Developer Updates for Morpheus V1 : Latest Progress and Plans

[phantom0004]

Welcome to the Developer Updates thread! Here, I'll keep you informed about the latest progress, upcoming features, and important changes happening in the project. Whether you're a contributor, a user, or just interested in the direction of development, this space is where I will post regular updates to keep everyone in the loop.

[phantom0004]

Project Overview: Upgrade to Ransomsniffer

This project is an upgrade to Ransomsniffer. Since Ransomsniffer will continue to expand, it makes sense to separate it from KRYP0S. This repository will be solely dedicated to:

• Detecting malicious files
• Detecting the KRYPT0S ransomware that was created
• Finding several IOC in files
• Identifying general file information which can be beneficial

I will be adding all relevant updates here. Please ensure that KRYP0S is only used for ransomware updates related to the project.

Thank you for your understanding and collaboration, and welcome to Morpheus.

[phantom0004]

A setup script is being made to gather several used Yara rules and IOC files that will be used with Morpheus, These will be ready made Yara rules that have been tested.

[phantom0004]

Some links include :

• https://github.com/Neo23x0/signature-base.git
• https://github.com/elastic/protections-artifacts
• https://github.com/reversinglabs/reversinglabs-yara-rules
• https://github.com/airbnb/binaryalert

[phantom0004]

A comprehensive setup file has been made, gathering quality Yara files from several directories. This is OS friendly and works both for Windows and Linux based systems. It also cleans any junk/un-used files at the end, ensuring a smooth and clean installation.

More work needs to be done in terms of error handling and neater output, however the script works and gets its malware Yara files from 4 repositories for now (more will be added later).

The downside of this is the large amount of Yara rules that would be accumulated, however this is unavoidable due to the large attack surface and variations of malware, rest assured that the files are not large and the setup script will swiftly install and handle basic errors if encountered.

Note, this setup can be done periodically to ensure the most recent Yara rules, I may create a setup script that will automatically update these rules, however this is currently just an idea.

[phantom0004]

Issues are open, if any problems arise when using the script; make sure to open an issue and I will swiftly respond :)

[phantom0004]

The setup is going through further strenuous updates, this time catering for users who may only want to install the bare necessities, for this I made a menu. Apart from the installation menu flexibility, more error handling is being done to ensure a smooth process as well as customizing the terminal to make it look more pleasing. Below is a snippet of how the menu is coming so far:

[phantom0004]

The Fortress Edition handles MANY Yara files, below is the storage comparison (Storage comparison snapshot of 18/09/2024) :

Fortress Edition : 122 MB worth of sophisticated Yara rules
NanoShield : 11.6 MB worth of bit sized but still effective Yara rules

These Yara rules are coming from well known repositories which are also backed up by much larger projects such as THOR and Loki.

[phantom0004]

The setup.py file has been updated to incorporate recent changes. It now includes a simple log file that tracks the latest updates from repositories using hashed values. In the future, an update_database.py script will be developed to selectively update new YARA rules, enabling Morpheus to automatically refresh its dataset. While this feature is not the top priority at the moment, further improvements will be made to the setup.py file to lay the groundwork for this functionality. For now, users can simply re-run the setup.py file to update the YARA rules. Stay tuned for more updates!

[phantom0004]

A new file has been introduced which will handle the updating of the Yara files, once a user creates all the required files with the "setup.py" file the user will not need to go through this lengthy process again and will simply need to run the updater to see if any updates are available for the current repositories. This is still a work in progress, and I am multi-tasking between this and the file analysis Yara files. The development of the modules will be in progress soon.

[phantom0004]

Morpheus Yara updater has been fully implemented. You all may now use this to update your Yara rules.

[phantom0004]

Working on adding a few other Yara files that specifically use the "pe" module within Yara. This aims to uncover some information of the file at hand and can prove some insightful information such as the architecture and more. Besides this, I am also creating a small Yara file in which this detects some common IOC's in files or suspicious actions. These can be shellcode, nopsleds and more. Keep in mind that Morpheus relies heavily on the other enterprise Yara rules, the Yara rules being developed here WILL NOT be the main rules Morpheus will use, these simply provide more information about the file.

The above are in development, I am also currently renaming some rules to make them more informative and also testing out some rules to ensure they do what they are supposed to do.

These updates are catered mostly to the file analysis folder of Yara, and once this is done implementation of the python imports can be started. This will mark a big start for Morpheus, your patience is appreciated! <3

[phantom0004]

Today marks another day of heavy development in the Yara rules, with several commits done today related to the testing of these rules and adding several new features, work is going to be pushed on adding new rulesets on the "portable_executable_analysis.yar" to ensure a more in-depth analysis for such executable files. Work in progress

[phantom0004]

Development has started for the modules used by Morpheus, this will be a slow and stead development that will be aimed at the functionality of Morpheus. A step further towards the finishing goal.

