mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
301 lines
12 KiB
Markdown
301 lines
12 KiB
Markdown
---
|
|
name: performing-firmware-malware-analysis
|
|
description: >
|
|
Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications
|
|
targeting routers, IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction,
|
|
filesystem analysis, binary reverse engineering, and bootkit detection. Activates for
|
|
requests involving firmware security analysis, IoT malware investigation, UEFI rootkit
|
|
detection, or embedded device compromise assessment.
|
|
domain: cybersecurity
|
|
subdomain: malware-analysis
|
|
tags: [malware, firmware, IoT, UEFI, embedded-security]
|
|
version: 1.0.0
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
---
|
|
|
|
# Performing Firmware Malware Analysis
|
|
|
|
## When to Use
|
|
|
|
- A compromised IoT device or router needs firmware analysis to identify implanted backdoors
|
|
- Investigating UEFI/BIOS rootkits that persist across OS reinstallations
|
|
- Analyzing firmware updates for supply chain compromise or malicious modifications
|
|
- Extracting and examining embedded Linux filesystems from IoT device firmware images
|
|
- Verifying firmware integrity after a suspected hardware or firmware-level compromise
|
|
|
|
**Do not use** for standard operating system malware; use PE/ELF analysis tools for OS-level malware on conventional systems.
|
|
|
|
## Prerequisites
|
|
|
|
- binwalk installed for firmware image analysis and extraction (`pip install binwalk`)
|
|
- Ghidra with ARM/MIPS architecture support for embedded binary reverse engineering
|
|
- UEFI Tool (UEFITool) for UEFI firmware parsing and analysis
|
|
- Firmware Analysis Toolkit (FAT) or EMBA for automated firmware analysis
|
|
- QEMU for emulating extracted firmware filesystems
|
|
- Cross-compilation toolchains for ARM, MIPS, and other embedded architectures
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Extract and Identify Firmware Components
|
|
|
|
Analyze the firmware image structure and extract filesystems:
|
|
|
|
```bash
|
|
# Identify embedded filesystems and compressed data
|
|
binwalk firmware.bin
|
|
|
|
# Extract all identified components
|
|
binwalk -e firmware.bin
|
|
|
|
# Recursive extraction with signature scanning
|
|
binwalk -eM firmware.bin
|
|
|
|
# Output typically includes:
|
|
# - Bootloader (U-Boot, GRUB, custom)
|
|
# - Kernel image (Linux, RTOS)
|
|
# - Root filesystem (SquashFS, JFFS2, CramFS, ext4)
|
|
# - Configuration data
|
|
# - Digital signatures or checksums
|
|
|
|
# Entropy analysis to find encrypted or compressed regions
|
|
binwalk -E firmware.bin
|
|
|
|
# Identify specific filesystem types
|
|
file _firmware.bin.extracted/*
|
|
|
|
# For SquashFS filesystems
|
|
unsquashfs _firmware.bin.extracted/squashfs-root.img
|
|
ls squashfs-root/
|
|
```
|
|
|
|
### Step 2: Analyze the Extracted Filesystem
|
|
|
|
Search for malicious modifications in the firmware filesystem:
|
|
|
|
```bash
|
|
# Directory structure analysis
|
|
find squashfs-root/ -type f | head -50
|
|
|
|
# Search for suspicious files
|
|
find squashfs-root/ -name "*.sh" -exec ls -la {} \;
|
|
find squashfs-root/ -perm -4000 -type f # SUID binaries
|
|
find squashfs-root/ -name "*.so" -newer squashfs-root/bin/busybox # Modified libraries
|
|
|
|
# Check startup scripts for backdoors
|
|
cat squashfs-root/etc/init.d/rcS
|
|
cat squashfs-root/etc/inittab
|
|
ls -la squashfs-root/etc/rc.d/
|
|
|
|
# Search for hardcoded credentials
|
|
grep -rn "password\|passwd\|secret\|key\|token" squashfs-root/etc/ 2>/dev/null
|
|
grep -rn "root:" squashfs-root/etc/shadow 2>/dev/null
|
|
|
|
# Check for unauthorized SSH keys
|
|
find squashfs-root/ -name "authorized_keys" -exec cat {} \;
|
|
|
|
# Network configuration backdoors
|
|
cat squashfs-root/etc/hosts
|
|
grep -rn "iptables\|nc\|netcat\|ncat" squashfs-root/etc/ squashfs-root/usr/bin/
|
|
|
|
# Check for reverse shells in cron
|
|
find squashfs-root/ -name "crontab" -o -name "cron*" | xargs cat 2>/dev/null
|
|
|
|
# Identify all ELF binaries for analysis
|
|
find squashfs-root/ -type f -exec file {} \; | grep ELF
|
|
```
|
|
|
|
### Step 3: Reverse Engineer Suspicious Binaries
|
|
|
|
Analyze extracted binaries that may be backdoors:
