CHAVECLOAK malware detection and response with Wazuh


CHAVECLOAK is a Windows banking trojan that targets individuals in the South American financial sector to steal sensitive financial information. It is distributed through phishing emails carrying malicious PDF attachments. Once running, CHAVECLOAK can block the user's screen, log keystrokes, and display fake pop-up windows. It monitors the victim's endpoint and becomes active when it detects banking-related activity.

CHAVECLOAK runs on the compromised endpoint through DLL side-loading: a legitimate, trusted executable is placed alongside a malicious DLL that carries the name the executable expects, so Windows loads the attacker's code inside the legitimate process. The malware then connects to a command and control (C2) server to receive commands and exfiltrate captured banking credentials.

This blog post explores how to use Wazuh to detect and respond to CHAVECLOAK malware on Windows endpoints.

Behavioral analysis of CHAVECLOAK

  • CHAVECLOAK drops its components into the hidden %AppData%\Skillbrains\lightshot\5.5.0.7 folder of the user profile.
  • It abuses DLL side-loading: the legitimate Lightshot.exe loads the malicious Lightshot.dll, the malware's main component, from that folder.
  • It maintains persistence by creating the registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lightshot, so the malware runs again after a reboot.
  • It connects to a command and control server to receive commands and exfiltrate stolen data.

Analyzed IoC file

Hash type    Value
MD5          c371047910a709f65fd85d10cde0ca4f
SHA256       4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006

Infrastructure

We use the following infrastructure to demonstrate the detection of CHAVECLOAK malware with Wazuh.

  • A pre-built, ready-to-use Wazuh OVA 4.7.4. Follow this guide to download the virtual machine. This endpoint hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Windows 11 victim endpoint with Wazuh agent 4.7.4 installed and enrolled to the Wazuh server. Refer to the installation guide to install the Wazuh agent. 

Detection with Wazuh

We use the following techniques to detect the CHAVECLOAK malware on an infected Windows endpoint:

  • Custom detection rules that alert on CHAVECLOAK activity observed through Sysmon events.
  • The Wazuh active response capability, combined with VirusTotal, to scan newly created files and remove those identified as malicious.

Detection rules

We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the malicious activities of CHAVECLOAK.

Windows endpoint

Perform the following steps to configure the Wazuh agent to collect and forward Sysmon logs to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Using PowerShell with administrator privilege, create a Sysmon folder in the C:\ folder:

> New-Item -ItemType Directory -Path C:\Sysmon

3. Extract the compressed Sysmon file to the  C:\Sysmon folder:

> Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"

Replace <PATH> with the path where Sysmon.zip was downloaded.

4. Download the Sysmon configuration file sysmonconfig.xml to the C:\Sysmon folder using the PowerShell command below (wget is the PowerShell alias for Invoke-WebRequest):

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml

5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:

> cd C:\Sysmon 
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh

Wazuh server

We create custom rules to generate alerts when CHAVECLOAK malware activities are detected on the Windows endpoint. Perform the following steps to create detection rules on the Wazuh server.

1. Create a custom rule file chavecloak_rules.xml in the /var/ossec/etc/rules/ directory of the Wazuh server:

# touch /var/ossec/etc/rules/chavecloak_rules.xml

2. Add the custom rules for CHAVECLOAK malware below to the /var/ossec/etc/rules/chavecloak_rules.xml file:

<group name="chavecloak,">

<!-- Suspicious file creation -->
  <rule id="100201" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">msiexec.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">Lightshot.exe</field>
    <description>$(win.eventdata.image) created the executable $(win.eventdata.targetFilename). Possible CHAVECLOAK malware activity.</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>
  
<!-- Lightshot executable loaded -->  
  <rule id="100202" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">Lightshot.exe</field>
    <description>$(win.eventdata.originalFileName) executable loaded. CHAVECLOAK malware detected.</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>
 
<!-- DLL Sideloading -->
  <rule id="100203" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">Lightshot.dll</field>
    <description>$(win.eventdata.imageLoaded) loaded by $(win.eventdata.image). CHAVECLOAK malware detected.</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>

<!-- Persistence detection --> 
  <rule id="100204" level="12">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(?i)SetValue</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)\\\\CurrentVersion\\\\Run\\\\Lightshot</field>
    <description>New run key added to registry by $(win.eventdata.image). CHAVECLOAK malware detected.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

<!-- Outbound network connection --> 
  <rule id="100205" level="12">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">Lightshot.exe</field>
    <field name="win.eventdata.destinationIp" type="pcre2">\d+\.\d+\.\d+\.\d+</field>
    <description>Possible CHAVECLOAK malware activity: Network connection to $(win.eventdata.destinationIp):$(win.eventdata.destinationPort) detected.</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

</group>

Below is the list of rule IDs that are triggered when activity associated with CHAVECLOAK malware is detected:

  • Rule ID 100201 triggers when msiexec.exe creates an executable named Lightshot.exe (the malicious installer dropping the file into %AppData%\Skillbrains\lightshot\5.5.0.7).
  • Rule ID 100202 triggers when Lightshot.exe loads its own image, that is, when the dropped executable runs.
  • Rule ID 100203 triggers when Lightshot.exe loads the similarly named Lightshot.dll, the side-loaded payload.
  • Rule ID 100204 triggers when Lightshot.exe adds the Lightshot run key to the Windows Registry for persistence.
  • Rule ID 100205 triggers when Lightshot.exe opens an outbound network connection, for example to the C2 server.

Note that these rules key on the Lightshot file names and Run key name only. A legitimate Lightshot installation can therefore trip rules 100202, 100203 and 100205; if Lightshot is in use in your environment, add a constraint on the %AppData%\Skillbrains\lightshot drop path to the win.eventdata.image field.

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager
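To see how these five rules behave against the infection chain before deploying them, the following Python script is an added example (not part of the original post and not Wazuh code) that re-implements the rule matching over constructed Sysmon-style eventdata. It mirrors the page's field patterns (with Python's single-escaped backslashes in place of the `\\\\` Wazuh XML convention, and the dots of the dotted-quad pattern escaped), runs them over a constructed infection sequence, and then shows the caveat the name-only rules carry: a Lightshot copy installed under Program Files that loads its own DLL also fires rule 100203, while a variant scoped to the %AppData%\Skillbrains\lightshot drop path does not. The event contents, the Program Files path and the tightened pattern are assumptions for this emulation; the parent-rule to Sysmon event mapping is taken from the Wazuh Sysmon ruleset.

```python
import re
from dataclasses import dataclass, field

# Sysmon event IDs behind the Wazuh parent rules this page hangs its rules off
# (61613 = Event 11 FileCreate, 61609 = Event 7 ImageLoad,
#  92300 = Event 13 registry value set, 61605 = Event 3 NetworkConnect).
SYSMON_ID_FOR_PARENT = {61613: 11, 61609: 7, 92300: 13, 61605: 3}


@dataclass
class Rule:
    rule_id: int
    parent: int            # the <if_sid> the rule depends on
    fields: dict           # eventdata field -> regex; Wazuh ANDs every <field>
    description: str
    _rx: dict = field(init=False, repr=False)

    def __post_init__(self):
        self._rx = {k: re.compile(v) for k, v in self.fields.items()}

    def matches(self, event):
        if SYSMON_ID_FOR_PARENT[self.parent] != event["eventId"]:
            return False
        data = event["eventdata"]
        # A missing field never matches; every configured field must match.
        return all(k in data and rx.search(data[k]) for k, rx in self._rx.items())


# The five page rules. Python raw strings need one escaped backslash (\\) where the
# Wazuh XML on this page writes four (\\\\); the dotted-quad pattern escapes its dots.
PAGE_RULES = [
    Rule(100201, 61613, {"image": r"msiexec\.exe", "targetFilename": r"Lightshot\.exe"},
         "msiexec.exe created Lightshot.exe"),
    Rule(100202, 61609, {"image": r"Lightshot\.exe", "imageLoaded": r"Lightshot\.exe"},
         "Lightshot.exe loaded"),
    Rule(100203, 61609, {"image": r"Lightshot\.exe", "imageLoaded": r"Lightshot\.dll"},
         "Lightshot.dll side-loaded by Lightshot.exe"),
    Rule(100204, 92300, {"image": r"Lightshot\.exe", "eventType": r"(?i)SetValue",
                         "targetObject": r"(?i)\\CurrentVersion\\Run\\Lightshot"},
         "Run key persistence"),
    Rule(100205, 61605, {"image": r"Lightshot\.exe", "destinationIp": r"\d+\.\d+\.\d+\.\d+"},
         "Outbound connection from Lightshot.exe"),
]

# Variant of 100203 scoped to the drop path the page describes (assumed pattern), so a
# Lightshot copy installed under Program Files does not trip it.
DROP_PATH = r"(?i)\\AppData\\Roaming\\Skillbrains\\lightshot\\"
TIGHTENED_RULES = [r for r in PAGE_RULES if r.rule_id != 100203] + [
    Rule(100203, 61609, {"image": DROP_PATH + r".*Lightshot\.exe", "imageLoaded": r"Lightshot\.dll"},
         "Lightshot.dll side-loaded from the user-profile drop path"),
]


def evaluate(rules, events):
    """Return the IDs of the rules that fire, in event order.
    Wazuh emits one alert per event; none of the events below matches two rules."""
    return [r.rule_id for ev in events for r in rules if r.matches(ev)]


MAL = r"C:\Users\victim\AppData\Roaming\Skillbrains\lightshot\5.5.0.7"
LEGIT = r"C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7"

# Constructed Sysmon eventdata mirroring the infection chain on this page (not real telemetry).
INFECTION_CHAIN = [
    {"eventId": 11, "eventdata": {"image": r"C:\Windows\System32\msiexec.exe",
                                  "targetFilename": MAL + r"\Lightshot.exe"}},
    {"eventId": 7, "eventdata": {"image": MAL + r"\Lightshot.exe", "imageLoaded": MAL + r"\Lightshot.exe"}},
    {"eventId": 7, "eventdata": {"image": MAL + r"\Lightshot.exe", "imageLoaded": MAL + r"\Lightshot.dll"}},
    {"eventId": 13, "eventdata": {"image": MAL + r"\Lightshot.exe", "eventType": "SetValue",
                                  "targetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lightshot"}},
    {"eventId": 3, "eventdata": {"image": MAL + r"\Lightshot.exe", "destinationIp": "203.0.113.10",
                                 "destinationPort": "443"}},
]

# A legitimate install loading its own DLL: same file names, different directory (constructed).
BENIGN = [{"eventId": 7, "eventdata": {"image": LEGIT + r"\Lightshot.exe",
                                        "imageLoaded": LEGIT + r"\Lightshot.dll"}}]

if __name__ == "__main__":
    print("page rules, infection chain:", evaluate(PAGE_RULES, INFECTION_CHAIN))
    print("page rules, legit Lightshot:", evaluate(PAGE_RULES, BENIGN))
    print("tightened rules, legit Lightshot:", evaluate(TIGHTENED_RULES, BENIGN))
```

Running the script fires 100201 through 100205 once each for the infection chain, fires 100203 for the benign Program Files load with the page's rules, and fires nothing for it with the tightened variant. The same path constraint can be carried into the Wazuh XML of rule 100203 with the `\\\\` escaping shown in rule 100204.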

Detection results

On the Wazuh dashboard, open the Agents page, select the Windows endpoint, then open the Security events tab to view the generated alerts.

The screenshot below shows the alerts generated on the Wazuh dashboard when the malware is executed on the victim’s Windows endpoint.

Figure 1: CHAVECLOAK malware alerts on the Wazuh dashboard

Detecting and removing CHAVECLOAK malware with VirusTotal and active response

VirusTotal is a security platform that aggregates antivirus products and online scan engines, offering an API that can be queried using URLs, IP addresses, domains, or file hashes to detect security threats. You can configure Wazuh to automatically send requests to the VirusTotal API with the hashes of files created or modified on monitored endpoints.

We configure the Wazuh File Integrity Monitoring (FIM) module and VirusTotal to detect and scan files added or modified in specific directories on the Windows endpoint. Furthermore, we configure the Wazuh active response module to remove any files identified as malicious by VirusTotal.

Windows endpoint

Configure the Wazuh FIM module and create an active response script using the steps below.

Configuring the FIM module

1. To detect the CHAVECLOAK sample landing on the endpoint, append the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent. In our case, we configure the FIM module to monitor every user's Downloads folder in real time:

<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>
  </syscheck>
</ossec_config>

2. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh

Active response Python script configuration

We create an active response script to remove the CHAVECLOAK malware when VirusTotal identifies it as a threat.

1. Download Python 3.11 and run the installer. Select the following checkboxes on the installer dialog box: 

  • Use admin privileges when installing py.exe.
  • Add Python.exe to PATH

2. Run the following command in PowerShell with administrative privilege to install PyInstaller:

> pip install -U pyinstaller

3. Create an active response script remove-threat.py on the Windows endpoint with the following content:

#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

# Active response scripts log to active-responses.log; the path differs per OS.
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1


class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # The manager sends the alert as a single JSON line on stdin
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    msg = message()

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        msg.command = OS_INVALID
        return msg

    msg.alert = data

    command = data.get("command")

    if command == "add":
        msg.command = ADD_COMMAND
    elif command == "delete":
        msg.command = DELETE_COMMAND
    else:
        msg.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return msg


def send_keys_and_check_message(argv, keys):
    # Ask the manager whether to go ahead; it answers "continue" or "abort"
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})

    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")

    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret


def main(argv):
    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        # Delete the file VirusTotal flagged; the path is taken from the alert itself
        try:
            os.remove(alert["data"]["virustotal"]["source"]["file"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat")

    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")

    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)

The os.remove() function in the active response Python script handles the removal of the malicious file:

os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])

4. Convert the Python script remove-threat.py to an executable file by running the command below:

> pyinstaller -F remove-threat.py

5. Move the executable file remove-threat.exe from the dist folder under your current working directory to C:\Program Files (x86)\ossec-agent\active-response\bin.

6. Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh
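The script above deletes whatever currently sits at the path carried in the alert. Between the FIM event, the VirusTotal lookup and the active response, that path can change hands, so a practitioner may want to re-hash the file and compare it with the hash VirusTotal judged before removing it. The following Python script is an added example (not from the original post and not Wazuh code) that plays both sides of the active response exchange in one process: a stand-in for the manager builds the add message and answers the check_keys request with continue or abort, and a hardened handler removes the file only when its SHA-1 still matches data.virustotal.source.sha1. The alert layout, the in-process stand-in for execd, the status strings and the sample files are constructed assumptions; the field names under data.virustotal follow the Wazuh VirusTotal integration.

```python
import hashlib
import json
import os
import tempfile

# Message shapes follow the Wazuh active response protocol the page's script speaks:
#   manager -> script : {"command": "add", "parameters": {"alert": {...}}}
#   script  -> manager: {"command": "check_keys", "parameters": {"keys": [...]}}
#   manager -> script : {"command": "continue"} or {"command": "abort"}
# Here both sides run in one process; execd is replaced by a callable (an assumption).


def build_add_message(path, sha1, rule_id="87105"):
    """Constructed stand-in for the alert the manager forwards on a VirusTotal hit.
    Field names under data.virustotal follow the Wazuh VirusTotal integration; the
    surrounding values are made up for this example."""
    return {
        "version": 1,
        "origin": {"name": "wazuh-manager", "module": "wazuh-execd"},
        "command": "add",
        "parameters": {
            "extra_args": [],
            "alert": {
                "rule": {"id": rule_id, "level": 12},
                "data": {"virustotal": {"found": 1, "malicious": 1,
                                        "source": {"file": path, "sha1": sha1}}},
            },
        },
    }


def check_keys_message(keys):
    """What the script sends back to execd before acting (same shape as the page's script)."""
    return {"version": 1, "origin": {"name": "remove-threat", "module": "active-response"},
            "command": "check_keys", "parameters": {"keys": keys}}


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def remove_threat(add_msg, manager_reply):
    """Agent side. manager_reply(check_keys_msg) returns execd's JSON answer.
    Returns a status string instead of writing active-responses.log."""
    if add_msg.get("command") != "add":
        return "invalid-command"
    alert = add_msg["parameters"]["alert"]
    reply = manager_reply(check_keys_message([alert["rule"]["id"]]))
    if reply.get("command") == "abort":
        return "aborted"
    if reply.get("command") != "continue":
        return "invalid-reply"
    source = alert["data"]["virustotal"]["source"]
    # Hardening over the page's script: delete only if the file on disk is still the
    # one VirusTotal judged. A different hash means the path was reused or replaced
    # between the FIM event and this response, and deleting would hit the wrong file.
    try:
        if sha1_of(source["file"]) != source["sha1"]:
            return "hash-mismatch"
        os.remove(source["file"])
    except OSError:
        return "error-removing"
    return "removed"


def demo():
    """Exercise abort, hash mismatch and removal on constructed files in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "Lightshot.exe")   # constructed bytes, not the real sample
        with open(sample, "wb") as f:
            f.write(b"MZ constructed CHAVECLOAK stand-in")
        flagged = build_add_message(sample, sha1_of(sample))

        def allow(msg):          # execd saying "go ahead"
            return {"command": "continue"} if msg["command"] == "check_keys" else {}

        def deny(msg):           # execd saying "stop"
            return {"command": "abort"}

        results["abort"] = (remove_threat(flagged, deny), os.path.exists(sample))

        swapped = os.path.join(d, "swapped.exe")    # a different file at a path VT flagged earlier
        with open(swapped, "wb") as f:
            f.write(b"not the bytes VirusTotal looked at")
        stale = build_add_message(swapped, sha1_of(sample))
        results["mismatch"] = (remove_threat(stale, allow), os.path.exists(swapped))

        results["removed"] = (remove_threat(flagged, allow), os.path.exists(sample))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An abort from the manager leaves the file in place, a stale alert whose hash no longer matches the bytes on disk is refused, and only the matching case ends with the file gone. To carry the check into the page's remove-threat.py, compute the hash before the os.remove() call and compare it with the md5 or sha1 value the VirusTotal integration places under data.virustotal.source.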

Wazuh server

We configure the Wazuh VirusTotal integration to look up the hashes of files reported by the FIM module on the Windows endpoint against the VirusTotal engines. We then configure the Wazuh active response module to run the remove-threat.exe executable on the endpoint when VirusTotal flags a file as malicious.

VirusTotal configuration

1. Append the configuration below to the /var/ossec/etc/ossec.conf file to scan the files with VirusTotal:

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

Note: Replace the <API_KEY> with your VirusTotal API key.

Active response configuration

1. Append the following configuration to the /var/ossec/etc/ossec.conf file:

<ossec_config>

    <command>
        <name>remove-threat</name>
        <executable>remove-threat.exe</executable>
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <disabled>no</disabled>
        <command>remove-threat</command>
        <location>local</location>
        <rules_id>87105</rules_id>
    </active-response>

</ossec_config>

2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file to generate alerts when the active response module removes, or fails to remove, a malicious file:

<group name="virustotal,">

<!-- VirusTotal detection rules -->

  <rule id="100206" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
  </rule>

  <rule id="100207" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

Where:

  • Rule ID 100206 is triggered when the active response module successfully removes the threat.
  • Rule ID 100207 is triggered when the active response module fails to remove the threat.

3. Restart the Wazuh manager to apply configuration changes:

# systemctl restart wazuh-manager

Active response result

To test the configuration, a sample of the CHAVECLOAK malware is added to the Downloads folder on the Windows endpoint. The screenshot below shows the file integrity monitoring and active response alerts on the Wazuh dashboard.

Figure 2: VirusTotal and active response alerts on the Wazuh dashboard

Conclusion

This blog post shows how to detect and respond to CHAVECLOAK malware on a Windows endpoint with Wazuh. We use Sysmon to enrich the Windows event logs from the victim endpoint and create rules that detect the malicious activities associated with CHAVECLOAK. We also combine VirusTotal with the Wazuh active response module to scan for and remove the malware file from the victim endpoint.

Wazuh is a free and open source enterprise-ready security platform for threat detection, incident response, and compliance. Wazuh integrates with third-party platforms. Wazuh also has a growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.