[phantom0004]

Several updates completed for Morpheus however some issues have occured in the compilation of the Yara rules. This is being investigated in order to resume with the main program. As for now, all commits are purely there for documentation purposes and currently the program is not intended for usage due to the heavy changes ongoing.

Several error handling methods will also be used to ensure that if a Yara rule downloaded from a GitHub repository is not valid it will ignore it rather then crashing.

This is currently the main work, pefile module is in the backlog as well as enhancements for the file analysis yara rules. With the main integration in place, the updating and addition of more functions in methods would be next.

[phantom0004]

The issue has been identified and fixed, this was a minor syntax and logical error on my end. Implementations of merging Morpheus and the yara_analysis module has been successful and has been proved fruiteful.

Debugging and testing is ongoing to find the root of the issue found on issue #5 . Once this is fixed, the output will be further refined to show more informative information. Several ongoing works are in progress, these days will prove crucial for Morpheus.

You all may try the program at this point as it is semi-operational, with it being able to do basic scans, STILL IN HEAVY BETA.

[phantom0004]

Several works are ongoing in updating Morpheus as well as the Yara module to not only fix the issue that was mentioned in issue #5 but to also enhance Morpheus. The next update will ensure users could now use Morpheus in a basic form, allowing users to scan files from either the extensive database or else via the Virus total API (which is already implemented).

More ideas are currently being thought of to make this application better and more extensive, however this will be discussed once the main features are in place.

Please be patient in this procedure, expect an update in the coming days.

[phantom0004]

Ongoing Heavy Updates

Windows Compatibility and the non-Git usage:

Multiple updates are in progress to enhance the quality of Morpheus. We are also conducting extensive tests on Windows machines to ensure cross-compatibility. In addition, I am introducing a default external YARA rules folder for Morpheus. For users who do not have Git or prefer not to install it, Morpheus will remain highly versatile. However, running 'setup.py' is recommended to access a significantly larger, portable rules database. Morpheus will utilize a trimmed version of the 'signature-base' YARA rules to reduce its footprint. Running 'setup.py' will ensure a clean installation and seamlessly configure additional parameters to further enhance the tool's capabilities.

Other Notes:

Also be aware that fixes and enhancements are also being done in terms on the output of the Yara rules. Ensuring a mix of verbosity and low clutter. Improvements on performance will be done later on to ensure the rules are compiled effectively, scaling easily on weaker machines.

[phantom0004]

[phantom0004]

To address this, a major update will be made to 'setup.py,' primarily targeting Windows users and resolving issues identified during testing. This update aims to fix common problems related to cloning GitHub repositories, which have been reported by several Windows users.

[phantom0004]

Windows Support Update!

The setup file has been updated to support both Windows and Linux, ensuring that users, even those without pre-installed dependencies, can easily install everything required, including YARA rules.

Installment and setup on a windows 10 machine

Significant time was dedicated to enhancing cross-platform compatibility, particularly to overcome challenges with Windows. Unlike Linux, where terminal-based installations are more flexible, Windows posed unique difficulties. However, these issues were successfully addressed to provide a seamless experience.

Please feel free to test it on your own machine! Your feedback and suggestions are highly appreciated.

[phantom0004]

Several Linux related updates have also rolled out! The setup has been tested in several areas, and the script was updated accordingly. <3

[phantom0004]

Performance enhancements, new additions to scan types, enhanced terminal output and MORE has all been committed today! A focus on the modules will now be taken into consideration, this will allow further sophistication in Morpheus by allowing access to more fine tuned libraries and methods; such as the "pefile" which was recently added.

Besides the new additions, works on fixing issue #7 will be in place, this will enhance performance and fix certain issues related to scanning.

[phantom0004]

Several enhancements have been done today, enhanced verbosity and console output formatting was implemented. Besides this, some fixes have been issued to ensure better error handling and enhanced cross compatibility.

Upcoming updates would also now include some performance boosts to ensure the tool can run on larger datasets. Currently Morpheus was used to test a sample file of "WannaCry" which yielded positive outcomes in the tool. Better output handling and more verbosity will be considered.

[phantom0004]

Priority Update for Morpheus, The following plan takes precedence over all other tasks. For further details, please refer to issue #7 .

[phantom0004]

MORPHEUS V2

Check Issue #7 for more details!

[phantom0004]

Discussion Closure and Next Steps

The release of Morpheus V2 will be scheduled for next week - On Tuesday 26th.

Stay tuned for the large update heading way! This discussion will now be closed to reflect a new phase for Morpheus, please check discussion #8 for the new V2 discussion.