Create and Run Malware Simulations with LUCY

Set up and run different types of malware attack simulations with LUCY: in a set of screencasts we show you how to execute vulnerability scans, ransomware simulations, remote console posts and many more!
Template based malware attack simulations: we created a series of screencasts in which we show quickly how you can customize a vulnerability scan or a malware attack simulation using a predefined template. Let’s have a look at these 5 videos:
  1. Setting up a malware testing toolkit simulation.
  2. Executing a malware simulation with LUCY. A harmless vulnerability scan is run.
  3. Which types of malware simulation templates are available in LUCY?
  4. Setting up a ransomware attack simulation (harmless).
  5. How the simulations are reported: An example of a vulnerability scan report.

1/5 – Setting Up a Malware Testing Toolkit Simulation

This video shows how you set up a purely technical malware campaign within 10 minutes. The screencast has been made with LUCY 3.0, so there may be differences in future versions, but the basic mechanisms will remain the same. If you want to know more technical details, please refer to our Support Wiki (section Malware Testing Toolkit).
  1. The LUCY server is running and you are logged into the LUCY GUI in your browser.
  2. Create a new campaign. Name it, select the client, choose ‘Expert mode’ and save the new campaign.
  3. Add a scenario: select the ‘technical malware test’ template using the ‘use’ button and select a language, e.g. ‘English’.
  4. Name the scenario and configure the base settings such as the sender domain name (it can stay the local IP if you are only using it to fetch the file yourself), the filename and the compression format (zip). Save the scenario.
  5. Go to the landing page of the scenario and configure the behaviour of the malware simulation: in the ‘Configuration’ dropdown menu select the value ‘Malware Testing Toolkit’. Customize the other values or leave them at their defaults and save the configuration. Please make sure that the ‘show GUI’ parameter is enabled, otherwise the malware simulation runs in ‘dark mode’.
  6. Edit the message template of the scenario, add the sender information and save it. There is no need to configure the listed malware testing toolkit again, because it is not attached to the message (the recipient downloads it from the landing page instead, where you configured it in the previous step). Save the settings.
  7. If a warning is displayed while you save the message template, you need to push the save button again.
  8. Press the “Play” button |> to get to the Dashboard.
  9. Add recipients to the campaign by adding an address group. Link the scenario created before to the address group using the ‘Scenarios’ check box and save it.
  10. Start the campaign using the play button |> and select ‘real attack’.
  11. Wait until the campaign checks are finished and correct warnings or errors if necessary. Warnings are highlighted in yellow, errors are highlighted in red.
  12. Hit the start (anyway) button again, if needed.
  13. The mails are sent to the recipients.
  14. As a recipient, go to your inbox.
  15. As a recipient, click on the link in the mail you received. You are directed to the landing page containing the link to the malware testing toolkit file.
  16. As a recipient, download, extract and run the malware testing toolkit simulation file. This action is covered by the next video.

2/5 – Executing a malware simulation with LUCY. A harmless vulnerability scan is run

A 6 minute screencast shows how the malware simulation is downloaded and run on a PC. The .exe file is also known as LHFC (Low Hanging Fruit Collector). It can be configured within LUCY, but once it has been downloaded to the PC you can only switch the different check groups on or off; further customization is no longer possible.
Executing the malware simulation – the steps:
  1. As a recipient, you received a message in your inbox with the link to the landing page for downloading the malware testing toolkit. Click on the link in the mail and you are directed to the landing page.
  2. You are now on the landing page. Download the zip file to your computer and extract it. It is good practice to extract the file into a dedicated folder.
  3. Execute the file (the malware testing toolkit) by double-clicking it. If a Windows Defender warning pops up, for example, proceed anyway. It is good when such a tool warns you, but in this case you can continue with your work: LUCY’s malware simulation toolkit is harmless.
  4. The GUI of the malware testing toolkit should be visible now (if not, check whether the parameter ‘Show GUI’ is set to ‘on’). If you want to, you can disable or enable the predefined malware simulation routines, but you can no longer configure them.
  5. Push the ‘start’ button. The malware simulation starts. You can see in real time whether each predefined test fails or succeeds (a successful test generally means an identified vulnerability). Wait until all tests are finished. Depending on the configuration, more than 50 tests are executed and more than 10 minutes are needed to run all malware simulation tests, so please wait until the scan has finished.
  6. After the scan has completed, you see the results of the scan; scroll up to see all the checks that have been performed.
  7. When you push the ‘send’ button: the data is sent back to the LUCY server and saved there for analysis by the system administrator.
  8. When you push the ‘save’ button: a report is generated and stored locally on your computer; it can be viewed with a regular web browser.

3/5 – Different types of available malware simulation templates: LUCY Server.

This short 5 minute screencast shows all the different types of malware simulations provided by LUCY 3.0. You can choose from a handful of scenario templates containing a configurable and harmless trojan. The screencast has been made with LUCY 3.0, so there may be differences in future versions, but the standard mechanisms will remain the same.
There are several types of malware simulations available in LUCY. Create a new scenario based on a ‘technical malware simulation’ template. Then you can choose from the following malware simulation behaviours:
  • Console Post (predefined, harmless commands are executed on the target system and their results are checked)
  • Recent Documents (filenames of recently used documents are gathered)
  • Console Outlook (tries to access Outlook)
  • Screen recorder
  • Console interactive (a feature for penetration testers: a reverse shell is opened and the system administrator gets real-time access to the remote system)
  • Malware Testing Toolkit (a fully customizable vulnerability scanner for the system; please refer to the other videos in this article)
  • Macros (droppers; for security reasons only LUCY’s own dropper functionality can be used. You have the choice between Java or Word macros.)
  • Keylogger (keystrokes are logged)
  • Microphone recorder

4/5 – Setting up a ransomware attack simulation (harmless).

This video shows how to set up a variant of the malware simulation toolkit: the tutorial shows how to run a ransomware attack simulation using the LUCY Malware Simulation Toolkit version 3.0. You can configure whether real data is to be used or whether the ransomware simulation should use dummy data. The simulation is absolutely harmless. You can also use it to check your security systems, e.g. whether your installed monitoring software can detect a possible ransomware attack. Detailed information is available at our Support Wiki (Technical Malware Test).
A special feature of the technical testing toolkit is the possibility to run a simulated, harmless ransomware attack. The steps described in the video are:
  1. Your LUCY server is running and you are using the LUCY GUI in your browser.
  2. Create a new campaign. Name it, select the client, choose ‘Expert mode’ and save the new campaign.
  3. Add a scenario: select the ‘technical malware test’ template using the ‘use’ button and select a language, e.g. ‘English’.
  4. Name the scenario and configure the base settings such as the sender domain name (it can stay the local IP if you are only using it to fetch the file yourself), the filename and the compression format (zip). Ransomware scenarios need a file for download, so this is always a file based attack scenario. Save the scenario.
  5. Go to the landing page of the scenario and configure the behaviour of the ransomware simulation: choose the template ‘Malware Testing Toolkit’ and select in the ‘Configuration’ dropdown menu the value ‘ransomware’. Customize the ransomware simulation or keep the defaults and save the configuration. The most important variable is the ‘operation mode’: with the value ‘1’ the encryption uses dummy data, so no client data on the client computer is touched by the ransomware simulation.
  6. Edit the message template of the scenario, add the sender information and push the save button. There is no need to configure other parameters for the ransomware simulation, because you already did that on the landing page. Choose n/a in the ‘Template’ field. Save the settings.
  7. If a warning is displayed while you save the message template, you need to push the save button again.
  8. Press the “Play” button |> to get to the Dashboard.
  9. Add recipients to the campaign by adding an address group. Link the scenario created before to the address group using the ‘Scenarios’ check box and save it.
  10. Start the campaign using the play button |> and select ‘real attack’.
  11. Wait until the preliminary campaign checks are finished and correct warnings or errors if necessary. Warnings are highlighted in yellow, errors are highlighted in red. If you click on the highlighted text areas, you always get useful tips on how to fix the issues.
  12. Hit the start (anyway) button again, if needed.
  13. The campaign starts and the mails are sent to the recipients.
  14. As a recipient, go to your inbox.
  15. As a recipient, click on the link in the mail you received. You are directed to the landing page containing the link to the ransomware simulation file.
  16. As a recipient, download, extract and double-click/run the ransomware simulation file.
  17. Now you should see the GUI of the ransomware simulator.
  18. In the ‘Templates’ tab you can check the settings of the ransomware simulation.
  19. Start the simulated ransomware attack with the ‘run’ button and wait until the simulation has finished.
  20. When you push the ‘send’ button: the data is sent back to the LUCY server and saved there for analysis by the system administrator.
  21. When you push the ‘save’ button: a report is generated and stored locally on your computer; it can be viewed with a regular web browser. After saving you can look into the report and check whether and how the ransomware simulation worked!
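The ransomware simulation is also meant for checking whether your monitoring detects ransomware-like activity. As an added example that is not part of LUCY or this article, the following Python heuristic shows the kind of check a defender can run over endpoint file-activity telemetry to confirm that the burst of high-entropy file modifications produced by such a simulation would be surfaced. The event format, the process names, the `.locked` suffix and the thresholds are all constructed assumptions, not LUCY specifics.

```python
# Added example (not LUCY's own code): heuristic ransomware-activity check over
# constructed file-activity events. Event tuple layout is an assumption:
# (timestamp_seconds, process_name, operation, path, sample_of_bytes_written)
import math
from collections import defaultdict

# Constructed sample telemetry: a benign editor saving one document twice, and a
# simulated ransomware process rewriting 40 dummy files in under 8 seconds with
# random-looking content (the dummy folder mirrors 'operation mode 1' behaviour).
EVENTS = [
    (100.0, "winword.exe", "write", "C:\\Users\\a\\report.docx", b"Quarterly report draft text " * 4),
    (160.0, "winword.exe", "write", "C:\\Users\\a\\report.docx", b"Quarterly report draft v2 text " * 4),
] + [
    (200.0 + i * 0.2, "sim.exe", "rename", f"C:\\Users\\a\\dummy\\file{i}.txt.locked",
     bytes(((i * 7919 + j * 104729) % 256) for j in range(256)))  # every byte value once -> entropy 8.0
    for i in range(40)
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def ransomware_like(events, window=10.0, min_files=20, min_entropy=7.0):
    """Return {process: distinct_files} for processes that touched at least
    `min_files` distinct paths within `window` seconds while writing content
    whose mean entropy is at least `min_entropy`."""
    per_proc = defaultdict(list)
    for ts, proc, _op, path, sample in events:
        per_proc[proc].append((ts, path, sample))
    flagged = {}
    for proc, evs in per_proc.items():
        evs.sort(key=lambda e: e[0])
        for start in range(len(evs)):          # sliding window anchored at each event
            paths, ents = set(), []
            for ts, path, sample in evs[start:]:
                if ts - evs[start][0] > window:
                    break
                paths.add(path)
                ents.append(shannon_entropy(sample))
            if len(paths) >= min_files and sum(ents) / len(ents) >= min_entropy:
                flagged[proc] = len(paths)
                break
    return flagged

if __name__ == "__main__":
    print(ransomware_like(EVENTS))  # expected: {'sim.exe': 40}
```

If your monitoring raises nothing while the simulation runs, the two thresholds above (file count per window and entropy of written data) are a reasonable starting point for tuning the real product's rule.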

5/5 – How malware simulations are reported: Example of a vulnerability scan report.

Analyzing the vulnerabilities and loopholes – this 5 minute screencast shows how the LUCY technical security assessment (malware simulation, aka LHFC) is reported and how the results of the vulnerability scan are displayed. The video focuses on the malware report that can be generated after the vulnerability scan has run. This is not to be confused with the campaign monitoring feature of the LUCY server.

The malware simulation was executed on your computer and has finished successfully.

  1. Save the results of the malware simulation locally using the ‘save’ button, e.g. on the desktop.
  2. A new icon appears: double-click it and open the index.html file.
  3. You get all the results of the simulation (in this case all results of the vulnerability scan). For every check you see:
    1. The check routine that was run (e.g. microphone access)
    2. The result (e.g. pass / fail) in green, yellow or red
    3. Possible actions to correct the issue
    4. Access to the output of the check (full data)
  4. You can send everything to the LUCY server using the ‘send’ button.