Kevin O’Reilly – The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Kevin O’Reilly – The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware.

Within the fields of malware research and threat intelligence, one of the biggest challenges faced by the security industry is the significant time and skill required to reverse engineer new malware samples. This has led to the emergence of a number of systems designed to automate this process, but such solutions are often limited in their ability to implement the skilled techniques required to unravel the malware’s secrets.

For nation-state malware research in particular there is often a dependency on skilled analysts, who, even when faced with a familiar malware family, will often have to repeat time-consuming and highly skilled procedures in order to extract useful information from a new sample. At the same time, consumers of threat intelligence demand indicators of compromise (IOCs) from new samples instantaneously, since the indicators are at their most useful to the defender in the time immediately following the malware’s discovery.

In this talk we will unveil the open-source launch of our solution CAPE, which automates many of the complex tasks routinely performed by skilled analysts when dissecting common nation-state malware families. This solution allows for the extraction of payloads, configuration and other indicators from these malware families via a single intuitive malware analysis platform.

We will begin by describing the techniques and stand-alone tools that were combined to create CAPE and demonstrate the capabilities of this system when deployed against some of the most prevalent state-sponsored malware families. We will show how support for additional malware families can be added to the system via the open-source launch of CAPE. Our hope is that CAPE will be used by the community, and further expanded, in the ongoing battle against malware of ever-increasing sophistication.

Kevin O’Reilly is a Principal Consultant and Head of Threat at Context Information Security. He is responsible for leading threat research and malware analysis within Context’s Response department. He has been working in information security for over 12 years. Prior to joining Context, he was Research Developer at Corsaire, after beginning his career as Virus Researcher at the anti-virus firm Sophos.

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!