What is Daolpu?
Daolpu is a type of infostealer malware that steals sensitive information, such as login credentials, browser history, and cookies, from infected Windows computers.
How Does Daolpu Work?
- Delivery Method:
- It is delivered via phishing emails.
- These emails contain a malicious Microsoft Word document with harmful macros.
- Behavior on an Infected System:
- Kills Chrome Browser: The malware stops Chrome using the command:
taskkill /F /IM chrome.exe
- Steals Information: It collects:
- Login credentials
- Browser history
- Cookies from browsers like Chrome, Edge, and Firefox.
- Saves Data Locally: The stolen data is saved in a file named result.txt located in:
C:\Windows\Temp\result.txt
- Sends Data to a C2 Server:
- The file result.txt is sent to a remote Command and Control (C2) server via an HTTP POST request.
- Deletes Evidence: To avoid detection, it deletes the result.txt file after sending it.
The following is a step-by-step guide to implementing detection and response for Daolpu malware using Argus:
Infrastructure Setup
- Install Argus Server and Agent:
- Set up the Argus central components (server, indexer, dashboard) using the pre-built Argus.
- Install the Argus agent on a Windows 10 endpoint and enroll it with the Argus server.
Detection with Argus
1. Set Up Sysmon on the Windows Endpoint
- Download Sysmon and the configuration file sysmonconfig.xml.
- Edit sysmonconfig.xml to include the following rule under <EventFiltering>:
<RuleGroup groupRelation="or">
  <FileDeleteDetected onmatch="include">
    <TargetFilename condition="contains">\Temp\result.txt</TargetFilename>
  </FileDeleteDetected>
</RuleGroup>
- Install Sysmon using PowerShell:
.\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
- Edit the Argus agent configuration file ossec.conf:
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
- Restart the Argus agent (PowerShell):
Restart-Service -Name Argus
2. Configure Detection Rules on the Argus Server
- Create a rule file daolpu_malware.xml on the Argus server:
touch /var/ossec/etc/rules/daolpu_malware.xml
- Add the following rules:
<group name="windows,sysmon,daolpu_detection_rule,">
  <!-- Sysmon event 1 (ProcessCreate) whose command line is the taskkill the malware runs -->
  <rule id="100060" level="10">
    <description>Malware killed Chrome process</description>
    <match type="pcre2">cmd\.exe /c taskkill /F /IM chrome\.exe</match>
  </rule>
  <!-- Sysmon event 11 (FileCreate). Backslashes must be escaped: in pcre2 an unescaped \r is a carriage return, so the literal \Temp\result.txt would never match a path -->
  <rule id="100061" level="12">
    <description>Malware created sensitive file</description>
    <field name="win.system.eventID" type="pcre2">^11$</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\Temp\\result\.txt</field>
  </rule>
  <!-- Sysmon event 26 (FileDeleteDetected), the event the sysmonconfig.xml rule above enables. Without the event ID condition, this rule and 100061 would both fire on the same file event -->
  <rule id="100062" level="10">
    <description>Malware deleted sensitive file</description>
    <field name="win.system.eventID" type="pcre2">^26$</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\Temp\\result\.txt</field>
  </rule>
</group>
- Restart the Argus manager:
sudo systemctl restart Argus-manager
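As an added illustration (not code from the original page or from the Argus project), the following Python replays the three rules above over constructed Sysmon events in the flattened win.* field shape. The field names win.system.eventID and win.eventdata.commandLine, and the Sysmon event IDs 1/11/26, are assumptions about what the agent's eventchannel decoder exposes; the replay also shows why 100061 and 100062 need an event ID condition to be distinguishable.

```python
"""Replay of the Daolpu detection rules over constructed Sysmon events."""
import re

# Each rule lists the fields that must ALL match (as with several <field> elements).
# Sysmon event IDs (assumed): 1 = ProcessCreate, 11 = FileCreate, 26 = FileDeleteDetected.
RULES = [
    {"id": 100060, "level": 10, "description": "Malware killed Chrome process",
     "fields": {"win.system.eventID": r"^1$",
                "win.eventdata.commandLine": r"taskkill /F /IM chrome\.exe"}},
    {"id": 100061, "level": 12, "description": "Malware created sensitive file",
     "fields": {"win.system.eventID": r"^11$",
                "win.eventdata.targetFilename": r"\\Temp\\result\.txt"}},
    {"id": 100062, "level": 10, "description": "Malware deleted sensitive file",
     "fields": {"win.system.eventID": r"^26$",
                "win.eventdata.targetFilename": r"\\Temp\\result\.txt"}},
]

# Constructed sample events (not real telemetry): the three Daolpu actions plus a benign file write.
SAMPLE_EVENTS = [
    {"win.system.eventID": "1", "win.eventdata.image": r"C:\Windows\System32\cmd.exe",
     "win.eventdata.commandLine": "cmd.exe /c taskkill /F /IM chrome.exe"},
    {"win.system.eventID": "11", "win.eventdata.targetFilename": r"C:\Windows\Temp\result.txt"},
    {"win.system.eventID": "26", "win.eventdata.targetFilename": r"C:\Windows\Temp\result.txt"},
    {"win.system.eventID": "11", "win.eventdata.targetFilename": r"C:\Users\a\Documents\notes.txt"},
]


def match_rules(event, rules=RULES):
    """Return the ids of every rule whose field regexes all match the event."""
    return [r["id"] for r in rules
            if all(re.search(rx, event.get(name, "")) for name, rx in r["fields"].items())]


def without_event_ids(rules=RULES):
    """The same rules with the Sysmon event ID condition removed (the page's original form)."""
    return [{**r, "fields": {k: v for k, v in r["fields"].items() if k != "win.system.eventID"}}
            for r in rules]


def replay(events=SAMPLE_EVENTS, rules=RULES):
    """Evaluate each event; returns [(eventID, [matched rule ids]), ...]."""
    return [(e["win.system.eventID"], match_rules(e, rules)) for e in events]


if __name__ == "__main__":
    for event_id, hits in replay():
        print(f"Sysmon event {event_id}: rules {hits or 'none'}")
    print("file create without event ID condition:",
          match_rules(SAMPLE_EVENTS[1], without_event_ids()))
```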
YARA Integration for Malware Removal
1. Prepare the Victim Endpoint
- Install Python 3.8.7 or later and Microsoft Visual C++ Redistributable.
- Download and extract YARA (PowerShell):
Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.1/yara-master-2298-win64.zip -OutFile yara.zip
Expand-Archive yara.zip -DestinationPath .
- Place the YARA binary in the active-response directory (PowerShell):
mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
cp .\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
- Download YARA rules using valhallaAPI:
from valhallaAPI.valhalla import ValhallaAPI

# Fetch the rule feed as text and write it to the file the agent's YARA binary will load
v = ValhallaAPI(api_key="your_api_key_here")
rules = v.get_rules_text()
with open("yara_rules.yar", "w") as f:
    f.write(rules)
- Add a custom YARA rule for Daolpu malware to the yara_rules.yar file.
2. Configure the Argus Server for Active Response
- Create a batch script yara.bat for automated file scanning:
:: Deletes malicious files based on YARA results
del /f "C:\Path\To\Malicious\File"
- Edit the Argus server configuration:
- Add the custom decoders, rules, and active-response configurations in ossec.conf.
- Restart the Argus manager:
sudo systemctl restart Argus-manager
Visualizing Alerts
- Log in to the Argus dashboard.
- Navigate to Threat intelligence > Threat Hunting.
- Add filters for the rules configured (100060, 100061, 100062) and others.
- View alerts and confirm the detection and mitigation actions.