Friday 2 October 14:00 - 14:30, Green room
Marion Marschalek (Cyphort)
download slides (PDF)
A while ago a bunny crossed my way. I mean... a binary, which literally named itself bunny. Bunny is a beautiful piece of software, orchestrating a massive thread model with the goal of feeding downloaded Lua scripts to an integrated Lua engine. The scripts are then supposed to call back into the C++ code through C/Invoke Lua bindings to change the malware behaviour runtime.
A number of binaries with equal handwriting were identified, among them a sample which strikes the analyst with surprising sophistication. The shining star of this menagerie is a DLL implant aiming at, well, all the things. This binary is a fancy espionage tool, which keeps track of all data it can get its tentacles on. The implant clings onto running processes by injecting its payload into other applications. Once settled, the implant will create screen captures and intercept keystrokes. If applicable, the malware can also tap the microphone and record sound to steal data from installed softphones.
This implant's dropper is a bloated binary, linked to debug information for a project named 'Babar64'. Babar is a French cartoon character, an elephant. Now who, if not the French, would call a piece of malware Babar? Ça a l'air louche. But oh, mon Dieu, I'm not blaming the French. That was actually Canadian Communications Security Establishment (CSEC) calling on France in a leaked government document published earlier this year. Besides the CSEC allegations, malware of the same strain has even popped up in Syria. The newest representatives are dubbed 'Casper', the (questionably) friendly ghost.
The focus of this talk will be a deep insight to the technical finesse of the espionage toolset and an outline of the implementation details as well as an investigation of the binary handwriting which made it possible to relate the identified cartoons. The talk will close with a glimpse of victimology, providing educated guesses on the motivations behind the cartoon attacks.
Marion Marschalek is a threat researcher and reverse engineer on duty for Cyphort Inc. Santa Clara, California. Marion is focuses on the analysis of emerging threats and exploring novel methods of threat detection. She also teaches malware analysis at the University of Applied Sciences St. Pölten and writes articles for security magazines. She has spoken at international conferences around the globe, among others BlackHat Las Vegas, RSA San Francisco and SyScan Singapore. Marion was winner of the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake. She practices martial arts and has a vivid passion for taking things apart. Preferably, other people's things.