Ironcat Malware Suite
Ironcat is Public
It’s been a few years. And despite me lacking the inate ability to update my own blog. A lot has happened! Ironcat, is more than my handle, more than a malware family. It’s now an initiative. A multi year experience that has gained me a ton of knowledge about gaps in security. Not just the rapidly failing anti-virus products. But, the functions and processess that we, ALL OF US, are still too immature to fully leverage in our enterprise security strategies.
But I will save that for a different blog post, with more warning about an incoming rant.
Here’s the thing. Ironcat Ransomware was simply v1.0, I’m now on v4.0. Things got a little out of hand.
v1.5 RSAC21
Facinated with the idea that a person could make malware, that was for education and now research. But that would totally evade anti-virus, even while using basic and sometimes quite old techniques, I decided to iterate, and explore this with a talk and workshop on the same topic.
RSAC21 Ironcat Based Ransomware Talk
v2.0 Ironcat Strikes Back
Developed for more advanced threat actor emulation and to test tooling and human responses to a ransomware event. This new version leveraged some learned yara rule evastion, added additional cat ASCII, split processes and added situationally based behavior. Notably, it now talks out to hello.iamironcat.com. Which provides a decent amount of telemetry for uses where it SHOULD NOT BE USED.
v2.5 Fluffy Kittens Backwards
If you want a more advanced experience, this version added some upgrades such as a persistent webshell, and removal of the use of batch file artifacts for code execution. All done to support an experience you can spin up and work through on Pluralsight.
Pluralsight Ironcat Ransomware Lab - Need Account
v3.0 Return of the Ironcat
The most recent advancement used for enterprise training. You know what is boring? Predictable strings and md5 hashes. Noticing that hashes were used WAY too much, this malware changes it’s own properties randomly on execution and as it copies itself on a given system, and few other upgrades along the way :), including a changed domain address and support for better server side reporting.
v3.5 RSAC 22
I don’t like doing things the same, so this one finally moved primary execution away from the file system and into memory!
RSAC22 Ironcat Based Ransowmare Workshop
Why do this?
Now having a 3 year old malware family that has been consistently evolved, leaked and detected by major security vendors, allows a unique research opportunity. Owning the source code I can repetitively tweak the details of execution to identify weak and strong points in anti-virus detection. Beyond anti-virus products, there is now a wide range of TTP’s from basic to more advanced that can be mixed and matched to match the level of an organization that wants to test their reponse and defensive capabilities. This data, is extremely valuable.
So along that vein, I will be launching ironcat.io over the next few months. Along with distributing multi year old versions of this malware with detections, and fully forensic information, I will also be devleoping a cyclical product to show the gaps in anti-virus and other automated detections.
The idea is that this will raise the awareness and subsequently the bar for security vendors as well as the general defensive industry. Hopefuly it humanizes the threat a bit. Malware authors are just humans, and malware itself is just software.