Events

Long live REcon – my 10th REcon anniversary

I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.

Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics such as how to unpack/decrypt malware, analyze APT and so on.

I even got an award to mark 10 years of teaching Reverse Engineering class at REcon. Time flies 🙂

Long live REcon – my 10th REcon anniversary

The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:

  • Introducing Dynamic IDA Enrichment framework (a.k.a DIE):

    DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.

    As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.

    With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.

    After the framework was explained, 3 live demos showed how to use the tool.

    The slides are available here: http://fr.slideshare.net/ynvb/0x3e9-waystodie
    The framework can be downloaded here: https://github.com/ynvb/DIE

  • Totally Spies!

    This presentation covered research done into the AnimalFarm operation as well as technical details of their various pieces of malware. The presentation also highlighted connections between samples as well as technical hints found regarding attribution.

  • The M/o/Vfuscator

    Based on a paper that proves that the “mov” instruction is Turing complete, the M/o/Vfuscator takes the source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no SMC cheating).

    The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.

Crackme: https://github.com/xoreaxeaxeax/movfuscator/tree/master/poc/crackme
Obfuscator: https://github.com/xoreaxeaxeax/movfuscator

Other interesting talks included:

  • This Time Font can hunt you down in 4 bytes
  • Hooking Nirvana
  • One font vulnerability to rule them all
  • Reversing the Nintendo 64 CIC

You can find the full conference schedule at http://recon.cx/2015/schedule/

Slides and the videos from every talk will be uploaded soon on the REcon website.

See you next year at REcon 2016!

Long live REcon – my 10th REcon anniversary

Long live REcon – my 10th REcon anniversary

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox