Friday 6 October 12:00 - 12:30, Green room
Mark Lim & Zong-Yu Wu (Palo Alto Networks)
Malware, like many sophisticated software systems, relies on the concept of software configuration. This establishes guidelines for malware behaviour and is a common feature among the various malware families we examine. The configuration data embedded within malware can offer invaluable insights into the intentions of cybercriminals. However, due to its significance, malware authors deliberately make configuration data challenging to parse statically from the file.
Over the past few years, we have developed an internal malware configuration extraction system. We will share extractors for multiple malware families with the research community. These extractors, written in Python, are designed to scan and extract configuration data from memory dumps associated with specific malware samples.
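As an added illustration of what such a memory-dump extractor does (this is example code written for this page, not the extractors the talk releases, and the "CFG1" marker, the 1-byte XOR key, the length field and the key=value body are a constructed, hypothetical layout rather than any real family's format), the block below scans a dump for a marker, validates the header, decodes the body and skips decoy or truncated hits:

```python
import re
import struct

# Hypothetical config layout used only for this example (assumption, not a
# real family's format):
#   b"CFG1" | 1-byte XOR key | 2-byte little-endian body length | XOR-encoded body
# The decoded body is a set of "key=value" lines.
MARKER = b"CFG1"
HEADER = struct.Struct("<BH")  # (xor_key, body_length) -> 3 bytes


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest obfuscation a config blob might use."""
    return bytes(b ^ key for b in data)


def build_sample_dump() -> bytes:
    """Construct a fake memory dump: junk, one valid blob, more junk, and a
    decoy marker whose declared length runs past the end of the dump."""
    body = b"c2=203.0.113.10:443\nbotnet=demo\nsleep=60\n"  # constructed values
    key = 0x5A
    blob = MARKER + HEADER.pack(key, len(body)) + xor_bytes(body, key)
    junk = bytes(range(256)) * 4
    decoy = MARKER + HEADER.pack(0x11, 0xFFFF)
    return junk + blob + junk[:100] + decoy


def parse_body(body: bytes) -> dict:
    """Turn the decoded key=value lines into a dict; raises on non-ASCII garbage."""
    cfg = {}
    for line in body.decode("ascii").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def extract_configs(dump: bytes) -> list:
    """Scan a memory dump for every marker hit and return each config that
    decodes cleanly. Hits with a truncated body or a body that does not
    decode as ASCII (false-positive marker matches) are dropped."""
    found = []
    for m in re.finditer(re.escape(MARKER), dump):
        start = m.end()
        if start + HEADER.size > len(dump):
            continue  # header itself is cut off
        key, length = HEADER.unpack_from(dump, start)
        enc = dump[start + HEADER.size : start + HEADER.size + length]
        if len(enc) != length:
            continue  # declared length exceeds the dump: decoy or truncated
        try:
            cfg = parse_body(xor_bytes(enc, key))
        except UnicodeDecodeError:
            continue  # marker matched random bytes, not a real blob
        if cfg:
            found.append(cfg)
    return found


if __name__ == "__main__":
    for cfg in extract_configs(build_sample_dump()):
        print(cfg)
```

The length check and the decode check are the parts that matter in practice: a short marker will match inside unrelated memory, so an extractor has to reject hits whose header or body does not hold together rather than emitting garbage as indicators.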
In this presentation, we will explore selected configuration protection techniques employed by various malware families. We will present case studies from major families, such as Trickbot (TheTrick), IcedID (Bokbot) and Emotet (Geodo), as well as the .NET malware SnakeKeyLogger. We will discuss shared protection designs across families and custom anti-analysis techniques that we've had to address in our extractors. Furthermore, we will highlight the evolution of analysis techniques used by two malware families: Guloader and Emotet. In addition, we will examine how configuration can be extracted from .NET malware.
Parsing malware configuration can be both enjoyable and beneficial, but it is rarely simple. In this presentation, we will begin with an introduction to malware configuration before diving deeper into parsing and extraction. Our case studies encompass malware families with diverse objectives and various anti-analysis techniques. Although this cat-and-mouse game is ongoing, we hope that sharing our knowledge will better equip us for the upcoming challenges.
Mark Lim has been working in the cybersecurity domain for close to 20 years. Currently, he is a senior malware reverse engineer at Palo Alto Networks. He focuses on analysing malware samples and developing detection mechanisms. Mark constantly looks for opportunities to improve his reverse engineering skills by exchanging experiences with others. Mark believes every piece of binary contains a story waiting for a reverse engineer to tell it. Before working at Palo Alto Networks, he spent 10 years as a blue teamer with the Singapore government.
Zong-Yu Wu is a senior malware reverse engineer at Palo Alto Networks. Currently, he focuses on static analysis and sandbox detection. His mission is reverse engineering malware for the purpose of diagnosing issues and researching novel methods to bridge the detection gap. Previously, he worked in the threat intelligence field, which helped develop his technical skills around malware configuration extraction, protocol emulation and intelligence collection. He also researches the human factors of cybercriminals at night, especially when x64dbg and IDA Pro are a bit too much.