Detecting Malware with Purple Team Collaboration



When it comes to new malware written in esoteric programming languages, Blue Team defenders have very little chance to ensure that all endpoints in their organization are able to detect and/or mitigate this malware.

Security professionals quickly recognized this issue and built an effective pipeline to identify new releases of unique malware and develop detections for them. This defender pipeline has thwarted threat actors from easily deploying harmful and destructive malware into networks around the world.

Many large companies help contribute to the information security community by publicly releasing these detections as soon as they notice newly released malware or exploits. This not only showcases the companies’ security posture, but also commits to the greater good of helping fellow defenders.

NVIDIA has positioned its security posture so that it can contribute to the broader security community to help against threats like this. This post explains how the NVIDIA Security Team worked with an open source developer within the information security field to help bolster the defensive capabilities of the broader community.

NVIDIA Security Team open source collaboration

The NVIDIA Security Team consists of individuals with a wide variety of backgrounds and talents, such as SOC analysts, Red Teamers, Threat Hunters, Capability Developers, and many more. With such a wide array of talents, the NVIDIA Security Team is constantly on the lookout for new threats, research, or capabilities released to the public.

To provide an example, a member of the NVIDIA Security Team noticed a Tweet from notable Red Team open source developer Cas van Cooten. The Tweet called for assistance from the broader community to help develop detections for a new Command and Control framework. This framework was written in a fairly new programming language called Nim. Because Nim is unique and under the radar of many security companies, van Cooten knew that his framework would more than likely be undetected by even the most advanced security products on first release.

As a member of the overall information security community, van Cooten understood that real, maliciously aligned threat actors would use his project to cause harm to networks around the world. Noting this mission, a member of the NVIDIA Security Team reached out to van Cooten to further understand how the team could help.

NVIDIA Security Team hackathon and YARA rule development

The NVIDIA Security Team dedicated a full work day to look at source code provided by the open source developer prior to release. The intent was to help provide generalized detections to arm defenders against this tool.

The first step was to compile and run this malware in an isolated environment to understand its full functionality and basic behaviors. Understanding the basic functionality lets the NVIDIA Security Team dig into particular behaviors and strings and, most importantly, reveals the unique aspects to key on when developing detections.

During the hackathon, the NVIDIA Security Team developed a robust and encompassing ‘in-memory’ YARA rule. It includes string-based detections that are found in multiple different configurations of the malware, including:

  • static strings found embedded for particular capabilities
  • HTTP-based strings for default configuration and regex-based rules to detect any variants that might be implemented
  • Nim-specific strings/imports found uniquely together within the malware

Alongside these string-based detections, the NVIDIA Security Team also built a more complex set of rules that:

  • detect the raw offset of the executable’s entry point based on other strings
  • import a detection library to help identify executables specifically, which helps with scanning
  • detect not just the .exe but the .dll and .bin files

The rule set can be ingested by the security operations center of any organization: it is written in the YARA language, which is supported by many modern security solutions.
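To make the layering described above concrete, here is an illustrative rule with the same structure. It is an added example, not the NVIDIA rule set or any part of the framework. The Nim runtime strings are an assumption (typical of unstripped Nim builds), and the capability and HTTP strings are constructed placeholders rather than the framework's real values.

```yara
import "pe"

rule Illustrative_Nim_Implant_Layered
{
    meta:
        description = "Added example mirroring the layering described above; not the NVIDIA rule set"
        scope       = "PE files (.exe/.dll), raw .bin dumps and process memory"

    strings:
        // Nim runtime artefacts. Assumption: these survive in unstripped Nim builds.
        $nim1 = "NimMain" ascii
        $nim2 = "nimFrame" ascii
        $nim3 = "Error: unhandled exception" ascii

        // Capability strings. Constructed placeholders, not the framework's real values.
        $cap1 = "PLACEHOLDER_CAPABILITY_ONE" ascii wide
        $cap2 = "PLACEHOLDER_CAPABILITY_TWO" ascii wide

        // Default HTTP configuration as a literal, plus a regex that still fires when an
        // operator renames the endpoint prefix but keeps the parameter shape. Placeholders.
        $http1 = "/PLACEHOLDER/register" ascii
        $http2 = /\/[A-Za-z0-9_]{1,16}\/(register|task|result)\?id=[A-Za-z0-9]{4,16}/ ascii

    condition:
        (
            // PE branch: covers .exe and .dll alike. pe.entry_point is the raw file
            // offset when scanning a file and a virtual address when scanning memory.
            uint16(0) == 0x5A4D
            and pe.entry_point > 0
            and 2 of ($nim*)
            and 1 of ($cap*, $http*)
        )
        or
        (
            // Raw branch: .bin shellcode or an in-memory region with no MZ header to
            // anchor on, so demand stronger string evidence to hold the false-positive rate.
            uint16(0) != 0x5A4D
            and all of ($nim*)
            and 2 of ($cap*, $http*)
        )
}
```

Before deployment, replace the placeholders with strings observed in the real sample and run the rule over a clean corpus of Nim-compiled binaries to measure false positives from the runtime strings alone.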

Summary

The detections developed by the NVIDIA Security Team will be released alongside the open source project. These detections will have a significant impact on ensuring organizations around the world (including NVIDIA) are properly armed to defend against this framework as it is launched. Traditionally, these types of detections are developed only after an attack framework is released and is already causing damage.

Interested in learning more from the NVIDIA cybersecurity team? Register for GTC 2023 for free and join us March 20–23 for Connect with the Experts: Using AI to Modernize Cybersecurity and many more related sessions.

Source:: NVIDIA