Full Report
Wiz is expanding our existing detection capabilities to include pattern-based malware detection using YARA rules written by the Wiz Research team
Analysis Summary
# Tool/Technique: YARA Rules for Malware Detection
## Overview
YARA is a tool used for malware detection that enables researchers to write specific rules based on textual or binary patterns to identify malware families. Wiz is now applying proprietary YARA rules in an agentless manner across cloud environments (VMs, containers, serverless, buckets, code repositories) to detect malware variants, including types prevalent in cloud settings like webshells, offensive security tools, Trojan payloads, and crypto miners.
## Technical Details
- Type: Tool / Detection Methodology
- Platform: Cloud Environments (VMs, Containers, Serverless, Buckets, Code Repositories)
- Capabilities: Pattern-based detection of known and novel malware variants, digital forensics, real-time threat identification.
- First Seen: Not explicitly stated for the general tool, but Wiz integration is a recent addition.
## MITRE ATT&CK Mapping
This capability is a **Detection** control; the **Defense Evasion** mapping reflects the obfuscation the targeted malware families rely on, while those families themselves aim for execution and persistence.
- TA0014 - **Defense Evasion** (YARA rules are written to see through the obfuscation common in custom-compiled malware)
- T1562 - **Impair Defenses** (where the underlying malware family does this)
- T1027 - **Obfuscated Files or Information** (YARA helps detect obfuscated variants)
## Functionality
### Core Capabilities
- **Pattern Matching:** Uses collections of strings, regular expressions, and logical conditions to identify specific patterns within files indicative of malware.
- **Variant Detection:** Robustly detects many variants of malware families, crucial for polymorphic or easily customized malware like webshells and offensive tools.
- **Agentless Scanning:** Allows continuous evaluation of cloud assets for malware without needing to deploy an agent on the workload.
### Advanced Features
- **Detection of Custom/Variable Malware:** Specifically targets malware types that are uniquely generated per target (e.g., webshells with unique credentials) or compiled on the fly (e.g., offensive tools with varied IPs/commands).
- **Runtime Complement:** Works alongside runtime sensors for real-time analysis on executed binaries.
- **Threat Intelligence Integration:** Wiz Research Team builds and updates rules based on cloud threat intelligence to detect novel threats in the Wiz Threat Center.
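To make the Core Capabilities and Advanced Features concrete, here is an added example that is not Wiz's code and not the YARA engine: a minimal YARA-style evaluator in plain Python. It models the three parts of a rule (text strings, regular expressions, hex patterns with `??` wildcards, and a condition over their match counts) and shows why a rule keyed on structural patterns rather than hashes still matches per-target variants. The rule names, string identifiers, pool and wallet values and sample files are all constructed for illustration.

```python
"""Minimal YARA-style rule evaluation over in-memory file contents.

Added example: this is neither Wiz's scanner nor the real YARA engine.
Rule contents and sample data are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict


def text(s: str) -> re.Pattern:
    """Literal text string, like `$a = "..."` in a YARA rule."""
    return re.compile(re.escape(s.encode()))


def regex(p: str) -> re.Pattern:
    """Regular expression string, like `$a = /.../` in a YARA rule."""
    return re.compile(p.encode())


def hexpat(h: str) -> re.Pattern:
    """Hex string with `??` wildcards, like `$a = { 7f 45 4c 46 ?? 01 }`."""
    parts = []
    for tok in h.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so a wildcard byte also matches 0x0a
    return re.compile(b"".join(parts), re.DOTALL)


@dataclass
class Rule:
    name: str
    strings: Dict[str, re.Pattern]
    # condition receives per-string match counts (#a in YARA) and the file size
    condition: Callable[[Dict[str, int], int], bool]


def scan(rule: Rule, data: bytes) -> bool:
    """Count every string's occurrences and evaluate the rule condition."""
    counts = {ident: len(pat.findall(data)) for ident, pat in rule.strings.items()}
    return rule.condition(counts, len(data))


# Constructed rule: flag a miner launcher when a stratum pool URL and a
# donate-level flag appear together in a small file. Wallet, pool host and
# port are deliberately not part of the rule, so per-target variants match.
MINER_LAUNCHER = Rule(
    name="constructed_miner_launcher",
    strings={
        "pool": text("stratum+tcp://"),
        "donate": regex(r"--donate-level[= ]\d+"),
    },
    condition=lambda c, size: c["pool"] >= 1 and c["donate"] >= 1 and size < 1_000_000,
)

# Constructed rule: little-endian ELF header with the class byte (32/64-bit)
# wildcarded, the same idea as matching a characteristic byte sequence.
ELF_LE = Rule(
    name="constructed_elf_little_endian",
    strings={"magic": hexpat("7f 45 4c 46 ?? 01")},
    condition=lambda c, size: c["magic"] == 1,
)

# Constructed samples (not real malware): two launcher variants with different
# pool and wallet values, one benign note that merely mentions "stratum",
# and two ELF-like headers.
VARIANT_A = b"#!/bin/sh\n./miner -o stratum+tcp://pool-a.example:3333 -u WALLET_A --donate-level=1\n"
VARIANT_B = b"#!/bin/sh\n./miner --donate-level 0 -u WALLET_B -o stratum+tcp://pool-b.example:443\n"
BENIGN = b"Stratum is a geological term; see mining.txt for the reading list.\n"
ELF64_LE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
ELF32_BE = b"\x7fELF\x01\x02\x01" + b"\x00" * 9


def demo() -> Dict[str, bool]:
    """Evaluate both constructed rules over the constructed samples."""
    return {
        "variant_a": scan(MINER_LAUNCHER, VARIANT_A),
        "variant_b": scan(MINER_LAUNCHER, VARIANT_B),
        "benign": scan(MINER_LAUNCHER, BENIGN),
        "elf64_le": scan(ELF_LE, ELF64_LE),
        "elf32_be": scan(ELF_LE, ELF32_BE),
    }


if __name__ == "__main__":
    for sample, hit in demo().items():
        print(f"{sample:10s} -> {'MATCH' if hit else 'clean'}")
```

Both launcher variants match because the rule keys on the stratum scheme and the donate flag, not on the wallet or pool values that differ per target; the benign note does not match because it lacks the full `stratum+tcp://` pattern. A hash-based indicator would have caught at most one variant, which is the gap the page's variant-detection point describes.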
## Indicators of Compromise
Since YARA rules are the detection mechanism, the categories below describe what the rules are designed to identify rather than fixed indicators:
- File Hashes: N/A (Rules look for patterns, not specific hashes)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Rules are file-based, though underlying malware uses C2)
- Behavioral Indicators: Detection of specific command line arguments (e.g., for XMRig), characteristic assembly code sequences (e.g., for Reverse TCP payloads).
## Associated Threat Actors
Threat actors deploying the targeted malware families:
- Cryptojacking operations (using modified XMRig).
- Actors using webshells (like Godzilla).
- Actors deploying offensive security tools (like Sliver).
## Detection Methods
- **Signature-based detection (Pattern Matches):** Primary method via YARA rules scanning file contents.
- **Behavioral detection:** Provided by the associated Runtime Sensor which monitors executed binaries.
- **YARA rules:** Proprietary rules tailored by Wiz Research Team.
## Mitigation Strategies
- **Proactive Scanning:** Utilizing agentless malware scanning with YARA rules for continuous cloud environment hygiene.
- **Runtime Monitoring:** Deploying Runtime Sensors to detect actual execution of malicious binaries.
- **Contextual Prioritization:** Integrating malware findings into the Wiz Security Graph to prioritize remediation based on adjacent risks (e.g., public exposure, secrets, high privileges).
## Related Tools/Techniques
- **XMRig:** Legitimate software often abused for cryptojacking activities targeted by specific YARA rules.
- **Godzilla:** A webshell family detectable via pattern matching.
- **Sliver:** An offensive security tool framework that can be compiled differently to evade simple detection.
- **Reverse TCP:** A C2 connection technique detected by analyzing specific ELF payloads.
- **GuardDuty, Microsoft Defender for Cloud, Google Security Command Center:** Native cloud detection tools whose findings can be integrated with Wiz for added context.