CHAVECLOAK malware detection and response with Wazuh
CHAVECLOAK malware is a Windows-based banking trojan that targets South American financial sector individuals to steal sensitive financial information. The malware is distributed through phishing emails with embedded malicious PDF attachments. CHAVECLOAK blocks user device screens, logs keystrokes, and shows fake pop-up windows. The malware monitors the victim’s endpoint and becomes active when it detects banking-related activities.
CHAVECLOAK executes on the compromised endpoint using a DLL side-loading technique. This technique involves placing a legitimate-looking but malicious DLL file in a location where Windows automatically loads it. The malware connects to a command and control center to receive commands or exfiltrate captured banking credentials.
This blog post explores how to use Wazuh to detect and respond to CHAVECLOAK malware on Windows endpoints.
Behavioral analysis of CHAVECLOAK
- CHAVECLOAK adds itself to a hidden system location on the
%AppData%\Skillbrains\lightshot\5.5.0.7folder. - It uses DLL side-loading technique to execute its main component
Lightshot.dll. - The malware maintains persistence by creating a registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lightshot. This ensures the malware is executed after a system reboot. - It attempts to connect with a command and control server for commands and exfiltration of stolen sensitive data.
Analyzed IoC file
| Hash type | Value |
| MD5 | c371047910a709f65fd85d10cde0ca4f |
| SHA256 | 4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006 |
Infrastructure
We use the following infrastructure to demonstrate the detection of CHAVECLOAK malware with Wazuh.
- A pre-built, ready-to-use Wazuh OVA 4.7.4. Follow this guide to download the virtual machine. This endpoint hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
- A Windows 11 victim endpoint with Wazuh agent 4.7.4 installed and enrolled to the Wazuh server. Refer to the installation guide to install the Wazuh agent.
Detection with Wazuh
We use the following techniques to detect the CHAVECLOAK malware on an infected Windows endpoint:
- Using detection rules to detect the CHAVECLOAK malware activities.
- Using the Wazuh incident response capability to scan and remove files with malicious patterns.
Detection rules
We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the malicious activities of CHAVECLOAK.
Windows endpoint
Perform the following steps to configure the Wazuh agent to collect and forward Sysmon logs to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Using PowerShell with administrator privilege, create a Sysmon folder in the C:\ folder:
> New-Item -ItemType Directory -Path C:\Sysmon
3. Extract the compressed Sysmon file to the C:\Sysmon folder:
> Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"
Replace <PATH> with the path where Sysmon.zip was downloaded.
4. Download the Sysmon configuration file – sysmonconfig.xml to C:\Sysmon folder using the PowerShell command below:
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml
5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:
> cd C:\Sysmon > .\Sysmon64.exe -accepteula -i sysmonconfig.xml
6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent:
<localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile>
7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh
Wazuh server
We create custom rules to generate alerts when CHAVECLOAK malware activities are detected on the Windows endpoint. Perform the following steps to create detection rules on the Wazuh server.
1. Create a custom rule file chavecloak_rules.xml in the /var/ossec/etc/rules/ directory of the Wazuh server:
# touch /var/ossec/etc/rules/chavecloak_rules.xml
2. Add the custom rules for CHAVECLOAK malware below to the /var/ossec/etc/rules/chavecloak_rules.xml file:
<group name="chavecloak,">
<!-- Suspicious file creation -->
<rule id="100201" level="12">
<if_sid>61613</if_sid>
<field name="win.eventdata.image" type="pcre2">msiexec.exe</field>
<field name="win.eventdata.targetFilename" type="pcre2">Lightshot.exe</field>
<description>$(win.eventdata.image) created the executable $(win.eventdata.targetFilename). Possible CHAVECLOAK malware activity.</description>
<mitre>
<id>T1204.002</id>
</mitre>
</rule>
<!-- Lightshot executable loaded -->
<rule id="100202" level="12">
<if_sid>61609</if_sid>
