Threat Research

BlackHat 2019 Arsenal & BLACKPHENIX Framework

By Chris Navarrete | October 23, 2019

This year I attended BlackHat 2019 and presented a framework at the Arsenal that I have been working with in the lab for some time called “BLACKPHENIX – Malware Analysis + Automation Framework.” I had a great time meeting new people and answering interesting questions from attendees. I would like to extend my gratitude to the BlackHat staff for such a great experience.

Here are some pictures taken during my presentation:

What is BLACKPHENIX?

BLACKPHENIX is an open-source malware analysis automation framework composed of services, scripts, plug-ins, and tools based on a Command-and-Control (C&C) architecture. It relies on virtual machine software to operate and scripts to remotely control (GUI and console) tools and scripts running on a guest (analysis) virtual machine. It reports back results to a controller machine to perform further deep data analysis and execution decisions.

Why Develop this Framework?

In general terms, the purpose of BLACKPHENIX is to help malware analysts speed-up their “post-Sandbox” analysis process by automating tasks through the creation of python (BPH Scripts) scripts and analysis (BPH Analysis) modules. Instead of waiting for Sandbox reports to start investigating, an analyst can leverage the framework to do the hard work for them – automatically.

Today’s malware analysis process is composed of combinations of tools and various environment requirements that often delay analysis. The BLACKPHENIX framework provides a single execution point whereby well-known malware/system analysis tools can be used programmatically.

Lab infrastructure is also a common problem for analysts because setting up the right environment consumes time and resources, and sometimes requires certain skills to do so. This is another problem that BLACKPHENIX is trying to solve. For instance, the following video showcases how the framework has the ability to dynamically modify its virtualized network environment, switching between NAT (Open-Internet access) and the TOR Network, all from a single (BPH) Script.

Automatic Internet & TOR redirection – (BPH Virtual Machine Manager + Python)

During the early development of the framework, we used BPH Scripts to detect new malware and variants. One of our malware research engagements resulted in two blog posts that were posted on Fortinet’s threat research blog, showcasing our findings by leveraging BLACKPHENIX collected data.

Features

  • Easy Installation & Deployment
  • Tool automation modules
  • Virtual Machine management
  • Scripting support (Python)
  • Internet emulation
  • Traffic redirection
  • TOR support

Architecture Overview

The following picture shows the architectural overview of the framework.

Your Tool == My Python Object

In the context of BLACKPHENIX, every tool and malware artifact (sample) are Python objects. For instance, the packer detection tool “PEiD” can be instantiated as peid = Peid(“MySample.exe”), then its methods can be defined as peid.deep_scan(), all from a BPH Script. A Sample’s Object’s methods (sample.symbols()) and its attributes (sample.md5, sample.path, etc.) can be accessed as well. A single “BPH Script” can execute several tools (bundled execution), and the data generated by such tools can be automatically analyzed via a “BPH Analysis” module. BLACKPHENIX users can also easily integrate their own tools/scripts into the framework.

How This Tool Can Be Used

Analysts can use the framework to perform automated, virtual machine-based malware analysis activities by automating the execution of well-known analysis tools, custom tools, and scripts that run in a remote virtual machine. They can do this through the execution of python scripts called “BPH Scripts” and “BPH Analysis Modules” to perform parsing and further data analysis.

A malware analyst can use the framework to fulfill a specific requirement that needs to be performed within a tight schedule, such as writing a quick prototype to collect specific data when a malware sample behaves in certain way. 

What Are BLACKPHENIX (BPH) Scripts?

BPH Scripts are python scripts that import Windows tools python modules (BPH Plug-ins) and contain execution instructions for one or more imported tools (bundled execution). For instance, a BPH script can call the UPX tool to unpack a compressed UPX executable and the next instruction can call another tool, such as ExeInfoPe or any other tool selected by the user. Since BPH Scripts are simply python scripts, a user can introduce non-BPH python code written to adapt the results to specific analysis or research requirements.

The following code illustrates the BPH Script structure of the ExeInfoPe tool. Once this script is executed, BLACKPHENIX processes the file, executing its tool’s default options. After its execution, the data is gathered and sent back to the C&C. The “output()” call displays the tool’s response in its console, and the “files()” call lists the absolute path of such files.
 

# Tool imports

from bph.tools.windows.exeinfope import BphExeInfoPe as ExeInfoPe

 

# Core Imports

from bph.core.server.template import BphTemplateServer as TemplateServer

from bph.core.session import BphSession as Session

from bph.core.sample import BphLabFile as LabFile

 

session = Session(project_name='blackhat_arsenal_2019')

session.start()

session.set_launcher(move_sample=False)

 

templateserver = TemplateServer()

templateserver.start()

 

sample_file = LabFile(session.launcher_abs_path)

 

exeinfope = ExeInfoPe(sample_file)

exeinfope.default()

exeinfope.execute()

exeinfope.output()

exeinfope.files()

BPH Scripts - Execution Demos

To help users better understand how this all works, I am sharing some videos I presented at BlackHat Arsenal 2019 showcasing BPH script executions and interactions between the BPH Controller and Analysis virtual machines – all together.

All BPH Scripts can be found in the “examples” folder of the framework’s package.

Malware Initial Assessment (PEStudio)

Packer Detection & Automatic Unpacking (ExeInfoPe + UPX) 

Behavioral Analysis (Procmon) 

XOR-Key Scanning (XorSearch)

Debugger Execution (OllyDbg + OllyScript)

Memory Dumping - Malware Execution - W32/Farfli.PZ!tr (pd32)

Network Traffic - Malware Execution – W32/Agent.J!tr (NetworkTrafficView)

Supported Tools (v1.0.0)

BLACKPHENIX provides support for the following tools:

*Upcoming release

Where Can I Download BLACKPHENIX?

The BLACKPHENIX Framework can be downloaded from the following URL:

https://github.com/fortinet/ips-bph-framework

Users can refer to the “BPH Implementation Manual” and “BPH Script Development Guide” documentation which is located in the “docs” folder.

Contact

BLACKPHENIX Dev Team
bph_framework@fortinet.com

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.