The year of September is finally over, and it’s time for a new month and new Triage Thursday blog!
This week we release our new API library/client. Available in Python and Go, it includes full libraries you can use in your own programs to interact with Triage, as well as a pre-made command-line client for manual use. Read on below for more information.
As usual we also have a bunch of family detection updates which have been deployed over the course of the week:
Remember you can always give feedback or report any issues through the Feedback button in any analysis report. You can also reach us directly through the website or on Twitter.
Not signed up yet? Head over to tria.ge to register for a free account!
API Library and Client
The Triage API is a REST-like interface which provides a way to interact with Triage via the commandline or scripts. We will not be going in-depth with the API itself here - you can find full documentation here if you want to know more about that aspect.
Today we are publishing libraries for use with the API, to simplify the process of creating custom scripts. We have also created pre-made clients for manual use on the commandline. These are all implemented in both Python 3 and Go, and are cross-compatible with Windows and Linux.
Below we will take a quick look at these clients and some basic usage.
The full library is available on Github - github.com/hatching/triage.
Clone the repository to a local directory. You will see directories for Python and Go inside it.
In the triage/go directory, simply run the make command to compile and install the client. The binary will be written to your configured Gobin path as triage. Any version of Go 1.13 or later will support the client, although it's always advisable to use the latest version (currently 1.15).
$ cd go
$ make
go build -o "~/work/bin/triage" github.com/hatching/triage/go/cmd/triage
$ triage --help
Usage of triage:

  authenticate [token] [flags]
    Stores credentials for Triage.
  submit [url/file] [flags]
    Submit a new sample file or URL.
  select-profile [sample]
    Interactively lets you select profiles for samples that have been submitted in interactive mode. If an archive file was submitted, you will also be promted to select the files to analyze from the archive.
  list [flags]
    Show the latest samples that have been submitted.
  file [sample] [task] [file] [flags]
    Download task related files.
  archive [sample] [flags]
    Download all task related files as an archive.
  delete [sample]
    Delete a sample.
  report [sample] [flags]
    Query reports for a (finished) analysis.
  create-profile [flags]
  delete-profile [flags]
  list-profiles [flags]
While the Python library is located in the triage/python directory, one can easily install the library through pip. Note that it requires Python 3.
$ pip install hatching-triage
[...]
Successfully installed hatching-triage-0.1
$ triage --help
Usage: triage [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  archive
  authenticate
  create-profile
  delete
  delete-profile
  file
  list
  list-profiles
  report
  select-profile
  submit
Now that it is installed, you can start using the client just by running the triage command. First, you can always access help for any command by running triage [command] --help, which will list the available options. A full list of commands can be seen with just triage --help.
To get started you first need to register your API token with the client. This allows it to handle requests and access your account without you needing to supply the API key every request, or type it on the commandline regularly.
triage authenticate [API_KEY]
By default the client is configured to use the public Triage API endpoints. If you wish to use it with a private instance, you can also register that using the -u flag:
triage authenticate [API_KEY] -u [API_URL]
The URL used here should be the root API without any endpoint paths, for example https://api.tria.ge for the public server. Note that the client currently can only be logged in with one instance at a time, and cannot store multiple sets of credentials.
You can now access all the client’s functionality. Here is a brief description of each command’s purpose:
- submit: submit a sample file or URL
- select-profile: Lets you select profiles for samples that have been submitted in interactive mode. If an archive file was submitted, you will also be prompted to select the files to analyze from the archive.
- list: view a list of recent analyses on Triage
- file: download a task related file from an analysis, such as a Dumped File.
- archive: fetch the full archive containing all of the analysis data, including dropped files, PCAPs, JSON reports and raw logs.
- delete: delete an analysis you own from Triage
- report: fetch the JSON report for a completed analysis
- create-profile: create an analysis profile with specific attributes (not available to all account types)
- delete-profile: delete an analysis profile you own (not available to all account types)
- list-profiles: show all analysis profiles usable by your account (not available to all account types)
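The two things the client handles for you above, keeping the API key out of the command line and joining a root URL such as https://api.tria.ge to an endpoint path, are easy to get wrong in a home-grown script. The following is an added example written for this post, not code from the hatching-triage library: a small urllib-based helper that reads the token from a file or environment variable, builds bearer-authenticated requests against the root URL, and reduces an overview report to the fields a triage queue needs. The endpoint paths (/v0/samples, /v0/samples/{id}/overview.json), the report layout (analysis.score, analysis.family) and the verdict thresholds are assumptions, and the embedded report fragment is constructed.

```python
"""Minimal Triage API helper.

Added example, not the hatching-triage library. The endpoint paths and the
overview report layout used below are assumptions about the Triage REST API.
"""
import json
import os
import urllib.request

PUBLIC_ROOT = "https://api.tria.ge"  # root URL, no endpoint path (as the client expects)


def load_token(path="~/.triage-token"):
    """Read the API key from TRIAGE_TOKEN or a private file, never from argv
    (argv is visible to other processes and ends up in shell history)."""
    tok = os.environ.get("TRIAGE_TOKEN")
    if tok:
        return tok.strip()
    with open(os.path.expanduser(path)) as fh:
        return fh.read().strip()


def build_request(root_url, path, token, body=None):
    """Join root + endpoint path without doubled or missing slashes and attach
    the bearer token. JSON bodies are sent as POST, otherwise GET."""
    url = root_url.rstrip("/") + "/" + path.lstrip("/")
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers,
                                  method="POST" if data else "GET")


def submit_url(root_url, token, target):
    """Submit a URL for analysis (assumed endpoint: POST /v0/samples)."""
    req = build_request(root_url, "/v0/samples", token,
                        {"kind": "url", "url": target})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_overview(root_url, token, sample_id):
    """Fetch the overview report (assumed endpoint: GET /v0/samples/{id}/overview.json)."""
    req = build_request(root_url, "/v0/samples/%s/overview.json" % sample_id, token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarise(overview):
    """Reduce an overview report to score, de-duplicated family names and a
    verdict. Layout (analysis.score 1-10, analysis.family list) and the
    thresholds are assumptions chosen for this example."""
    analysis = overview.get("analysis", {})
    score = analysis.get("score", 0)
    families = analysis.get("family") or []
    if score >= 7:
        verdict = "malicious"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"score": score, "families": sorted(set(families)), "verdict": verdict}


# Constructed overview fragment (not a real Triage report) for an offline dry run.
SAMPLE_OVERVIEW = {
    "sample": {"id": "201001-example"},
    "analysis": {"score": 10,
                 "family": ["exorcist", "exorcist"],
                 "tags": ["family:exorcist", "ransomware"]},
}

if __name__ == "__main__":
    # Offline: only the report summary runs; the HTTP helpers need a real token.
    print(summarise(SAMPLE_OVERVIEW))
```

Because the token comes from the environment or a file readable only by you, the script can be shared or checked in without leaking credentials, which is the same reason the client stores the key once via triage authenticate instead of taking it on every invocation.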
Exorcist 2.0 Ransomware
At the end of September it was reported that the Exorcist ransomware was distributing a new version in fake software cracks that were available online. We already had detection for the original Exorcist, and we have now updated this to cover the new 2.0 variant as well.
The family drops a note in the .hta format which directs victims towards a .onion site for payment instructions.
Bazar is a well-known loader and backdoor which has been reported to have potential links to the Trickbot developers. It uses EmerDNS to communicate with C2 via the .bazar domains which gave the family its name. A detailed writeup of the family by Cybereason can be found here.
We recently observed that some Bazar samples were not being caught by our existing signatures, so we reviewed a number of samples and updated our detection. Triage’s coverage of the family is now much more robust, and we will continue to update as required by new variants.
We've just updated our detection for #BazarLoader on https://t.co/TjG0lRsiXA! Also improved signatures for the backdoor module it normally deploys. Check out examples here:
— Hatching (@hatching_io) September 25, 2020
Crypt32 is an unusual type of ransomware which is sometimes referred to as fan-extortion malware. It does not demand any financial payment in return for decrypting an infected system, but simply requires that the victim install the game Heroes of the Storm.
It drops a .txt ransom note which has the instructions in both English and Korean. Thanks to @Amigo_A_ for the sample.
Dusk was observed at the end of September by @GrujaRS. It is a straightforward ransomware with very distinctive naming and ransom note contents. We have added family classification for it, and will keep an eye on future versions.
Sekhmet was mainly active in early and mid 2020, but was brought to our attention recently by @Amigo_A_, who reported a potential new variant of the family calling itself Egregor.
Sekhmet is distributed as a DLL file intended to be launched using regsvr32.exe. It drops .txt ransom notes and includes communication with a C2 server.