Tuesday, August 21, 2018

CrowdStrike donates Falcon MalQuery for rapid YARA hunts to the HA Community

We all know that YARA rules are the pattern matching swiss knife in many ways and have become the de-facto standard when it comes to detection and attributing new malware variants to previously known threats. One great example of this is WannaCry. Within days of that outbreak last year, Google’s Neel Mehta [1] was able to find code similarities between WannaCry code and previously attributed North Korean malware.

Over the past year, the HA community platform has not only been growing at an incredible rate, but also accumulated an amazing collective knowledge (on a side note: thank you, everyone!) due to Falcon Sandbox and many integrations extracting more IOCs than any other community service. Futhermore, to make it easier to help grow the collective community database, we published a new APIv2 with a modern tooling page that acknowledges privacy concerns and is state of the art.

With a growing set of data, having a technology to quickly and accurately search through this data turns a swiss knife to life. Let's imagine we could take any YARA rule or string/binary pattern and scan through petabytes of data within minutes vs. having to wait multiple hours on a batch job to complete? Let's imagine the search results could be downloaded, shared and used to easily determine efficacy and attribution? All within an open and transparent environment that benefits the whole community? Wait, what? This seems too good to be true.

Sometimes dreams come true. ;) Today, we are announcing a revoluationary new search capability to our Hybrid Analysis community platform, which has been implemented as part of a powerful new YARA hunt and binary pattern search capability. Including custom search filters (e.g. date ranges) and efficacy evaluation over petabytes of data. In order to facilitate this type of research by the security community, CrowdStrike has donated Falcon MalQuery, its rapid malware search engine technology, to the community.

Real World YARA Hunting

Let's take a look at how we can utilize the new feature. Let's take a look at the new front page of HA, which contains two new tabs "YARA Search" and "String Search" (for string/binary patterns):-

At this point, you can either navigate directly to the "Advanced Search" form (using the button), drag & drop a YARA rule (from a text file) or paste (CTRL-V) clipboard text containing a YARA rule.

Providing a valid YARA rule takes the user to the following search form/page:-

At this page, it is possible to "refine" the search through a variety of criterias, e.g. the file type(s) to require (in the search result set), as well as date and file size ranges.

After performing the hunt (in this case a RAT of the Lazarus Group), a list of matched HA Community Files is presented, including links to the respective reports and a collective IOC download (via CSV):-

Happy hunting!

Source: https://www.hybrid-analysis.com/string-search/results/3530edadd82a867e3a35f4b26d8f85b5e82eb67d4b759cc1f77d2f499571cf59

[1] https://twitter.com/neelmehta/status/864164081116225536?s=21