Detection and characterization of an unknown malware thanks to GLIMPS Malware

Published by GLIMPS on


As in the Threat-Intel use case, we took our mirai source code again, this time with some modifications:

  1. To make it harder to detect, we removed the most obvious strings.
  2. We did not use the gcc-based compilation script provided on GitHub. Instead, we rewrote our own script using clang.

The whole operation did not take more than 30 minutes.

We submitted the resulting binary to VirusTotal. No antivirus software detected this new sample of mirai.

We then submitted it to GLIMPS-Malware. The file was immediately detected as malware, with a high probability of belonging to the mirai family.

At the time this test was conducted, we had never put clang-compiled binaries in our learning base (this is an ongoing effort). Nevertheless, our conceptualization technology was able to extract the meaning accurately. We can see from the results that the closest sample identified is for an ARM architecture, while we had submitted an amd64 binary. Our technology is abstracted from the target architecture.

What we did with mirai is exactly what large attacker groups do before launching a new campaign or targeted attack: they adjust the malware production chain so that, by reusing as much of their existing source code as possible (to minimize the cost of the attack), they generate compiled code that is new enough to bypass current antivirus and detection chains.

Thanks to GLIMPS-Malware, you will be able to detect and stop these new attacks. You protect not only your traditional Information System, but also your Industrial System, your Production Systems and the Embedded Systems that you design.

Categories: Use-case