Hands-on Cybersecurity Studies: Uncovering and Decoding Malware Communications-Initial Analysis with Wireshark and Volatility

This report presents the first of three hands-on software reverse-engineering exercises with the ultimate objective of learning how a particular malware malicious software is communicating across a network, and developing software to detect and reveal these communications in plaintext, in vivo. Remote access trojans RATs are a type of malware that persist on the infected machine after compromise and provide the malicious actor in control of the malware with remote access to the infected machine via established command-and-control channels. RATs are typically spread through phishing emails or websites where the software is downloaded without the user knowing it can also spread by taking advantage of vulnerabilities in software running on the victims devices. This report details the first of three software reverse-engineering exercises, which can be completed cumulatively or individually as each accomplishes a specific task and builds off the previous exercise. This exercise entails identifying and extracting malware that will be used in subsequent exercises. The effects and communications of RATs are demonstrated, and participants are guided through a series of steps leveraging the open-source Wireshark tool to analyze suspicious network traffic and the Volatility tool to pinpoint and extract malicious files within a previously captured memory image.