Sunday, 12 August 2018

IRIS-H: Alpha is dead! Long live Beta.

Quick Summary

Build Version: 0.2.0 (beta)

Change Type: new version release
Affected Components: API, UI
Short Description: New version includes:

  • (new) complete re-write of the UI 'look & feel'
  • (new) Yara rules support
  • (new) personal service accounts
  • (new) 'Workbench' data view (see Detailed Summary section for description)
  • (new) 'External Intelligence' section added to the 'Report' data view
  • (new) public GitHub repository for issues tracking and feedback
  • API backend data handling infrastructure changes
  • static analysis data extraction routines improvements
  • bug fixes

Outstanding Tasks: Attach external intelligence feeds, minor cosmetic UI fixes, further data parser improvements.
Known Issues: Minor cosmetic glitches in the UI.

Detailed Summary

Disclaimer: All the functionality descriptions and screenshot examples given below reflect the application state at release time. Some features and the interface 'look & feel' might change in follow-up releases.

Sections below describe some of the major features/changes implemented in this release.

New UI

The IRIS-H UI has been completely re-written using Akveo Nebular UI and the mighty power of Angular. While the content of the data views and service pages is mostly the same, their look has changed completely. Please see below for a detailed breakdown.

Dashboard (Home page)

IRIS-H Dashboard View

The dashboard now performs 3 functions:

  • overall submitted data view
  • system health display
  • filters for currently loaded data

While the overall submitted data and system health views are self-explanatory, the data filter functionality is explained below.

Each statistical data view panel is interactive. Clicking on a pie chart section or a bar will filter the 'Submissions' table view. For example, clicking 'Malicious OLE' bar in 'Object Linking & Embedding' panel will change the 'Submissions' table view to display only reports for malicious OLE files.

Filtering 'Submissions' table view using Dashboard submitted data panel
NOTE: The filters will apply only to the data already loaded into the dashboard - 50 latest submissions.

The data displayed in the dashboard depends on the user type - Public / Registered. There is a concept of 'Public' and 'Private' data now. The file analysis data is tied to the user account the file was submitted under.

Public data - file analysis reports generated under 'Public User' account (not logged in)

Private data - file analysis reports generated under logged in user.

Submission Page

Submission page didn't change that much in terms of the content and functionality.

IRIS-H Submission Page
The page now includes a submission type indicator - Public/Private.

IRIS-H submission type indicator - Public
IRIS-H submission type indicator - Private
Report Page

The content displayed on the report page has been re-worked and the majority of the generic information has been removed.

IRIS-H Report page example
The report page now supports displaying multiple reports using separate report page tabs. While the same result can be achieved by opening separate tabs in the Internet browser, this feature serves as a good alternative.

IRIS-H Report page - tabs view example
NOTE: The memory consumed by the tool depends on the number of reports opened at the same time. Use the Internet browser's page refresh function to remove all report tabs except the currently active one.

Workbench Page

Workbench is a new data view type added in this release. It can be accessed through 'Report' page navigation sub-menu or through the main interface side bar if any workbench data is already loaded.

Access 'Workbench' view from 'Report' page

The 'Workbench' page allows browsing the submitted file content through its structural view. The file content is displayed in HEX and ASCII formats.

IRIS-H Workbench Page example
The 'File Structure' tree view on the left hand side is interactive, as is the HEX view of the data. When an entry in the tree view is selected, the corresponding HEX and ASCII pieces of data are scrolled into view. The HEX view is interactive in the same way, except for the scrolling part.

IRIS-H Workbench Page - file content browsing example

On each interaction with the tree or HEX views, the content of the 'Description' panel on the right hand side is updated with the corresponding data description as per the official file format specification.

Download function is available for each individual file component as well as for the submitted file itself. The 'Download' button can be found on the right hand side in each workbench panel header.

NOTE: This feature is currently available for files in 'Shell Link Binary' format (LNK) only.

General UI features

Akveo Nebular UI offers many features to customize the interface look. All of the customization options are available through 'Settings' sub-menu located in the top right corner.
IRIS-H Interface customization settings
While all of them are self-explanatory, I'd like to single out my favorite one - UI Theme customization. It allows the interface theme to be changed on the fly. There are currently 3 themes available - light, cosmic and corporate. Corporate is the default theme, though my personal favorite is cosmic.

IRIS-H with Cosmic UI Theme applied
Yara Rules Support + 'External Intelligence'

This is a new addition to the static analysis engine: IRIS-H will now scan the submitted files and their partial content with Yara rules. The scanning engine is based on the node-yara module developed by NoSpaceships.

The current Yara rule set consists of the rules developed and collected by Florian Roth for his Nextron Systems scanners.

'Report' page now includes a new section called 'External Intelligence & Automated Scanning' that displays any Yara matches.

IRIS-H Report Page - Yara match example

This section will also display information collected from external sources. This feature is currently under development.

Personal Service User Account

IRIS-H now supports personal user accounts. Since this new feature is still in testing, the public registration process is currently unavailable; however, user accounts can be provisioned upon request (hit me up on Twitter).

The current personal account design provides the same features as the public account, with one exception: analysis report data is made private and is available only to the user logged in with the account under which the submitted file was processed.

There is no other difference in the features set.

GitHub Repository

Repository has been created on GitHub to enable issues tracking. Issue reports and feature suggestions are much appreciated.


This project wouldn't be where it is now without such a great support from the InfoSec community and all those highly talented people who create beautiful tools and applications that help and inspire a curious mind. There are no words to describe how much I value any collaboration that happens in those communities - you can never stop learning.

Special kudos go to:

  • InfoSec community (honest to creators, you are machines. I envy your energy!)
  • Angular community on (you're mind-blowing folks)
  • Individuals who supported the project with their valuable feedback and file samples. I simply can't post such a big list here and I do not support fame leeching, but you know who you are. I endlessly value our relationships.

Wednesday, 11 July 2018

You only had one job...

Brief translation of some files located in the Project Pegasus source code leak...


Project Pegasus - Content brief description

Pegasus is a complex, structured project for x32 and x64 platforms.
The installer injects the system kernel into svchost process memory and deletes the source file.

The initial installer passes execution control in the following way:
Shellcode -> InstallDispatcherDll

The new process passes execution control in the following way:
Shellcode -> WorkDispatcherDll -> all other modules

If installing over an existing deployment, a build ID check is performed, and if the build ID is found to be below or equal to the current version, the installation is canceled.

The modules' functionality would take a while to explain and describe here. If absolutely necessary, look at the corresponding source code - the description there is well structured and documented.

Microsoft Visual Studio 2013+ and PHP Tools for Visual Studio from Devsense are required to build the project.

Folders description:

Compiled modules and other code for x32 and x64 platforms

Final installers for both platforms, debug and release version depending on the sub folder it's stored in.

Program libraries used by different sub-projects.

Installer module, performs injects into a new process

Initial installer project

Files necessary for compiling the project without MSVCRT

Resource packing utility

Command execution module using the panel (new process, console command, etc.)

Domain propagation module

KBR payment swapping module

Injector module that intercepts KBR data exchange process and receives swapped data from mod_KBRI

Password extraction module, re-written and patched mimikatz code

Communication module, including using pipes for machines with restricted network access

Special Executable file that is uploaded to a remote system in case of domain propagation scenario.

Common header and configuration files

Attached libraries load and execution shellcode

Project assembly scripts and utilities

Client part of the admin panel, integrated into Studio project

Admin panel, copy from the development server

System kernel

In the general case,
\shared\config.h is configured first
\tools\MAKE_INSTALLERS.BAT with Release or Debug parameter assembles the rest
\BUILDS\ folder will contain the final build

Wednesday, 7 March 2018

IRIS-H (alpha): Added RTF files parser module

Quick Summary

Build Version: 0.0.1 (alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API side code logic (parser) has been added to allow for RTF files processing. Currently, the new parser provides basic data extraction capabilities. UI side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: Second development iteration.
Known Issues: Some data obfuscation types are not supported.

Detailed Summary

New code logic has been added to IRIS-H to allow for Rich Text Format (RTF) files processing. The 'Submission' page will now accept RTF file upload and pass it for further processing which includes the following:

  • extract document metadata
  • identify and parse embedded objects
  • extract font table
  • detect languages used in the document
  • provide description for all extracted data

Currently, the parsing module only provides essential processing. The module was tested with a good number of malicious RTF files and seems to be relatively stable handling the majority of obfuscation techniques. Thanks to @James_inthe_box for providing the samples!

Example Reports - ASLR/DEP evasion using msvbvm60.dll (CVE-2017-11826 precursor)
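The 'identify and parse embedded objects' step above, shown as an added example that is not IRIS-H's own parser code: it locates each \objdata group with brace-aware scanning, strips interleaved control words and whitespace (a simple form of the obfuscation mentioned above) before hex-decoding, and reads the OLE 1.0 ObjectHeader that an embedded object starts with. The sample RTF and its 'Package' object are constructed for this example.

```python
import re
import struct

# Constructed sample: one embedded OLE1 "Package" object whose hex is split by whitespace and a stray \par.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}}"
    r"{\object\objemb{\*\objclass Package}"
    r"{\*\objdata 01050000 02000000\par 08000000 5061636b61676500"
    r" 00000000 00000000 05000000 68656c6c6f}}}"
)

def _group_body(text: str, start: int) -> str:
    """Return the body of the RTF group whose '{' is at text[start], honouring \\{ and \\} escapes."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2                      # skip escaped brace or first letter of a control word
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
        i += 1
    raise ValueError("unbalanced RTF group")

def extract_objdata(rtf: str) -> list:
    """Decode every \\objdata group, dropping control words and non-hex noise first."""
    blobs = []
    for m in re.finditer(r"\{\\\*\\objdata", rtf):
        body = re.sub(r"\\[a-zA-Z]+-?\d* ?", "", _group_body(rtf, m.start()))
        hexdigits = re.sub(r"[^0-9A-Fa-f]", "", body)
        blobs.append(bytes.fromhex(hexdigits[:len(hexdigits) & ~1]))   # tolerate odd trailing nibble
    return blobs

def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS) at the start of an \\objdata payload."""
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    class_name = blob[12:12 + name_len].rstrip(b"\0").decode("latin-1")
    off = 12 + name_len
    for _ in ("TopicName", "ItemName"):     # two more length-prefixed strings, usually empty
        n, = struct.unpack_from("<I", blob, off)
        off += 4 + n
    native_len, = struct.unpack_from("<I", blob, off)      # FormatID 2 = EmbeddedObject
    return {"version": version, "format": fmt, "class": class_name,
            "native_size": native_len, "native": blob[off + 4:off + 4 + native_len]}
```

The class name and native payload size are what a report would surface; the native bytes themselves are the embedded file to hand on for further analysis.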

Monday, 5 February 2018

IRIS-H (alpha): Added ZIP files support

Quick Summary

Build Version: 0.0.1 (alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API side code logic has been added to allow submitting zipped files. The industry standard password 'infected' is supported. UI side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: None
Known Issues: ZIP files created with Ubuntu 'Archive Manager' throw an error.

Detailed Summary

The code logic has been added to IRIS-H to allow handling file extraction from ZIP archive files. The 'Submission' page will now accept ZIP file upload and perform the following operations with it:

  • identify if the file is a Microsoft Office document in OOXML format
  • identify the number of files in the archive
  • identify if the password is set
  • identify the unpacked size of the compressed file contained in the archive
  • identify if the archive file is 'nested'

The following restrictions and limitations are applied:

  • ZIP file must contain a single file
  • if ZIP file password is enabled it must be set to 'infected'
  • unpacked size of the compressed file contained in the archive must not exceed 10MB
  • ZIP 'nesting' must not exceed 2 levels (ZIP-in-a-ZIP)
  • ZIP file size must not exceed 4MB*
* 4MB ZIP file size limit is enforced by the underlying technology employed to handle the file extraction. More on this in the following section.
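The submission checks and restrictions listed above, as an added example that is not IRIS-H's own code (it is written in Python rather than the service's JavaScript or the Lambda's C#, because the standard library can read ZIP archives). The limits are the ones stated in the post; the 'infected' password is tried only when the entry's encryption flag is set, and the unpacked size is enforced on real decompressed bytes, not on the declared header value.

```python
import io
import zipfile

MAX_ARCHIVE_BYTES = 4 * 1024 * 1024     # enforced by the Lambda 'Invoke' payload limit
MAX_UNPACKED_BYTES = 10 * 1024 * 1024
MAX_NESTING = 2                         # ZIP-in-a-ZIP is the deepest allowed
PASSWORD = b"infected"

def check_submission(data: bytes, depth: int = 1) -> dict:
    """Validate a submitted ZIP against the policy. Returns a verdict dict instead of raising."""
    if len(data) > MAX_ARCHIVE_BYTES:
        return {"ok": False, "reason": "archive exceeds 4MB"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ok": False, "reason": "not a ZIP file"}
    infos = zf.infolist()
    if len(infos) != 1:
        return {"ok": False, "reason": f"expected 1 entry, found {len(infos)}"}
    info = infos[0]
    encrypted = bool(info.flag_bits & 0x1)          # general-purpose bit 0 = encrypted
    # Decompress in bounded chunks and count real bytes instead of trusting the declared file_size.
    out, total = io.BytesIO(), 0
    try:
        with zf.open(info, pwd=PASSWORD if encrypted else None) as fh:
            while chunk := fh.read(65536):
                total += len(chunk)
                if total > MAX_UNPACKED_BYTES:
                    return {"ok": False, "reason": "unpacked size exceeds 10MB"}
                out.write(chunk)
    except (RuntimeError, NotImplementedError, zipfile.BadZipFile) as exc:
        # wrong password, unsupported cipher, or a corrupt / size-mismatched entry (CRC failure)
        return {"ok": False, "reason": f"cannot extract: {exc}"}
    payload = out.getvalue()
    is_zip = payload.startswith(b"PK\x03\x04")
    is_ooxml = is_zip and b"[Content_Types].xml" in payload   # OOXML is a ZIP but not 'nesting'
    if is_zip and not is_ooxml:
        if depth >= MAX_NESTING:
            return {"ok": False, "reason": "ZIP nesting exceeds 2 levels"}
        return check_submission(payload, depth + 1)
    return {"ok": True, "name": info.filename, "encrypted": encrypted,
            "unpacked": total, "ooxml": is_ooxml, "nested": depth}

def make_zip(entries: dict) -> bytes:
    # Constructed, unencrypted test input (the stdlib writes no ZipCrypto archives).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```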

What's under the hood?

Disclaimer: The choice of the technology used to implement ZIP files support was mainly driven by a will to learn it. Another contributing factor though is the lack of good NodeJS libraries that provide password protected ZIP files handling.

IRIS-H API and UI components are written in different flavours of JavaScript. Originally, I was looking to implement ZIP files support using a JS library, but to my surprise I couldn't find the one with proper support for different compression and encryption types. I realized it would have to be implemented in a different programming language, but the integration with the rest of the service and its infrastructure seemed challenging until I decided to look into using AWS Lambda.

AWS Lambda supports a number of programming languages, including C# with .NET Core 2.0. This opens up a good number of possible solutions. The choice fell on SharpZipLib. This library supports most of the compression and encryption methods. Building an AWS Lambda function turned out to be a rather easy task. The most challenging part was dealing with the 'RequestResponse' size limitations enforced by the 'Invoke' function. The only solution I could find was to apply the ZIP file size limit at submission time. It's currently set to 4 MB due to the Lambda's 6 MB limit. The 2 MB difference accounts for the 'base64' conversion the submitted ZIP file is subject to when sent to the Lambda function.

Testing it with ZIP files of different sizes shows that it takes about 10 seconds on average to process a 4 MB ZIP file. Those under 1 MB are processed almost with no delay.

Like the rest of the service, this new feature is experimental and requires more thorough testing. I'd appreciate any feedback.