chainguard-dev / malcontent

#supply #chain #attack #detection
Apache License 2.0

scan quietly quits if a critical finding is found and multiple folders are provided #478

Closed tstromberg closed 1 month ago

tstromberg commented 1 month ago

If you pass multiple folders in, scan appears to exit after the first critical finding:

```
% mal scan ~/Desktop ~/Downloads
[CRIT] /Users/t/Desktop/x2.sh: 
- combo/dropper/shell (change dir, fetch file via tor, make it executable, and run it)
- 3P/signature_base/susp/indicators (Detects indicators often found in linux malware samples)
```

In comparison:

```
% mal scan ~/Downloads

[CRIT] /Users/t/Downloads/d801ad1beeab3500c65434da51326d7648a3c54923d794b2411b7b6a2960f31e.macho: 
- combo/stealer/wallet (makes HTTPS connections and references multiple Chrome crypto wallet extensions)
- malware/family/beaver_tail (Beaver Tail Infostealer)
- secrets/keychain (steals login keychain)

[CRIT] /Users/t/Downloads/e064158742c9a5f451e69b02e83eea9fb888623fafe34ff5b38036901d8419b4.macho: 
- combo/dropper/macos (dropper that hides it's payload using chflags)
- combo/dropper/shell (fetches, chmods, and runs a program)
- combo/stealer/notes (steals the contents of macos Stickies application)
- malware/family/rustdoor (Rustdoor v2)
- privesc/osascript (uses osascript to prompt for a sudo password)

[CRIT] /Users/t/Downloads/e6e3f77e3e3156ea656e6097509a1b6880f723b78b1575c3e1b074c05e93af1e.elf: 
- 3P/signature_base/susp/gobfuscate (Identifies binaries obfuscated with gobfuscate)

[CRIT] /Users/t/Downloads/ec9fe93b08af6bbbaf14d7ae1ae00cf04bd052fe7fc9c59470b6d30a5e0f856d.elf: 
- tools/backdoor/silver (Sliver C2 implant)
- 3P/elastic/multi/sliver (Detects Multi Trojan Sliver (Multi.Trojan.Sliver))
- 3P/ditekshen/sliver (Detects Sliver implant cross-platform adversary emulation/red team)
- 3P/signature_base/susp/gobfuscate (Identifies binaries obfuscated with gobfuscate)

[CRIT] /Users/t/Downloads/libdpt1.so: 
- evasion/packer/ezuri (packed with Ezuri (AES))
```

tstromberg commented 1 month ago

cc @egibs

egibs commented 1 month ago

Oh interesting. I'll take a look.

egibs commented 1 month ago

This is likely due to only supporting a single scan path (so in your example it only considered ~/Desktop):

```go
// Fragment of the scan command's argument handling (urfave/cli style):
// only the first positional argument ever becomes a scan path, so any
// additional folders on the command line are silently ignored.
case c.String("image") == "" && !c.Bool("processes"):
    cmdArgs := c.Args().Slice()
    mc.ScanPaths = []string{cmdArgs[0]}
```

I'll work on a PR to support multiple scan paths.
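As an added illustration of the behaviour discussed in this thread (example code written for this page, not code from the malcontent repository or its pull request), the block below places the single-path logic next to a hypothetical multi-path replacement. `firstPathOnly`, `allScanPaths` and `droppedPaths` are invented names; the replacement keeps every positional argument, drops exact duplicates after `filepath.Clean`, and treats an empty argument list as an error instead of a silent no-op. `droppedPaths` makes the coverage gap visible: it lists the folders a scan would never have looked at, which is the part a user is most likely to miss when the tool exits without complaint.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// firstPathOnly mirrors the single-path behaviour described in the issue:
// only args[0] becomes a scan path, every later folder is silently ignored.
func firstPathOnly(args []string) []string {
	if len(args) == 0 {
		return nil
	}
	return []string{args[0]}
}

// allScanPaths is the hypothetical multi-path replacement (not the project's
// code): every non-empty positional argument is cleaned and kept, duplicates
// are dropped with order preserved, and no arguments at all is an error.
func allScanPaths(args []string) ([]string, error) {
	seen := make(map[string]bool, len(args))
	paths := make([]string, 0, len(args))
	for _, a := range args {
		if a == "" {
			continue
		}
		p := filepath.Clean(a)
		if seen[p] {
			continue
		}
		seen[p] = true
		paths = append(paths, p)
	}
	if len(paths) == 0 {
		return nil, errors.New("no scan paths given")
	}
	return paths, nil
}

// droppedPaths reports which requested paths the single-path logic would
// never scan, i.e. the blind spot a user hits when passing several folders.
func droppedPaths(args []string) []string {
	kept := firstPathOnly(args)
	var dropped []string
	for _, a := range args {
		if len(kept) > 0 && a == kept[0] {
			continue
		}
		dropped = append(dropped, a)
	}
	return dropped
}

func main() {
	// Constructed example arguments; in a real CLI these come from os.Args.
	args := []string{"/Users/t/Desktop", "/Users/t/Downloads"}
	if len(os.Args) > 1 {
		args = os.Args[1:]
	}
	fmt.Println("single-path logic scans:", firstPathOnly(args))
	fmt.Println("silently skipped:       ", droppedPaths(args))
	all, err := allScanPaths(args)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("multi-path logic scans: ", all)
}
```

Run it with no arguments to see the two folders from the original report, or pass your own list; the point is that the first version reports nothing about the folders it skipped.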