<field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
<field name="win.eventdata.imageLoaded" type="pcre2">Lightshot.exe</field>
<description>$(win.eventdata.originalFileName) executable loaded. CHAVECLOAK malware detected.</description>
<mitre>
<id>T1073</id>
</mitre>
</rule>
<!-- DLL Sideloading -->
<rule id="100203" level="12">
<if_sid>61609</if_sid>
<field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
<field name="win.eventdata.imageLoaded" type="pcre2">Lightshot.dll</field>
<description>$(win.eventdata.imageLoaded) loaded by $(win.eventdata.image). CHAVECLOAK malware detected.</description>
<mitre>
<id>T1073</id>
</mitre>
</rule>
<!-- Persistence detection -->
<rule id="100204" level="12">
<if_sid>92300</if_sid>
<field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
<field name="win.eventdata.eventType" type="pcre2">(?i)SetValue</field>
<field name="win.eventdata.targetObject" type="pcre2">(?i)\\\\CurrentVersion\\\\Run\\\\Lightshot</field>
<description>New run key added to registry by $(win.eventdata.image). CHAVECLOAK malware detected.</description>
<mitre>
<id>T1547.001</id>
</mitre>
</rule>
<!-- Outbound network connection -->
<rule id="100205" level="12">
<if_sid>61605</if_sid>
<field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
<field name="win.eventdata.destinationIp" type="pcre2">\d+.\d+.\d+.\d+</field>
<description>Possible CHAVECLOAK malware activity: Network connection to $(win.eventdata.destinationIp):$(win.eventdata.destinationPort) detected.</description>
<mitre>
<id>T1036</id>
</mitre>
</rule>
</group>
Below is the list of rule IDs that are triggered when any activity associated with CHAVECLOAK malware is detected:
- Rule ID
100201is triggered whenmsiexec.execreates an executable namedLightshot.exein the%APPDATA%directory. - Rule ID
100202is triggered whenLightshot.exeis self-executed. - Rule ID
100203is triggered whenLightshot.exeloaded similarly namedLightshot.dll. - Rule ID
100204is triggered when a new run key, Lightshot, is added to the Windows Registry for persistence. - Rule ID
100205is triggered whenLightshot.exeattempts a connection to the C2 server.
3. Restart the Wazuh server for the changes to take effect:
# systemctl restart wazuh-manager
Detection results
From the Modules tab on your Wazuh dashboard, click on Agents to select the Windows endpoint, then select Security events tab to view the generated alerts.
The screenshot below shows the alerts generated on the Wazuh dashboard when the malware is executed on the victim’s Windows endpoint.
Detecting and removing CHAVECLOAK malware with VirusTotal and active response
VirusTotal is a security platform that aggregates antivirus products and online scan engines, offering an API that can be queried using URLs, IP addresses, domains, or file hashes to detect security threats. You can configure Wazuh to automatically send requests to the VirusTotal API with the hashes of files created or modified on monitored endpoints.
We configure the Wazuh File Integrity Monitoring (FIM) module and VirusTotal to detect and scan files added or modified in specific directories on the Windows endpoint. Furthermore, we configure the Wazuh active response module to remove any files identified as malicious by VirusTotal.
Windows endpoint
Configure the Wazuh FIM module and create an active response script using the steps below.
Configuring the FIM module
1. To monitor the intrusion of the CHAVECLOAK malware file, append the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent. In our case, we configure the FIM module to monitor the Downloads folder:
<ossec_config>
<syscheck>
<directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>
</syscheck>
</ossec_config>
2. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh
Active response Python script configuration
We create an active response script to remove the CHAVECLOAK malware when VirusTotal identifies it as a threat.
1. Download Python 3.11 and run the installer. Select the following checkboxes on the installer dialog box:
- Use admin privileges when installing py.exe.
- Add Python.exe to PATH.
2. Run the following command with administrative privilege to install Pyinstaller via PowerShell:
> pip install -U pyinstaller
3. Create an active response script remove-threat.py on the Windows endpoint with the following content:
#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.
