FortiGuard Labs Threat Research
This year I attended BlackHat 2019 and presented a framework at the Arsenal that I have been working with in the lab for some time called “BLACKPHENIX – Malware Analysis + Automation Framework.” I had a great time meeting new people and answering interesting questions from attendees. I would like to extend my gratitude to the BlackHat staff for such a great experience.
Here are some pictures taken during my presentation:
BLACKPHENIX is an open-source malware analysis automation framework composed of services, scripts, plug-ins, and tools built on a Command-and-Control (C&C) architecture. It relies on virtual machine software and on scripts that remotely control (via GUI and console) the tools and scripts running on a guest (analysis) virtual machine. Results are reported back to a controller machine, which performs further deep data analysis and makes execution decisions.
In general terms, the purpose of BLACKPHENIX is to help malware analysts speed up their “post-Sandbox” analysis process by automating tasks through Python scripts (BPH Scripts) and analysis modules (BPH Analysis modules). Instead of waiting for Sandbox reports before starting an investigation, an analyst can let the framework do the hard work for them – automatically.
Today’s malware analysis process is composed of combinations of tools and various environment requirements that often delay analysis. The BLACKPHENIX framework provides a single execution point whereby well-known malware/system analysis tools can be used programmatically.
Lab infrastructure is also a common problem for analysts: setting up the right environment consumes time and resources, and sometimes requires specific skills. This is another problem that BLACKPHENIX is trying to solve. For instance, the following video shows how the framework can dynamically modify its virtualized network environment, switching between NAT (open Internet access) and the Tor network, all from a single BPH Script.
During the early development of the framework, we used BPH Scripts to detect new malware and variants. One of our malware research engagements resulted in two blog posts that were posted on Fortinet’s threat research blog, showcasing our findings by leveraging BLACKPHENIX collected data.
The following picture shows the architectural overview of the framework.
In the context of BLACKPHENIX, every tool and every malware artifact (sample) is a Python object. For instance, the packer detection tool “PEiD” can be instantiated as peid = Peid("MySample.exe") and its methods invoked as peid.deep_scan(), all from a BPH Script. A sample object’s methods (sample.symbols()) and attributes (sample.md5, sample.path, etc.) can be accessed the same way. A single BPH Script can execute several tools (bundled execution), and the data generated by those tools can be analyzed automatically by a “BPH Analysis” module. BLACKPHENIX users can also integrate their own tools and scripts into the framework.
Analysts can use the framework to perform automated, virtual machine-based malware analysis by scripting the execution of well-known analysis tools, custom tools, and scripts that run in a remote virtual machine. They do this through Python scripts called “BPH Scripts”, with “BPH Analysis Modules” handling parsing and further data analysis.
A malware analyst can also use the framework to fulfill a specific requirement on a tight schedule, such as writing a quick prototype that collects specific data when a malware sample behaves in a certain way.
BPH Scripts are Python scripts that import the Python modules wrapping Windows tools (BPH Plug-ins) and contain execution instructions for one or more of the imported tools (bundled execution). For instance, a BPH Script can call the UPX tool to unpack a UPX-compressed executable, and the next instruction can call another tool, such as ExeInfoPe or any other tool the user selects. Since BPH Scripts are plain Python scripts, a user can add non-BPH Python code to adapt the results to specific analysis or research requirements.
The following code illustrates the BPH Script structure for the ExeInfoPe tool. Once this script is executed, BLACKPHENIX processes the file with the tool’s default options. After execution, the data is gathered and sent back to the C&C. The “output()” call displays the tool’s response in its console, and the “files()” call lists the absolute paths of the files the tool produced.
# Tool imports
from bph.tools.windows.exeinfope import BphExeInfoPe as ExeInfoPe

# Core imports: session, template server and lab-file wrapper
from bph.core.server.template import BphTemplateServer as TemplateServer
from bph.core.session import BphSession as Session
from bph.core.sample import BphLabFile as LabFile

# A session groups this run under a project name
session = Session(project_name='blackhat_arsenal_2019')
templateserver = TemplateServer()

# Wrap the sample as a lab file object and hand it to the tool plug-in
sample_file = LabFile(session.launcher_abs_path)
exeinfope = ExeInfoPe(sample_file)

# Display the tool's response and list the absolute paths of the files it produced
exeinfope.output()
exeinfope.files()
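As an added illustration (not code from the BLACKPHENIX package), the following Python sketch shows the object model described above and in the ExeInfoPe script: a sample object exposing path and hash attributes, tool wrappers whose run(), output() and files() methods collect and expose results, a script that bundles two tools, and an analysis module that consumes their combined output. Every class and function name here (Sample, Tool, PeSectionsTool, StringsTool, PackerAnalysis, build_toy_pe, write_toy_sample, run_bundle) is an assumption, and the sample bytes are constructed in place and are not a real executable.

```python
"""Illustrative object model for a BPH-style analysis script.
Added example, not code from the BLACKPHENIX package: every name below (Sample, Tool,
PeSectionsTool, StringsTool, PackerAnalysis, build_toy_pe, write_toy_sample, run_bundle)
is an assumption chosen to show the pattern the post describes: samples and tools as
Python objects, bundled execution, and an analysis module over the collected output.
"""
import hashlib
import os
import re
import struct
import tempfile


class Sample:
    """Stand-in for a lab file object: path plus hash attributes (cf. sample.md5, sample.path)."""
    def __init__(self, path):
        self.path = os.path.abspath(path)
        with open(self.path, "rb") as fh:
            self.data = fh.read()
        self.md5 = hashlib.md5(self.data).hexdigest()


class Tool:
    """Base wrapper: run() collects results, output() and files() expose them."""
    def __init__(self, sample):
        self.sample = sample
        self._output = []  # lines the tool reported
        self._files = []   # absolute paths of artifacts the tool wrote

    def run(self):
        raise NotImplementedError

    def output(self):
        return list(self._output)

    def files(self):
        return list(self._files)


class PeSectionsTool(Tool):
    """Walks the PE section table and reports each section name."""
    def run(self):
        d = self.sample.data
        e_lfanew = struct.unpack_from("<I", d, 0x3C)[0] if d[:2] == b"MZ" and len(d) >= 0x40 else None
        if e_lfanew is None or d[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            self._output.append("error: not a PE file")
            return self
        nsections = struct.unpack_from("<H", d, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", d, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size  # section headers follow the optional header
        for i in range(nsections):
            raw = d[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
            self._output.append("section " + raw.decode("ascii", "replace"))
        return self


class StringsTool(Tool):
    """Extracts printable ASCII runs (4+ chars) and writes them to a side file."""
    def run(self):
        found = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{4,}", self.sample.data)]
        self._output.extend(found)
        out_path = self.sample.path + ".strings.txt"
        with open(out_path, "w") as fh:
            fh.write("\n".join(found))
        self._files.append(out_path)
        return self


class PackerAnalysis:
    """Analysis module: reads the bundled tool output and returns a verdict dict."""
    def __init__(self, *tools):
        self.tools = tools

    def verdict(self):
        lines = [line for t in self.tools for line in t.output()]
        sections = [l.split(" ", 1)[1] for l in lines if l.startswith("section ")]
        return {"sections": sections, "upx_sections": any(s.startswith("UPX") for s in sections)}


def build_toy_pe(section_names, payload=b""):
    """Constructed, non-executable PE-shaped bytes with the given section names (test input only)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


def write_toy_sample(section_names=("UPX0", "UPX1", ".rsrc"), payload=b"hello from toy sample"):
    """Writes a constructed toy sample to a temp file and returns its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(build_toy_pe(section_names, payload))
    return path


def run_bundle(path):
    """What a BPH-style script does: build the sample object, run tools in order, then analyse."""
    sample = Sample(path)
    pe = PeSectionsTool(sample).run()
    strings = StringsTool(sample).run()
    result = PackerAnalysis(pe, strings).verdict()
    result.update(md5=sample.md5, strings=strings.output(), files=strings.files())
    return result
```

Calling run_bundle(write_toy_sample()) returns a dict whose "sections" list names the toy sample's sections, whose "upx_sections" flag is set because two of them start with UPX, and whose "files" entry holds the strings side file; the point is the shape of the flow (sample object, tools run in sequence, analysis over their combined output), not the toy heuristics themselves.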
To help users better understand how this all works, I am sharing some videos I presented at BlackHat Arsenal 2019 showcasing BPH script executions and interactions between the BPH Controller and Analysis virtual machines – all together.
All BPH Scripts can be found in the “examples” folder of the framework’s package.
BLACKPHENIX provides support for the following tools:
The BLACKPHENIX Framework can be downloaded from the following URL:
Users can refer to the “BPH Implementation Manual” and “BPH Script Development Guide” documentation, located in the “docs” folder.
BLACKPHENIX Dev Team