Presented at 44CON 2016
Within the fields of malware research and threat intelligence, one of the biggest challenges faced by the security industry is the significant time and skill required to reverse engineer new malware samples. This has led to the emergence of a number of systems designed to automate this process, but such solutions are often limited in their ability to implement the skilled techniques required to unravel the malware's secrets.
For nation-state malware research in particular there is often a dependency on skilled analysts, who, even when faced with a familiar malware family, will often have to repeat time-consuming and highly skilled procedures in order to extract useful information from a new sample. In conflict with this, consumers of threat intelligence demand indicators of compromise (IOCs) from new samples instantaneously, with the indicators being at their most useful to the defender in the time immediately following the malware's discovery.
In this talk we will unveil the open-source launch of our solution, CAPE, which automates many of the complex tasks routinely performed by skilled analysts when dissecting common nation-state malware families. This solution allows for the extraction of payloads, configuration and other indicators from these malware families via a single intuitive malware analysis platform.
We will begin by describing the techniques and stand-alone tools that were combined to create CAPE and demonstrate the capabilities of this system when deployed against some of the most prevalent state-sponsored malware families. We will show how support for additional malware families can be added to the system via the open-source launch of CAPE. Our hope is that CAPE will be used by the community, and further expanded, in the ongoing battle against malware of ever-increasing sophistication.