The Malware Simulation Toolkit is a powerful tool designed to mimic various types of malware behavior on your computer. However, using this tool without appropriate precautions can raise concerns within your organization's Information Security (InfoSec) team.
Checklist
You should only use this tool inside of a VM - never in your real environment. While the files are ultimately harmless, they mimic the behavior of many types of malware and could raise false alarms for your security team(s).
Alert your Security team before starting!
Configure the Toolkit
The Malware Testing Toolkit comes with three different modes to choose from: Full, Advanced Dropper, and Ransomware. Each mode has its own set of configuration options.
Full
The full toolkit performs an extensive test of the system using a large number of operations. By default the full suite of tests is active, and each test can be configured in the message template.
Advanced Dropper
This template simulates certain aspects of malware behavior similar to FinFisher, but without making any modifications to the system (e.g., no hooks, MBR changes, etc.). All activities are executed with standard user rights.
Setup
The tool creates a subfolder in the TEMP directory, named something like TMP6BCF227D (details will be provided in the report).
A file named malware.jpeg is placed in this subfolder.
Execution
The image is decrypted and launched from its current location.
The contained file is a standard LUCY dropper that establishes a reverse HTTP/HTTPS connection using the browser to make base64 POST requests.
The new process will be named malware.jpeg.
Logging
The dropper generates a log file named log.txt, which is stored in the TMP* folder.
Information Harvesting
A hidden folder is created in the TEMP directory, named something like ADVDROP81227C11 (details will be recorded in log.txt).
The dropper begins to gather information and, for each session, creates a subfolder within the hidden folder, named similarly to 82C89047. The resulting structure will look like ADVDROP81227C11\82C89047 in the TEMP directory.
Harvested files are placed in this subfolder and are later encrypted.
Data Transmission
After encryption, the LUCY URL is called, and the dropper sends the files back to LUCY via POST (using HTTP or HTTPS, depending on your campaign settings).
If you have SSL configured for the domain, LUCY uses HTTPS by default.
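As an added example (not part of the LUCY toolkit or of this page), the following Python check can be run on the test VM after the dropper has finished, to confirm that the artifacts described above (the TMP* folder with malware.jpeg and log.txt, and the ADVDROP* folder with one 8-hex subfolder per session) were actually written in TEMP, so a missed alert can be attributed to monitoring rather than to the test not running. Matching is by folder name only, and the sample tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Folder and file names follow the page's description: TMP<8 hex> holding
# malware.jpeg and log.txt, and a hidden ADVDROP<8 hex> folder holding one
# 8-hex session subfolder per session (for example ADVDROP81227C11\82C89047).
TMP_DIR = re.compile(r"^TMP[0-9A-F]{8}$")
ADVDROP_DIR = re.compile(r"^ADVDROP[0-9A-F]{8}$")
SESSION_DIR = re.compile(r"^[0-9A-F]{8}$")
DROPPER_FILES = {"malware.jpeg", "log.txt"}


def scan_temp(temp_root):
    """Describe toolkit artifacts under temp_root. Matching is by name only;
    the hidden attribute is not checked, so this also runs on non-Windows."""
    found = {"dropper_dirs": {}, "sessions": {}}
    root = Path(temp_root)
    if not root.is_dir():
        return found
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        if TMP_DIR.match(entry.name):
            present = sorted(p.name for p in entry.iterdir() if p.name in DROPPER_FILES)
            if present:  # a TMP* folder without the known files is not reported
                found["dropper_dirs"][entry.name] = present
        elif ADVDROP_DIR.match(entry.name):
            found["sessions"][entry.name] = sorted(
                d.name for d in entry.iterdir() if d.is_dir() and SESSION_DIR.match(d.name))
    return found


def artifacts_present(temp_root):
    f = scan_temp(temp_root)
    return bool(f["dropper_dirs"] or f["sessions"])


def build_sample_tree():
    """Create a constructed artifact tree in a fresh temp dir and return it."""
    root = Path(tempfile.mkdtemp())
    drop = root / "TMP6BCF227D"  # example folder name from the page
    drop.mkdir()
    (drop / "malware.jpeg").write_bytes(b"constructed placeholder, not a payload")
    (drop / "log.txt").write_text("constructed log\n")
    for session in ("82C89047", "82C89048", "82C89049"):  # 3 sessions
        (root / "ADVDROP81227C11" / session).mkdir(parents=True)
    (root / "TMPNOTHEX1").mkdir()  # decoy with a non-matching name
    return root
```

On the VM itself, call scan_temp(tempfile.gettempdir()) after the dropper's working window has ended.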
Variables
Several LUCY variables can be defined for this template:
Working Hours: Currently set from 10:00 to 00:00. If the template is launched at 9:00, the dropper will wait until 10:00 to begin execution.
Session Count: Currently set to 3, meaning the dropper will create 3 subfolders within ADVDROP81227C11, each containing its dataset.
Session Intervals: Currently set to 5 minutes, allowing the dropper to operate for approximately 15 minutes in total (number of sessions × minutes per session).
Maximum File Size: This defines the maximum size of files the tool will send or encode within the POST requests (in kB).
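An added example, not code from LUCY or from this page: a small Python helper that works out, from the Working Hours, Session Count and Session Intervals values above, when a dropper launched at a given time will actually start and when its sessions should be over, so the InfoSec team can be told the exact window to watch. It handles the case where the working window ends at 00:00 (midnight) and the run crosses into the next day; the defaults are the template values quoted above.

```python
from datetime import datetime, time, timedelta


def in_window(t, start, end):
    """True if clock time t lies in [start, end). end <= start means the window
    crosses midnight; an end of 00:00 therefore means "until midnight"."""
    if start < end:
        return start <= t < end
    return t >= start or t < end


def plan_dropper_run(launch_iso, work_start="10:00", work_end="00:00",
                     sessions=3, interval_min=5):
    """Return (begin, end) as ISO strings: when the dropper starts its first
    session and when the last one should be over. Defaults are the template
    values quoted on the page (10:00 to 00:00, 3 sessions, 5 minutes each)."""
    launch = datetime.fromisoformat(launch_iso)
    start, end = time.fromisoformat(work_start), time.fromisoformat(work_end)
    if in_window(launch.time(), start, end):
        begin = launch                     # already inside working hours
    else:
        begin = datetime.combine(launch.date(), start)
        if begin <= launch:                # today's window is already over
            begin += timedelta(days=1)
    finish = begin + timedelta(minutes=sessions * interval_min)
    return begin.isoformat(timespec="minutes"), finish.isoformat(timespec="minutes")
```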
Ransomware
Overview
Ransomware is a type of malware that restricts users from accessing their systems or files. Victims are typically coerced into paying a ransom through various online payment methods to regain access to their systems or recover their data. Some ransomware, such as Cryptolocker, encrypts files, while others, like CTB Locker, utilize TOR to conceal command and control (C&C) communications.
Simulation Tool
Our template simulates a form of ransomware that locks files such as documents, spreadsheets, and other important data. It then creates an encrypted copy on either a shared drive with write access or locally. The primary goal of this template is to determine if the information-gathering activities or the significant number of read/write operations on a drive from a single PC trigger any alerts in your monitoring system.
Settings
Within the tool, you can specify several settings:
File Location: Where the tool will install itself.
0 = Current directory, 1 = Desktop, 2 = Temp folder, 3 = User folder
Start/Stop Hours: When the tool will execute and when it will automatically unlock.
Operation Mode: Choose whether to work with dummy data or real data discovered on the network. Mode 0 = Data Discovery, Mode 1 = Dummy Data.
File Extensions: Specify which file types to search (default: doc, ppt, xls, pdf, txt).
Maximum File Size: Set the maximum size of files to process (default: 512 KB).
Number of Files: Specify the maximum number of files to copy (default: 100).
Crawl Time (minutes): The maximum amount of time the tool will spend searching for files.
Data Retention: Decide whether to leave a copy of the data on the PC/share or delete it after execution.
Number of fake file operations: If using dummy data, this setting controls the maximum number of files the tool will create.
Running the test
Start your campaign, then either download the toolkit to your VM from your Lucy server or from the campaign email attachment.
A test like this is likely to raise a lot of red flags for your InfoSec team. While this is a good sign that your policies are working to protect you, it's best to give them a heads up before executing this test and setting off alarms.
AV problems and security warnings
Some antivirus solutions may flag the tool as a virus or suspicious file, especially behavior-based antivirus programs. This indicates that your antivirus can detect certain methods used by the tool that are commonly associated with malware. It is a positive sign that your antivirus can identify malicious code without relying solely on signatures. Since the toolkit mimics malware activities, these alerts are not inherently incorrect. You can either ignore them or, if necessary, disable your antivirus if it prevents you from completing the malware assessment test.
You may encounter multiple security warnings when opening or executing the file. If you open the file as an email attachment or download it, a warning window will inform you that executables can be dangerous and may harm your computer. This warning occurs because the executable is not code-signed. We cannot code-sign the executable because parts of it are dynamically generated at runtime; however, it is safe to execute.