How to Defend Against IRONGATE-like malware?

    Talk to Sales

    Please leave your details and our representative would contact you immediately

    First Name

    Last Name

    Job Title

    Company

    Business email

    Country

    Phone (optional)

    We’re using (optional)

    How to Defend Against IRONGATE-like malware?

    Written by Research Team - 16 June 2016

      Share article
      FacebookTwitterLinkedInRedditCopy Link

      Get Free Account

      Join Now

      A lot of the recent buzz in the InfoSec community was about the IRONGATE malware. IRONGATE was recently discovered by FireEye while hunting for PyInstaller-crafted executables in VirusTotal.

      PyInstaller is a program that converts Python scripts into stand-alone executables under Windows, Linux, and more. Due to the simplicity of Python development and the easy deployment of Python programs enabled by PyInstaller, malware authors are able to write sophisticated malware in no time.

      But how can we defend against these kind of threats? We need to perform the following steps:

      1. Identifying PyInstaller Executables

      There’s a YARA signature created by Didier Stevens that can be used in either an automatic or a manual mode to detect PyInstaller files. This signature basically looks for a specific string which is unique to PyInstaller-crafted executables.

      1. Identify PyInstaller executables

      2. Analyze the PyInstaller executable by reviewing its original Python script code

      3. Remediate according to the specific threat found

      2. Analyzing The PyInstaller Executable

      To deal with PyInstaller files, we can extract the original Python source code from any PyInstaller file and then analyze the code to get an understanding about its purpose, maliciousness, and full threat potential.

      Unlike other executable binaries, for which we need to perform disassembly and review hard-to-read assembly code in order to fully analyze them, the process of analysis using PyInstaller is usually simple and fast. It fully exposes the entire Python code, making it easy to read.

      Extracting the Python source code can be done by using the excellent pyinstxtractor project

      It is used by running the pyinstallerextractor script:

      pyinstxtractor py PYINSTALLER_TEST_FILE exe

      Now, in the directory where you run pyinstxtractor, you should have the Python source code available to you. The only thing left is to rapidly read the code and analyze what it’s doing in your system.

      3. Remediation

      Remediation for PyInstaller files is not especially different from any other cyber threats; it really depends on the security systems deployed in your organization, and the code of the threat itself.

      If you need any assistance regarding a specific case, we would be happy to help — just visit our website or contact us via email at contact@intezer.com

      Research Team

      For A Stronger Cyber Immune System

      New: Connect Microsoft Defender with Intezer's Autonomous SOC solutionNew: Connect Microsoft Defender with Intezer's Autonomous SOC solution Learn more
      Generic filters
      Exact matches only
      Search in title
      Search in content
      Search in excerpt