security incident data exchange
DDoS attacks and their mitigation
efficiency of methods for mitigation of new attack vectors
open source security tools
protection of online identity
IoT security
hardware security
privacy, confidentiality and anonymity
supply-chain security
securing the human
Polish and European law in regards to computer and information security
law enforcement actions in regards to cybercrime mitigation
research projects in the area of computer and information security
proposals should include at least a title, short abstract, name and bio of the speaker
any questions regarding the submission and selection process should be directed to [email protected]
time for presentation: 45 minutes, including Q&A
commercial presentations will not be accepted
all materials should be submitted in one of the following formats: OpenOffice, Microsoft Office, PDF
slides of presentations will be made available to all participants in an electronic version as well as video recordings where possible, unless strictly prohibited by the speaker
authors of accepted proposals will receive the full conference package (workshops not included), but are responsible for their own travel and accommodation
Important dates
proposals submission until: July 22, 2019
acceptance notice by: August 12, 2019
presentation submission by: October 14, 2019
Lightning talks
We encourage participants of SECURE to share their thoughts. One of the conference blocks will consist of lightning talks, allowing everyone to speak briefly about their projects, work, ideas or problems. Anything goes, as long as it touches IT security.
Important facts about lightning talks
maximum time for a talk is 5 minutes and total time for all talks will be limited
application for a lightning talk can be submitted at any time after you have registered for the conference or during the conference
the organisers reserve the right to accept or refuse any lightning talk application
Publication of our annual report is coming soon. Editing is moving forward at full speed, but in the meantime we'd like to share some statistics concerning 2018. These statistics give a big-picture view of the IT security landscape in Poland, along with conclusions about the major trends in this area. For many years CERT Polska has used the eCSIRT.net incident classification (currently its sixth version, mkVI)[1], which defines the different incident categories reasonably well.
In 2018 CERT Polska operators received 19439 incident reports. We carefully analysed and categorised all of them. Of these, 5675 reports led to an incident being registered; our team created 3739 security incidents, which is on average over 10 incidents a day. The remaining reports (over 13000 of them) were not assigned to any incident because they were irrelevant or were automatic alerts sent by several alerting systems; in the latter case we used them to feed our n6 platform[2] and other analytic tools.
Often, one incident can be connected with many incident reports, e.g. three different entities report the same phishing site.
In the table below we present incidents handled by our team, divided into categories according to eCSIRT.net classification.
Category                                    Incidents        %
Abusive Content                                   431    11.53
    Spam                                          419    11.21
    Harmful Speech                                  5     0.13
    Child/Sexual/Violence/…                         0     0.00
    Unclassified                                    7     0.19
Malicious Code                                    862    23.05
    Virus                                           4     0.11
    Worm                                            0     0.00
    Trojan                                        117     3.13
    Spyware                                         0     0.00
    Dialer                                          1     0.03
    Rootkit                                         1     0.03
    Unclassified                                  739    19.76
Information Gathering                             101     2.70
    Scanning                                       80     2.14
    Sniffing                                        1     0.03
    Social Engineering                              7     0.19
    Unclassified                                   13     0.35
Intrusion Attempts                                153     4.09
    Exploiting of known Vulnerabilities            30     0.80
    Login attempts                                 37     0.99
    New attack signature                            0     0.00
    Unclassified                                   86     2.30
Intrusions                                        125     3.34
    Privileged Account Compromise                  11     0.29
    Unprivileged Account Compromise                21     0.56
    Application Compromise                         35     0.94
    Bot                                             4     0.11
    Unclassified                                   54     1.44
Availability                                       49     1.31
    DoS                                             7     0.19
    DDoS                                           35     0.94
    Sabotage                                        0     0.00
    Outage (no malice)                              1     0.03
    Unclassified                                    6     0.16
Information Content Security                       46     1.23
    Unauthorised access to information             21     0.56
    Unauthorised modification of information       13     0.35
    Unclassified                                   12     0.32
Fraud                                            1878    50.23
    Unauthorized use of resources                   1     0.03
    Copyright                                       8     0.21
    Masquerade                                     43     1.15
    Phishing                                     1655    44.26
    Unclassified                                  171     4.57
Vulnerable                                         69     1.85
    Open for abuse                                 14     0.37
    Unclassified                                   55     1.47
Other                                              25     0.67
Total                                            3739   100.00
Table 1. Incidents handled by CERT Polska, divided into eCSIRT.net categories (top-level categories are the sums of their indented subcategories)
In 2018 CERT Polska created 17.5% more incidents than in 2017. Most of them were categorised as phishing, malware or spam. Compared to 2017 there was a slight change on the podium of this infamous ranking: that year the first three places went to phishing, malware and intrusions. The proportion of phishing incidents stayed at a level similar to 2017 and reached 44%, firmly dominating the remaining categories. The most popular scenarios involved phishing sites on foreign servers targeting Polish financial institutions (mostly banks). Other popular scenarios involved phishing for services like Netflix or PayPal, served from compromised Polish servers. The motive behind those attacks was theft of premium users' credentials or simply stealing money from online bank accounts. Many scenarios also involved goods offered on classified-ad websites at attractive prices; the main objective of these operations was to persuade users to enter sensitive data on fake websites impersonating online payment platforms like Dotpay or PayU.
Website impersonating online payment platform
In 2018 we also observed the fake online shop business, which some actors have visibly developed: last year the number of incidents related to fake online shops tripled compared to 2017. At this point we'd like to thank all users aware of this kind of threat, who report such activities more often and more eagerly every year. Attackers tried to reach as many victims as possible, e.g. by advertising their shops in social media and in popular search engines, where they optimised the shops' position in the search results.
An example of a fake shop “offering” electronics at the attractive prices
The second most popular category of incidents was malware. It is a broad category with many subcategories, but we usually marked malware-related incidents as "unclassified". Firstly, in many scenarios more than one malware family was used, combining a variety of methods and attack techniques. Secondly, we registered a significant number of incidents concerning ransomware, which unfortunately does not have its own category in the eCSIRT.net classification. In that respect the classification isn't perfect yet, but we hope it will be updated in the next revision.
A vast number of malware incident reports related to attacks on Polish users. The popular scenarios, emails with a fake invoice, delivery details or a demand for payment (or an additional payment), continued to spread in different versions. These emails usually contained a malicious attachment (a script or a document with macros) or a link to a website distributing malware, e.g. a desktop banking trojan or a mobile banker app, chosen according to the User-Agent HTTP header.
Email with malicious attachment pretending to be an invoice
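The User-Agent-dependent delivery mentioned above is easy to miss if a URL from such an email is fetched only once. Below is an added example (written for this page, not a CERT Polska tool) of a small probe that requests the same URL with a desktop and an Android User-Agent and flags the site when the two responses differ in payload kind (a web page for one, an executable or an APK-style ZIP for the other). The User-Agent strings, the fake_fetch stand-in for a malicious distribution site and the URL are all constructed for the illustration; http_fetch is the real network path, kept behind an injectable fetch parameter so the logic can be exercised offline.

```python
import hashlib
import urllib.request

# Constructed User-Agent strings (assumed values; any desktop/mobile pair works).
USER_AGENTS = {
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/70.0 Safari/537.36",
    "android": "Mozilla/5.0 (Linux; Android 8.0; SM-G960F) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/70.0 Mobile Safari/537.36",
}


def http_fetch(url, user_agent, timeout=15):
    """Real fetch: one GET with the given User-Agent -> (status, content-type, body).
    Run this only from an isolated analysis host; it touches the suspect site."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def classify_body(body):
    """Coarse payload type from leading bytes, enough to tell 'page' from 'dropper'."""
    if body.startswith(b"MZ"):
        return "pe"      # Windows executable (the desktop banker)
    if body.startswith(b"PK\x03\x04"):
        return "zip"     # ZIP container; APKs are ZIPs (the mobile banker app)
    if body.lstrip()[:1] == b"<":
        return "html"
    return "other"


def probe(url, fetch=http_fetch, user_agents=USER_AGENTS):
    """Fetch url once per User-Agent and summarise each response."""
    out = {}
    for name, ua in user_agents.items():
        status, ctype, body = fetch(url, ua)
        out[name] = {
            "status": status,
            "content_type": ctype,
            "kind": classify_body(body),
            "sha256": hashlib.sha256(body).hexdigest(),
            "size": len(body),
        }
    return out


def cloaking_verdict(results):
    """Flag UA cloaking: same URL, different payload kinds (html vs. pe/zip).
    Comparing hashes alone would fire on every ordinary responsive site, so
    the verdict keys on the kind, not on the digest."""
    kinds = {name: r["kind"] for name, r in results.items()}
    return len(set(kinds.values())) > 1, kinds


# Constructed stand-in for a malicious distribution page: it hands a PE to
# Windows browsers, an APK-like ZIP to Android, and a plain page to anything else.
def fake_fetch(url, user_agent):
    if "Windows" in user_agent:
        return 200, "application/octet-stream", b"MZ" + b"\x00" * 62 + b"constructed"
    if "Android" in user_agent:
        return 200, "application/vnd.android.package-archive", b"PK\x03\x04" + b"\x00" * 26
    return 200, "text/html", b"<html><body>Invoice</body></html>"


# Constructed stand-in for an honest site that serves the same page to everyone.
def fake_fetch_honest(url, user_agent):
    return 200, "text/html", b"<html><body>Invoice</body></html>"


if __name__ == "__main__":
    results = probe("http://example.invalid/faktura", fetch=fake_fetch)
    cloaked, kinds = cloaking_verdict(results)
    print("cloaked:", cloaked, kinds)
    for name, r in results.items():
        print(name, r["kind"], r["size"], r["sha256"][:16])
```

When using the real http_fetch, keep both responses: the per-UA SHA-256 values are what you submit to the sample repository, and the pair of them documents that one URL yielded two different droppers.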
This year, for the first time, we publish a classification of incidents by sector of the Polish economy. You can find detailed information in the table below. At a glance, a significant number of incidents is marked as Other (3 out of 4 incidents fall into this category). These were mostly incidents concerning individuals or private entities. The next places belong to the banking sector and public administration; the total for the latter was small compared to the Other category. We are aware that the presented classification is far from ideal. However, we created it before CERT Polska was designated one of the three national-level CSIRTs under the National Cybersecurity System Act. Now that the law is in force, we will be able to refine the categories so that they better reflect the security of the different economic sectors.
Sector                            Incidents        %
IT infrastructure                        29     0.78
Public health care                       13     0.35
Banking                                 643    17.20
Other financial institutions             62     1.66
Energy industry                          20     0.53
Transport                                51     1.36
Public administration                    85     2.27
Water supply                              2     0.05
Other                                  2834    75.80
Total                                  3739   100.00
Table 2. Incidents handled by CERT Polska, divided into sectors of the Polish economy
You will find more conclusions in our annual report (coming soon). You are warmly welcome to follow CERT Polska's blog and our social media profiles to stay up to date with the latest news about the publication of our report.
Over the last year we have collaborated with Hatching.io on improving the open-source Cuckoo Sandbox. The main work focused on porting the advanced memory-analysis mechanisms developed internally by our team in previous years. The public release of onemon marks the last stage of this collaboration. We are proud that the results of this work are now available to the security community.
TrickBot (TrickLoader) is a modular financial malware family that first surfaced in October 2016[1]. Almost immediately, researchers noticed similarities with a credential stealer called Dyre, and it is still believed that the two families may have been developed by the same actor.
In this article we will not focus on the core itself but on the loader, whose job is to decrypt the payload and execute it.