Malware poses a critical threat to cloud environments, facilitating malicious activity by threat actors that results in compromise, data breach, or disruption in operations. According to SonicWall, there were 6.06 billion malware attacks in 2023, marking the highest global attack volume since 2019. That is why it is crucial to have malware scanning in place to detect and proactively remove infections. Wiz already provides customers with agentless malware scanning of virtual machines, containers, serverless, buckets, and code repositories to detect malicious software, as well as a runtime sensor and cloud event log analysis capabilities to detect malicious activity in cloud environments. Today, we are adding pattern-based malware detection using YARA rules to agentlessly detect unknown malware variants. Wiz customers' cloud environments are now continuously evaluated for malware using pattern-based rules, allowing detection of new malware variants as soon as they appear in the wild, with full coverage without needing to deploy an agent.
YARA rules for pattern-based malware detection
YARA is a tool used for malware detection that enables researchers to write specific rules for malware families based on textual or binary patterns, as well as generic rules to identify common attributes of various malware. Wiz now scans files against a set of proprietary YARA rules built and tested by the Wiz Research Team to support detection of malware variants.
These rules identify specific patterns within files that might not be discoverable otherwise. The new rules focus on malware types that are the most prevalent in cloud environments, such as webshells like Godzilla, offensive security tools like Sliver, Trojan payloads, and crypto miners. These types of malware families are detected efficiently using pattern-based detection due to their variability. For example, webshells are uniquely generated per target with a different user and password, and open-source offensive security tools can be compiled on the fly to utilize different hard-coded IP addresses and include different commands. In addition to these types of malware families, the Wiz Research team analyzes emerging threats based on our cloud threat intelligence and adds detection for novel threats in the Wiz Threat Center.
Why YARA?
YARA enables Wiz to robustly detect many variants of malware families across cloud environments. A YARA rule comprises collections of strings, regular expressions, and logical conditions that are carefully crafted to identify particular patterns within the analyzed files to detect malware. Thanks to its flexibility, YARA is widely favored by cybersecurity experts, malware analysts, and threat hunters. It plays a crucial role in digital forensics and real-time threat identification.
Examples of newly supported YARA rules
1. XMRig Malware
Many cryptojacking activities rely on the legitimate and ever-popular XMRig mining software to mine cryptocurrencies without the user's consent or knowledge. Wiz’s YARA rule for XMRig looks for patterns that match custom compilation of XMRig. This detection method accounts for the common case of an attacker that compiles XMRig with minor or no changes, which leaves some common binary patterns which uniquely identify this software. The YARA rule checks for specific command line arguments and other indicative compilation strings within the binary. While each string by itself is not enough to deem the file malicious, when all of them can be found in the same file, this provides high confidence in the detection.
2. Reverse TCP
Reverse TCP is a technique used by attackers to establish a connection from the impacted resource back to the attacker’s machine. This YARA rule detects common reverse TCP payloads by looking for a combination of several attributes, including:
Small file size (Since threat actors usually try to minimize the size of their generated payloads)
ELF magic header
Assembly code that builds the string `//bin/sh` on the stack
Assembly code that performs an `execve` syscall
The resulting assembly code of such payloads may look something like this (in x86):
push 'hs/n'
push 'ib//'
mov ebx, esp
push edx
push ebx
mov ecx, esp
mov al, 0Bh
int 80hMalware detection at runtime
In addition to Wiz’s agentless malware detection, customers can also detect malware execution in runtime with the Runtime Sensor. The sensor is designed to complement agentless detection by performing real-time analysis for binaries that are executed and therefore pose the most risk to your compute workloads. Additionally, customers that use native malware detection tools such as GuardDuty, Microsoft Defender for Cloud, and Google Security Command Center or other third-party tools can send findings to Wiz to gain additional risk correlation and context.
Triaging malware with context on the Wiz Security Graph
The Wiz Security Graph empowers organizations to prioritize malware remediation based on context around attack paths in the environment. Wiz correlates malware to other risks in your cloud so you can focus first on responding to malware detected on machines that are publicly exposed, have cleartext secrets, sensitive data, high privileges, or lateral movement paths to admin.
You can learn more about how Wiz uses YARA rules for malware detection by visiting the Wiz Docs (login required). If you prefer a live demo, we would love to connect with you.
