ASD releases Azul open-source malware analysis tool


To automate repetitive grunt work for defenders and analysts.

The Australian Signals Directorate (ASD) has released a tool to store and analyse large amounts of malware samples, aimed at enterprise and government security teams looking to collaborate and speed up analysis.


Named Azul, the open-source platform comes with a structured sample repository that features an analytical engine and clustering suite built on OpenSearch, allowing analysts to identify shared infrastructure, development patterns and behavioural similarities across large volumes of malware samples.

Azul seeks to speed up malware reverse engineering analysis by wrapping commonly performed steps into automated workflows with reusable plugins.

Sample files for Azul are kept in a Simple Storage Service (S3) compatible binary large object (blob) store, and processed through the Apache Kafka event queueing system.

Azul is built in Python, Golang and TypeScript, deploys to a Kubernetes cluster via the Helm package manager chart templates, and supports monitoring and alerting through tools including Prometheus, Loki and Grafana.

Azul supports YARA rules, Snort signatures, fuzzy hashing with SSDEEP and TLSH (Trend Micro Locality Sensitive Hash), and MACO (malware configuration) extraction routines.

By itself, Azul doesn't determine if a particular file is malicious.

For this, analysts can use tools such as the Canadian Centre for Cyber Security's Assemblyline, also open-source, for triage.

This is the first open-source release of the malware analysis tool, which is currently at version 9.0.0.

It is not to be confused with the other Azul, a Java platform for enterprises.

ASD's code and documentation have been published on the GitHub open source repository.

Copyright © iTnews.com.au. All rights reserved.