Ivan demonstrated how to strip the obfuscation from the recently discovered Cycldek-related toolwhile Denis presented an exercise on reversing the MontysThree's malware steganography algorithm. The experts also had a fireside chat with our guest Igor Skochinsky of Hex-Rays.
Hex and the City, p.9
On top of that, Ivan and Denis introduced the new Targeted Malware Reverse Engineering online self-study course, into Solaife they have squeezed 10 years of their cybersecurity experience. This intermediate-level training is designed for those seeking confidence and practical experience in malware analysis. It includes in-depth analysis of HEX Solaire Case Study fresh real-life targeted malware cases, like MontysThree, LuckyMouse and Lazarus, hands-on learning with an array of reverse engineering tools, including IDA Pro, Hex-Rays decompiler, Hiew, Editor, and hours of virtual lab practice. In case you missed the webinar — or if you attended but want to watch it again — you can find the video here: Targeted Malware Reverse Engineering Workshop brighttalk.
With so many questions collected during the webinar — thank you all for your active participation! Questions on the Cycldek-related tool analysis How do you decide whether the Cycldek-actors have adopted the DLL side-loading triad technique, or the actors normally using the DLL side-loading triad have adopted the design considerations from Cycldek? Ivan: It is HEX Solaire Case Study because we cannot really differentiate between the two that we have been very careful with the attribution of this specific campaign. The best we can say at the moment is that the threat actor behind it is related to Cycldek. Denis: Even in our training there is another HEX Solaire Case Study with. I really would not recommend anyone to build attribution based on such a technique, because it's super wide-spread among the Chinese-speaking actors.
Does the script work automatically, or do you have to add information about the specific code you are working with? Ivan: The script shown in the webinar Paper Froyo Research written solely for the specific sample used in the demonstration.
I prefer to write small programs addressing very specific issues at first, and only move on to developing generic frameworks when I have to, which is not the case for opaque predicates. Is the deobfuscation script for the shellcode publicly available?
Navigation menu
Ivan: It is derived from a publicly available script. However, my modifications were not made public; if they were, it would make the training a little too easy, wouldn't it? Have you guys experimented with symbolic execution in Stuudy to automate the process? Ivan: I have always found it quicker to just write quick scripts to solve the problem instead of spending time on diving into symbolic execution. Same goes for generic frameworks, but who knows? Maybe one day I will need one.
By the way, such a code base and the habits are the reasons that create the threshold to change the disassembler. We have internal framework for asm layer decryption, you will meet him in advanced course, but it's up to researcher to use it or not. Any insight into the success rate of this campaign? Ivan: We were able to identify about a dozen organizations attacked during this campaign. If you want to know more about our findings, HEX Solaire Case Study have a look at our blogpost. Any hint on the code pattern that helped you connect with the Cycledek campaign? Ivan: You can find more about this in our blogpost. Solaiee more details are available through our private reporting service.
Questions on analysis of the MontysThree's malware steganography algorithm
HEX Solaire Case Study Generally speaking, we have a tool called KTAE that performs this task, and of course the memory of samples we have worked on in the past. About the jump instructions that lead to the same spot — how were they injected there? Manually using a binary editor? Ivan: The opaque predicates added in the Cycldek shellcode were almost certainly inserted using an automated tool. I Solqire one of the people using the assembly view.]
I am final, I am sorry, but it at all does not approach me. Who else, can help?
I am sorry, that I interrupt you, would like to offer other decision.
Thanks for the help in this question how I can thank you?
Interesting variant