|
|
|
|
```bash
|
|
# Identify architecture and format
|
|
file squashfs-root/usr/bin/suspicious_binary
|
|
|
|
# Extract strings for IOC discovery
|
|
strings squashfs-root/usr/bin/suspicious_binary | grep -iE "http|ip|port|shell|connect|exec"
|
|
|
|
# Cross-reference against known firmware binaries
|
|
# Compare SHA-256 hashes with known-good firmware
|
|
sha256sum squashfs-root/usr/bin/* > current_hashes.txt
|
|
# diff against baseline: diff baseline_hashes.txt current_hashes.txt
|
|
|
|
# Import into Ghidra for disassembly (select correct architecture)
|
|
# ARM: ARM/AARCH64 (Little Endian for most IoT devices)
|
|
# MIPS: MIPS/MIPS64 (Big or Little Endian depending on device)
|
|
# x86: For UEFI modules
|
|
|
|
# Analyze with radare2 for quick triage
|
|
r2 -A squashfs-root/usr/bin/suspicious_binary
|
|
# Commands: afl (function list), pdf @main (disassemble main), iz (strings)
|
|
```
|
|
|
|
### Step 4: UEFI/BIOS Firmware Analysis
|
|
|
|
Analyze system firmware for bootkits and implants:
|
|
|
|
```bash
|
|
# Extract UEFI firmware volumes with UEFITool
|
|
# GUI: UEFITool -> File -> Open -> Select firmware.rom
|
|
# CLI: UEFIExtract firmware.rom
|
|
|
|
# Analyze UEFI firmware with chipsec (requires hardware access)
|
|
python chipsec_main.py -m common.bios_wp # BIOS write protection
|
|
python chipsec_main.py -m common.spi_lock # SPI flash lock
|
|
python chipsec_main.py -m common.secureboot # Secure Boot status
|
|
python chipsec_main.py -m common.uefi.s3bootscript # S3 resume script
|
|
|
|
# Dump UEFI firmware from live system
|
|
python chipsec_util.py spi dump firmware_dump.rom
|
|
|
|
# Compare with known-good firmware
|
|
sha256sum firmware_dump.rom
|
|
# Compare against vendor-provided firmware hash
|
|
|
|
# Scan for known UEFI malware signatures
|
|
yara -r uefi_malware_rules.yar firmware_dump.rom
|
|
```
|
|
|
|
```
|
|
Known UEFI Malware Families:
|
|
━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
LoJax: First in-the-wild UEFI rootkit (APT28/Fancy Bear)
|
|
Modifies SPI flash to drop persistence agent
|
|
MosaicRegressor: Modular UEFI framework dropping multiple payloads
|
|
CosmicStrand: UEFI firmware rootkit modifying kernel during boot
|
|
BlackLotus: UEFI bootkit bypassing Secure Boot on Windows 11
|
|
ESPecter: ESP (EFI System Partition) bootkit modifying boot manager
|
|
MoonBounce: SPI flash implant modifying CORE_DXE module
|
|
FinSpy UEFI: Surveillance software with UEFI persistence
|
|
```
|
|
|
|
### Step 5: Emulate Firmware for Dynamic Analysis
|
|
|
|
Run extracted firmware in an emulated environment:
|
|
|
|
```bash
|
|
# Emulate ARM-based IoT firmware with QEMU
|
|
# Mount the extracted filesystem
|
|
sudo mount -o loop squashfs-root.img /mnt/firmware
|
|
|
|
# Chroot into the firmware with QEMU user-mode emulation
|
|
sudo cp /usr/bin/qemu-arm-static /mnt/firmware/usr/bin/
|
|
sudo chroot /mnt/firmware /bin/sh
|
|
|
|
# Or use firmadyne for automated firmware emulation
|
|
# https://github.com/firmadyne/firmadyne
|
|
python3 fat.py firmware.bin
|
|
|
|
# Network service analysis within emulated firmware
|
|
# Scan for open ports and services
|
|
nmap -sV localhost -p 1-65535
|
|
|
|
# Monitor network traffic from emulated firmware
|
|
tcpdump -i tap0 -w firmware_traffic.pcap
|
|
```
|
|
|
|
### Step 6: Document Firmware Analysis
|
|
|
|
Compile comprehensive firmware analysis findings:
|
|
|
|
```
|
|
Analysis documentation should cover:
|
|
- Firmware image metadata (vendor, model, version, build date)
|
|
- Extraction results (filesystem type, kernel version, architecture)
|
|
- Modified files compared to known-good baseline
|
|
- Backdoor binaries discovered with reverse engineering findings
|
|
- Hardcoded credentials and unauthorized access mechanisms
|
|
- Network services and their security posture
|
|
- UEFI/BIOS integrity verification results
|
|
- Extracted IOCs (IPs, domains, file hashes, SSH keys)
|
|
- Remediation recommendations (reflash, replace, update)
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|------------|
|
|
| **Firmware** | Software permanently stored in device hardware (flash memory, EEPROM) controlling low-level device operations and boot process |
|
|
