For most security researchers, Yara, a tool that allows them to create their own set of rules for malware tracking, is an invaluable resource that helps automate many processes. However, despite Yara’s reliability, it shouldn’t be the only tool used to monitor new versions of malware. This article will show why.
There are many resources for Yara rules, ranging from the Yara Rules Project repository to blogs and articles that release Yara rules as part of a malware’s Indicators of Compromise (IOCs). In addition, security researches can create their own set of rules to identify specific threats they are looking for. In some cases, they are able to match public rules.
When a Yara rule is triggered, an alert is created, which prompts the researcher to perform more actions. These actions include processes that are a standard part of launching Virtual Machines (VMs), as well as Debuggers and Disassemblers to get to the root of what the sample is attempting to do. This is a common practice for many in the security field.
In the process of monitoring for threats, a specific malware sample (Detected by Trend Micro as JOKE_CYBERAVI) triggered multiple rules. This file was first observed at 2017-05-11 14:33:49 UTC. When looking at the timestamp of the PE Header of the exe, the file was created at 12:57:16 UTC. This means that the file was observed roughly 90 minutes after it was created. All in all, we were able to find 26 detections of this file.
Figure 1: File Properties of JOKE_CYBERAVI
Initially, this file looked quite interesting, as there appeared to be anti-debugging methods built into the sample. This technique is used to prevent malware analysts from reverse-engineering malware.
Figure 2: Portion of the malware code
When looking at the PE resources, we noticed something strange about this file. There were three resources RT_MANIFEST, CYB and LOL. Yes, that’s right; LOL was within the PE resources.
Figure 3: PE Resources within the malware sample
The 101 section is the file that is dropped and executed. Looking at the pseudocode of the file itself, you can see that this is an .AVI file that is being played.
Figure 4: Portion of the malware code
While executing the file on a windows system, it was hard to tell what this file was since there appeared to be a likely codec problem or some other issues with the player the code was launching.
Figure 5: The .AVI file dropped by the sample
Because the launched player couldn’t play the AVI file, we just extracted the file and played it. To our surprise, it was the music video for Rick Astley’s “Never Gonna Give You Up”, which is often used to “troll” people who got tricked into watching a video. It’s a common internet prank called “RickRolling”.
Figure 6: “Rickrolling” security researchers
We were unsure if this was just a way of telling security researchers to stay away. We tried to find where the CYB within the PE resources was utilized. This was never called at any point, which led us to give the file a closer look. It quickly became apparent that the file contained most of the strings of the Yara rules from the repository mentioned earlier, along with some other popular ones. This appears to be created to catch a bunch of rules people are monitoring, which includes things such as Indetectables RAT and Havex.
Our theory is that this could be some kind of test created to test Yara rules within an organization—or it could be just someone playing a practical joke. Either way, we enjoyed the throwback to the time when Rickrolling was popular.
While it was a pretty interesting exercise—and we do appreciate occasional self-deprecating humor at the expense of the industry—this is a good reminder to not blindly trust these hits. It would be a good idea to refrain from processing and adding detections without more advanced checking such as the Predictive Machine Learning, which is included in security solutions such as Trend Micro XGen™ Security.
The following hash was used in this article:
• SHA256: 827b2f0f5664271ab98aa00dbca85d387ce6d96234608e301007ed5a46d88001
Appendix A shows the output from Yara running the rules provided within the Yara-Rules projet github repo. At least 260 hits on various rulesets were flagged.