Daolpu infostealer detection and response

What is Daolpu?

Daolpu is a type of infostealer malware that steals sensitive information, such as login credentials, browser history, and cookies, from infected Windows computers.

How Does Daolpu Work?

  1. Delivery Method:
    • It is delivered via phishing emails.
    • These emails contain a malicious Microsoft Word document with harmful macros.
  2. Behavior on an Infected System:
    • Kills Chrome Browser: The malware stops Chrome using the command:

taskkill /F /IM chrome.exe

    • Steals Information: It collects login credentials, browser history, and cookies from browsers like Chrome, Edge, and Firefox.
    • Saves Data Locally: The stolen data is saved in a file named result.txt located in:

C:\Windows\Temp\result.txt

    • Sends Data to a C2 Server: The file result.txt is sent to a remote Command and Control (C2) server via an HTTP POST request.
    • Deletes Evidence: To avoid detection, it deletes the result.txt file after sending it.

Here is a step-by-step guide to implementing the detection and response mechanism for Daolpu malware using Argus:

Infrastructure Setup

  1. Install Argus Server and Agent:
    • Set up the Argus central components (server, indexer, dashboard) using the pre-built Argus.
    • Install the Argus agent on a Windows 10 endpoint and enroll it with the Argus server.

Detection with Argus

1. Set Up Sysmon on the Windows Endpoint

  1. Download Sysmon and the configuration file sysmonconfig.xml.
  2. Edit sysmonconfig.xml to include the following rules under <EventFiltering>. The FileCreate rule is needed so that the creation of result.txt is logged (Sysmon event ID 11) as well as its deletion (event ID 26):

<RuleGroup groupRelation="or">
   <!-- Event ID 11: log the stealer writing its output file -->
   <FileCreate onmatch="include">
      <TargetFilename condition="contains">\Temp\result.txt</TargetFilename>
   </FileCreate>
</RuleGroup>

<RuleGroup groupRelation="or">
   <!-- Event ID 26: log the stealer deleting that file after exfiltration -->
   <FileDeleteDetected onmatch="include">
      <TargetFilename condition="contains">\Temp\result.txt</TargetFilename>
   </FileDeleteDetected>
</RuleGroup>

  3. Install Sysmon using PowerShell:

In PowerShell:

.\Sysmon64.exe -accepteula -i .\sysmonconfig.xml

  4. Edit the Argus agent configuration file ossec.conf so that the agent collects the Sysmon event channel:

<localfile>
   <location>Microsoft-Windows-Sysmon/Operational</location>
   <log_format>eventchannel</log_format>
</localfile>

  5. Restart the Argus agent:

In PowerShell:

Restart-Service -Name Argus

2. Configure Detection Rules on the Argus Server

  1. Create a rule file daolpu_malware.xml on the Argus server:

touch /var/ossec/etc/rules/daolpu_malware.xml

  2. Add the following rules. Rules 100061 and 100062 are told apart by the Sysmon event ID (11 for file creation, 26 for file deletion); without that condition both rules would match the same events. In PCRE2 a literal backslash must be written as \\ and a literal dot as \. :

<group name="windows,sysmon,daolpu_detection_rule,">

   <rule id="100060" level="10">
      <description>Malware killed Chrome process</description>
      <match type="pcre2">cmd\.exe /c taskkill /F /IM chrome\.exe</match>
   </rule>

   <!-- Sysmon event ID 11 (FileCreate): result.txt written under a Temp directory -->
   <rule id="100061" level="12">
      <field name="win.system.eventID">^11$</field>
      <field name="win.eventdata.targetFilename" type="pcre2">\\Temp\\result\.txt</field>
      <description>Malware created sensitive file</description>
   </rule>

   <!-- Sysmon event ID 26 (FileDeleteDetected): the same file removed after exfiltration -->
   <rule id="100062" level="10">
      <field name="win.system.eventID">^26$</field>
      <field name="win.eventdata.targetFilename" type="pcre2">\\Temp\\result\.txt</field>
      <description>Malware deleted sensitive file</description>
   </rule>

</group>

  3. Restart the Argus manager:

sudo systemctl restart Argus-manager
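Before restarting the manager, it is worth checking that the three rules fire on the events they are meant for and stay quiet on look-alike activity. The following Python example is added here and is not code from the page or from Argus: it replays constructed Sysmon-style events through an emulation of the rule logic, using a whole-log match for rule 100060 and an event ID plus targetFilename check for 100061 (event ID 11, file created) and 100062 (event ID 26, file deleted). The event layout (win.system.eventID, win.eventdata.targetFilename) is assumed to be the decoded form the rule file's field names refer to, and every path, process name and event in the sample set is constructed.

```python
import json
import re

# Constructed sample events, shaped like the JSON the agent forwards from the
# Microsoft-Windows-Sysmon/Operational channel (assumption: the same win.system /
# win.eventdata layout the rule file's <field> names refer to).
SAMPLE_EVENTS = [
    # Event ID 1 (process creation): the stealer killing Chrome
    {"win": {"system": {"eventID": "1"},
             "eventdata": {"image": "C:\\Windows\\System32\\cmd.exe",
                           "commandLine": "cmd.exe /c taskkill /F /IM chrome.exe"}}},
    # Event ID 11 (file create): the collected data written to result.txt
    {"win": {"system": {"eventID": "11"},
             "eventdata": {"image": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe",
                           "targetFilename": "C:\\Windows\\Temp\\result.txt"}}},
    # Event ID 26 (file delete detected): result.txt removed after exfiltration
    {"win": {"system": {"eventID": "26"},
             "eventdata": {"image": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe",
                           "targetFilename": "C:\\Windows\\Temp\\result.txt"}}},
    # Benign: a user file with the same name outside any \Temp directory
    {"win": {"system": {"eventID": "11"},
             "eventdata": {"image": "C:\\Windows\\explorer.exe",
                           "targetFilename": "C:\\Users\\victim\\Documents\\result.txt"}}},
    # Benign: an unrelated file created in the Temp directory
    {"win": {"system": {"eventID": "11"},
             "eventdata": {"image": "C:\\Windows\\System32\\svchost.exe",
                           "targetFilename": "C:\\Windows\\Temp\\update.log"}}},
]

# Python's re module reads these particular patterns exactly as PCRE2 does:
# \\ is a literal backslash, \. a literal dot.
RESULT_TXT = re.compile(r"\\Temp\\result\.txt")

# One entry per rule id, mirroring the rule file: "match" is a whole-log regex,
# "event_id" and "field" stand for the <field> conditions.
RULES = [
    {"id": 100060, "level": 10, "description": "Malware killed Chrome process",
     "match": re.compile(r"cmd\.exe /c taskkill /F /IM chrome\.exe")},
    {"id": 100061, "level": 12, "description": "Malware created sensitive file",
     "event_id": "11", "field": ("targetFilename", RESULT_TXT)},
    {"id": 100062, "level": 10, "description": "Malware deleted sensitive file",
     "event_id": "26", "field": ("targetFilename", RESULT_TXT)},
]


def rule_matches(rule, event):
    """Return True when the event satisfies every condition of the rule."""
    if "match" in rule:
        # <match> is evaluated against the full log line, here its JSON form.
        if not rule["match"].search(json.dumps(event)):
            return False
    if "event_id" in rule and event["win"]["system"].get("eventID") != rule["event_id"]:
        return False
    if "field" in rule:
        name, regex = rule["field"]
        if not regex.search(event["win"]["eventdata"].get(name, "")):
            return False
    return True


def evaluate(events):
    """Run every rule over every event; return (rule id, level, description) per hit."""
    alerts = []
    for event in events:
        for rule in RULES:
            if rule_matches(rule, event):
                alerts.append((rule["id"], rule["level"], rule["description"]))
    return alerts


if __name__ == "__main__":
    for rule_id, level, description in evaluate(SAMPLE_EVENTS):
        print(f"rule {rule_id} level {level}: {description}")
```

The two benign events show why the patterns are anchored on \Temp\ and on the event ID: a user document named result.txt elsewhere on disk, or an unrelated file in the Temp directory, produces no alert, while each of the three malicious steps produces exactly one.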

YARA Integration for Malware Removal

1. Prepare the Victim Endpoint

  1. Install Python 3.8.7 or later and Microsoft Visual C++ Redistributable.
  2. Download and extract YARA:

In PowerShell:

Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.1/yara-master-2298-win64.zip -OutFile yara.zip
Expand-Archive yara.zip -DestinationPath .

  3. Place the YARA binary in the directory:

In PowerShell:

mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
cp .\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

  4. Download YARA rules using valhallaAPI:

# Fetch the YARA rule set from Valhalla (requires a valhallaAPI API key)
from valhallaAPI.valhalla import ValhallaAPI

v = ValhallaAPI(api_key="your_api_key_here")
rules = v.get_rules_text()

# Write the rule text to a file that yara64.exe can load
with open("yara_rules.yar", "w") as f:
    f.write(rules)

  5. Add a custom YARA rule for Daolpu malware to the yara_rules.yar file.

2. Configure the Argus Server for Active Response

  1. Create a batch script yara.bat for automated file scanning and removal:

:: Deletes malicious files based on YARA results
:: (replace the placeholder path with the file reported by the YARA scan)
del /f "C:\Path\To\Malicious\File"

  2. Edit the Argus server configuration:
    • Add the custom decoders, rules, and active-response configurations in ossec.conf.
    • Restart the Argus manager:

sudo systemctl restart Argus-manager
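The yara.bat above deletes a fixed path; in practice the active-response script has to work out which file to scan from the alert, run YARA on it, and remove it only when a rule actually matched. The following Python example is added here and is not code from the page or from Argus. It assumes the agent hands the triggering alert to the script as JSON on stdin with the decoded Sysmon fields under parameters.alert.data.win.eventdata (a constructed sample is embedded), and it assumes the usual yara64.exe output of one "<rule name> <file path>" line per match; the rule name Daolpu_Infostealer and every path are constructed. Deletion is restricted to files under an allow-listed set of roots so that a spoofed or mis-decoded path in an alert cannot be turned into the removal of an arbitrary system file.

```python
import json
import ntpath
import os
import subprocess

# Constructed sample of the alert as assumed to arrive on stdin.
SAMPLE_ALERT_STDIN = json.dumps({
    "version": 1,
    "command": "add",
    "parameters": {
        "alert": {
            "rule": {"id": "100061", "level": 12},
            "data": {"win": {"system": {"eventID": "11"},
                             "eventdata": {"image": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe",
                                           "targetFilename": "C:\\Windows\\Temp\\result.txt"}}},
        }
    },
})

# Constructed samples of what `yara64.exe -w rules.yar <file>` prints: one
# "<rule name> <file path>" line per matching rule, nothing when nothing matches.
SAMPLE_YARA_MATCH = "Daolpu_Infostealer C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe\r\n"
SAMPLE_YARA_NO_MATCH = ""

YARA_EXE = r"C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
YARA_RULES = r"C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara_rules.yar"
# Only files under these roots may ever be deleted (assumption: the dropper
# lives in a user profile or in the system Temp directory).
ALLOWED_ROOTS = (r"C:\Windows\Temp", r"C:\Users")


def image_from_alert(alert_stdin):
    """Return the process image (the file to scan) named in the alert, or None."""
    alert = json.loads(alert_stdin)["parameters"]["alert"]
    return alert["data"]["win"]["eventdata"].get("image")


def yara_command(path):
    """Command line used to scan one file; -w suppresses YARA warnings."""
    return [YARA_EXE, "-w", YARA_RULES, path]


def scan_file(path):
    """Run YARA on the endpoint and return its stdout (not called in the demo)."""
    return subprocess.run(yara_command(path), capture_output=True, text=True).stdout


def parse_yara_output(text):
    """Map each matched rule name to the path it matched (paths without spaces)."""
    matches = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            rule_name, _, matched_path = line.partition(" ")
            matches[rule_name] = matched_path
    return matches


def under_allowed_root(path):
    """True if the Windows path resolves inside one of ALLOWED_ROOTS (no ..\\ tricks)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    for root in ALLOWED_ROOTS:
        root_norm = ntpath.normcase(ntpath.normpath(root))
        if norm == root_norm or norm.startswith(root_norm + "\\"):
            return True
    return False


def decide(alert_stdin, yara_output):
    """Choose 'delete' only for a YARA hit on a path the script is allowed to touch."""
    target = image_from_alert(alert_stdin)
    if not target:
        return {"action": "none", "reason": "alert carries no image path"}
    if not under_allowed_root(target):
        return {"action": "none", "reason": f"{target} is outside the allowed roots"}
    matches = parse_yara_output(yara_output)
    if ntpath.normcase(target) not in {ntpath.normcase(p) for p in matches.values()}:
        return {"action": "none", "reason": "no YARA rule matched the file"}
    return {"action": "delete", "path": target, "rules": sorted(matches)}


def respond(alert_stdin, yara_output, dry_run=True):
    """Apply the decision; with dry_run=True nothing is removed from disk."""
    decision = decide(alert_stdin, yara_output)
    if decision["action"] == "delete" and not dry_run:
        os.remove(decision["path"])
    return decision


if __name__ == "__main__":
    # Demo on the constructed samples; on the endpoint the alert would be read
    # from sys.stdin and yara_output from scan_file(image_from_alert(alert)).
    print(json.dumps(respond(SAMPLE_ALERT_STDIN, SAMPLE_YARA_MATCH)))
    print(json.dumps(respond(SAMPLE_ALERT_STDIN, SAMPLE_YARA_NO_MATCH)))
```

Keeping the decision separate from the deletion makes the script easy to test in dry-run mode and to extend, for example by quarantining the file instead of deleting it, without touching the path checks.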

Visualizing Alerts

  1. Log in to the Argus dashboard.
  2. Navigate to Threat intelligence > Threat Hunting.
  3. Add filters for the rules configured (100060, 100061, 100062) and others.
  4. View alerts and confirm the detection and mitigation actions.
