performing-firmware-malware-analysis
Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications targeting routers, IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction, filesystem analysis, binary reverse engineering, and bootkit detection. Activates for requests involving firmware security analysis, IoT malware investigation, UEFI rootkit detection, or embedded device compromise assessment.
# Performing Firmware Malware Analysis
## When to Use
- A compromised IoT device or router needs firmware analysis to identify implanted backdoors
- Investigating UEFI/BIOS rootkits that persist across OS reinstallations
- Analyzing firmware updates for supply chain compromise or malicious modifications
- Extracting and examining embedded Linux filesystems from IoT device firmware images
- Verifying firmware integrity after a suspected hardware or firmware-level compromise
**Do not use** for standard operating system malware; use PE/ELF analysis tools for OS-level malware on conventional systems.
## Prerequisites
- binwalk installed for firmware image analysis and extraction (`pip install binwalk`)
- Ghidra with ARM/MIPS architecture support for embedded binary reverse engineering
- UEFI Tool (UEFITool) for UEFI firmware parsing and analysis
- Firmware Analysis Toolkit (FAT) or EMBA for automated firmware analysis
- QEMU for emulating extracted firmware filesystems
- Cross-compilation toolchains for ARM, MIPS, and other embedded architectures
## Workflow
### Step 1: Extract and Identify Firmware Components
Analyze the firmware image structure and extract filesystems:
```bash
# Identify embedded filesystems and compressed data
binwalk firmware.bin
# Extract all identified components
binwalk -e firmware.bin
# Recursive ("matryoshka") extraction with signature scanning
binwalk -eM firmware.bin
# Output typically includes:
# - Bootloader (U-Boot, GRUB, custom)
# - Kernel image (Linux, RTOS)
# - Root filesystem (SquashFS, JFFS2, CramFS, ext4)
# - Configuration data
# - Digital signatures or checksums
# Entropy analysis to find encrypted or compressed regions
binwalk -E firmware.bin
# Identify specific filesystem types
file _firmware.bin.extracted/*
# For SquashFS filesystems (binwalk names carved files by their hex offset,
# e.g. <offset>.squashfs; substitute the name reported by `file` above)
unsquashfs _firmware.bin.extracted/squashfs-root.img
ls squashfs-root/
```
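The entropy scan that `binwalk -E` plots can be reproduced in a few lines, which makes it easier to script over many images or to get exact byte ranges instead of a graph. The following Python script is an added example (it is not binwalk's code and not part of the original page): it computes per-block Shannon entropy over an image and merges consecutive high-entropy blocks into byte ranges. The sample image, the 512-byte block size and the 7.0 bits/byte threshold are constructed or assumed values; the threshold is a common rule of thumb, not a binwalk setting.

```python
"""Block-wise Shannon entropy scan of a firmware image (added example, not binwalk's code)."""
import math
import random
import sys
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for random or encrypted data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def block_entropy(data: bytes, block_size: int = 512) -> list[tuple[int, float]]:
    """Entropy of every block_size-byte window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def high_entropy_regions(data: bytes, block_size: int = 512,
                         threshold: float = 7.0) -> list[tuple[int, int]]:
    """Merge runs of consecutive blocks at or above the threshold into (start, end) byte ranges.

    Compressed regions (SquashFS, LZMA kernels) and encrypted regions both score high;
    telling them apart still needs the signature scan or a decompression attempt.
    The 7.0 bits/byte threshold is an assumed rule of thumb, not a binwalk constant.
    """
    regions, start = [], None
    for off, h in block_entropy(data, block_size):
        if h >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def build_sample_image() -> bytes:
    """Constructed sample: 4 KiB of repetitive config text followed by 4 KiB of seeded
    pseudo-random bytes standing in for an encrypted or compressed payload."""
    plain = (b"hostname=router\nmode=normal\n" * 200)[:4096]
    rng = random.Random(1234)  # fixed seed keeps the sample reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return plain + blob


if __name__ == "__main__":
    # Usage: python entropy_scan.py firmware.bin   (no argument: scan the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for start, end in high_entropy_regions(data):
        print(f"high-entropy region 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
```

On the constructed sample the plaintext half scores well under 5 bits/byte and the random half scores above 7.5, so the only region reported starts at offset 0x1000. On a real image, a high-entropy region with no matching binwalk signature is the first place to look for an encrypted payload or a custom packer.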
### Step 2: Analyze the Extracted Filesystem
Search for malicious modifications in the firmware filesystem:
```bash
# Directory structure analysis
find squashfs-root/ -type f | head -50
# Search for suspicious files
find squashfs-root/ -name "*.sh" -exec ls -la {} \;
find squashfs-root/ -perm -4000 -type f # SUID binaries
find squashfs-root/ -name "*.so" -newer squashfs-root/bin/busybox # Modified libraries
# Check startup scripts for backdoors
cat squashfs-root/etc/init.d/rcS
cat squashfs-root/etc/inittab
ls -la squashfs-root/etc/rc.d/
# Search for hardcoded credentials
grep -rn "password\|passwd\|secret\|key\|token" squashfs-root/etc/ 2>/dev/null
grep -rn "root:" squashfs-root/etc/shadow 2>/dev/null
# Check for unauthorized SSH keys
find squashfs-root/ -name "authorized_keys" -exec cat {} \;
# Network configuration backdoors
cat squashfs-root/etc/hosts
grep -rn "iptables\|nc\|netcat\|ncat" squashfs-root/etc/ squashfs-root/usr/bin/
# Check for reverse shells in cron (group the -o tests so -type f applies to both names)
find squashfs-root/ -type f \( -name "crontab" -o -name "cron*" \) -exec cat {} \; 2>/dev/null
# Identify all ELF binaries for analysis
find squashfs-root/ -type f -exec file {} \; | grep ELF
```
### Step 3: Reverse Engineer Suspicious Binaries
Analyze extracted binaries that may be backdoors:
```bash
# Identify architecture and format
file squashfs-root/usr/bin/suspicious_binary
# Extract strings for IOC discovery
strings squashfs-root/usr/bin/suspicious_binary | grep -iE "http|ip|port|shell|connect|exec"
# Cross-reference against known firmware binaries
# Compare SHA-256 hashes with known-good firmware
sha256sum squashfs-root/usr/bin/* > current_hashes.txt
# diff against baseline: diff baseline_hashes.txt current_hashes.txt
# Import into Ghidra for disassembly (select correct architecture)
# ARM: ARM/AARCH64 (Little Endian for most IoT devices)
# MIPS: MIPS/MIPS64 (Big or Little Endian depending on device)
# x86: For UEFI modules
# Analyze with radare2 for quick triage
r2 -A squashfs-root/usr/bin/suspicious_binary
# Commands: afl (function list), pdf @main (disassemble main), iz (strings)
```
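Steps 2 and 3 both come down to comparing the extracted tree against a known-good baseline, and `diff` over two `sha256sum` listings breaks as soon as a file is added or removed. The following Python script is an added example (not the page's tooling and not any vendor's): it builds a sha256sum-compatible manifest of an extracted root filesystem, records symlink targets so a repointed link is caught as well as a replaced binary, and reports paths that were added, removed or modified relative to a baseline manifest. The two sample trees, their file contents and the `.sysd` implant placeholder are constructed for the demonstration.

```python
"""Baseline comparison of an extracted firmware root filesystem (added example)."""
import hashlib
import os
import sys
import tempfile


def hash_tree(root: str) -> dict[str, str]:
    """Map each path under root (relative, POSIX separators) to its SHA-256 hex digest.

    Symlinks are recorded as 'symlink:<target>' instead of being followed, so a link that
    was redirected (e.g. /bin/sh pointing at a replaced shell) shows up as modified.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def format_manifest(manifest: dict[str, str]) -> str:
    """Render in sha256sum format ('<digest>  <path>') so it can be stored as a baseline."""
    return "\n".join(f"{digest}  {path}" for path, digest in sorted(manifest.items()))


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines back into a manifest; blank lines and '#' comments are skipped."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        manifest[path.strip()] = digest
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def build_sample_trees() -> tuple[str, str]:
    """Constructed sample: a known-good tree and a suspect copy with a dropped file, an
    appended rcS startup line and a deleted file. Returns (baseline_dir, suspect_dir)."""
    files = {
        "bin/busybox": b"BUSYBOX-ELF-PLACEHOLDER",
        "etc/init.d/rcS": b"#!/bin/sh\n/sbin/httpd\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
    }
    base = tempfile.mkdtemp(prefix="fw_baseline_")
    suspect = tempfile.mkdtemp(prefix="fw_suspect_")
    for root in (base, suspect):
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        os.symlink("busybox", os.path.join(root, "bin", "sh"))
    # The kind of residue an implant leaves behind (placeholder content, not real malware)
    with open(os.path.join(suspect, "etc/init.d/rcS"), "ab") as f:
        f.write(b"/usr/bin/.sysd &\n")
    os.makedirs(os.path.join(suspect, "usr/bin"))
    with open(os.path.join(suspect, "usr/bin/.sysd"), "wb") as f:
        f.write(b"IMPLANT-PLACEHOLDER")
    os.remove(os.path.join(suspect, "etc/hosts"))
    return base, suspect


if __name__ == "__main__":
    # Usage: python fw_diff.py baseline_hashes.txt squashfs-root/   (no args: run the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            baseline = parse_manifest(f.read())
        current = hash_tree(sys.argv[2])
    else:
        base_dir, suspect_dir = build_sample_trees()
        baseline, current = hash_tree(base_dir), hash_tree(suspect_dir)
    for kind, paths in diff_manifests(baseline, current).items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

The baseline manifest can be produced from a vendor image with the same `hash_tree` call and saved with `format_manifest`, which keeps it readable by `sha256sum -c` as well. Modified entries in `etc/init.d/` and added dotfiles under `usr/bin/` are the first items to hand to the Ghidra or radare2 triage in Step 3.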
### Step 4: UEFI/BIOS Firmware Analysis
Analyze system firmware for bootkits and implants:
```bash
# Extract UEFI firmware volumes with UEFITool
# GUI: UEFITool -> File -> Open -> Select firmware.rom
# CLI: UEFIExtract firmware.rom
# Analyze UEFI firmware with chipsec (requires hardware access)
python chipsec_main.py -m common.bios_wp # BIOS write protection
python chipsec_main.py -m common.spi_lock # SPI flash lock
python chipsec_main.py -m common.secureboot.variables # Secure Boot variables (PK/KEK/db/dbx)
python chipsec_main.py -m common.uefi.s3bootscript # S3 resume script
# Dump UEFI firmware from live system
python chipsec_util.py spi dump firmware_dump.rom
# Compare with known-good firmware
sha256sum firmware_dump.rom
# Compare against vendor-provided firmware hash
# Scan for known UEFI malware signatures
yara -r uefi_malware_rules.yar firmware_dump.rom
```
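UEFITool and UEFIExtract walk the firmware volumes for you, but knowing what they parse makes their output easier to trust. The following Python script is an added example (not UEFITool's or chipsec's code, and not from the original page): it scans a flash dump for the `_FVH` signature, decodes the EFI_FIRMWARE_VOLUME_HEADER fields as laid out in the UEFI Platform Initialization specification, and verifies the header's 16-bit checksum. A volume that parses but no longer checksums is a cheap first tripwire for an in-place patch. The sample image, its attribute value and block map are constructed for the demonstration.

```python
"""Locate and validate UEFI firmware volume headers in a flash dump (added example)."""
import struct
import sys
import uuid
from typing import Optional

FV_SIGNATURE = b"_FVH"
FV_SIGNATURE_INT = struct.unpack("<I", FV_SIGNATURE)[0]
# Firmware file system GUIDs from the PI specification
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FFS3_GUID = uuid.UUID("5473c07a-3dcb-4dca-bd6f-1e9689e7349a")
# Fields at header offset 32: FvLength, Signature, Attributes, HeaderLength, Checksum,
# ExtHeaderOffset, Reserved, Revision (ZeroVector[16] and FileSystemGuid precede them)
FV_HEADER_FMT = "<QIIHHHBB"


def checksum16(data: bytes) -> int:
    """Sum of little-endian 16-bit words mod 2**16; a valid FV header sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    return sum(struct.unpack(f"<{len(data) // 2}H", data)) & 0xFFFF


def parse_fv_header(image: bytes, offset: int) -> Optional[dict]:
    """Parse an EFI_FIRMWARE_VOLUME_HEADER at offset; None if the signature does not match."""
    if offset < 0 or offset + 56 > len(image):
        return None
    fv_len, sig, attrs, hdr_len, _csum, ext_off, _res, rev = struct.unpack_from(
        FV_HEADER_FMT, image, offset + 32)
    if sig != FV_SIGNATURE_INT:
        return None
    fs_guid = uuid.UUID(bytes_le=image[offset + 16:offset + 32])
    header = image[offset:offset + hdr_len]
    return {
        "offset": offset,
        "length": fv_len,
        "filesystem": {FFS2_GUID: "FFSv2", FFS3_GUID: "FFSv3"}.get(fs_guid, str(fs_guid)),
        "revision": rev,
        "attributes": attrs,
        "header_length": hdr_len,
        "ext_header_offset": ext_off,
        "checksum_ok": hdr_len >= 56 and len(header) == hdr_len and checksum16(header) == 0,
    }


def find_firmware_volumes(image: bytes) -> list[dict]:
    """Scan for '_FVH' (which sits at header offset 40) and parse every candidate volume."""
    volumes, pos = [], image.find(FV_SIGNATURE)
    while pos != -1:
        vol = parse_fv_header(image, pos - 40)
        if vol is not None:
            volumes.append(vol)
        pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes


def build_fv_header(fv_length: int, fs_guid: uuid.UUID = FFS2_GUID, block_size: int = 0x1000) -> bytes:
    """Constructed 72-byte header (56-byte fixed part, one block-map entry, zero terminator)
    with the Checksum field chosen so the header words sum to zero. Attributes is a sample value."""
    num_blocks = fv_length // block_size

    def pack(csum: int) -> bytes:
        return (b"\x00" * 16 + fs_guid.bytes_le
                + struct.pack(FV_HEADER_FMT, fv_length, FV_SIGNATURE_INT, 0x0004FEFF, 72, csum, 0, 0, 2)
                + struct.pack("<II", num_blocks, block_size) + struct.pack("<II", 0, 0))

    return pack((-checksum16(pack(0))) & 0xFFFF)


def build_sample_image() -> bytes:
    """Constructed flash dump: padding, an intact volume, then a copy whose Attributes field was
    altered without the checksum being recomputed (what a crude in-place patch looks like)."""
    good = build_fv_header(0x10000)
    tampered = bytearray(good)
    tampered[44] ^= 0x01  # flip one bit of Attributes; the header words no longer sum to zero
    return b"\xff" * 0x100 + good + b"\xff" * (0x10000 - len(good)) + bytes(tampered) + b"\xff" * 0x100


if __name__ == "__main__":
    # Usage: python fv_scan.py firmware_dump.rom   (no argument: scan the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for v in find_firmware_volumes(data):
        print(f"FV @0x{v['offset']:08x} len=0x{v['length']:x} {v['filesystem']} "
              f"rev={v['revision']} checksum_ok={v['checksum_ok']}")
```

Real images usually contain several volumes (PEI, DXE, NVRAM), and the DXE volume is where implants such as the CORE_DXE modification listed below have been found, so the next analysis step is to diff each volume's file list and hashes against the vendor image rather than hashing the whole dump in one go.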
```
Known UEFI Malware Families:
━━━━━━━━━━━━━━━━━━━━━━━━━━
LoJax: First in-the-wild UEFI rootkit (APT28/Fancy Bear)
Modifies SPI flash to drop persistence agent
MosaicRegressor: Modular UEFI framework dropping multiple payloads
CosmicStrand: UEFI firmware rootkit modifying kernel during boot
BlackLotus: UEFI bootkit bypassing Secure Boot on Windows 11
ESPecter: ESP (EFI System Partition) bootkit modifying boot manager
MoonBounce: SPI flash implant modifying CORE_DXE module
FinSpy UEFI: Surveillance software with UEFI persistence
```
### Step 5: Emulate Firmware for Dynamic Analysis
Run extracted firmware in an emulated environment:
```bash
# Emulate ARM-based IoT firmware with QEMU user-mode emulation
# Work in the writable tree produced by unsquashfs: a loop-mounted SquashFS image is
# read-only, so the QEMU binary could not be copied into it
sudo cp /usr/bin/qemu-arm-static squashfs-root/usr/bin/
# binfmt_misc must be registered for ARM (the qemu-user-static package does this on most distros)
sudo chroot squashfs-root/ /bin/sh
# Or use the Firmware Analysis Toolkit (fat.py), which wraps firmadyne for full-system emulation
# https://github.com/firmadyne/firmadyne
python3 fat.py firmware.bin
# Network service analysis within emulated firmware
# Scan for open ports and services (for chroot emulation the services listen on the host;
# for firmadyne, target the guest IP it reports instead of localhost)
nmap -sV localhost -p 1-65535
# Monitor network traffic from emulated firmware (firmadyne attaches the guest to a tap interface)
tcpdump -i tap0 -w firmware_traffic.pcap
```
### Step 6: Document Firmware Analysis
Compile comprehensive firmware analysis findings:
```
Analysis documentation should cover:
- Firmware image metadata (vendor, model, version, build date)
- Extraction results (filesystem type, kernel version, architecture)
- Modified files compared to known-good baseline
- Backdoor binaries discovered with reverse engineering findings
- Hardcoded credentials and unauthorized access mechanisms
- Network services and their security posture
- UEFI/BIOS integrity verification results
- Extracted IOCs (IPs, domains, file hashes, SSH keys)
- Remediation recommendations (reflash, replace, update)
```
## Key Concepts
| Term | Definition |
|------|------------|
| **Firmware** | Software permanently stored in device hardware (flash memory, EEPROM) controlling low-level device operations and boot process |
| **UEFI (Unified Extensible Firmware Interface)** | Modern system firmware replacing legacy BIOS; provides boot services, runtime services, and a modular driver architecture |
| **SPI Flash** | Serial Peripheral Interface flash memory chip storing UEFI/BIOS firmware; can be read and modified for persistence |
| **Secure Boot** | UEFI feature verifying digital signatures of boot components to prevent unauthorized code execution during startup |
| **SquashFS** | Read-only compressed filesystem commonly used in embedded Linux firmware for space-efficient storage |
| **Bootkit** | Malware infecting the boot process (MBR, VBR, UEFI) to load before the operating system and evade OS-level security |
| **Firmware Emulation** | Running extracted firmware in a virtual environment (QEMU, firmadyne) to analyze behavior without physical hardware |
## Tools & Systems
- **binwalk**: Firmware analysis tool for scanning, extracting, and analyzing embedded file systems and compressed data in firmware images