
Introducing CelesTLSH: Advanced Malware Detection with Fuzzy Hashing

David Burkett

We are excited to announce the integration of the CelesTLSH Malware Scanner into the LimaCharlie ecosystem. Developed by Magonia Research, CelesTLSH enhances your security operations by scanning files collected via the BinLib extension. It identifies known malware and threat actor tools through advanced fuzzy hashing techniques.

How CelesTLSH Works

CelesTLSH employs a systematic approach to detect malware based on code similarity:

1. Active Malware Tracking

Magonia Research maintains an up-to-date repository of active malware samples and threat actor tools.

2. File Collection

The LimaCharlie BinLib extension gathers unique files from your monitored network.

3. TLSH Fuzzy Hashing

BinLib computes the TLSH (Trend Micro Locality Sensitive Hashing) fuzzy hash for each collected file.

4. Similarity Comparison

CelesTLSH measures the distance between the TLSH hashes of collected files and known malware samples. If the similarity falls within a user-defined threshold, an alert is generated.

This methodology enables the detection of malware based on underlying code structures, even when files have been modified to evade traditional, signature-based detection.
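The hash-and-compare step described above, as an added example that is not LimaCharlie or Magonia Research code: it re-implements the published TLSH distance scoring over two digests and applies the alert threshold, using constructed digests rather than real sample hashes and the post's default distance of 50.

```python
# Added example (not LimaCharlie or Magonia code): the published TLSH distance
# scoring plus the threshold check CelesTLSH applies. Digests are constructed.
LENGTH_MULT, QRATIO_MULT = 12, 12  # TLSH scoring multipliers
DEFAULT_THRESHOLD = 50             # CelesTLSH default distance from the post

def _mod_diff(a, b, modulus):
    """Circular difference used for the length and quartile-ratio fields."""
    d = abs(a - b)
    return min(d, modulus - d)

def _parse(digest):
    """Split a 70-hex TLSH digest (optional 'T1' prefix) into checksum, L value,
    q1/q2 ratios and 32-byte body. TLSH prints header nibbles swapped; undo that."""
    h = digest.upper()
    h = h[2:] if h.startswith("T1") else h
    if len(h) != 70:
        raise ValueError("TLSH digest must be 70 hex characters")
    return (int(h[1] + h[0], 16), int(h[3] + h[2], 16),
            int(h[4], 16), int(h[5], 16), bytes.fromhex(h[6:]))

def tlsh_distance(d1, d2):
    """TLSH distance: lower means more similar; identical digests give 0."""
    c1, l1, q1a, q2a, body1 = _parse(d1)
    c2, l2, q1b, q2b, body2 = _parse(d2)
    ldiff = _mod_diff(l1, l2, 256)
    diff = ldiff if ldiff <= 1 else ldiff * LENGTH_MULT
    for qa, qb in ((q1a, q1b), (q2a, q2b)):
        qd = _mod_diff(qa, qb, 16)
        diff += qd if qd <= 1 else (qd - 1) * QRATIO_MULT
    diff += 1 if c1 != c2 else 0
    for x, y in zip(body1, body2):        # 128 two-bit bucket counts
        for shift in (0, 2, 4, 6):
            pd = abs(((x >> shift) & 3) - ((y >> shift) & 3))
            diff += 6 if pd == 3 else pd  # a full 3-step change costs 6
    return diff

def scan(collected, known, threshold=DEFAULT_THRESHOLD):
    """Return (file, sample, distance) for each collected file within
    `threshold` of a known sample, i.e. the cases that would raise an alert."""
    return [(f, s, d) for f, fh in collected.items() for s, sh in known.items()
            if (d := tlsh_distance(fh, sh)) <= threshold]

# Constructed digests (not real samples): header "7A0F3C" plus a repeated body.
KNOWN = {"sample-A": "T17A0F3C" + "A1B2C3D4E5F60718" * 4}
COLLECTED = {
    "tool.exe": "T17A2F3C" + "A5B3C3D4E5F60718" + "A1B2C3D4E5F60718" * 3,  # altered copy
    "other.dll": "T18A0F7C" + "FF" * 32,                                   # unrelated
}
```

With the default threshold only tool.exe (distance 26) alerts; lowering the threshold to 20 suppresses it, which is the sensitivity trade-off the post describes.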

Advantages of Using CelesTLSH

Enhanced Detection

Identify malware variants that share code similarities with known threats, regardless of superficial changes.

Proactive Defense

Detect threat actor tools and dual-use software that may pose risks to your organization.

Customizable Sensitivity

Adjust the similarity threshold to balance detection accuracy and false positives according to your security needs.

Considerations

While TLSH fuzzy hashing is a robust technique, it's important to note:

Evasion Tactics

Advanced threat actors may use code obfuscation or significant alterations to evade detection. Fuzzy hashing raises the effort they must spend to do so when targeting your organization, or an organization you manage.

Indicator of Malicious Intent

Threat actors may need to apply heavier obfuscation to evade fuzzy hashing than they otherwise would, and that extra obfuscation can itself become a detection signal. The avoidance techniques used to evade fuzzy hashing can also serve as a way to fingerprint and identify specific threat actors.

Supported Malware and Tools

CelesTLSH monitors a comprehensive list of nearly 100 known malware samples and attack tools, and is always expanding. These tools include (but are not limited to):

Malware Samples

LummaStealer, CobaltStrike, BruteRatel, LockBit, RedLineStealer, and more.

Attack Tools and Dual-Use Software

BloodHound, Mimikatz, and others.

For a complete and regularly updated list, please refer to the Magonia Research Documentation.

Getting Started with CelesTLSH

To integrate CelesTLSH into your LimaCharlie environment:

1. Enable the BinLib Extension

Ensure that the BinLib extension is active to collect files from your network.

2. Configure CelesTLSH

By default, the CelesTLSH extension distance threshold is set to a score of 50, which has a false positive rate of 0.52%. Set up the CelesTLSH extension and define your desired similarity threshold for alerts.

If you're unsure of what score is best for your environment, you can reference this table:

3. Monitor Alerts

Review alerts generated by CelesTLSH to identify and respond to potential threats.

For detailed setup instructions, please visit the Magonia Research Documentation.

Support and Feedback

For updates, assistance, or to report issues such as false positives, please contact Magonia Research support at support@magonia.io or join the Magonia Research channel on the LimaCharlie Slack Community.

The Magonia Research team is committed to enhancing your security operations and welcomes your feedback to further improve CelesTLSH.