Updates RAT King Parser to commit b85abe5 #2302
Open
Hi CAPE Team!
This PR brings the CAPEv2 implementation of RAT King Parser (ported over by @doomedraven - thank you again 💖) to the latest commit of the RAT King Parser.
The updates included introduce a few key changes to the parser that produced better reliability of the parser across a large sample set of AsyncRAT/DcRAT/VenomRAT/QuasarRAT/XenoRAT/XWorm samples, particularly among obfuscated samples.
I also swapped out the existing AsyncRAT and XWorm parsers in CAPEv2 with the RAT King Parser, as I believe RKP will be more robust than the existing configuration parsers since it's designed not to rely on specific config field names (as these are often obfuscated or changed by malware authors). However, if you would prefer to keep those existing parsers, please feel free to revert my changes.
I tried to keep the changes minimal and align them with the CAPEv2 style guide, but would appreciate someone checking the format and testing the configuration parsers within CAPE as I do not have a local instance stood up yet to test on.
Lastly, I am using a specific set of YARA rules in the non-ported version of RAT King Parser to detect payloads that can be extracted with RKP. You can find those in the RKP repository, or in my YARA signature repo, if they are needed for testing, and the following samples (found in the RKP README) can also be downloaded and used for testing:
Please let me know if there are any questions or edits to be made, and thank you for your continued contributions to the community!