import os
import sys
import json
import datetime
if os.name == 'nt':
LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
LOG_FILE = "/var/ossec/logs/active-responses.log"
ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3
OS_SUCCESS = 0
OS_INVALID = -1
class message:
def __init__(self):
self.alert = ""
self.command = 0
def write_debug_file(ar_name, msg):
with open(LOG_FILE, mode="a") as log_file:
log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg +"\n")
def setup_and_check_message(argv):
# get alert from stdin
input_str = ""
for line in sys.stdin:
input_str = line
break
try:
data = json.loads(input_str)
except ValueError:
write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
message.command = OS_INVALID
return message
message.alert = data
command = data.get("command")
if command == "add":
message.command = ADD_COMMAND
elif command == "delete":
message.command = DELETE_COMMAND
else:
message.command = OS_INVALID
write_debug_file(argv[0], 'Not valid command: ' + command)
return message
def send_keys_and_check_message(argv, keys):
# build and send message with keys
keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})
write_debug_file(argv[0], keys_msg)
print(keys_msg)
sys.stdout.flush()
# read the response of previous message
input_str = ""
while True:
line = sys.stdin.readline()
if line:
input_str = line
break
# write_debug_file(argv[0], input_str)
try:
data = json.loads(input_str)
except ValueError:
write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
return message
action = data.get("command")
if "continue" == action:
ret = CONTINUE_COMMAND
elif "abort" == action:
ret = ABORT_COMMAND
else:
ret = OS_INVALID
write_debug_file(argv[0], "Invalid value of 'command'")
return ret
def main(argv):
write_debug_file(argv[0], "Started")
# validate json and get command
msg = setup_and_check_message(argv)
if msg.command < 0:
sys.exit(OS_INVALID)
if msg.command == ADD_COMMAND:
alert = msg.alert["parameters"]["alert"]
keys = [alert["rule"]["id"]]
action = send_keys_and_check_message(argv, keys)
# if necessary, abort execution
if action != CONTINUE_COMMAND:
if action == ABORT_COMMAND:
write_debug_file(argv[0], "Aborted")
sys.exit(OS_SUCCESS)
else:
write_debug_file(argv[0], "Invalid command")
sys.exit(OS_INVALID)
try:
os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
except OSError as error:
write_debug_file(argv[0], json.dumps(msg.alert) + "Error removing threat")
else:
write_debug_file(argv[0], "Invalid command")
write_debug_file(argv[0], "Ended")
sys.exit(OS_SUCCESS)
if __name__ == "__main__":
main(sys.argv)
The os.remove() function in the active response Python script handles the removal of the malicious file:
os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
4. Convert the Python script remove-threat.py to an executable file by running the command below:
> pyinstaller -F remove-threat.py
5. Move the executable file remove-threat.exe from the \dist folder under your current working directory to C:\Program Files (x86)\ossec-agent\active-response\bin.
6. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
> Restart-Service -Name wazuh
Wazuh server
We configure VirusTotal to scan the files monitored by the Windows endpoint against public malware engines for malicious behavior. Consequently, we configure the Wazuh active response module to automatically run the Python executable when VirusTotal flags the scanned files as malicious.
VirusTotal configuration
1. Append the configuration below to the /var/ossec/etc/ossec.conf file to scan the files with VirusTotal:
<ossec_config>
<integration>
<name>virustotal</name>
<api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
<rule_id>554,550</rule_id>
<alert_format>json</alert_format>
</integration>
</ossec_config>
Note: Replace the <API_KEY> with your VirusTotal API key.
Active response configuration
1. Append the following configuration to the /var/ossec/etc/ossec.conf file:
<ossec_config>
<command>
<name>remove-threat</name>
<executable>remove-threat.exe</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>remove-threat</command>
<location>local</location>
<rules_id>87105</rules_id>
</active-response>
</ossec_config>
2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file to generate alerts when the active response module successfully removes the malicious files.
<group name="virustotal,">
<!-- VirusTotal detection rules -->
<rule id="100206" level="12">
<if_sid>657</if_sid>
<match>Successfully removed threat</match>
<description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
<mitre>
<id>T1107</id>
<id>T1485</id>
</mitre>
</rule>
<rule id="100207" level="12">
<if_sid>657</if_sid>
<match>Error removing threat</match>
<description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
</rule>
</group>
Where:
- Rule ID
100206is triggered when the active response module successfully removes the threat. - Rule ID
100207is triggered when the active response module fails to remove the threat.
3. Restart the Wazuh manager to apply configuration changes:
# systemctl restart wazuh-manager
Active response result
To test the configuration, a sample of the CHAVECLOAK malware is added to the Downloads folder on the Windows endpoint. The screenshot below shows the file integrity monitoring and active response alerts on the Wazuh dashboard.
Conclusion
This blog post shows how to detect and respond to CHAVECLOAK malware on a Windows endpoint with Wazuh. We utilize Sysmon integration to enrich Windows event logs from the victim endpoint and then create rules to detect malicious activities associated with CHAVECLOAK malware. We also combine VirusTotal with the Wazuh Active response to scan and remove the malware file from the victim endpoint.
Wazuh is a free and open source enterprise-ready security platform for threat detection, incident response, and compliance. Wazuh integrates with third-party platforms. Wazuh also has a growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.
References