Back From REcon 0xA

CERT SEKOIA attended the 0xA edition of REcon in Montreal, Canada, from 17 to 19 June. REcon is a well-known security conference dedicated to reverse engineering and to related software and hardware topics. As with the previous edition, this one was technically impressive and the subjects were varied. We selected some of the most interesting talks for this blog post.

REcon 0xA

Visiting The Bear Den – Joan Calvet, Jessy Campos & Thomas Dupuy (ESET researchers)

The researchers presented a deep analysis of the toolset used by the Sednit group (aka APT28, Fancy Bear, Sofacy, STRONTIUM or Tsar Team). The group has been performing targeted attacks since 2006. The researchers explained the group's modus operandi and drew up the timeline of a "typical" week for the group (spear phishing, compromise, installation of a downloader, installation of the payload, exfiltration, …). They also found that the group has developed advanced persistence modules such as bootkits and rootkits. A white paper is coming soon; we will update this blog post when the document is released.

Bootkit Workflow

Process Failure Modes – James Forshaw (Google)

James Forshaw presented his work on Windows process creation and some particular bugs in it that could allow privilege escalation. At the end of the presentation, he explained how to fool WMI so that it reports a different path for an existing process. Malware developers could use this trick to hide their activity from incident response handlers who rely on WMI to collect artefacts, which is a good reason not to trust a single source for process metadata. More information can be found on the Project Zero blog.

Process creation

Monitoring & Controlling Kernel-mode Events by HyperPlatform – Satoshi Tanda (SOPHOS)

Satoshi Tanda presented his open-source tool HyperPlatform, available on GitHub. The tool is a Windows driver that uses the CPU virtualisation features (Intel VT-x and EPT) to monitor the activity of the Windows kernel. The driver can monitor accesses to virtual and physical memory, accesses to system registers, the occurrence of interrupts, and so on. To conclude the presentation, the researcher showed how to unpack the Turla (aka Uroburos, Snake) rootkit automatically with HyperPlatform.

HyperPlatform

Sol[IDA]rity – Markus Gaasedelen & Nick Burnett

The researchers began by reviewing all the previous attempts at building IDA Pro extensions for collaborative reversing. They judged the existing attempts inadequate and decided to create their own tool. The researchers showed videos of their tool, Sol[IDA]rity. The tool is a client-server application: the client side is IDA with a Python plugin and the server side is a web service written in Python. The tool allows:

– Real-time updates of renames, comments, structure definitions, etc.;
– Chat between users;
– Seeing who is working on which part of the binary;
– …

Sadly, the tool is not available yet; the researchers' site http://solidarity.re only says "coming soon".

Sol[IDA]rity

KEYSTONE: the last missing framework for Reverse Engineering – NGUYEN Anh Quynh

The researcher presented the Keystone framework, an assembler framework. Its developer is also the maintainer of Capstone (a disassembler framework) and Unicorn (a CPU emulator framework). This trilogy is really impressive and can be used in countless situations. Since CERT SEKOIA uses these frameworks in several internal projects and in our malware analysis training, we can confirm their flexibility. You can download the frameworks from http://www.keystone-engine.org/, http://www.capstone-engine.org/ and http://www.unicorn-engine.org/.

Trilogy of Reverse

Abusing the NT Kernel Shim Engine – Alex Ionescu (CrowdStrike)

Alex Ionescu presented an undocumented feature of Microsoft Windows: the NT Kernel Shim Engine. Shims can be used to hook import address tables (IATs), IRP callbacks or driver callbacks. This feature can be used for kernel monitoring, or by malware developers to perform malicious actions on the system. As a demonstration, the researcher presented DriverMon, which could be considered a "kernel ProcMon". The tool will be available soon on the CrowdStrike website.

DriverMon

Conclusion & Bonus

REcon is the most impressive conference on reverse engineering topics, and this year was an amazing edition. As a bonus, the organisers announced during the closing ceremony that two REcons will be organised next year:

– In January/February in Europe (Brussels)
– In June in Montreal, as usual

That is great news, and we look forward to attending the first edition of REcon Europe!

Paul Rascagneres

Senior threat researcher, malware analyst and IT conf speaker…
