Full Report
We are pleased to announce the release of Suru version 2.0, our MITM proxy. Suru has now been rewritten to work with the .Net 2 runtime environment and includes all the features of the original 1.x stream, as well as a number of enhancements and upgrades. Features which have been added since the last 1.1 stable release include the following:
- Upstream proxy support
- Response timing for timing-based attacks
- Highlighting of search terms in the request editor and the browser
- Neater and sortable request and fuzz list boxes
- Request interception
There is currently a known bug when using Suru 2.0 with Mac OS X and Parallels, but we hope to have the issue ironed out as soon as possible and will release a fix for this in the very near future.
Analysis Summary
# Tool/Technique: Suru version 2.0
## Overview
Suru version 2.0 is a Man-in-the-Middle (MITM) proxy tool developed by SensePost. It has been rewritten to function on the .Net 2 runtime environment and includes enhancements over its previous versions.
## Technical Details
- Type: Tool
- Platform: Windows (Implied by .Net 2 runtime environment), with known compatibility issues noted for Mac OS/X running under Parallels.
- Capabilities: MITM proxy functionalities, request/response manipulation, and timing analysis support.
- First Seen: October 08, 2007 (date of the release announcement)
## MITRE ATT&CK Mapping
Suru is a security testing and analysis tool, and the announcement describes no adversarial use of it. The mapping below is therefore by capability rather than by observed use, and it is a loose fit: an intercepting proxy that sits on the tester's own machine, between a browser configured to use it and the target, is not the network-level interception ATT&CK describes under T1557 (Adversary-in-the-Middle).
- **TA0011 - Command and Control**
- T1090 - Proxy (the upstream proxy support lets Suru chain its traffic through another proxy; T1090.003 - Multi-hop Proxy is the closest sub-technique for that chaining, and T1090.002 - External Proxy applies only when the upstream proxy is outside the network)
- No Discovery (TA0007) mapping is supported: the announcement lists no scanning or network-mapping capability, only HTTP request and response handling.
## Functionality
### Core Capabilities
- Acts as a Man-in-the-Middle (MITM) proxy.
- Request interception, allowing modification of traffic in transit.
- Maintenance of original 1.x stream features.
### Advanced Features
- **Upstream proxy support:** Allows Suru itself to tunnel traffic through another proxy.
- **Response timing:** Records the response time of each request so that small, input-dependent differences can be compared across candidates (for example, a login that only runs its password hash for usernames that exist). Useful for timing-based attacks and side-channel analysis.
- **Request/Response Editing:** Highlighting of search terms in the request editor and browser view.
- **Fuzzing Support:** Features "fuzz list boxes," suggesting capabilities for manipulating inputs.
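The response timing feature collects the raw numbers; the attack itself is in how they are compared. The following is an added example, not Suru's own code or SensePost's: it replays the measurement loop a tester would drive through a timing proxy against a simulated login handler that only hashes the password for usernames it knows (a constructed target; the user names and delays are invented), then picks out the slow candidates with a median and median-absolute-deviation statistic so that a single jittery sample does not produce a false hit. The statistic assumes most candidates are negatives, which is the usual shape of a username or identifier enumeration run.

```python
"""Timing-based attack analysis of the kind a response-timing proxy supports.
Added example, not SensePost code. The target is a constructed stand-in for a
web application; KNOWN_USERS and the delay it introduces are invented."""
import hashlib
import statistics
import time

KNOWN_USERS = {"alice", "bob"}          # constructed target state


def simulated_target(username, password="x"):
    """Stand-in for the target: known users trigger the expensive password hash,
    unknown users return at once. Both answers are identical on the wire, so
    only the response time distinguishes them."""
    if username in KNOWN_USERS:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt", 50_000)  # slow path
    return "Invalid username or password"


def collect(send, candidates, rounds=5):
    """Send every candidate `rounds` times, interleaved so that transient load on
    the target or the network affects all candidates equally.
    Returns {candidate: [seconds, ...]}."""
    samples = {c: [] for c in candidates}
    for _ in range(rounds):
        for c in candidates:
            t0 = time.perf_counter()
            send(c)
            samples[c].append(time.perf_counter() - t0)
    return samples


def analyze(samples, factor=3.0):
    """Return the candidates whose median response time is an outlier.

    The centre and spread are the median and the median absolute deviation (MAD)
    of the per-candidate medians, so one slow sample from jitter is ignored and
    the few genuinely slow candidates do not drag the baseline up. Assumes most
    candidates are negatives."""
    medians = {c: statistics.median(v) for c, v in samples.items()}
    centre = statistics.median(medians.values())
    mad = statistics.median(abs(m - centre) for m in medians.values())
    # Tiny floor so that an all-equal set does not produce a zero threshold.
    threshold = centre + factor * max(mad, 1e-6)
    return sorted(c for c, m in medians.items() if m > threshold)


if __name__ == "__main__":
    candidates = ["alice", "carol", "dave", "erin", "frank", "bob"]  # constructed list
    timings = collect(simulated_target, candidates, rounds=5)
    for name in candidates:
        print(f"{name:>6}: median {statistics.median(timings[name]) * 1000:.2f} ms")
    print("likely valid usernames:", analyze(timings))
```

Interleaving the candidates matters more than the number of rounds: if you send all samples for one candidate and then all for the next, a burst of load on the target during one block looks exactly like a timing difference.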
## Indicators of Compromise
*Note: Suru is a legitimate testing tool; IOCs listed here pertain to its installation/execution, not necessarily malicious activity.*
- File Hashes: N/A (Not provided)
- File Names: N/A (Not provided)
- Registry Keys: N/A (Not provided)
- Network Indicators: N/A (Since it's a proxy, network indicators depend entirely on the traffic it is configured to handle, not inherent C2 infrastructure.)
- Behavioral Indicators: On the endpoint, a process listening on a local port with the browser's proxy setting pointed at it. On the target, requests whose headers or bodies the client application could not have produced, bursts of near-identical requests that differ in one parameter (fuzz lists), and repeated requests sent at regular intervals (timing collection), over HTTP or HTTPS.
## Associated Threat Actors
The article does not specify any threat actors known to use Suru. It is presented as a tool released by SensePost, primarily used for security testing and research.
## Detection Methods
Detection focuses either on the proxy process itself or on the traffic redirection an intercepting proxy requires; from the target's side, Suru is indistinguishable from any other browser-driven client except by its traffic patterns.
- Signature-based detection: Signatures targeting the Suru binary or associated components (.Net 2 application).
- Behavioral detection: A process listening on a local port while the user's browser proxy setting points at that port. The same pattern covers Burp Suite, Fiddler and similar intercepting proxies, so triage by process name and by whether the user is authorised to run such tools, rather than treating any local proxy as hostile.
- YARA rules: N/A (Not available)
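The endpoint check above reduces to correlating three things: the listening sockets, the process that owns each one, and the browser's proxy setting. The following is an added example, not from the page or from SensePost: it parses constructed samples in the format of the Windows commands `netstat -ano` and `tasklist /fo csv`, plus a constructed value of the per-user `Internet Settings\ProxyServer` registry setting, and reports any listener the proxy setting points at whose owning process is not on a site allow-list. The process names, PIDs and port numbers are invented, and the allow-list is an assumption you would replace with your own.

```python
"""Endpoint triage for an intercepting proxy: correlate the browser's proxy
setting with a loopback listener and the process that owns it.
Added example, not SensePost code. All sample data below is constructed."""
import csv
import io
import re

# Constructed sample in the format `netstat -ano` prints on Windows.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:8080         127.0.0.1:51522        ESTABLISHED     4412
  TCP    192.168.1.20:51522     93.184.216.34:80       ESTABLISHED     2280
"""

# Constructed sample in the format `tasklist /fo csv` prints.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","812","Services","0","9,000 K"
"suru.exe","4412","Console","1","41,000 K"
"firefox.exe","2280","Console","1","210,000 K"
'''

# Constructed value of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer.
PROXY_SETTING_SAMPLE = "127.0.0.1:8080"

# Assumption: processes the site has approved to run a local listener.
KNOWN_PROXY_IMAGES = {"squid.exe", "burpsuite.exe", "fiddler.exe"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "[::1]", "[::]"}


def parse_listeners(netstat_text):
    """Return {port: pid} for TCP sockets in LISTENING state on loopback or any address."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) in LOCAL_ADDRS:
            listeners[int(m.group(2))] = int(m.group(3))
    return listeners


def parse_tasklist(tasklist_text):
    """Return {pid: image name} from tasklist CSV output."""
    reader = csv.DictReader(io.StringIO(tasklist_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_proxy_setting(value):
    """Parse 'host:port' or 'http=host:port;https=host:port' into a set of (host, port)."""
    targets = set()
    for part in value.split(";"):
        part = part.strip().split("=", 1)[-1]      # drop a 'scheme=' prefix if present
        if ":" in part:
            host, port = part.rsplit(":", 1)
            targets.add((host, int(port)))
    return targets


def find_interception_candidates(netstat_text, tasklist_text, proxy_setting):
    """Return [(image, pid, port)] for processes that own a local listener the
    browser proxy setting points at and that are not on the allow-list."""
    listeners = parse_listeners(netstat_text)
    images = parse_tasklist(tasklist_text)
    hits = []
    for host, port in parse_proxy_setting(proxy_setting):
        if host not in ("127.0.0.1", "localhost") or port not in listeners:
            continue
        pid = listeners[port]
        image = images.get(pid, "<unknown>")
        if image.lower() not in KNOWN_PROXY_IMAGES:
            hits.append((image, pid, port))
    return hits


if __name__ == "__main__":
    for image, pid, port in find_interception_candidates(
            NETSTAT_SAMPLE, TASKLIST_SAMPLE, PROXY_SETTING_SAMPLE):
        print(f"browser proxy -> 127.0.0.1:{port} owned by {image} (pid {pid}), not on allow-list")
```

On a real host the three inputs come from the two commands named above and from the registry value, but the correlation is the same; a hit is a lead for triage, not proof of misuse, since an authorised tester produces exactly this pattern.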
## Mitigation Strategies
- **Network Hardening:** Enforcing TLS does not hinder this tool: Suru runs on the tester's own machine, between a browser configured to trust it and the target, so it sees the plaintext regardless. TLS with proper certificate validation stops interception only by an on-path party the client does not trust, which is still worth enforcing; traffic monitoring should flag unencrypted credential submission.
- **Server-side validation and constant-time responses:** What an intercepting proxy finds is a server that trusts its clients. Validate every request on the server, never rely on client-side controls or hidden fields, and keep response timing independent of secret state (for example, do the same password-hashing work whether or not the username exists), since the response timing feature exists to measure exactly that difference.
- **Application Whitelisting:** Prevent the execution of unapproved security tools like Suru on sensitive endpoints.
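The constant-time point above is easiest to see with the leaky and hardened versions side by side. The following is an added example, not from the page or from SensePost: `check_login_leaky` returns early for unknown usernames, so the slow password hash runs only when the account exists and the response time reveals which usernames are valid; `check_login_fixed` hashes against a dummy record for unknown users and compares digests with `hmac.compare_digest`, so every request does the same work. The user table is constructed, and `count_hash_work` is a test hook that counts hash invocations so the difference shows without a stopwatch.

```python
"""Leaky versus constant-work login check. Added example, not SensePost code.
The account below is constructed; ITERATIONS is a deliberately low value for a
quick demonstration, not a production setting."""
import hashlib
import hmac
import os

ITERATIONS = 50_000
_HASH_CALLS = 0          # instrumentation only: counts how often the hash runs


def _hash(password, salt):
    global _HASH_CALLS
    _HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {}               # username -> (salt, stored hash); constructed table


def add_user(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


add_user("alice", "correct horse battery staple")   # constructed account

# Dummy record used for unknown usernames so the hash always runs. Its password
# is never accepted because check_login_fixed also requires the user to exist.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = _hash("placeholder-not-a-credential", DUMMY_SALT)


def check_login_leaky(username, password):
    """Vulnerable: unknown users return before the hash, so the response is
    tens of milliseconds faster than for a known user. Same message, different
    timing. The '==' on digests is also not constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return _hash(password, salt) == stored


def check_login_fixed(username, password):
    """Hardened: identical hash work and a constant-time digest comparison for
    every request, whether or not the username exists."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # Bitwise '&' rather than 'and' so both operands are always evaluated.
    return ok & (username in USERS)


def count_hash_work(check_fn, usernames, password="guess"):
    """Return how many password hashes check_fn computes across `usernames`.
    The leaky check does none for unknown users; the fixed one does one each."""
    global _HASH_CALLS
    _HASH_CALLS = 0
    for u in usernames:
        check_fn(u, password)
    return _HASH_CALLS


if __name__ == "__main__":
    probe = ["alice", "mallory", "carol"]
    print("leaky check, hashes run:", count_hash_work(check_login_leaky, probe))
    print("fixed check, hashes run:", count_hash_work(check_login_fixed, probe))
```

The same shape applies to any branch on secret state: token lookups, password-reset flows and account-existence checks should all take the slow path unconditionally, because a proxy that records response times will find the branch otherwise.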
## Related Tools/Techniques
- Burp Suite (Commercial standard for web application interception and modification)
- OWASP ZAP (Open-source web application security scanner and proxy)
- Charles Proxy/Fiddler (General-purpose traffic debugging proxies)