| **UEFI (Unified Extensible Firmware Interface)** | Modern system firmware replacing legacy BIOS; provides boot services, runtime services, and a modular driver architecture |
|
|
| **SPI Flash** | Serial Peripheral Interface flash memory chip storing UEFI/BIOS firmware; can be read and modified for persistence |
|
|
| **Secure Boot** | UEFI feature verifying digital signatures of boot components to prevent unauthorized code execution during startup |
|
|
| **SquashFS** | Read-only compressed filesystem commonly used in embedded Linux firmware for space-efficient storage |
|
|
| **Bootkit** | Malware infecting the boot process (MBR, VBR, UEFI) to load before the operating system and evade OS-level security |
|
|
| **Firmware Emulation** | Running extracted firmware in a virtual environment (QEMU, firmadyne) to analyze behavior without physical hardware |
|
|
|
|
## Tools & Systems
|
|
|
|
- **binwalk**: Firmware analysis tool for scanning, extracting, and analyzing embedded file systems and compressed data in firmware images
|
|
- **UEFITool**: Open-source UEFI firmware image parser and extractor for analyzing UEFI volumes, modules, and drivers
|
|
- **chipsec**: Intel's open-source framework for platform security assessment including SPI flash, Secure Boot, and UEFI analysis
|
|
- **firmadyne**: Automated firmware analysis and emulation platform for Linux-based embedded devices
|
|
- **Ghidra**: NSA's reverse engineering tool with ARM, MIPS, and other embedded architecture support for firmware binary analysis
|
|
|
|
## Common Scenarios
|
|
|
|
### Scenario: Investigating a Compromised Router with Persistent Backdoor
|
|
|
|
**Context**: A network router continues to exhibit suspicious behavior (unexpected DNS resolutions, traffic to unknown IPs) even after factory resets. Firmware-level compromise is suspected.
|
|
|
|
**Approach**:
|
|
1. Dump the firmware from the router using JTAG/UART debug interface or vendor management tools
|
|
2. Extract the filesystem with binwalk and identify the Linux distribution and kernel version
|
|
3. Compare file hashes against known-good firmware image from the vendor
|
|
4. Search startup scripts (rcS, inittab, crontab) for backdoor entries
|
|
5. Analyze any modified or new binaries with Ghidra (ARM/MIPS architecture)
|
|
6. Check for hardcoded credentials, unauthorized SSH keys, and reverse shell scripts
|
|
7. Emulate the firmware to observe network behavior and identify C2 communication
|
|
|
|
**Pitfalls**:
|
|
- Not dumping firmware from the actual device (downloading from vendor site gives clean version, not the compromised one)
|
|
- Ignoring modified shared libraries (.so files) that may hook system functions
|
|
- Missing firmware modifications stored outside the main filesystem (bootloader, configuration partitions)
|
|
- Not checking both the primary and backup firmware partitions (some devices have dual-bank flash)
|
|
|
|
## Output Format
|
|
|
|
```
|
|
FIRMWARE MALWARE ANALYSIS REPORT
|
|
===================================
|
|
Device: NetGear R7000 Router
|
|
Firmware Version: V1.0.11.116 (modified)
|
|
Architecture: ARM (Little Endian)
|
|
Filesystem: SquashFS (Linux 3.4.103)
|
|
Dump Method: UART debug console
|
|
|
|
INTEGRITY CHECK
|
|
Vendor Firmware Hash: aaa111bbb222... (clean V1.0.11.116)
|
|
Analyzed Firmware Hash: ccc333ddd444... (MISMATCH)
|
|
Modified Files: 14 files differ from vendor baseline
|
|
|
|
BACKDOOR FINDINGS
|
|
[!] /usr/bin/httpd_backdoor (new binary, not in vendor firmware)
|
|
Architecture: ARM 32-bit
|
|
Function: Reverse shell to 185.220.101[.]42:4444
|
|
Persistence: Added to /etc/init.d/rcS
|
|
|
|
[!] /etc/shadow modified
|
|
Root password changed to known hash
|
|
New user 'admin2' added with UID 0
|
|
|
|
[!] /etc/crontab modified
|
|
Added: */5 * * * * /usr/bin/httpd_backdoor
|
|
|
|
[!] /root/.ssh/authorized_keys (new file)
|
|
Contains attacker's SSH public key
|
|
|
|
EXTRACTED IOCs
|
|
C2 IP: 185.220.101[.]42
|
|
C2 Port: 4444
|
|
SSH Key: ssh-rsa AAAA... attacker@control
|
|
Backdoor Hash: eee555fff666...
|
|
|
|
REMEDIATION
|
|
1. Flash clean vendor firmware via TFTP recovery mode
|
|
2. Change all device credentials
|
|
3. Update to latest firmware version
|
|
4. Enable firmware integrity checking if available
|
|
5. Monitor for re-compromise indicators
|
|
```
|