Crypton - Exposing malware's deepest secrets

Presented at REcon 2017, June 18, 2017, 11 a.m. (60 minutes)

As malware researchers, a significant part of our research process isdedicated to reversing cryptographic algorithms for extracting thedecrypted content. Revealing this content provides an access to the heartof the malware: all the strings, Windows API calls, DGA Algorithms,communication protocols, and while focusing on financial malware – the listof targeted institutions and webinjects.Malware authors put considerable effort into constantly changing theirencryption routines and designing customized implementation algorithms.Even the smallest change requires significant work from the malwareresearcher: revesring has to be applied to reconstruct the encryptionscheme.Our motivation was to find lightweight and practical implementation thatcan effectively speed up the research process.That’s why we developed an automation approach, based on a heuristic wayof detecting such cryptographic algorithms regardless of the type ofalgorithm used that extracts their plain text output. The implementation ofthis approach saves a lot of valuable research time by letting the malwaredo the job for us!During the lecture, we plan to give some basic background on our work withfinancial malware and their internals. We will describe the idea and thearchitecture of the Crypton tool and present a demo with live malware.



Similar Presentations: