If you have read our previous blogpost “Targeted Malware Reverse Engineering Workshop follow-up. Part 1“, you probably know about the webinar we conducted on April 8, 2021, with Kaspersky GReAT’s Ivan Kwiatkowski and Denis Legezo, to share best practices in reverse engineering and demonstrate real-time analysis of recent targeted malware samples. The experts also had a fireside chat with Igor Skochinsky of Hex-Rays and introduced the Targeted Malware Reverse Engineering online self-study course.
The webinar audience having been so active – it was a very pleasant surprise, thanks again! – not only were we unable to address all the incoming questions online, we didn’t even manage to pack the rest of them in one blogpost. So here comes the second part of the webinar follow-up.
Questions related to malware analysis
Ivan: It is difficult to provide an answer encompassing all legitimate software. As a general rule, obfuscation or evasion techniques can provide a relevant weak signal potentially indicating malicious behavior, but should not be used for detection.
Denis: We mostly deal with malicious, not legit code, but I would not expect such tricks there. What for — protection? I would not expect opaque predicates even from third-party protectors.
Ivan: Such techniques are extremely rare, possibly because attackers know that the presence of such protections will raise suspicion.
Denis: We met several flattening cases lately. I could also name a couple of cases of custom internal VM usage in malware. So, not often, but they do exist.
Ivan: It turns out that packed executables are not as widespread as you would think. They turn up so rarely that I always default to manual work.
Denis: We mostly deal with targeted malware, and packing executables are not common in this world, I agree.
Ivan: We don’t, however, if this is of interest to you, I strongly recommend you to watch Vitaly Kamluk’s presentation on the subject.
Denis: Not in this training, but again, I would not say such tools are too popular in the world of targeted malware. Mostly due to being detected by security products, I suppose.
Ivan: I would name the LuckyMouse APT which deploys stripped down malware samples containing none of its configuration anymore, once saved somewhere on the victim’s machine. Generally speaking, they’re very good at making sure that files obtained by defenders are incomplete.
Denis: The best anti-reversing trick I have seen is a seasoned software design pro with brain-damaging multi-module development style and 30 years of experience on the other side of the court. The only thing you want to do after the encounter is to yell at him/her, your disassembler, your PC, and yourself. But when you are done at last — well, this is the reason why we do it.
Questions on the Targeted Malware Reverse Engineering course syllabus
You can find the full syllabus here.
Ivan: We occasionally use debugging, and debuggers are available in the VM. Most of the work, however, takes place in IDA Pro.
Denis: Ah, our deep belief in static analysis has affected the training for sure. But we do debugging as well, it is true. For example, in the LuckyMouse track.
Ivan: It is closer to the other way around. When we have no time to show everything, we focus on the most complex parts of the infection chain (the beginning), tackle all the problems, and leave the easy part (looking at the unobfuscated final stage) as an exercise for the audience.
Ivan: The course is organized around the specific real malware cases. There is no theory segment on obfuscation. However, we show many samples that use different techniques and demonstrate how to approach each one of them.
Ivan: To some extent, yes. One of the tracks is entirely dedicated to analyzing a network utility, understanding and re-implementing its custom protocol.
Denis: For example, in the Topinambour track, you deal with simple C2 communication protocol analysis from the reversing point of view: it means means by analyzing the code you come to understand what to expect from the traffic.
Ivan: We only cover IDA Python, but the participants are free to use IDC if they choose to.
Ivan: It’s our intentional choice to focus on real-life cases; and it is a fact that the vast majority of samples I have worked on involved no such protections. One of the malware specimens shown in the course has Anti-VM detection, which doesn’t bother us as we are just reading the code.
Ivan: The malicious document studied in the course is the InPage exploit.
Denis: The InPage file format is based upon Compound Document Format, and we will analyze how the Biodata campaign operators had embedded the shellcode into it.
Ivan: As you will probably see, the course is quite packed as it is! We may make a comment here and there about what could be a good Yara rule, but only in passing. I am, however, certain that the training will help you write better Yara rules.
Ivan: Yes, a large part of the course focuses on defeating the various protections that prevent us from seeing the actual payload!
Topics not addressed in the Targeted Malware Reverse Engineering training
Ivan: There are many things we could not get into. Rust/Go malware, CPU architectures beyond x86 and x64, ARM arch and Mac OS, etc. But we believe we were able to provide a varied yet realistic sample of what we usually encounter.
Denis: In the third-level reverse engineering course from Kaspersky, you may expect the use of a decryption framework to facilitate such typical reversing tasks.
Ivan: This is a use case not covered by the course, and in fact one that I have yet to encounter.
Denis: One quite unique _document_ format with the shellcode in it is featured in the course, but it needs no loader module, as you understand. Pity, but your topic seems to be out of the scope of this training. We are planning to create additional reversing screencasts from time to time — let’s think about covering this, too.
Ivan: Due to legal restrictions in some countries, participants are required to work in the dedicated virtual lab that we provide and the VM cannot be downloaded. The good news is that it contains all the necessary tools, including a full version of IDA Pro.
Ivan: Virtual machines will indeed be suspended after 100 hours of runtime. We can extend the hours on a case-by-case basis, but we expect this should be enough to complete all the tracks of the training.
Ivan: The virtual environment is accessed directly from the web browser.
Ivan: The VMs provided in the training make no attempt at concealing what they are. Most of the malware provided does not particularly try to prevent execution in virtualized environments, and in any case the training is focused on static analysis with IDA Pro.
Ivan: Sadly, this will not be possible. But the scripts you write should remain relatively modest in size, and will probably not be generic enough to allow future use anyway.
You can check information on prerequisites here.
- Do you have any good recommendations on how to prepare for the training? Any prerequisites for this course?
Ivan: I would advise to check out the demo version of the training. It should give you an idea of whether you meet the prerequisites, and we also provide a number of third-party resources in the introduction in case you need a bit of preparation.
- Is knowledge of cryptographic algorithms also required? Or shall we learn how to detect them in the binaries?
Ivan: We touch on that subject lightly. In most cases, figuring out which cryptographic algorithm is used is straightforward. If not, some help will be provided during the solution segments.
- Knowledge of which languages is required?
Ivan: Python scripting is required at some point. Other than that, familiarity with compiled languages, such as C or C++, is recommended.
Support & feedback
- How much support or guidance will be available if I get stuck on an exercise?
Ivan: We will collect your requests through helpdesk. Also a monthly call with the trainers is scheduled to answer your questions about the course. Otherwise, we are generally available on Twitter: @JusticeRage and @legezo.
- Does the Targeted Malware Reverse Engineering training provide for some kind of exam/cert at the end?
Ivan: There is no exam as such, although each track contains challenging knowledge checks and quizzes to check your progress. Certification will be awarded to all participants who complete all the tracks of the course.
- How much will this course cost?
Ivan: $1,400 VAT included.
Future plans/Future courses
- What is the difference between the Targeted Malware Reverse Engineering training and the upcoming third-level Advanced Malware Analysis training?
Ivan: This is an intermediate-level course, while the upcoming one will be an advanced expert-level course.