
[CB19] MalCfgParser: A Lightweight Malware Configuration Parsing Tool by Ycy Yu, Duckll Liao, Charles Li


"MalCfgParser" is a malware configuration parsing tool for incident response analysts and malware researchers.

Malware detection and analysis evasion is a cat-and-mouse game between analysts and malware authors. Attackers apply diverse landing mechanisms and obfuscation techniques to cloak their backdoors, so automated analysis is essential to keep up with this rapidly changing malware. In this talk, we present "MalCfgParser", which dives into memory to perform automatic, brute-force parsing that extracts the malware configuration. Malware configurations expose C&C servers, encryption keys, campaign codes, installation paths and mutex names, which helps analysts and enterprises build a more complete picture of the threat.

MalCfgParser can operate standalone for manual analysis, or integrate with a sandbox or any memory forensics tool. It is designed as a flexible framework to which every malware researcher can contribute knowledge of a specific malware family, easily adding configuration definitions to extend its coverage. We believe these scenarios and operating modes serve the needs of people fighting malware, including malware researchers, forensic analysts and incident responders.

Lastly, we will give a live demo of both standalone use and integration with a TeamT5 product, run against several notorious APT malware and crimeware families.


  1. MALCFGPARSER: A LIGHTWEIGHT MALWARE CONFIGURATION PARSING TOOL
  2. YCY, Cyber Threat Analyst; DUCKLL, Cyber Threat Analyst; CHARLES LI, Chief Analyst
  3. 60+ clients in Asia Pacific; 90%+ of MSSPs in Taiwan; government agencies; telecom / ISP; leading CTI firms; accounting firms / financial sectors; semiconductor / manufacturing; international trading; NGO / NPO. Taiwan: 10+ partners; Japan: 2+ partners; ASEAN: 3+ partners. Start from APAC, speak for APAC, guardian of APAC.
  4. POWERED BY / SUPPORTS ... and possibly other products?
  5. MEMORY DUMP SCAN. Adversary: POLARIS (MUSTANG PANDA). Malware: PLUGX
  6. LIVE MEMORY SCAN. Malware: PHANTOMIVY
  7. LIVE MEMORY SCAN: EVER-CHANGING MALWARE. 2015, from APT20: PLUGX 0X36A4 LOADER. 2016, from DRAGONOK. > strings: cPNfEPGjP<p=t XeWTjYfOOib]jYR hJ;b@K:CJiFCJaNBJX c[]ln[x d5BF Ba>;BP rIFBPmTGQIP <111 T;BB7 bhgvn pRCjHSBKRoVISKRv GetProcAddress LoadLibraryA KERNEL32.dll ;Tls.u MessageBoxA user32.dll GetModuleFileNameA GetModuleHandleA GetSystemTime Sleep lstrlenA kernel32.dll !+W RasTls.dll DoWork 2X<^<&= …
  8. LIVE MEMORY SCAN: EVER-CHANGING MALWARE. 2017, from SLIME.HLEMONK: PLUGX 0X36A4 LOADER IN MEMORY. > strings: CreateFileW CreateFileMappingW MapViewOfFile GetSystemTime GetModuleHandleA VirtualProtect VirtualAlloc GetModuleFileNameW lstrcpyW lstrcpyA lstrcatA GetProcAddress GetLastError f91u JhL0 VVVVVVQV 5L0 ExitProcess GetCommandLineW CreateProcessW WaitForSingleObject lstrcpyW KERNEL32.dll JP0 JP1 JAP0 JAP1
  9. ANOTHER CHALLENGE…
  10. So here is born of…
  11. WORKING WITH CUCKOO
  12. WORKING WITH THREATSONAR
  13. LIVE MEMORY SCAN: HOW DOES IT WORK? VIRTUAL MACHINE -> MALWARE -> DUMP FILES / PID -> MALCFGPARSER -> Malware Configuration { "C&C Server1": "…", "C&C Server2": "…", "Installation Path": "…" }
  14. LIVE MEMORY SCAN: INSIDE MALCFGPARSER. Structure (powered by ...): Parse -> Scan -> Loads -> Decode -> Brute Force Parsing -> Validate
  15. LIVE MEMORY SCAN: WORKING WITH CUCKOO. Guest machine: MALWARE -> Analyzer -> PROCESS DUMP (ProcMemory). Host machine: WEB SERVER (supported by ...)
  16. ycy@teamt5.org, duckll@teamt5.org, charles@teamt5.org
