29 December 2021

How To Scan Network Traffic With Brim For Malicious Activity.

By Rahul Garg

Malware analysis is a difficult and complex task. It requires tools that can process and interpret large volumes of data so that the analysis work becomes manageable. Fortunately, when it comes to analyzing network traffic for malicious activity, there are very good tools available, such as Wireshark or NetworkMiner, which are well known and extensively documented. However, this time we want to introduce Brim, a powerful free tool for network traffic analysis that was launched in mid-2018 and is still not widely known.

Brim: a tool to analyze network traffic

Brim is an open source tool designed for network security specialists that facilitates the search and analysis of data through the following sources:

  • Network traffic captures created by Wireshark or tcpdump
  • Structured records, such as those from the Zeek framework

This is particularly useful for those who need to process large volumes of network traffic, especially captures that are cumbersome to analyze with Wireshark, tshark, or other packet analyzers.

Among its most notable features are multiplatform support (the application runs on Windows, macOS and GNU/Linux) and its integration with other open source tools such as Zed, Zeek, Suricata and the Emerging Threats IDS/IPS ruleset.

Analyzing the network activity of the Vidar Trojan with Brim

For practical purposes, we analyzed a network trace captured while the Vidar malware was running on a compromised computer.

Note: It is important to remember that when analyzing a traffic capture in which there is evidence or suspicion of malware, we must use an isolated, dedicated system for this purpose (in this case a Linux virtual machine is recommended, since the malware in question affects Windows systems). Incorrect handling of the network capture and the files it contains can lead to the compromise of our own machine.

General characteristics of the malware to be analyzed

The Vidar Trojan is an improved version of the Arkei malware and is mainly focused on stealing information from compromised hosts: browser credentials, browsing history, session cookies, screenshots of the victim's activity, and data used by 2FA solutions and cryptocurrency wallets, among others. Once this information is collected, the malware sends it to the C2 server controlled by the attackers.

Its method of spread, or initial vector, is mostly malspam campaigns containing malicious attachments and URLs, or trojanized keygens that carry the malware.

Step 1: Opening the network traffic capture using Brim

Step 2: Using Brim’s default queries

Although the tool has a complete query language, one of Brim's most valued features is the set of queries configured by default in the GUI. These queries are an excellent starting point when you begin to investigate captured network traffic.

Among the many queries available, some of the most prominent are:

  • Suricata Alerts (IDS), by categories
  • Suricata Alerts (IDS), by origin and destination
  • Summary of activities
  • Unique DNS queries
  • HTTP queries
  • File Activities

Step 3: Discovering malicious activity with Brim

If we select the Suricata query category and open the query called “Suricata alerts by category”, we see that it is possible to quickly find indicators of malware activity and then dig into the logs for more details.

It was easy, right? 😉

Step 4: Discovering the information exfiltrated by the malware

Then, if we select the query “File activity”, we can see that there is a file called “b9a69c67-9046-4571-a9af-0f60a1fcee8d8375730518.zip”.

Taking into account the characteristics of this malware, we can infer that this is a compressed file containing the computer's information, exfiltrated by Vidar. To confirm it, we rely on another network traffic analysis tool such as NetworkMiner.
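The three default queries used in steps 2 to 4 (alerts by category, alerts by source and destination, file activity), reproduced as an added example over the kind of structured Suricata and Zeek records Brim consumes; this is not code from the post or from Brim, and the internal address ranges, signature names, hosts and hashes are constructed assumptions:

```python
import json
import ipaddress
from collections import Counter

# Constructed sample records shaped like Suricata eve.json alerts and Zeek
# files.log (JSON output). Signature names, hosts and hashes are made up
# for this example; none of them are values from the capture discussed above.
SURICATA_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"CONSTRUCTED MALWARE Stealer CnC Checkin","category":"Malware Command and Control Activity Detected","severity":1}}
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"CONSTRUCTED POLICY DLL download over HTTP","category":"Potential Corporate Privacy Violation","severity":2}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"CONSTRUCTED MALWARE Stealer CnC Checkin","category":"Malware Command and Control Activity Detected","severity":1}}
"""
ZEEK_FILES = """\
{"ts":1638352800.1,"fuid":"FconstA1","tx_hosts":["203.0.113.7"],"rx_hosts":["10.0.0.5"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"nss3.dll","sha1":"0000000000000000000000000000000000000001"}
{"ts":1638352801.2,"fuid":"FconstB2","tx_hosts":["10.0.0.5"],"rx_hosts":["203.0.113.7"],"source":"HTTP","mime_type":"application/zip","filename":"constructed-report.zip","sha1":"0000000000000000000000000000000000000002"}
"""
# Assumed internal address space of the monitored network (RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def load_ndjson(text):
    """Parse one JSON object per non-empty line, as eve.json and Zeek JSON logs are written."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def alerts_by_category(events):
    """Same grouping as Brim's 'Suricata alerts by category', most frequent first."""
    return Counter(e["alert"]["category"] for e in events if e.get("event_type") == "alert").most_common()

def alerts_by_src_dst(events):
    """Same grouping as 'Suricata alerts by source and destination', keyed by signature too."""
    return Counter((e["src_ip"], e["dest_ip"], e["alert"]["signature"])
                   for e in events if e.get("event_type") == "alert").most_common()

def file_activity(records, interesting=(".zip", ".dll", ".exe")):
    """Same view as 'File activity': in files.log tx_hosts is the sender, so a file
    sent from an internal host to an external one is a candidate for exfiltration."""
    out = []
    for r in records:
        name = r.get("filename") or ""
        if not name.lower().endswith(interesting):
            continue
        tx, rx = r["tx_hosts"][0], r["rx_hosts"][0]
        out.append({"filename": name, "mime_type": r.get("mime_type"), "sha1": r.get("sha1"),
                    "from": tx, "to": rx, "possible_exfil": is_internal(tx) and not is_internal(rx)})
    return out
```

Running `file_activity(load_ndjson(ZEEK_FILES))` flags the outbound `.zip` as a possible exfiltration while the inbound `.dll` download is listed without the flag, which is the same distinction the analysis above draws between the downloaded libraries and the archive sent to the C2.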

Indicators of Compromise of the Sample Executed in the Network Capture

Filename: a2ef57bbe3a8af95196a419a7962bfaa.exe
SHA1: 1a0c42723cd1e2e947f904619de7fcea5ca4a183
Detection: A Variant Of Win32/Kryptik.HMZJ

Downloaded binaries


DNS queries

  • r3.o.lencr.org
  • more.to

IP connections


HTTP / HTTPS requests
