Malware Triage: Analyzing Malscripts – Return of The Exploits!

Presented at BruCON 0x0A (2018), Oct. 4, 2018, 1:30 p.m. (240 minutes)

In recent years malscripts and file based exploits have become a main delivery method for malware. Malscripts are often heavily obfuscated and they can take many different forms including WScript, Javascript, macros, and PowerShell. There has also been been a rise in document based exploits used to deliver and execute these malscripts. As a result incident responders and malware analysts need to be comfortable analyzing different document formats, identifying potential exploits, and analyze malscripts. In this workshop you will work through the triage of a live malware delivery chain that includes a malicious document, malicious scripts, and a final malware payload. During this process you will be exposed to different document based exploits, and you will practice the skills required to manually analyze malscripts. This workshop focuses on the fundamental analysis techniques used when identifying, deobfuscating, and analyzing maldocs and malscripts. However, we will also provide an introduction to automaton tools and techniques that can be used to speed up the analysis process. This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript, and Javascript, and you are familiar with windows internals you should have no problem completing the workshop. You will be provided with a VirtualMachine to use during the workshop, please make sure to bring a laptop that meets the following requirements. Your laptop must have VirtualBox installed and working (VMWare is not supported). Your laptop must have at least 60GB of disk space free, preferably 100GB. Your laptop must be able to mount USB storage devices. Make sure you have the appropriate dongle if you need one.

Presenters:

• Sean Wilson
  Twitter: @seanmw YouTube: https://www.youtube.com/oalabs Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.
• Sergei Frankoff
  Twitter: @herrcore YouTube: https://www.youtube.com/oalabs Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime. He actively contributes to open source tools and tries to publish as much analysis as possible. With over a decade of experience Sergei has held roles both as the manager of an incident response team, and as a malware researcher.

Links:

• https://brucon0x0a.sched.com/event/FXIK/malware-triage-analyzing-malscripts-return-of-the-exploits

Similar Presentations:

• DEF CON 30 (2022) / Automated Debugging Under The Hood - Building A Programmable Windows Debugger From Scratch (In Python) Workshop
• BruCON 0x07 (2015) / Crowdsourced Malware Triage Workshop - Making Sense of Malware with a Browser and a Notepad Workshop
• BruCON 0x09 (2017) / Malware Triage: Malscripts Are The New Exploit Kit Workshop