Malware Analysis is very critical when it comes to incident response. When an organization is attacked by a Malware - it is very essential that the malware be properly analyzed to estimate the severity of the attack and figure out what details and resources are compromised in-order to come up with an appropriate and necessary response to that security incident.
It is also fun doing Malware analysis because you get to discover new techniques that Malware authors use to bypass detection.
In this article, I demonstrate how to setup a Cloud Hosted Malware analysis lab using REMnux.
Let me tell you why a cloud hosted lab for performing malware analysis is better than a lab running on your local machine - It is safer and there is less risk of your personal machine getting infected with all the malware you will be dissecting. There's no doubt that you are going to execute different kinds of malicious binaries on your lab to analyze them - but what if the malicious binary you are executing has some kind of functionality that enables it to escape your sandbox and do damage outside of it? This is where a Cloud hosted lab has the advantage, since it is running on the cloud it can't affect your personal computer, and your digital footprint is also not compromised - as simple as that!
Setting up a Cloud hosted Malware Analysis Lab with Kasm and REMnux
We'll be using Kasm Workspaces to stream the REMnux docker image directly from a web browser! Which means you'll be able to use your lab from within your browser! Very convenient, isn't it? It is also super easy to setup.
Kasm Workspaces is a docker streaming platform using which you can stream different docker apps from your web browser. You get a neat dashboard that lists all your installed docker images, and also lets you add new docker images with a clean interface. It also provides various other features like session casting, customize your branding, etc. The community version of Kasm Workspaces is free to use - so go ahead and give it a try, I'm sure you will love it!
In this article, I will be setting up my Lab on an AWS EC2 instance. Feel free to use any other cloud provider as you wish.
Installing Kasm Workspaces
You can find out the minimum system requirements for Kasm from this page.
- Create a swap partition
sudo dd if=/dev/zero bs=1M count=1024 of=/mnt/1GiB.swap
sudo chmod 600 /mnt/1GiB.swap
sudo mkswap /mnt/1GiB.swap
sudo swapon /mnt/1GiB.swap- Make the swap file available on boot
echo '/mnt/1GiB.swap swap swap defaults 0 0' | sudo tee -a /etc/fstab- Download Kasm Workspaces.
cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.12.0.d4fd8a.tar.gz- Extract with tar and install
tar -xf kasm_release*.tar.gz
sudo bash kasm_release/install.shOnce Kasm is installed, you will be prompted with the credentials to log in to Kasm, make sure you note them down. You can also change these randomly generated credentials later.
Now, go to https://<YOUR_IP>:443 in your browser, this will take you to the login page of Kasm Workspaces. Log in with your credentials that are generated during the installation. You will now be taken to your dashboard.
Installing REMnux on Kasm
To install the REMnux docker image on Kasm,
- Go to the 'Admin' tab and then 'Workspaces'. In this list, find REMnux and select 'Edit'
- Enable the image, and click 'Submit'
- Kasm is now going to pull the REMnux image from docker hub. Give it a good 5 minutes before going back to the 'Workspaces' tab. Once the image is downloaded, you can see it is listed in your installed apps.
- Now, you can simply spawn up a container (or a "session") of the REMnux image.
- You now have an instance of REMnux and you can access it directly from your browser. In-order to upload files to your instance, select the arrow icon on the left side and click 'Upload'
And that's it! You now have yourself an easily accessible Malware Analysis Lab that is hosted on the cloud!
Once you are done using your lab, you can immediately destroy your session by clicking 'Delete Session' and everything will be erased and reset back to normal!