ThreatMapper, The open source Cloud Native Application Protection Platform (CNAPP) is now natively integrated with YaraHunter. Yarra Hunter A powerful malware scanner for cloud natives including containers, images and hosts.previous PositionNow we have seen how to use YaraHunter to scan cloud-native assets for malware. It is for identifying and reporting possible signs of malware across various cloud resources, pods, virtual machines, file systems, image registries, and build artifacts. This post shows how ThreatMapper can be used to classify different cloud-native malware, how to harden Yara rulesets to identify cryptographically signed malware risks, and how runtime context can be used to prioritize those risks. Learn how to build a better security posture.
Cryptomalware attacks are becoming more and more popular among cybercriminals due to the increasing value of the currency and its widespread adoption. Once executed on a victim’s device, crypto-malware can typically run independently indefinitely.As Estimate According to Google, the majority of Google Cloud instances (around 86%) have been compromised due to cryptomining. Although not as devastating as ransomware, crypto malware still causes severe losses in terms of computing resources, leading to direct and indirect damage.
ThreatMapper is supported by various Yara rule sets for classifying malware. A Yara rule set is a description of a malware family based on text or binary patterns. In particular, ThreatMapper has hundreds of rules covering a wide range of classifications, including cryptomining, DDOS, information theft, spambots, rootkits, keyloggers, and more. Additionally, host-based indicators such as filenames, registry keys, exposed passwords, and private keys also form an important part of the ruleset.
In an effort to keep ThreatMapper abreast of the current set of challenges, we recently added rules for Cobalt Strike Malware. A brief background on Cobalt Strike – Malicious actors leveraged the critical severity vulnerability CVE-2019-18935 to execute remote code on the Telerik UI library and install Cobalt Strike beacons. Once the beacon is installed, it successfully mines Monero tokens by hijacking system resources.
ThreatMapper comes with hundreds of pre-existing rules that detect cryptocurrency miners, plus: rule Recently released by Google detection Cobalt Strike malware. This helps detect malware at all stages of the development and deployment lifecycle, as part of CI/CD scanning, from image repositories, or when running containers, pods, and hosts in your infrastructure.
Below are sample results from scanning an image containing the Cobalt Strike malware.
Additionally, if the XmRig crypto miner malware is present in images, scanning those images will produce results of the form:
ThreatMapper can also classify different malware types –
In addition to malware classification, sensors deployed as part of ThreatMapper provide valuable runtime context used to automatically prioritize malware that requires immediate attention. In the near future, we will be adding malware scanning controls, rules, and insights from different malware taxonomies. For more information on technical integrations, visit ThreatMapper. repositoryWe welcome all forms of contributions, including documentation, feature requests, technical bugs, and source code patches.
post Identifying and Classifying Crypto Malware with ThreatMapper first appeared deep fence.