
How Argus detects and responds to Mint Stealer


What Mint Stealer Does

  1. Steals Data:
    • It targets things like web browsers, cryptocurrency wallets, VPN clients, email apps, and even clipboard data (text you copy and paste).
    • It gathers sensitive details such as passwords, private keys, and system information.
  2. Works Secretly:
    • It hides its presence using techniques like encryption and obfuscation to avoid being detected by antivirus software.
  3. Sends Stolen Data:
    • After collecting the data, it compresses it into a file and sends it to its operator’s Command and Control (C2) server.
  4. Spreads Easily:
    • It’s sold as “Malware-as-a-Service (MaaS)” on dark web platforms, meaning anyone can buy and use it without needing advanced hacking skills.

1. Infrastructure Setup

  • Argus Server: Deploy an Argus server using the OVA version 4.9.0. Follow the Argus installation guide to set up the server.
  • Windows 10 Endpoint: Install the Argus agent version 4.9.0 on a Windows 10 machine and enroll it with the Argus server.

2. Detecting Mint Stealer Malware

Using Argus Detection Rules

  1. Install Sysmon on Windows Endpoint:
    • Download Sysmon from the Microsoft Sysinternals page.
    • Extract the compressed Sysmon file.
    • Download the Sysmon configuration file using PowerShell:

powershell

wget -Uri https://Argus.com/resources/blog/emulation-of-attack-techniques-and-detection-with-Argus/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

  2. Install and start Sysmon:

powershell

.\Sysmon64.exe -accepteula -i .\sysmonconfig.xml

  3. Forward Sysmon logs to the Argus server by adding the following in the ossec.conf file of the Argus agent:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

  4. Restart the Argus agent:

powershell

Restart-Service -Name Argus

  5. Create Detection Rules on the Argus Server:
    • Add a new file mint_stealer_malware.xml in the /var/ossec/etc/rules/ directory.
    • Define rules for detecting Mint Stealer activities such as creating malicious executables, loading DLL files, or stealing clipboard/system information.
    • Restart the Argus manager:

sudo systemctl restart Argus-manager

  6. Visualize Alerts:
    • Navigate to the Argus dashboard: Threat intelligence > Threat Hunting.
    • Filter alerts using rule IDs 100190, 100191, 100192, and 100193.
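The page names the four rule IDs but does not show the rules themselves. The file below is an added example of what mint_stealer_malware.xml could contain, not the page's or the vendor's own ruleset. It assumes the Argus rules engine uses Wazuh-style rule syntax (the /var/ossec paths on the page suggest this), that the eventchannel decoder exposes Sysmon fields as win.eventdata.* and that the parent rule IDs 61600 (Sysmon event 1, process creation), 61606 (event 7, image loaded) and 61610 (event 11, file created) follow the Wazuh Sysmon ruleset numbering. The patterns are behavioural (executables and DLLs appearing under AppData, clipboard reads, host discovery spawned from AppData) rather than Mint Stealer file hashes, which the page does not provide.

```xml
<!-- /var/ossec/etc/rules/mint_stealer_malware.xml (example content, assumptions noted inline) -->
<group name="mint_stealer,sysmon,">

  <!-- Sysmon Event 11 (file created): a new executable written below a user's AppData.
       Parent rule 61610 is the Wazuh-style base rule for Sysmon event 11 (assumed). -->
  <rule id="100190" level="10">
    <if_sid>61610</if_sid>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\Users\\[^\\]+\\AppData\\.+\.exe$</field>
    <description>Mint Stealer: executable dropped under AppData by $(win.eventdata.image)</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <!-- Sysmon Event 7 (image loaded): a DLL loaded from a user-writable path instead of System32 or Program Files.
       Parent rule 61606 is the base rule for Sysmon event 7 (assumed). -->
  <rule id="100191" level="10">
    <if_sid>61606</if_sid>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\Users\\[^\\]+\\AppData\\.+\.dll$</field>
    <description>Mint Stealer: DLL $(win.eventdata.imageLoaded) loaded from AppData by $(win.eventdata.image)</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>

  <!-- Sysmon Event 1 (process creation): a command line that reads the clipboard.
       Parent rule 61600 is the base rule for Sysmon event 1 (assumed). -->
  <rule id="100192" level="9">
    <if_sid>61600</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)Get-Clipboard|Clipboard\]::GetText</field>
    <description>Mint Stealer: clipboard read via $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1115</id>
    </mitre>
  </rule>

  <!-- Sysmon Event 1 (process creation): host reconnaissance tools spawned by a process running from AppData.
       Multiple <field> elements in one rule are ANDed, so both the parent and the child must match. -->
  <rule id="100193" level="9">
    <if_sid>61600</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\AppData\\.+\.exe$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\(systeminfo|whoami|ipconfig|tasklist)\.exe$</field>
    <description>Mint Stealer: system information discovery ($(win.eventdata.image)) spawned by $(win.eventdata.parentImage)</description>
    <mitre>
      <id>T1082</id>
    </mitre>
  </rule>

</group>
```

After restarting the manager, trigger each rule on a test machine (for example, copy a benign signed executable into a subfolder of AppData, or run Get-Clipboard from a PowerShell prompt) and confirm the matching rule ID appears in the Threat Hunting view before relying on it. Because these rules key on locations and behaviour rather than on one sample, expect some benign installers and updaters to fire 100190 and 100191; tune with an exclusion rule or raise the level only after reviewing what legitimately lives under AppData on your fleet.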

3. Responding to Mint Stealer Using YARA Integration

Setup on Windows Endpoint

  1. Install Required Dependencies:
    • Python (v3.8.7 or later) and Microsoft Visual C++ Redistributable.
  2. Download and Setup YARA:
    • Download YARA executable:

powershell

Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip

Expand-Archive v4.5.2-2326-win64.zip

  3. Copy the YARA binary to the Argus active response directory.
  4. Add YARA Rules:
    • Download YARA rules using a Python script (download_yara_rules.py).
    • Add custom rules to detect Mint Stealer malware.
  5. Configure Active Response:
    • Create a batch script (yara.bat) for scanning and deleting malicious files.
  6. Restart Argus Agent:

powershell

Restart-Service -Name Argus

Setup on Argus Server

  1. Add Custom Decoders:
    • Edit the /var/ossec/etc/decoders/local_decoder.xml file to define decoders for YARA logs.
  2. Add Custom Rules:
    • Update /var/ossec/etc/rules/local_rules.xml with rules for detecting and responding to YARA matches.
  3. Configure Active Response:
    • Add the following configuration in the Argus server’s ossec.conf file:

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100028,100029</rules_id>
</active-response>

  4. Restart the Argus manager:

systemctl restart Argus-manager

  5. Visualize Alerts:
    • Filter alerts on the Argus dashboard using rule IDs 100029, 100195, and 100196.
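The server-side steps above name the decoder and rule files but not their contents. Below is an added example covering both local_decoder.xml and local_rules.xml; it is not the page's or the vendor's own configuration. It assumes Wazuh-style decoder and rule syntax, that rules 100028 and 100029 (the rules_id values in the active-response block) are the FIM rules that fire when a file is added to or changed in a user's Downloads folder (parent rules 554 and 550 are assumed to be the Wazuh base rules "File added to the system" and "Integrity checksum changed"), and that 100195 and 100196 are the rules raised on the scan result lines. The log line format written by yara.bat is constructed for this example and must match whatever your own batch script echoes.

```xml
<!-- 1) /var/ossec/etc/decoders/local_decoder.xml
        Parses the lines yara.bat is assumed to write to active-responses.log (constructed format):
          argus-yara: INFO - Scan result: <rule_name> <file_path>
          argus-yara: INFO - Successfully deleted: <file_path> -->
<decoder name="yara_decoder">
  <prematch>argus-yara:</prematch>
</decoder>

<decoder name="yara_decoder_result">
  <parent>yara_decoder</parent>
  <regex>argus-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder_deleted">
  <parent>yara_decoder</parent>
  <regex>argus-yara: (\S+) - Successfully deleted: (\S+)</regex>
  <order>log_type, yara_deleted_file</order>
</decoder>

<!-- 2) /var/ossec/etc/rules/local_rules.xml -->
<group name="syscheck,">
  <!-- FIM events that trigger the "yara" active response (rules_id 100028,100029 in ossec.conf).
       Parent 554 = file added, 550 = checksum changed (Wazuh base rule IDs, assumed). -->
  <rule id="100028" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)\\Users\\[^\\]+\\Downloads\\</field>
    <description>File added to Downloads: $(file). Running YARA scan.</description>
  </rule>
  <rule id="100029" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)\\Users\\[^\\]+\\Downloads\\</field>
    <description>File modified in Downloads: $(file). Running YARA scan.</description>
  </rule>
</group>

<group name="yara,">
  <!-- Raised when yara.bat reports a rule match; the field is set only by yara_decoder_result. -->
  <rule id="100195" level="12">
    <decoded_as>yara_decoder</decoded_as>
    <field name="yara_rule">\.+</field>
    <description>YARA match: rule $(yara_rule) hit on $(yara_scanned_file)</description>
  </rule>
  <!-- Raised when yara.bat reports that the matched file was removed. -->
  <rule id="100196" level="12">
    <decoded_as>yara_decoder</decoded_as>
    <field name="yara_deleted_file">\.+</field>
    <description>YARA active response removed $(yara_deleted_file)</description>
  </rule>
</group>
```

Two prerequisites, neither of which the page spells out: the agent's syscheck block must monitor the Downloads directory in realtime, otherwise 100028 and 100029 never fire and the active response is never launched; and the agent must be collecting active-responses.log, or the scan result lines never reach the manager and 100195/100196 stay silent. Validate with /var/ossec/bin/wazuh-logtest (or the equivalent Argus log-test tool) by pasting a constructed "Scan result" line and checking that the decoder fields and rule 100195 appear before running a live test.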

4. Validation

  • Simulate an infection by dropping a Mint Stealer malware sample on the endpoint.
  • Confirm that Argus detects and responds to the threat, generating alerts and deleting the malicious file.
