How To Scan Network Traffic With Brim For Malicious Activity.
Malware analysis is a difficult and complex task. It requires tools that can process and interpret large volumes of data and so simplify the analyst's work. Fortunately, when it comes to examining network traffic for malicious activity, there are very good tools available, such as Wireshark or NetworkMiner, which are well known and extensively documented. This time, however, we want to introduce Brim, a powerful free tool for network traffic analysis that was launched in mid-2018 and is still not widely known.
Brim: a tool to analyze network traffic
Brim is an open source tool designed for network security specialists that makes it easy to search and analyze data from the following sources:
- Packet captures created with Wireshark or tcpdump
- Structured logs, such as those produced by the Zeek framework
This is particularly useful for anyone who needs to process large volumes of network traffic, especially captures that are cumbersome to analyze with Wireshark, tshark, or other packet analyzers.
Among its most notable features, the tool is cross-platform (the application runs on Windows, macOS and GNU/Linux), and it is built on and integrated with other open source tools such as Zed, Zeek, Suricata and the Emerging Threats IDS/IPS rule set.
Analyzing the network activity of the Vidar Trojan with Brim
For practical purposes, we analyzed a network trace captured while the Vidar malware was running on a compromised computer.
Note: When analyzing a traffic capture in which there is evidence or suspicion of malware, we must use an isolated, dedicated system for the task (in this case a Linux virtual machine is recommended, since the malware in question targets Windows systems). Careless handling of the network capture and of the files it contains can lead to the compromise of our own equipment.
General characteristics of the malware to be analyzed
The Vidar Trojan is an improved version of the Arkei malware and is mainly focused on stealing information from compromised hosts: browser credentials, browsing history and session cookies, screenshots of the victim's activity, and data used by 2FA solutions and cryptocurrency wallets, among others. Once this information is collected, the malware sends it to the C2 server controlled by the attackers.
Its initial infection vector is mostly malspam campaigns carrying malicious attachments and URLs, or trojanized keygens that bundle the malware.
Step 1: Opening the network traffic capture using Brim
Step 2: Using Brim’s default queries
Although the tool has a complete query language, one of Brim's most valued features is the set of queries that come preconfigured in the GUI. These queries are an excellent starting point when you begin to investigate a network capture.
Among the many queries available, some of the most prominent are:
- Suricata Alerts (IDS), by categories
- Suricata Alerts (IDS), by origin and destination
- Summary of activities
- Unique DNS queries
- HTTP queries
- File Activities
Step 3: Discovering malicious activity with Brim
If we open the Suricata group of default queries and run “Suricata Alerts by Category”, we can quickly find indicators of malware activity and then drill into the underlying logs for more details.
It was easy, right? 😉
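The default queries used in Steps 2 and 3 are simple aggregations over the Suricata alerts and Zeek logs that Brim imports. The following added example (not Brim's own code) re-implements three of them in Python over constructed NDJSON records in the shape of Suricata's eve.json alerts and Zeek's JSON dns log, so the logic behind “Suricata Alerts by Category”, “Suricata Alerts by Source and Destination” and “Unique DNS Queries” can be seen and tested outside the GUI. All hosts, signatures and queries in the sample are illustrative and not taken from the Vidar capture.

```python
"""Three of Brim's default queries re-implemented over Zeek/Suricata NDJSON.

Added example, not Brim's own code. The records below are constructed to
mimic the shape of Suricata eve.json alerts and Zeek JSON logs and are not
taken from the Vidar capture discussed in the article.
"""
import json
from collections import Counter

# Constructed sample records: three Suricata alerts (event_type == "alert")
# and three Zeek dns log entries (_path == "dns"). Hosts and signature names
# are illustrative only; the categories are standard Suricata classtypes.
SAMPLE_NDJSON = """\
{"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 49210, "dest_ip": "198.51.100.7", "dest_port": 80, "alert": {"signature": "CONSTRUCTED MALWARE Stealer check-in", "category": "A Network Trojan was detected", "severity": 1}}
{"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 49211, "dest_ip": "198.51.100.7", "dest_port": 80, "alert": {"signature": "CONSTRUCTED POLICY PE EXE or DLL download over HTTP", "category": "Potential Corporate Privacy Violation", "severity": 2}}
{"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 49212, "dest_ip": "198.51.100.7", "dest_port": 80, "alert": {"signature": "CONSTRUCTED POLICY PE EXE or DLL download over HTTP", "category": "Potential Corporate Privacy Violation", "severity": 2}}
{"_path": "dns", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.2", "query": "more.to", "qtype_name": "A"}
{"_path": "dns", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.2", "query": "r3.o.lencr.org", "qtype_name": "A"}
{"_path": "dns", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.2", "query": "more.to", "qtype_name": "A"}
"""


def load_records(ndjson_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def _alerts(records):
    return [r for r in records if r.get("event_type") == "alert"]


def alerts_by_category(records):
    """Equivalent of 'Suricata Alerts by Category': count alerts per
    classification, most frequent first."""
    return Counter(a["alert"]["category"] for a in _alerts(records)).most_common()


def alerts_by_src_dst(records):
    """Equivalent of 'Suricata Alerts by Source and Destination': count
    (src, dst, signature) triples so repeated hits collapse into one row."""
    return Counter(
        (a["src_ip"], a["dest_ip"], a["alert"]["signature"]) for a in _alerts(records)
    ).most_common()


def high_severity_signatures(records):
    """Signatures with Suricata severity 1 (the highest), deduplicated in
    order of first appearance; a useful triage starting point."""
    seen = []
    for a in _alerts(records):
        sig = a["alert"]["signature"]
        if a["alert"].get("severity") == 1 and sig not in seen:
            seen.append(sig)
    return seen


def unique_dns_queries(records):
    """Equivalent of 'Unique DNS Queries': each queried name with how often
    it was looked up, most frequent first."""
    return Counter(r["query"] for r in records if r.get("_path") == "dns").most_common()


RECORDS = load_records(SAMPLE_NDJSON)

if __name__ == "__main__":
    for name, rows in [
        ("Suricata alerts by category", alerts_by_category(RECORDS)),
        ("Suricata alerts by source/destination", alerts_by_src_dst(RECORDS)),
        ("High-severity signatures", high_severity_signatures(RECORDS)),
        ("Unique DNS queries", unique_dns_queries(RECORDS)),
    ]:
        print(f"== {name} ==")
        for row in rows:
            print("  ", row)
```

Running the script prints the four summaries; in a real investigation the same functions can be pointed at the eve.json and dns.log files that Zeek and Suricata write for a pcap, and the category counts give the same quick overview that the GUI query provides.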
Step 4: Discovering the information exfiltrated by the malware
Next, if we select the “File Activity” query, we can see that there is a file called “b9a69c67-9046-4571-a9af-0f60a1fcee8d8375730518.zip”.
Given the characteristics of this malware, this is a compressed archive containing the computer's information, exfiltrated by Vidar. To confirm it, we turn to another network traffic analysis tool, NetworkMiner.
Indicators of Compromise of the Sample Executed in the Network Capture
| Filename | SHA-1 | Detection |
| --- | --- | --- |
| a2ef57bbe3a8af95196a419a7962bfaa.exe | 1a0c42723cd1e2e947f904619de7fcea5ca4a183 | A Variant Of Win32/Kryptik.HMZJ |
Downloaded binaries
| SHA-256 | File path |
| --- | --- |
| a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\freebl3[1].dll |
| 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\mozglue[1].dll |
| 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\msvcp140[1].dll |
| e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\nss3[1].dll |
| 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\softokn3[1].dll |
| c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\vcruntime140[1].dll |
DNS queries
- r3.o.lencr.org
- more.to
IP connections
- 45.105.185
- 248.139.254
- 32.238.178
- 99.75.82
- 108.80.190
HTTP/HTTPS requests
- http://65.108.80[.]190/517
- http://65.108.80[.]190/freebl3[.]dll
- http://65.108.80[.]190/mozglue[.]dll
- http://65.108.80[.]190/msvcp140[.]dll
- http://65.108.80[.]190/softokn3[.]dll
- http://65.108.80[.]190/nss3[.]dll
- http://r3.o.lencr[.]org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5hF7dYVsuuUAlA5h%2Bvh7YsUdows 3DCE%2Bvh7YsW7WG%2Bvh7YsW7
- http://65.108.80[.]190/vcruntime140[.]dll
- http://65.108.80[.]190/
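Step 4 found the exfiltrated archive through Brim's file activity view, and the list above gives the hashes, domains and URLs to look for in other captures. The following added example (not code from the article or from Brim) shows how a defender would sweep Zeek's files, http, dns and conn logs for those indicators: the hash and URL values are the ones published on this page (the defanged URLs are refanged before matching), while the Zeek records are constructed so that both a hit and a miss are visible. r3.o.lencr.org is Let's Encrypt's OCSP responder, so it is listed as a DNS query above but deliberately excluded from the match list to avoid false positives.

```python
"""Sweep Zeek log records for the IoCs published above.

Added example, not code from the article or from Brim. Hash, domain and URL
values come from this page; the Zeek files/http/dns/conn records are
constructed to show one hit of each kind and one benign miss.
"""
import json
from urllib.parse import urlparse

# SHA-256 hashes of the DLLs the sample downloaded (from the table above).
IOC_SHA256 = {
    "a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba",  # freebl3[1].dll
    "3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd",  # mozglue[1].dll
    "334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4",  # msvcp140[1].dll
    "e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78",  # nss3[1].dll
    "43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083",  # softokn3[1].dll
    "c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d",  # vcruntime140[1].dll
}

# Defanged URLs from the list above. The r3.o.lencr.org OCSP request is left
# out on purpose: it is Let's Encrypt certificate-status traffic, not an IoC.
IOC_URLS_DEFANGED = [
    "http://65.108.80[.]190/517",
    "http://65.108.80[.]190/freebl3[.]dll",
    "http://65.108.80[.]190/mozglue[.]dll",
    "http://65.108.80[.]190/msvcp140[.]dll",
    "http://65.108.80[.]190/softokn3[.]dll",
    "http://65.108.80[.]190/nss3[.]dll",
    "http://65.108.80[.]190/vcruntime140[.]dll",
    "http://65.108.80[.]190/",
]
IOC_DOMAINS = {"more.to"}


def refang(indicator):
    """Turn a defanged indicator back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
IOC_HOSTS = IOC_DOMAINS | {urlparse(u).hostname for u in IOC_URLS}

# Constructed Zeek JSON records: one conn, one http, two files (one hit, one
# benign) and two dns entries. The hit hash is upper-cased on purpose to show
# that matching must be case-insensitive.
SAMPLE_ZEEK = """\
{"_path": "conn", "id.orig_h": "10.0.0.5", "id.resp_h": "65.108.80.190", "id.resp_p": 80, "proto": "tcp"}
{"_path": "http", "id.orig_h": "10.0.0.5", "id.resp_h": "65.108.80.190", "host": "65.108.80.190", "uri": "/freebl3.dll", "resp_mime_types": ["application/x-dosexec"]}
{"_path": "files", "tx_hosts": ["65.108.80.190"], "rx_hosts": ["10.0.0.5"], "filename": "freebl3.dll", "mime_type": "application/x-dosexec", "sha256": "A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA"}
{"_path": "files", "tx_hosts": ["10.0.0.2"], "rx_hosts": ["10.0.0.5"], "filename": "index.html", "mime_type": "text/html", "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
{"_path": "dns", "id.orig_h": "10.0.0.5", "query": "more.to", "qtype_name": "A"}
{"_path": "dns", "id.orig_h": "10.0.0.5", "query": "r3.o.lencr.org", "qtype_name": "A"}
"""


def load_records(ndjson_text):
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def match_iocs(records):
    """Return one (indicator_type, indicator, context) tuple per matching record."""
    hits = []
    for r in records:
        path = r.get("_path")
        if path == "files":
            sha256 = (r.get("sha256") or "").lower()
            if sha256 in IOC_SHA256:
                hits.append(("sha256", sha256, r.get("filename")))
        elif path == "http":
            url = f"http://{r.get('host', '')}{r.get('uri', '')}"
            if url in IOC_URLS:
                hits.append(("url", url, r.get("id.orig_h")))
            elif r.get("host") in IOC_HOSTS:
                hits.append(("http_host", r["host"], url))
        elif path == "dns":
            if r.get("query") in IOC_HOSTS:
                hits.append(("dns_query", r["query"], r.get("id.orig_h")))
        elif path == "conn":
            if r.get("id.resp_h") in IOC_HOSTS:
                hits.append(("conn_dst", r["id.resp_h"], r.get("id.orig_h")))
    return hits


RECORDS = load_records(SAMPLE_ZEEK)

if __name__ == "__main__":
    for kind, value, context in match_iocs(RECORDS):
        print(f"{kind:10} {value}  ({context})")
```

On the constructed input the sweep reports four hits (the connection to the download host, the DLL download URL, the DLL's SHA-256 from files.log, and the more.to lookup) and stays silent on the benign HTML file and the OCSP lookup. Because Zeek's files.log carries the sha256 field only when the hash-all-files policy is loaded, a sweep that never produces hash hits should first check that the field is present.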