Lucy Awareness

Technical Malware Test

Last updated 6 months ago
Overview

The Malware Simulation Toolkit is a powerful tool designed to mimic various types of malware behavior on your computer. However, using this tool without appropriate precautions can raise concerns within your organization's Information Security (InfoSec) team.

Checklist

You should only use this tool inside a VM, never in your real environment. While the files are ultimately harmless, they mimic the behavior of many types of malware and could raise false alarms for your security team(s).

Configure the Toolkit

The Malware Testing Toolkit comes with three different modes to choose from: Full, Advanced Dropper, and Ransomware. Each mode has its own set of configuration options.

The full toolkit performs an extensive test of the system using a large number of operations. By default, the full suite of tests is active, and each test can be configured in the message template.

Setup

  • The tool creates a subfolder in the TEMP directory, named something like TMP6BCF227D (details will be provided in the report).

  • A file named malware.jpeg is placed in this subfolder.

Execution

  • The image is decrypted and launched from its current location.

  • The contained file is a standard LUCY dropper that establishes a reverse HTTP/HTTPS connection using the browser to make base64 POST requests.

  • The new process will be named malware.jpeg.

Logging

  • The dropper generates a log file named log.txt, which is stored in the TMP* folder.

Information Harvesting

  • A hidden folder is created in the TEMP directory, named something like ADVDROP81227C11 (details will be recorded in log.txt).

  • The dropper begins to gather information and, for each session, creates a subfolder within the hidden folder with a name such as 82C89047. The resulting structure will look like ADVDROP81227C11\82C89047 in the TEMP directory.

  • Harvested files are placed in this subfolder and are later encrypted.

Data Transmission

  • After encryption, the LUCY URL is called, and the dropper sends the files back to LUCY via POST (using HTTP or HTTPS, depending on your campaign settings).

If you have SSL configured for the domain, Lucy uses HTTPS by default.
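The Setup, Logging and Information Harvesting steps above leave a predictable footprint in the TEMP directory. The following scanner is an added example (not code from the Lucy documentation or the toolkit itself) that enumerates that footprint so you can confirm what the test left behind, feed the folder names into a file-monitoring rule, or clean up afterwards. It assumes the naming pattern implied by the documentation's examples (a fixed prefix followed by eight uppercase hex characters) and matches on names only; the `hidden` attribute is not checked. The directory tree it scans in `demo()` is constructed for the dry run.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Naming pattern assumed from the documented examples TMP6BCF227D,
# ADVDROP81227C11 and 82C89047: prefix + eight uppercase hex characters.
TMP_DIR_RE = re.compile(r"^TMP[0-9A-F]{8}$")
ADVDROP_DIR_RE = re.compile(r"^ADVDROP[0-9A-F]{8}$")
SESSION_DIR_RE = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class DropperFootprint:
    staging_dirs: list = field(default_factory=list)   # TMP* dirs holding malware.jpeg
    log_files: list = field(default_factory=list)      # log.txt files found in TMP* dirs
    harvest_dirs: dict = field(default_factory=dict)   # ADVDROP* dir -> list of session dirs

    def session_count(self) -> int:
        return sum(len(sessions) for sessions in self.harvest_dirs.values())


def scan_temp_dir(temp_dir: str) -> DropperFootprint:
    """Enumerate artifacts matching the documented dropper layout under temp_dir."""
    fp = DropperFootprint()
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not os.path.isdir(path):
            continue
        if TMP_DIR_RE.match(name):
            if os.path.isfile(os.path.join(path, "malware.jpeg")):
                fp.staging_dirs.append(path)
            log_path = os.path.join(path, "log.txt")
            if os.path.isfile(log_path):
                fp.log_files.append(log_path)
        elif ADVDROP_DIR_RE.match(name):
            fp.harvest_dirs[path] = [
                os.path.join(path, sub)
                for sub in sorted(os.listdir(path))
                if SESSION_DIR_RE.match(sub) and os.path.isdir(os.path.join(path, sub))
            ]
    return fp


def build_sample_tree(root: str) -> None:
    """Constructed sample layout (not from a real run): one staging dir, one
    harvest dir with three sessions, plus an unrelated folder as noise."""
    staging = os.path.join(root, "TMP6BCF227D")
    os.makedirs(staging)
    open(os.path.join(staging, "malware.jpeg"), "wb").close()
    open(os.path.join(staging, "log.txt"), "w").close()
    harvest = os.path.join(root, "ADVDROP81227C11")
    for session in ("82C89047", "1A2B3C4D", "0F0F0F0F"):
        os.makedirs(os.path.join(harvest, session))
    os.makedirs(os.path.join(root, "UnrelatedFolder"))


def demo() -> DropperFootprint:
    """Run the scanner over the constructed tree and return the footprint."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_temp_dir(root)


if __name__ == "__main__":
    result = demo()
    print(f"staging dirs: {len(result.staging_dirs)}, logs: {len(result.log_files)}, "
          f"harvest dirs: {len(result.harvest_dirs)}, sessions: {result.session_count()}")
```

To check a real VM after a test, call `scan_temp_dir(os.environ["TEMP"])` instead of `demo()`; the returned paths are exactly the ones a file-activity alert should have referenced.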

Variables

Several LUCY variables can be defined for this template:

  • Working Hours: Currently set from 10:00 to 00:00. If the template is launched at 9:00, the dropper will wait until 10:00 to begin execution.

  • Session Count: Currently set to 3, meaning the dropper will create 3 subfolders within ADVDROP81227C11, each containing its dataset.

  • Session Intervals: Currently set to 5 minutes, allowing the dropper to operate for approximately 15 minutes in total (number of sessions × minutes per session).

  • Maximum File Size: This defines the maximum size of files the tool will send or encode within the POST requests (in kB).
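The Working Hours, Session Count and Session Intervals variables together determine when the dropper is active, which is what a SOC needs in order to correlate the test with the alerts it raises. The helper below is an added example, not Lucy's own scheduling code: it derives the expected session windows from those three variables using the defaults quoted above (10:00 to 00:00, 3 sessions, 5 minutes). The wait-until-start and next-day behaviour is inferred from the documentation's 9:00 example, not from the tool's source.

```python
from datetime import datetime, time, timedelta


def activity_start(launch: datetime, start: time, end: time) -> datetime:
    """Earliest moment the dropper may begin, given the launch time and working hours.
    An end of 00:00 is treated as midnight at the end of the launch day, matching the
    documented 10:00-00:00 setting (assumption based on the documentation's example)."""
    day_start = datetime.combine(launch.date(), start)
    if end == time(0):
        day_end = datetime.combine(launch.date(), time(0)) + timedelta(days=1)
    else:
        day_end = datetime.combine(launch.date(), end)
    if launch < day_start:
        return day_start                      # launched too early: wait for the start hour
    if launch < day_end:
        return launch                         # inside working hours: start right away
    return day_start + timedelta(days=1)      # after hours: wait for the next day's start


def session_windows(launch: datetime, start: time = time(10), end: time = time(0),
                    sessions: int = 3, interval_min: int = 5) -> list:
    """(start, end) window per harvesting session, back to back from activity_start()."""
    begin = activity_start(launch, start, end)
    windows = []
    for i in range(sessions):
        s = begin + timedelta(minutes=i * interval_min)
        windows.append((s, s + timedelta(minutes=interval_min)))
    return windows


def total_minutes(windows: list) -> int:
    """Overall active span: number of sessions x minutes per session."""
    return int((windows[-1][1] - windows[0][0]).total_seconds() // 60)


if __name__ == "__main__":
    # Constructed launch time matching the documentation's 9:00 example.
    for w in session_windows(datetime(2024, 1, 1, 9, 0)):
        print(w[0].strftime("%H:%M"), "-", w[1].strftime("%H:%M"))
```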

Overview

Ransomware is a type of malware that restricts users from accessing their systems or files. Victims are typically coerced into paying a ransom through various online payment methods to regain access to their systems or recover their data. Some ransomware, such as Cryptolocker, encrypts files, while others, like CTB Locker, use Tor to conceal command and control (C&C) communications.

Simulation Tool

Our template simulates a form of ransomware that locks files such as documents, spreadsheets, and other important data. It then creates an encrypted copy on either a shared drive with write access or locally. The primary goal of this template is to determine if the information-gathering activities or the significant number of read/write operations on a drive from a single PC trigger any alerts in your monitoring system.

Settings

Within the tool, you can specify several settings:

  • File Location: Where the tool will install itself. 0 = Current directory, 1 = Desktop, 2 = Temp folder, 3 = User folder

  • Start/Stop Hours: When the tool will execute and when it will automatically unlock.

  • Operation Mode: Choose whether to work with dummy data or real data discovered on the network. Mode 0 = Data Discovery, Mode 1 = Dummy Data.

  • File Extensions: Specify which file types to search (default: doc, ppt, xls, pdf, txt).

  • Maximum File Size: Set the maximum size of files to process (default: 512 KB).

  • Number of Files: Specify the maximum number of files to copy (default: 100).

  • Crawl Time (minutes): The maximum amount of time the tool will spend searching for files.

  • Data Retention: Decide whether to leave a copy of the data on the PC/share or delete it after execution.

  • Number of fake file operations: If using dummy data, this setting controls the maximum number of files the tool will create.
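The stated goal of the ransomware template is to find out whether a burst of read/write operations from a single PC trips your monitoring. The detector below is an added example written from the defender's side, not part of Lucy or its toolkit: it runs over file-access events in a constructed log format (`timestamp host=... op=... path=...`, an assumption, not any product's real format) and flags a host that reads many distinct files and creates at least as many new files inside a short window, which is the read-then-write-encrypted-copy pattern the simulation produces. Thresholds and the sample events are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event format for this example; adapt the regex to your own telemetry.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>READ|CREATE|WRITE|DELETE) path=(?P<path>.+)$"
)


def parse_events(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "op": m["op"], "path": m["path"]})
    return events


def detect_mass_file_ops(events, window=timedelta(minutes=5), min_reads=20, min_creates=20):
    """Sliding-window check per host: alert when, within `window`, a host has read
    at least min_reads distinct files and created at least min_creates new files."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            span = evs[lo:hi + 1]
            reads = {e["path"] for e in span if e["op"] == "READ"}
            creates = {e["path"] for e in span if e["op"] == "CREATE"}
            if len(reads) >= min_reads and len(creates) >= min_creates:
                alerts.append({"host": host, "start": span[0]["ts"], "end": span[-1]["ts"],
                               "reads": len(reads), "creates": len(creates)})
                break  # one alert per host is enough here
    return alerts


def sample_log():
    """Constructed events: WS-17 reads 30 documents and writes 30 copies in about three
    minutes (the simulated burst); WS-04 shows ordinary, low-volume activity."""
    base = datetime(2024, 5, 2, 14, 0, 0)
    lines = []
    for i in range(30):
        t = (base + timedelta(seconds=6 * i)).isoformat()
        lines.append(f"{t} host=WS-17 op=READ path=\\\\fs01\\finance\\doc{i:03d}.docx")
        lines.append(f"{t} host=WS-17 op=CREATE path=\\\\fs01\\finance\\doc{i:03d}.docx.enc")
    for i in range(5):
        t = (base + timedelta(seconds=40 * i)).isoformat()
        lines.append(f"{t} host=WS-04 op=READ path=\\\\fs01\\finance\\report{i}.xlsx")
    lines.append("2024-05-02T14:01:00 host=WS-04 op=CREATE path=\\\\fs01\\finance\\notes.txt")
    lines.append("unrelated line that the parser must ignore")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_file_ops(parse_events(sample_log())):
        print(alert)
```

Tune `window`, `min_reads` and `min_creates` to the Crawl Time, Number of Files and Maximum File Size you configured in the template; if the test runs and this kind of rule produces nothing in your SIEM, that is the finding the template is designed to surface.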

Running the test

Start your campaign, then download the toolkit to your VM either from your Lucy server or from the campaign email attachment.

A test like this is likely to raise a lot of red flags for your InfoSec team. While this is a good sign that your policies are working to protect you, it's best to give them a heads-up before executing this test and setting off alarms.

AV problems and security warnings

Some antivirus solutions may flag the tool as a virus or suspicious file, especially behavior-based antivirus programs. This indicates that your antivirus can detect certain methods used by the tool that are commonly associated with malware. It is a positive sign that your antivirus can identify malicious code without relying solely on signatures. Since the toolkit mimics malware activities, these alerts are not inherently incorrect. You can either ignore them or, if necessary, disable your antivirus if it prevents you from completing the malware assessment test.

You may encounter multiple security warnings when opening or executing the file. If you open the file as an email attachment or download it, a warning window will inform you that executables can be dangerous and may harm your computer. This warning occurs because the executable is not code-signed. We cannot code-sign the executable because parts of it are dynamically generated at runtime; however, it is safe to execute.

This template simulates certain aspects of malware behavior similar to FinFisher, but without making any modifications to the system (e.g., no hooks, MBR changes, etc.). All activities will be executed with standard user rights.

Related links:

  • View the full list of tests
  • Download the LHFC email template
  • Download the Malware Testing Toolkit file template
  • Create a Malware Test campaign using the wizard