Malware related archives decryption using strings command

Cyber attacks landscape is evolving rapidly, reaching high levels of sophistication and complexity in order to exploit and breach enterprises, government entities, universities, financial institutions, etc… even in presence of properly designed and well maintained defense-in-depth strategies. Basically the main stages of a targeted attacks attack can  be summarized in the following five steps:

• Investigate
• Infiltrate
• Explore
• Exfiltrate
• Maintain Access

Each stage needs advanced tools and techniques in order to be completed stealthy and often the tools are very specific for each target. In many cases, that tools are created and coded by cybercriminals few hours ago before their deployment in the targeted network to avoid detection systems and signature based analysis. Besides these tools, however, are also used commercial utilities to perform many other activities like encryption, packaging, remote exec, remote access, etc…

RAR and ZIP archives are commonly used to compress and encrypt stolen data during the exfiltration phase of the attack. RAR format is preferred to ZIP thanks to it’s AES-256 encryption, command line utilities for many architectures and operating systems, archive-content encryption, etc…

Very often this archives are generated automatically by malware, scheduled tasks, command line utilities or attackers actions and could be identified by the filename structure in the infected filesystems or after a Forensics Analysis: YEAR_MONTH_DAY_USERID_HOSTNAME.RAR or similar as example.

If the archive content listing is blocked or encrypted, we cannot understand which data are included in the stolen archives and we have to start a password recovery task in order to open the files.
There are several options to achieve the goal:

• free or commercial tools on a single host
• commercial tools for distributed tasks over several machines
• online password recovery services
• GPU cracking utils
• hardware acceleration based on FPGA

Each method listed above could require hours, days, months or years to be completed depending on the password length and/or complexity used to protect the files, but we can speed up the process using a very specific dictionary file containing malware-related strings.

In order to create the dictionary we need the malicious code who generate archives (malware, scheduled task, exe, dll, etc..) and an analysis Linux box with “strings” command installed.
You can find and extract malicious code via Forensic Analysis or Network Analysis, malware detection tools or any other method you like 🙂

Using your preferred Linux distro (or a dedicated version for Forensics analysis like Deft, Caine, REMnux, SIFT, Helix PRO) run the following command (replace malware.dll and malware.dic as needed and “20” as maximul string length):

i=1; while [ $i -le 20 ]; do strings -a -n $i malware.dll >> malware.dic; i=$((i+1)); done

The script will create a dictionary file (malware.dic) containing every string with length between 1 and 20 chars extracted by your malware sample; you can use this specific dictionary against your malware using one of the method listed above or one of the many tools available in Forensics Distributions.

Hope this post could be useful 😉

Update 24-10-204: As expleined on Icamtuf’s blog is not suggested to run strings command on untrusted file. Please note that “-a” option must be used in order to mitigate risks during analysis. For further information check CVE-2014-8485)