How to
Jonathan Crowe
Jun 2017

Introducing Stackhackr: Test Your Security by Building Mock Malware

Stackhackr is a new free malware simulation tool designed for testing your business’s endpoint security. Try it now.

See how safe your company is from malware — by building your own

Stackhackr lets you create and customize your own mock malware that simulates malicious behavior — without actually doing any harm on your machine. It’s a quick and safe way to find out whether your company’s machines are vulnerable to real attacks.

In just two minutes you can build and customize your own mock malware and see how your current security stands up to two of the most common and damaging types of cyber attack — ransomware and credential theft.

  • Want to jump right in and try stackhackr out? Visit: https://stackhackr.barkly.com/ 
  • Or keep reading for more info on how stackhackr works and to see screenshots of the tool in action.

Can your security block fileless attacks?

Question: How do you know whether your security is actually capable of blocking the latest malware when the latest malware looks different every day? 

These days, testing to see whether your AV is up-to-date with the latest blacklisted file signatures isn’t enough. That's because much of today's malware is modified to evade detection by file-scanning. In fact, more and more of it is designed to be distributed and/or executed filelessly.

To truly know whether you're protected against evasive, fileless attacks, you need to know not only how your security responds to the presence of known malicious files, but also how it responds to malicious behavior.

And you need to know that before a real attack gives you the answer.

Stackhackr will tell you whether your security can detect malicious behavior associated with two of the most common cyber attacks — ransomware and credential theft.

Stackhackr walkthrough

Curious to see what stackhackr looks like in action? Let’s walk through a testing scenario step by step.

[Screenshot: Stackhackr homepage]

A quick system requirements note before we dive in: Stackhackr currently runs on Windows 7, 8.1, and 10. 

Step 1: Choosing an attack vector

[Screenshot: attack vector selection]

The first step is choosing an attack vector. This is really just a fun way of getting the testing executable onto our machine. It’s also a good reminder that there are many ways malware can be distributed.

There are three attack vector options to choose from:

  • Drive-by download
  • Phishing
  • Malvertising

For this walk-through, let’s pick malvertising. That means when we launch the test, the first thing we’ll see is a browser window open on a fake website (“The Funyun”) with a mock malicious ad carrying our payload.

Speaking of payloads, that’s the next thing for us to pick.

Step 2: Choosing a payload

[Screenshot: payload selection]

The payload will determine which type of simulated malware behavior will attempt to run on our machine.

Currently, the two options are:

  • Ransomware: This payload simulates deleting shadow volume copies by creating a script hidden in your temp directory. That script then launches an executable to simulate the shadow volume deletion. This is a suspicious string of behaviors common to ransomware, designed to prevent victims from using shadow volume copies to recover encrypted files.
  • Credential theft: This payload simulates another malicious behavior common to cyber attacks — exfiltrating passwords stored on Windows machines in Local Security Authority Subsystem Service (LSASS.exe) memory.
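The two payloads above describe behaviors rather than file signatures, which is exactly what a behavior-based detection has to catch. The following is an added example, not Stackhackr's code and not a description of what the simulation does internally: it runs simple detection logic over constructed, Sysmon-style process telemetry. The event field names, the sample records, the allowlist, and the assumption that shadow-copy deletion shows up as a `vssadmin` or `wmic` command line are all assumptions made for this illustration; the page does not state which command the simulation actually uses.

```python
"""
Behavior-based detection over constructed Windows process telemetry.

Added example: this is NOT Stackhackr code and does not describe the
simulation's internals. Event shapes loosely follow Sysmon (event 1 =
process creation, event 10 = process access); the field names and every
sample record below are constructed for this illustration.
"""
import re

# Script hosts commonly used to stage a second-stage executable.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

# Command-line forms associated with shadow-copy deletion. Which command the
# Stackhackr simulation uses is not stated on the page; these are the
# well-known forms a detection engineer would watch for (assumption).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Get-WmiObject\s+Win32_Shadowcopy.*Delete\(\)", re.I),
]

# A script path under a Temp directory, as in the ransomware payload description.
TEMP_PATH = re.compile(r"\\(?:Temp|Tmp)\\", re.I)

# PROCESS_VM_READ is the access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010
# Hypothetical allowlist of processes expected to open lsass.exe (assumption).
LSASS_READ_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_shadow_copy_deletion(events):
    """Flag shadow-copy deletion, with higher severity when it was launched
    by a script host running a script out of a temp directory."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in by_pid.values():
        if not any(p.search(e["CommandLine"]) for p in SHADOW_DELETE_PATTERNS):
            continue
        parent = by_pid.get(e["ParentProcessId"])
        staged_from_temp = (
            parent is not None
            and basename(parent["Image"]) in SCRIPT_HOSTS
            and TEMP_PATH.search(parent["CommandLine"]) is not None
        )
        findings.append({
            "rule": "shadow_copy_deletion",
            "pid": e["ProcessId"],
            "command": e["CommandLine"],
            "staged_from_temp_script": staged_from_temp,
            "severity": "high" if staged_from_temp else "medium",
        })
    return findings


def detect_lsass_memory_read(events):
    """Flag non-allowlisted processes that open lsass.exe with memory-read rights."""
    findings = []
    for e in events:
        if e["EventID"] != 10 or basename(e["TargetImage"]) != "lsass.exe":
            continue
        granted = int(e["GrantedAccess"], 16)
        if granted & PROCESS_VM_READ and basename(e["SourceImage"]) not in LSASS_READ_ALLOWLIST:
            findings.append({
                "rule": "lsass_memory_read",
                "source": e["SourceImage"],
                "granted_access": hex(granted),
            })
    return findings


# Constructed sample telemetry (not real logs) mirroring the two payload behaviors.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage.vbs"'},
    {"EventID": 1, "ProcessId": 4104, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\payload_sim.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def run_all(events=SAMPLE_EVENTS):
    """Run both detectors and return the combined findings."""
    return detect_shadow_copy_deletion(events) + detect_lsass_memory_read(events)


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Run against the constructed sample, the first detector raises one high-severity finding (the deletion command's parent is a script host running a `.vbs` from a Temp directory) and the second raises one finding for the unallowlisted process reading LSASS memory, while the allowlisted antivirus process opening LSASS with the same rights is ignored. The point a practitioner should take from it is that neither rule looks at a file hash: both key on the parent/child relationship and the access rights, which is what makes them hold up when the file itself changes.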

We also have the option of customizing our payload to change what the ransom screen or credential theft notice looks like.

[Screenshot: payload customization]

If our security fails the test and allows the simulation to run, we’ll see this customized ransom screen pop up.

Step 3: Launching the test

[Screenshot: review and launch step]

Once we’ve chosen our attack vector and payload, the only thing left to do is give them a quick review and read the testing instructions.

Now we’re ready to launch the test! Hitting the “Launch test” button will open a browser window, and since we chose the malvertising attack vector, we see a fake website called “The Funyun” with a conspicuous advertisement enticing us to click.

[Screenshot: mock malvertising page]

Of course, in real life, we’d never click on something this obvious. But in real life attackers are also much more inconspicuous. Point made, let’s click “Download Now” so we can grab our mock payload and run the test.

[Screenshot: “Building your mock malware” notice]

After a short “Building your mock malware” notice we can now see “launcher.exe” has been downloaded. This is the program that will launch the malware simulation.

[Screenshot: launcher.exe downloaded]

Note: If an AV program blocks launcher.exe, it must be allowed to run. The launcher file is not part of the test; it needs to execute in order to launch the actual simulation.

Attention: Note on Windows Defender SmartScreen

Windows 10 users will see Windows Defender SmartScreen flag launcher.exe as an unrecognized app. This isn’t because it detected anything malicious (there’s nothing malicious in the launcher file); it’s simply because the program is new.

To run the launcher, we need to click “More info” and “Run anyway.”

[Screenshots: Windows Defender SmartScreen prompts]

Now the actual simulation will start. When it does, a command prompt box will pop up detailing the simulation activity and progress.

[Screenshot: simulation command prompt]

What happens next will depend on whether our security blocks the simulated malware behavior or not. 

Test result: Your security passed

When we run the simulation with Barkly installed, this is what we see:

[Screenshot: Barkly blocked the simulation]

Barkly recognized the mock malicious behavior and blocked it.

Test result: Your security failed

When we run the simulation without Barkly installed, here is what we see: 

[Screenshot: customized ransom screen]

That’s the ransom screen we customized. If this had been a real ransomware attack, at this point we would know we were infected. 

Behind the ransom screen is a message explaining that the simulation was successful and our security (which wasn’t on in this case) failed the test.

[Screenshot: “security failed” notice]

If you see this notice when you run stackhackr, that unfortunately means you are vulnerable to real attacks. If the mock malware can get past your security, then the real stuff can, too.

Ready to build your own mock malware and put your security to the test? 

Get started at https://stackhackr.barkly.com/ 

Want more technical details on how stackhackr works and what the simulation is doing behind the scenes? Visit: https://www.barkly.com/how-stackhackr-works 

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
