
Long live REcon – my 10th REcon anniversary

I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.

Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics, such as how to unpack and decrypt malware, how to analyze APT malware, and so on.

I even got an award to mark 10 years of teaching the Reverse Engineering class at REcon. Time flies 🙂


The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:

  • Introducing Dynamic IDA Enrichment framework (a.k.a. DIE):

    DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.

    As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.

    With a click of a button, everything is accessible to the researcher: they can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.

    After the framework was explained, three live demos showed how to use the tool.

    The slides are available here: http://fr.slideshare.net/ynvb/0x3e9-waystodie
    The framework can be downloaded here: https://github.com/ynvb/DIE

  • Totally Spies!

    This presentation covered research done into the AnimalFarm operation as well as technical details of their various pieces of malware. The presentation also highlighted connections between samples as well as technical hints found regarding attribution.

  • The M/o/Vfuscator

    Based on a paper that proves that the “mov” instruction is Turing complete, the M/o/Vfuscator takes the source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no SMC cheating).

    The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.

    Crackme: https://github.com/xoreaxeaxeax/movfuscator/tree/master/poc/crackme
    Obfuscator: https://github.com/xoreaxeaxeax/movfuscator
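To make the "mov-only" idea concrete, here is an added illustration (written for this post, not code from the M/o/Vfuscator project) of the building blocks such a compiler relies on. The functions marked mov-only use nothing but assignments and array indexing: equality is decided by writing to two indexed cells and reading one back, a conditional store runs unconditionally but lands in either the real variable or a dummy cell chosen by the flag, and addition is a table lookup. Only the one-time table setup and the small wrapper helpers use ordinary C arithmetic, standing in for the constant tables and glue that the obfuscated binary carries as data. The table and function names are the example's own.

```c
/* Added example of mov-only computation, not the M/o/Vfuscator's own code.
 * Build and run stand-alone with: cc -o movdemo movdemo.c && ./movdemo */
#include <stdint.h>
#include <stdio.h>

/* Precomputed data: the obfuscated program ships tables like these as constants. */
static uint8_t add_lo[256][256];    /* low byte of a + b */
static uint8_t add_carry[256][256]; /* carry out of a + b (0 or 1) */

/* Ordinary C, setup only; returns 1 so a caller can check it ran. */
int init_tables(void)
{
    for (int a = 0; a < 256; a++)
        for (int b = 0; b < 256; b++) {
            add_lo[a][b] = (uint8_t)(a + b);
            add_carry[a][b] = (uint8_t)((a + b) >> 8);
        }
    return 1;
}

/* mov-only: equality without a compare. Write 0 at index a, then 1 at index b;
 * re-reading index a gives 1 only if both writes hit the same cell. */
uint8_t mov_equal(uint8_t a, uint8_t b)
{
    static uint8_t scratch[256];
    scratch[a] = 0;
    scratch[b] = 1;
    return scratch[a];
}

/* mov-only: selection without a branch, the flag indexes a two-entry table. */
uint8_t mov_select(uint8_t flag, uint8_t if_true, uint8_t if_false)
{
    uint8_t table[2];
    table[0] = if_false;
    table[1] = if_true;
    return table[flag];
}

/* mov-only: a + b (mod 256) as a single indexed read; init_tables() must have run. */
uint8_t mov_add8(uint8_t a, uint8_t b)
{
    return add_lo[a][b];
}

/* mov-only: branch-free "if (a == b) *x = value;". The store always executes;
 * the equality flag decides whether it lands in x or in a throwaway cell. */
void mov_store_if_equal(uint8_t a, uint8_t b, uint8_t *x, uint8_t value)
{
    static uint8_t dummy;
    uint8_t *target[2];
    uint8_t flag = mov_equal(a, b);
    target[0] = &dummy;
    target[1] = x;
    *target[flag] = value;
}

/* mov-only: 16-bit add chained through the carry table on little-endian byte pairs. */
void mov_add16(const uint8_t a[2], const uint8_t b[2], uint8_t out[2])
{
    uint8_t lo = add_lo[a[0]][b[0]];
    uint8_t carry = add_carry[a[0]][b[0]];
    uint8_t hi = add_lo[a[1]][b[1]];
    hi = add_lo[hi][carry];       /* carry is 0 or 1; result wraps mod 2^16 */
    out[0] = lo;
    out[1] = hi;
}

/* Ordinary C glue so the mov-only routines are easy to exercise. */
uint8_t store_if_equal_result(uint8_t a, uint8_t b, uint8_t initial, uint8_t value)
{
    uint8_t x = initial;
    mov_store_if_equal(a, b, &x, value);
    return x;
}

uint16_t add16_result(uint16_t a, uint16_t b)
{
    uint8_t pa[2] = { (uint8_t)a, (uint8_t)(a >> 8) };
    uint8_t pb[2] = { (uint8_t)b, (uint8_t)(b >> 8) };
    uint8_t out[2];
    mov_add16(pa, pb, out);
    return (uint16_t)(out[0] | (out[1] << 8));
}

int main(void)
{
    init_tables();
    printf("5 == 5 -> %u, 5 == 6 -> %u\n", mov_equal(5, 5), mov_equal(5, 6));
    printf("200 + 100 mod 256 -> %u\n", mov_add8(200, 100));
    printf("0x01ff + 0x0002 -> 0x%04x\n", add16_result(0x01ff, 0x0002));
    printf("x after conditional store (3 == 4) -> %u\n",
           store_if_equal_result(3, 4, 7, 42));
    return 0;
}
```

The real obfuscator goes further: it runs every instruction of the program on each pass and uses the same selector trick to aim writes at scratch memory when a "branch" is not taken, so control flow disappears along with comparisons and arithmetic. That is what makes the resulting crackme so disorienting in a disassembler, since there are no conditional jumps to anchor an analysis on.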

Other interesting talks included:

  • This Time Font can hunt you down in 4 bytes
  • Hooking Nirvana
  • One font vulnerability to rule them all
  • Reversing the Nintendo 64 CIC

You can find the full conference schedule at http://recon.cx/2015/schedule/

Slides and videos of every talk will be uploaded to the REcon website soon.

See you next year at REcon 2016!

