Tool Release: Malware Development Lab
Crafting truly artisanal and tailor-made malware requires a good development and testing setup. Over the last few years I have repeatedly installed and configured testing labs containing Windows virtual machines to write code, test tools or experiment with Active Directory. I have gratefully made use of the evaluation license offered by Microsoft for my lab setup. Unfortunately it expires after 90 days, thus blessing you with the pleasure of experiencing the installation and configuration process once more.
As I am currently developing malware on several machines, I decided to finally go through the pain of automating the whole installation and configuration process. Being already familiar with the excellent Game of Active Directory lab by Orange Cyber Defense, I decided to use it as a starting point. I did, however, trim it down to a more basic setup from which I may create more complex setups in the future.
In this post I will document the features and design of my lab setup. To automate this lab I have used the following software: Packer, Vagrant and Ansible. In this post I will indicate how this software works together and how you might change it to suit your needs. I must confess that most of the steps were figured out through trial and error, so it is by no means perfect, but it does work! I hope you can use this lab setup for your own research, or as a template to develop your own setup.
TLDR: Clone the repository and follow the instructions to get your own malware development lab up and running
Design
I have designed the lab to only require minimal software on your host machine. In order to run this lab you must have the following software installed: Packer, Vagrant & Oracle VirtualBox. The Lab consists of 3 VMs, but feel free to add more:
- team-server: A Linux VM for running Ansible to configure the other VMs,
- dev: A Windows Development VM with all the development tools,
- victim: A Windows Victim VM to test your malware on.
To install software on the Windows VMs the Chocolatey package manager is used. Be aware that Chocolatey packages are community maintained, so installing them carries supply-chain risk, but it does greatly simplify collection and installation of the software packages. The Linux VM is running Debian and pulls its software from the apt repositories.
Because I wanted to have full control, I used Packer to build the Windows and Linux images from scratch (rather than using existing Vagrant boxes). To avoid violating any licenses or EULAs the repository does not contain any of the ISOs. However, there is a script in there to download the ISO files from their official location (I might not update the links in the future, so update them yourself if needed). The entire VM is deleted if Packer crashes or freezes during the building process. Therefore, the process has been split up into several builder files, following the guidance on this blog; each builder serves as a save point in case anything goes wrong. In addition, if you want to build a different Windows VM template you can start from any of the intermediate stages (e.g. after all updates have been installed) to save time.
Vagrant is used to automate VirtualBox to create the required VMs and assign them to an internal network with static IP addresses. Initially I looked into Terraform, but this wasn't really geared to VirtualBox and as such did not suit my needs for now. Once the VMs are running, the Linux VM is used to run Ansible playbooks to install the required software on all the VMs. If you want to add any software to the hosts, you should change the playbooks accordingly.
Running the Lab
If you are reading this you’ve decided to push through and get yourself a nice malware development lab. The process contains a few steps that might take hours to complete (building the VMs and installing the software on the lab VMs). So make sure to grab yourself something to drink and do during those steps.
Note that I am using Linux myself, but it should just as well work on a Windows host. It might require you to change the commands a little, or you may opt to perform the steps manually to get it running on Windows.
Packer
To get started make sure to install Packer, Vagrant and VirtualBox on your machine. Next, clone the repository and go into the Packer directory. Open a terminal in the Packer directory and run the download-iso.sh script to download the Windows 10, Debian 12 and VirtualBox Guest Additions ISOs (if you are doing this manually, be aware that the filenames matter and that you must download the version of the VirtualBox Guest Additions matching your VirtualBox installation). Now compute the md5 checksums of the downloaded ISOs and update Varfiles/debian.vars.pkr.hcl with the checksum for the Debian ISO and Varfiles/win10.vars.pkr.hcl with the checksum for the Windows ISO.
Finally, you can let Packer build the templates by running the commands below in two different terminal windows. Now it is time for your first break, as updating the Windows image can take quite some time, especially with a slow internet connection.

```shell
bash ./build-win10.sh
bash ./build-debian.sh
```
Once Packer is done, import the created boxes into Vagrant for the next steps. You can run the commands below for this:

```shell
vagrant box add testing_win Build/windows10.virtualbox.box
vagrant box add testing_deb Build/debian.virtualbox.box
```
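The checksum step above (compute the md5 of each ISO and paste it into the matching varfile) can be scripted so that a stale or mistyped value never reaches Packer. This is an added example, not part of the repository: it assumes each varfile carries an `iso_checksum = "..."` line (the key name is my assumption) and that the builders accept Packer's `md5:<hex>` prefixed checksum form.

```ruby
require 'digest'

# Name of the checksum variable inside the Packer varfile. An assumption
# about the repository's Varfiles; change it if yours use another name.
CHECKSUM_KEY = 'iso_checksum'

# Streamed md5 so a multi-gigabyte ISO is never read into memory at once.
def iso_md5(path)
  Digest::MD5.file(path).hexdigest
end

# Rewrites the `iso_checksum = "..."` line of a Packer varfile with the md5 of
# the given ISO and returns the new value in Packer's "md5:<hex>" form.
# Raises if the key is absent so a stale checksum never survives silently.
def update_varfile_checksum(iso_path, varfile_path)
  sum = "md5:#{iso_md5(iso_path)}"
  text = File.read(varfile_path)
  pattern = /^(\s*#{CHECKSUM_KEY}\s*=\s*)"[^"]*"/
  raise "#{varfile_path}: no #{CHECKSUM_KEY} line found" unless text.match?(pattern)
  File.write(varfile_path, text.sub(pattern, "\\1\"#{sum}\""))
  sum
end

# Usage: ruby update_checksum.rb <path-to-iso> Varfiles/debian.vars.pkr.hcl
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  puts update_varfile_checksum(ARGV[0], ARGV[1])
end
```

Run it once per ISO and varfile pair; the printed value is what Packer will verify the ISO against during the build.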
Vagrant & Ansible
First we must use Vagrant to spin up our base VMs so that we can proceed to install and configure additional software. A Vagrant provisioner is used to get the Linux VM ready for use with Ansible. The provisioner starts the setup-teamserver.sh script to install Ansible and provision the Linux VM further through the linux-teamserver.yml playbook. Vagrant also shares the Ansible directory with the Linux VM to make the playbooks available to the team-server. To this end, run the following commands:

```shell
cd Vagrant
vagrant up
```
Vagrant allows you to run SSH commands on Linux VMs. We will use this facility to run the two other Ansible playbooks to install and configure the Windows VMs.

```shell
vagrant ssh team-server -t -c 'ansible-playbook --inventory inventory.yml windows-dev.yml'
vagrant ssh team-server -t -c 'ansible-playbook --inventory inventory.yml windows-victim.yml'
```
You should now have the lab up and running, and are ready to continue your malware development journey!
Customize
Not fully satisfied yet? Good! There is plenty more you might want to add. Here I will document some general guidance on how to expand and customize this basic lab setup.
Additional Software
Installing additional software that is available through the apt or Chocolatey repositories is easiest: it is simply a matter of updating the appropriate Ansible playbooks. If the software is not available through a repository, you will have to extend the playbooks with new tasks to install it. After that, run the playbooks again to actually install the software on the machines.
Extra Machines
If you want to add an extra Linux or Windows VM, simply update the provided Vagrantfile. You can copy the config of an existing VM and make changes as needed. Be sure to at least change the following properties: ip (line: 12) and define (line: 1 & 2).
```
 1  config.vm.define "dev" do |dev|
 2    dev.vm.define "dev-machine"
 3    dev.vm.box = "testing_win"
 4    dev.vm.communicator = "winrm"
 5
 6    # Admin user name and password
 7    dev.winrm.username = "vagrant"
 8    dev.winrm.password = "vagrant"
 9    dev.winrm.transport = :plaintext
10    dev.winrm.basic_auth_only = true
11
12    dev.vm.network :private_network, ip: "10.20.100.100", virtualbox__intnet: "malware"
13
14    dev.vm.guest = :windows
15    dev.windows.halt_timeout = 15
16
17    dev.vm.provider :virtualbox do |v|
18      v.gui = true
19      v.customize ["modifyvm", :id, "--cpus", 4]
20      v.customize ["modifyvm", :id, "--memory", 8192]
21      v.customize ["modifyvm", :id, "--graphicscontroller", "vboxsvga"]
22    end
23  end
```
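Rather than copying a VM block and editing the name and ip by hand, the blocks can be generated from a table and the Vagrantfile can refuse to apply a table whose names or IPs collide, which is the usual slip when duplicating a VM. This is an added example, not the repository's Vagrantfile: the victim rows, their addresses and the 10.20.100.0/24 range are assumptions, and `define_machines(config)` would be called from inside `Vagrant.configure("2") do |config| ... end`.

```ruby
require 'ipaddr'

# Lab internal network, inferred from the dev VM's address above; adjust if yours differs.
LAB_NET = IPAddr.new('10.20.100.0/24')

# One row per VM. Victim rows and their addresses are constructed; only "dev" mirrors the snippet.
MACHINES = [
  { name: 'dev',     box: 'testing_win', ip: '10.20.100.100', cpus: 4, memory: 8192 },
  { name: 'victim',  box: 'testing_win', ip: '10.20.100.101', cpus: 2, memory: 4096 },
  { name: 'victim2', box: 'testing_win', ip: '10.20.100.102', cpus: 2, memory: 4096 }
].freeze

# Returns a list of problems (empty when safe to apply); a copied block that
# still carries the old name or IP is the usual mistake this catches.
def validate_machines(machines, net = LAB_NET)
  errors = []
  %i[name ip].each do |key|
    machines.group_by { |m| m[key] }.each do |value, rows|
      errors << "duplicate #{key} #{value}" if rows.size > 1
    end
  end
  machines.each do |m|
    addr = IPAddr.new(m[:ip]) rescue nil
    errors << "#{m[:ip]} is not a usable lab address" unless addr && net.include?(addr)
  end
  errors
end

# Applies the table to the `config` yielded by Vagrant.configure, reproducing
# the per-VM settings of the snippet above for every row.
def define_machines(config, machines = MACHINES)
  problems = validate_machines(machines)
  raise "Vagrantfile: #{problems.join('; ')}" unless problems.empty?
  machines.each do |m|
    config.vm.define m[:name] do |vm|
      vm.vm.box = m[:box]
      vm.vm.communicator = 'winrm'
      vm.winrm.username = 'vagrant'
      vm.winrm.password = 'vagrant'
      vm.winrm.transport = :plaintext # tolerable only on the isolated intnet
      vm.winrm.basic_auth_only = true
      vm.vm.network :private_network, ip: m[:ip], virtualbox__intnet: 'malware'
      vm.vm.provider :virtualbox do |v|
        v.customize ['modifyvm', :id, '--cpus', m[:cpus]]
        v.customize ['modifyvm', :id, '--memory', m[:memory]]
      end
    end
  end
end
```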
Additional Operating Systems
To support additional operating systems you will have to create Vagrant boxes yourself or use existing ones from Vagrant Cloud. To automate the installation of a different Windows OS version you will have to download its ISO, create an appropriate answer file and a new <os>.variables.pkr.hcl variables file. To automate the installation of a different Linux OS version, you will have to download its ISO, consult its documentation for unattended installation instructions and create a new <os>.variables.pkr.hcl variables file.
Once you have your box ready, you can follow the instructions for adding an extra machine to include it into your lab.