Malware Masquerade (backend) #3241

Closed
11 tasks done
mssalvatore opened this issue Apr 22, 2023 · 0 comments · Fixed by #3256
Labels
Complexity: Medium Feature Issue that describes a new feature to be implemented. Impact: Medium sp/5
mssalvatore commented Apr 22, 2023

Description

Masquerade - to assume the appearance of something one is not [1]

A common way of detecting and identifying an executable as malware is to write a detection rule (for a tool like YARA) that checks for the existence of strings or unique byte sequences within the file. In order to improve the fidelity of Infection Monkey's malware emulation, users should be able to specify arbitrary data that will be injected into the agent binaries. This will enable Infection Monkey Agents to masquerade as specific types of malware. This may be particularly useful for a user who writes their own detection rules and needs a way to test them.

Approach

A null byte (or a few null bytes) followed by the desired data (bytes) can be appended to Linux or Windows binaries with no ill effects. The appended data will not execute, but simply be present within the binary.

See [2] for a note on signed Windows binaries.

Tasks

  • Create a MasqueradeAgentBinaryRepositoryDecorator. This will wrap IAgentBinaryRepository methods and append the masque data (supplied to the decorator's constructor) to the agent binaries when they are requested. (0d) @ilija-lazoroski
    • Don't forget caching
  • Add an apply_{linux,windows}_masque(masque: Optional[bytes]) function to IAgentBinaryService (0d) @mssalvatore
    • Implement AgentBinaryService.apply_{linux,windows}_masque(masque: Optional[bytes]). It should apply the masque decorator to the repository if the masque is not None, or remove the decorator if masque is None.
  • Add flask resources for GET/PUT /api/agent-binaries/{linux,windows}/masque (0d) - @shreyamalviya
    • The endpoint should accept raw bytes/octets
    • Don't forget unit tests
  • Modify one or more ETE tests to apply a masque. (0d) - @shreyamalviya
    • Depth 1
    • Depth 4
  • Remove vulture entries
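The append-after-null-bytes approach and the decorator described above, as an added illustration that is not Infection Monkey's own code: `InMemoryAgentBinaryRepository`, the four-byte padding and the `contains_signature` check (standing in for a string-based YARA rule) are assumptions made for this example.

```python
from typing import Dict, Optional

# Constructed stand-in for the real IAgentBinaryRepository interface (assumption).
class InMemoryAgentBinaryRepository:
    def __init__(self, linux: bytes, windows: bytes):
        self._linux = linux
        self._windows = windows

    def get_linux_binary(self) -> bytes:
        return self._linux

    def get_windows_binary(self) -> bytes:
        return self._windows


NULL_PADDING = b"\x00" * 4  # a few null bytes separating the real binary from the masque


def apply_masque(binary: bytes, masque: Optional[bytes]) -> bytes:
    """Append the masque after null padding; None means the binary is left untouched."""
    if masque is None:
        return binary
    return binary + NULL_PADDING + masque


class MasqueradeAgentBinaryRepositoryDecorator:
    """Wraps a repository and appends masque data to the binaries it hands out.

    Results are cached per masque so the concatenation is not redone on every request.
    """

    def __init__(self, repository, linux_masque: Optional[bytes] = None,
                 windows_masque: Optional[bytes] = None):
        self._repository = repository
        self._linux_masque = linux_masque
        self._windows_masque = windows_masque
        self._cache: Dict[str, bytes] = {}

    def get_linux_binary(self) -> bytes:
        if "linux" not in self._cache:
            self._cache["linux"] = apply_masque(self._repository.get_linux_binary(), self._linux_masque)
        return self._cache["linux"]

    def get_windows_binary(self) -> bytes:
        if "windows" not in self._cache:
            self._cache["windows"] = apply_masque(self._repository.get_windows_binary(), self._windows_masque)
        return self._cache["windows"]


def contains_signature(binary: bytes, signature: bytes) -> bool:
    """Minimal stand-in for a string-matching detection rule: does the byte sequence occur?"""
    return signature in binary
```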
@mssalvatore mssalvatore added this to the v2.2.0 milestone Apr 22, 2023
mssalvatore added a commit that referenced this issue Apr 24, 2023
This service will have more meat after #3241.