CERT SEKOIA attended to 0xA edition of REcon at Montreal in Canada from the 17th to the 19th of June. REcon is a well-known security conference dedicated to reverse engineering as well as software or hardware topics. As the previous one, this edition was technically impressive and the subjects were various. We selected some interesting topics for this blog post.
Visiting The Bear Den – Joan Calvet, Jessy Campos & Thomas Dupuy (ESET Researcher)
The researchers performed a deep analysis of the toolset used by the Sednit group (aka APT28, Fancy Bear, Sofacy, STRONTIUM or Tsar Team). The group performed targeted attacks since 2006. The researchers explained the “modus operandi” of the group and performed a timeline of a “normal” week for this group (spear phishing, compromise, installation of a downloader, installation of the payload, exfiltration, …). The presenters discovered that the group developed advanced persistence modules such as bootkits or rootkits. A white paper is coming soon; we will update this blog post when the document will be released.
Process Failure Modes – James Forshaw (Google)
James Forshaw presented his work concerning Windows process creation and some particular bugs that could allow privilege escalation. At the end of the presentation, the researcher explained how to fool WMI and change the path of an existing process. This trick could be used by malware developers in order to hide their activities against incident response handlers that use WMI to collect artefacts. More information can be found on the Project Zero blog.
Monitoring & Controlling Kernel-mode Events by HyperPlatform – Satoshi Tanda (SOPHOS)
Satoshi Tanda presented its open-source tool called HyperPlatform and available on Github there. The tool is a Windows driver that uses CPU virtualisation capabilities (Intel VT-x & EPT) in order to monitor the activity of the Windows Kernel. The driver is capable of monitoring access to virtual/physical memory, system registers, occurrence of interrupts… To conclude the presentation, the researcher showed how to unpack the Turla (aka Urobouros, Snake) rootkit automatically thanks to HyperPlatform.
Sol[IDA]rity – Markus Gaasedelen & Nick Burnett
The researchers started to present all the attempts of creating IDA Pro extensions in order to perform collaborative reversing. They estimated that all the existing attempts were bad and they decided to create their own tool. The researchers showed videos of their tool: Sol[IDA]rity. The tool is a client-server application where the client side is composed of IDA with a Python plugin and the server side is a web service in Python. The tool allows:
– Real-time updates of the renames, comments, structure definition, etc.;
– Chat between users;
– The capability to see who is working on which part of the binary;
Sadly, the tool is not available for the moment. The researchers mentioned “coming soon” on http://solidarity.re…
KEYSTONE: the last missing framework for Reverse Engineering – NGUYEN Anh Quynh
The researchers presented the Keystone framework. A framework used to assemble code. The developer is the maintainer of Capstone (disassembler framework) and Unicorn (emulator framework). This trilogy is really impressive and can be used on unlimited cases. Since CERT SEKOIA uses these frameworks on several internal projects and malware analysis training, we can confirm this extreme flexibility. You can download the frameworks there: http://www.keystone-engine.org/, http://www.capstone-engine.org/ and http://www.unicorn-engine.org/.
Abusing the NT Kernel Shim Engine – Alex Ionescu (Crowdstrike)
Alex Ionescu presented an undocumented features of Microsoft Windows: the NT Kernel Shim. The shims can be used to hook IAT, IRP callbacks or Drivers callbacks. This feature can be used for the kernel monitoring or by malware developers to perform malicious action on the system. As demonstration, the researcher presented DriverMon, that could be considered as a “kernel ProcMon”. The tool will be available soon on the website of Crowdstrike.
Conclusion & Bonus
The REcon is the most impressive conference concerning reverse engineering topics. This year was an amazing edition. In bonus, the organiser announced during the closing ceremony that2 Recons will be organized next year:
– In January/February in Europa (Bruxelles)
– In June in Montreal as usual
That’s a great new and we look forward to assist to the first edition of REcon Europa!
Sekoia is creating solutions for cyber-risk prevention and cyber-attack response. Since 2008, Sekoia is developing know-hows and technologies in order to address emerging risks faced by companies in the cyber-space.