The year of September is finally over, and it’s time for a new month and new Triage Thursday blog!
This week we release our new API library/client. Available in Python and Go, it includes full libraries you can use in your own programs to interact with Triage, as well as a pre-made commandline client for manual use. Read on below for more information.
As usual we also have a bunch of family detection updates which have been deployed over the course of the week:
Remember you can always give feedback or report any issues through the Feedback button in any analysis report. You can also reach us directly through the website or on Twitter.
Not signed up yet? Head over to tria.ge to register for a free account!
API Library and Client
The Triage API is a REST-like interface which provides a way to interact with Triage via the commandline or scripts. We will not be going in-depth with the API itself here - you can find full documentation here if you want to know more about that aspect.
Today we are publishing libraries for use with the API, to simplify the process of creating custom scripts. We have also created pre-made clients for manual use on the commandline. These are all implemented in both Python 3 and Go, and are cross-compatible with Windows and Linux.
Below we will take a quick look at these clients and some basic usage.
Installation
The full library is available on Github - github.com/hatching/triage.
Clone the repository to a local directory. You will see directories for Python and Go inside it.
Go
In the triage/go directory, simply run the make command to compile and install the client. The binary will be written to your configured Gobin path as triage. Any version of Go 1.13 or later will support the client, although it's always advisable to use the latest version (currently 1.15).
$ cd go
$ make
go build -o "~/work/bin/triage" github.com/hatching/triage/go/cmd/triage
$ triage --help
Usage of triage:
authenticate [token] [flags]
Stores credentials for Triage.
submit [url/file] [flags]
Submit a new sample file or URL.
select-profile [sample]
Interactively lets you select profiles for samples that have been submitted
in interactive mode. If an archive file was submitted, you will also be
promted to select the files to analyze from the archive.
list [flags]
Show the latest samples that have been submitted.
file [sample] [task] [file] [flags]
Download task related files.
archive [sample] [flags]
Download all task related files as an archive.
delete [sample]
Delete a sample.
report [sample] [flags]
Query reports for a (finished) analysis.
create-profile [flags]
delete-profile [flags]
list-profiles [flags]
Python 3
While the Python library is located in the triage/python directory, it can also be installed easily through pip. Note that it requires Python 3.
$ pip install hatching-triage
[...]
Successfully installed hatching-triage-0.1
$ triage --help
Usage: triage [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
archive
authenticate
create-profile
delete
delete-profile
file
list
list-profiles
report
select-profile
submit
Basic Usage
Now that it is installed, you can start using the client with the triage command.
Help for any command is available by running triage [command] --help, which lists that command's options. A full list of commands is shown by triage --help.
To get started you first need to register your API token with the client. This allows it to handle requests and access your account without you needing to supply the API key every request, or type it on the commandline regularly.
triage authenticate [API_KEY]
By default the client is configured to use the public Triage API endpoints. If you wish to use it with a private instance, you can also register that using the authenticate command:
triage authenticate [API_KEY] -u [API_URL]
The URL used here should be the root API without any endpoint paths, for example https://api.tria.ge for the public server. Note that the client currently can only be logged in with one instance at a time, and cannot store multiple sets of credentials.
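To make the two requirements above concrete (a bare root URL with no endpoint path, and a stored token that does not need to be typed for every request), here is an added example of how a small credential store for such a client can be written. It is illustrative code written for this post, not the code of the hatching-triage library or its authenticate command. The config file name, the placeholder token, the /v0/samples endpoint path used in the demo, and the use of an Authorization: Bearer header are assumptions of the example, not details taken from the post.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse
from urllib.request import Request

# Public endpoint named in the post; a private instance would use its own root.
DEFAULT_API_URL = "https://api.tria.ge"


def normalize_api_url(url):
    """Accept only an https scheme://host root, rejecting endpoint paths."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("API URL must use https so the token is not sent in clear")
    if not parsed.netloc:
        raise ValueError("API URL must include a host")
    if parsed.path.strip("/") or parsed.query or parsed.fragment:
        raise ValueError("API URL must be the API root without endpoint paths")
    return f"{parsed.scheme}://{parsed.netloc}"


def save_credentials(path, token, api_url=DEFAULT_API_URL):
    """Store the token and root URL as JSON, readable only by the owner."""
    if not token or token.strip() != token:
        raise ValueError("token must be a non-empty string without surrounding whitespace")
    data = {"token": token, "url": normalize_api_url(api_url)}
    # O_CREAT with mode 0o600 means the file is never momentarily world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    if os.name == "posix":
        os.chmod(path, 0o600)  # tighten a pre-existing file with a wider mode
    return data


def load_credentials(path):
    """Read stored credentials, refusing a file that other users can read."""
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            raise PermissionError(f"{path} is accessible to other users (mode {oct(mode)})")
    with open(path) as fh:
        data = json.load(fh)
    if not data.get("token") or not data.get("url"):
        raise ValueError("incomplete credentials; run authenticate first")
    return data


def build_request(creds, endpoint):
    """Join the stored root URL with an endpoint path and attach the token.

    The 'Authorization: Bearer <token>' header is an assumption of this
    example about the auth scheme; the post itself does not describe it.
    """
    if not endpoint.startswith("/"):
        raise ValueError("endpoint must start with '/'")
    return Request(creds["url"] + endpoint,
                   headers={"Authorization": f"Bearer {creds['token']}"})


def roundtrip_demo(endpoint="/v0/samples"):
    """Save, reload and build one request in a temp dir; returns (url, auth header)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "triage.json")
        # Constructed placeholder token; not a real credential.
        save_credentials(path, "EXAMPLE_TOKEN", "https://api.tria.ge/")
        req = build_request(load_credentials(path), endpoint)
        return req.full_url, req.get_header("Authorization")


if __name__ == "__main__":
    print(roundtrip_demo())
```

The two checks worth copying into any such client are the strict root-URL validation (a URL that already carries a path would silently produce doubled or wrong endpoints once paths are appended) and the file-mode check on load, which catches a credentials file that was created or copied with a mode other users can read.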
You can now access all the client’s functionality. Here is a brief description of each command’s purpose:
- submit: submit a sample file or URL
- select-profile: Lets you select profiles for samples that have been submitted in interactive mode. If an archive file was submitted, you will also be prompted to select the files to analyze from the archive.
- list: view a list of recent analyses on Triage
- file: download a task-related file from an analysis, such as a dumped file.
- archive: fetch the full archive containing all of the analysis data, including dropped files, PCAPs, JSON reports and raw logs.
- delete: delete an analysis you own from Triage
- report: fetch the JSON report for a completed analysis
- create-profile: create an analysis profile with specific attributes (not available to all account types)
- delete-profile: delete an analysis profile you own (not available to all account types)
- list-profiles: show all analysis profiles usable by your account (not available to all account types)
Exorcist 2.0 Ransomware
At the end of September it was reported that a new version of the Exorcist ransomware was being distributed in fake software cracks available online. We already had detection for the original Exorcist, and we have now updated this to cover the new 2.0 variant as well.
The family drops a note in the .hta format which directs victims towards a .onion site for payment instructions.
Analysis:
BazarLoader
Bazar is a well-known loader and backdoor which has been reported to have potential links to the Trickbot developers. It uses EmerDNS to communicate with its C2 via .bazar domains, which gave the family its name. A detailed writeup of the family by Cybereason can be found here.
We recently observed that some Bazar samples were not being caught by our existing signatures, so we reviewed a number of samples and updated our detection. Triage’s coverage of the family is now much more robust, and we will continue to update as required by new variants.
Analyses:
Crypt32 Ransomware
Crypt32 is an unusual type of ransomware which is sometimes referred to as fan-extortion malware. It does not demand any financial payment in return for decrypting an infected system, but simply requires that the victim install the game Heroes of the Storm.
It drops a .txt ransom note which has the instructions in both English and Korean. Thanks to @Amigo_A_ for the sample.
Analysis:
Dusk Ransomware
Dusk was observed at the end of September by @GrujaRS. It is a straightforward ransomware with very distinctive naming and ransom note contents. We have added family classification for it, and will keep an eye on future versions.
Analysis:
Sekhmet Ransomware
Sekhmet was mainly active in early and mid 2020, but was brought to our attention recently by @Amigo_A_, who reported a potential new variant of the family calling itself Egregor.
Sekhmet is distributed as a DLL file intended to be launched using regsvr32.exe. It drops .txt ransom notes and includes communication with a C2 server.
Analyses: