Email protection with GLIMPS Malware

Published by GLIMPS on

Email protection with GLIMPS Malware

In the last few weeks, following the covid-19 crisis and the generalization of teleworking, there has been a very strong resurgence of phishing attacks.

Concerning Coronavirus, there is little we can do except stay quietly at home behind our PC screens. Computer attacks on the other hand, it’s our job :-).

GLIMPS had until then left phishing aside: these attacks are mostly not very complex, and there are already many solutions to protect against them.

But we are forced to note in the news that phishing is currently doing a lot of damage, and that their detection can / should be improved.

GLIMPS-Malware adaptation to phishing

We took advantage of the Easter weekend to build a platform that adapts GLIMPS-Malware for the detection of phishing attacks.

The idea is to adapt and integrate GLIMPS-Malware in an environment like this one:

CSE-Assemblyline is a malware detection and analysis platform developed by the Canadian Cybersecurity Centre and released in late 2017. The strengths of CSE-Assemblyline are :

  • A high-performance orchestrator that allows to adjust the load and distribute it on several servers in a transparent way,
  • Many plugins present by default: antivirus, yaras modules, extractors…
  • The ability to add your own plugins easily, while integrating them with existing plugins, which we will discuss here.

It’s a really powerful tool, that’s why at GLIMPS, we use it a lot! The platform is integrated in GLIMPS-Malware, but another instance has also allowed us to analyze and categorize millions of malwares to build our datasets. We have also derived a version of it to mass-build our library concept code bases for the GLIMPS-Audit product.

Version 4 (currently in Beta) also brings many indispensable changes. In particular, each plugin now runs in a docker, and the old Riak database that was causing us some problems has been replaced by Elasticsearch, much easier to use.

So once again we decided to use AssemblyLine as the basis of an anti-phishing platform.

The concept: a connector in the mail server submits each received mail to AssemblyLine. The mail is analyzed, and in particular are extracted :

  • the attached documents,
  • URIs.

works like a Russian doll’s game: everything is recursive. Attachments are analyzed themselves: they are transmitted to GLIMPS-Malware, but also to Assemblyline’s standard modules (antivirus, frankenstrings, etc.). So if someone transmits in an e-mail an attachment in the form of a zip containing e-mails containing malicious URIs themselves… These URIs will be detected and analyzed. In the same way if an attachment is an Excel file containing links…


AssemblyLinev4 Beta was missing 2 plugins to build such a platform:

  1. A new mail parsing plugin for ALv4. Godfried Meesters (Github link) proposed one on the AssemblyLine forum just before I made mine, I was able to reuse it with minor modifications (insertion of URIs in tags)A plugin that checks all detected URIs against a regularly updated blacklist.

On the tested examples, it works perfectly! The platform detects e-mails containing phishing links, either in the body of the e-mail or in Excel attachments for example. All executables are also scanned for potential malware.

In our example, each file is screened by the modules below:

NameType of filesDetails
emlParserfiles/email|code/html|textAnalyzes emails, extracts URIs and attachments, and shapes the output for a nice visualization.
Extract*Extracts files from a large number of container types (zip...)
Yara*Applies the yara rules...
GLIMPS-MalwareexecutableGLIMPS-Malware generates concept-code from an executable and compares it to a classified malware database to identify and characterize malware.
Url-checkertagsscans all URIs identified during the scan for phishing links
ClamAV*Antivirus ClamAV
PDFIdfiles/pdfExtract metadata from PDFs
Characterize*Calculates the file entropy per partition.
Beaver*compares hashes to the CCIRC database
ViperMonkey(files/email|code/html|text)Analyzes VBA macros

Of course, GLIMPS-Malware can also be used much more extensively within your company, including :

  • connected to the web proxy to scan downloaded files,
  • as a centralized gateway for file analysis,
  • as a tool for the company’s SOC to carry out doubt resolution.

The diagram below shows these possibilities for your company:

To conclude, the code of the url-checker plugin will be available by the end of April on the Github GLIMPS.

Categories: Uses-case