THOR-Launcher

Host-base scanning tool using known IOCs and YARA rules to detect malware, apt attack. This tool is a launcher of the THOR-Lite APT Scanner.

1. Launcher features

Scanning based on modules
Cross-platform support: Windows, Linux, MacOSX
Encryption IOCs, YARA rules before packing the tool
Automatic update of IOCs and YARA rules from Nextron Systems GmbH
You can add your own IOCs and YARA rules
Multiple report export options: Text, HTML, JSON, CSV, etc..
Customize configuration of CPU usage, memory, scan file size, etc..
and more..!

2. Setting up environment

Download and install Python 3: https://www.python.org/downloads. Currently supported Python version 3.6 and above. To verify python installed:

# Windows
$ where python
  
# Linux or MacOSX
$ which python3

Create virtual python environment:

$ pip3 install virtualenv

# Windows
$ mkdir my-project & cd my-project
$ virtualenv -p c:\path\to\python.exe venv

# Linux or MacOSX
$ mkdir my-project && cd my-project
$ virtualenv -p /path/to/python3 venv

Active virtual python environment:

# Windows:
$ venv\Scripts\activate

# Linux or MacOS:
$ source venv/bin/activate

Clone THOR-Launcher:

$ git clone https://github.com/hailehong95/thor-launcher.git

Install dependencies packages:

(venv) $ pip install -r requirements.txt

3. Building THOR-Launcher

3.1. THOR Utility

A utility used to packing the THOR-Lite set into a single executable, convenient for distribution to clients when scanning.

(venv) $ python thor-util.py
Usage: thor-util.py [OPTIONS] COMMAND [ARGS]...

  A CLI Utility for THOR APT Scanner by HaiLH

Options:
  --help  Show this message and exit.

Commands:
  build      Build THOR APT Scanner package
  clean      Clean all temporary working files
  extract    Extract THOR packs
  keygen     RSA keys generator
  license    Add THOR license
  make       Create THOR APT Scanner bundle
  remove     Remove THOR optional binaries and dirs
  rename     Rename THOR binaries
  rsakey     Add encryption key
  signature  Add custom signatures
  update     Update signatures
  upgrade    Upgrade THOR and signatures
  version    Show Utility version

3.2. THOR-Launcher packing up steps

Get THOR-Lite: request to Nextron Systems GmbH: https://www.nextron-systems.com/thor-lite/download. Then wait for them to send the download link with the license key file via email. Download and save the THOR (.zip) to ./thor_packs/ directory. Similarly, the license file (*.lic) is saved in the ./thor_license/ directory
- YARA Rules: Add your rules to the ./signatures/ directory
- UPX Packer (optional): Use UPX for compression as well as an extra step of protecting the executable. Download: https://github.com/upx/upx/releases and put in the corresponding directory in ./packer/

Generate RSA key pair

(venv) $ python thor-util.py keygen --keyname "key" --length 4096

Automatically create the THOR set
```
(venv) $ python thor-util.py make
```
Packing THOR APT Scanner
```
(venv) $ python thor-util.py build
```
Running THOR-Launcher
```
$ thor-apt-scanner.exe
```
- A THOR-Launcher will invoke the THOR binaries to scan. The final executable will have these binaries embedded and the iocs and yara rules included with the Python interpreter.
- After scanning is completed, the report files will be encrypted and compressed into a *.zip file.

4. Systems that have been tested

Microsoft Windows: 7, 8/8.1, 10, 2012, 2016, 2019
Linux: Ubuntu 18.04 LTS, Ubuntu 20.04 LTS
MacOSX: 10.16 (Big Sur)

5. Important

THOR-Launcher as a project for learning purposes
Do not use it for commercial purposes
Please read the "THOR Lite End User License Agreement" inside Thor-Lite packs