Dr. Wesley McGrew, Senior Cyber Fellow at MartinFed, has written this blog to complement his Breakout Session at this year’s National Cyber Summit. You can catch Dr. McGrew’s session on Wednesday, September 25th, at 4:15 p.m. CST in Ballroom 2 of the Von Braun Center.
Each year at the National Cyber Summit I present a detailed technical session on malware analysis. I select a piece of malware that has been attributed to a nation-state sponsored threat actor (typically foreign military/intelligence) and walk through the technical details of how it works with the audience. It’s listed on the conference agenda as an “advanced” session, but that’s relative to the broader context of the conference. For those looking to get into software reverse engineering, it’s a good introduction to the approach and basic concepts and has served as a starting point for attendees to begin their own technical education in malware analysis. Non-technical attendees may not follow every detailed step of the analysis, but they can see what information can be derived from advanced persistent threat group malware, and the tactics and strategies used by these groups.
For this presentation, I usually choose a single piece of malware to demonstrate. Most years, this takes as much time as anything else in developing the presentation, because there are certain criteria I keep in mind.
It should:
• …have some relevance to current events, to capture the interest of the conference attendees.
• …be associated with a nation-state sponsored threat group. National Cyber Summit attendees run the gamut of organizations trying to protect against direct threats to national security.
• …be accessible to a software reverse engineer that’s early in their learning path. While I cover advanced topics in my presentations, something too sophisticated is difficult to completely dissect in a 45-minute presentation.
• …be available. Often, the samples that I lead analysis on as part of projects and engagements at MartinFed are under distribution restrictions, due to a variety of confidentiality agreements and concerns. For a public presentation at a conference, I like to use malware that has already been publicly distributed and partially analyzed, so that technical attendees can “follow along” with my work. I lean heavily on VX-Underground’s work on archiving and distributing malicious software samples.
• …be interesting. I like to discuss the tactics, strategy, and design decisions about the malware I discuss.
This year, I’ve selected a malware sample designated by Google/Mandiant’s analysis team as MINIBUS. It has been attributed to the Islamic Revolutionary Guard Corps, a branch of the Iranian armed forces, and has been used in targeted intelligence-gathering attacks against Israel during the ongoing Israel-Hamas conflict, certainly ticking the box for relevance. MINIBUS isn’t too technically complex to cover in the context of my National Cyber Summit talk, and a sample of it has been made publicly available on VX-Underground.
MINIBUS is delivered via email and takes the form of an application that purports to be part of a social network for the Israeli “Bring Them Home” movement, which campaigns for the return of Israeli hostages held by Hamas. This is a decoy application. In the background, as it installs and runs, it also installs a “remote access trojan” that allows the attackers to remotely execute code on the target system and control it.
At MartinFed, I’ve enjoyed developing and teaching several training classes on offensive security topics, among them red team tool development. If the developers of this malware had to submit it as a final project for one of my classes, I’m sure I’d return it with notes for improvement (I don’t think the IRGC will mind or care about me saying so). It’s bulky and clunky: it requires that the victim unzip a file into a folder, navigate into that folder, and run it. It has a weird-looking installer that places the fake application into a folder on the desktop—not a normal location for an install. The fake application doesn’t work after being installed (at least not in a Windows 11 virtual machine). An analyst can tell at a glance which files are decoys and which files are of operational interest simply by looking at which ones have more recent timestamps.
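The timestamp triage mentioned above, as an added example that is not part of the original post or of any published MINIBUS analysis: it reads the entries of a delivered archive, takes the most common modification date as the decoy baseline, and flags entries dated well after it. The archive, its file names and its dates are constructed here for illustration; timestamps are trivially forged, so this is a first look that tells you where to point the disassembler, not evidence on its own.

```python
import datetime
import io
import zipfile
from collections import Counter


def build_sample_archive() -> bytes:
    """Constructed sample: four decoy files share an old build date, two
    components were added months later. Names are placeholders, not IoCs."""
    entries = [
        ("DecoyApp/app.exe", (2023, 3, 14, 10, 0, 0)),
        ("DecoyApp/resources.pak", (2023, 3, 14, 10, 0, 0)),
        ("DecoyApp/locale/en.json", (2023, 3, 14, 10, 1, 0)),
        ("DecoyApp/libcore.dll", (2023, 3, 14, 10, 1, 0)),
        ("DecoyApp/update.dll", (2023, 11, 2, 22, 41, 0)),
        ("DecoyApp/svc.exe", (2023, 11, 2, 22, 43, 0)),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, dt in entries:
            # ZipInfo lets us set the stored DOS date/time explicitly.
            zf.writestr(zipfile.ZipInfo(name, date_time=dt), b"placeholder")
    return buf.getvalue()


def triage_by_timestamp(zip_bytes: bytes, day_gap: int = 30):
    """Return (baseline_date_iso, flagged_names).

    The baseline is the modification date shared by the largest group of
    entries (the bulk of the decoy application). Entries dated more than
    day_gap days after it are flagged for closer analysis.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        dates = {
            info.filename: datetime.date(*info.date_time[:3])
            for info in zf.infolist()
            if not info.is_dir()
        }
    baseline = Counter(dates.values()).most_common(1)[0][0]
    flagged = sorted(
        name for name, d in dates.items() if (d - baseline).days > day_gap
    )
    return baseline.isoformat(), flagged


if __name__ == "__main__":
    base, suspects = triage_by_timestamp(build_sample_archive())
    print(f"decoy baseline date: {base}")
    for name in suspects:
        print(f"  look here first: {name}")
```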
I can criticize their development choices all day, but in the end, did it negatively impact their mission? When we look at APTs, advanced persistent threat groups, we place a lot of emphasis on the “advanced”, when a close look often shows that the tools and tradecraft aren’t all that sophisticated. Persistence, mission focus, resources, and the audacity of being able to operate outside the law without consequence can make up for a lot of what we perceive as technical deficiency.
Many times, when I analyze nation-state sponsored malware, I see very little development effort put towards “anti-analysis”—properties and activities of the malware that make it difficult for software reverse engineers to pick it apart and understand how it works. Comparatively, profit-focused cybercriminals put much more effort into making their software hard to reverse engineer. Why is this, especially when the state-sponsored group clearly should have plenty of resources? It’s a consequence of strategic decisions. A cybercriminal typically profits from every moment that their malware is active on as many targets as possible. Any delay in analysis and detection directly translates to money in their pocket. An espionage-focused state-sponsored group, however, has a more limited number of targets, and will choose those that have a lower level of technical sophistication such that the “rough edges” of the malware won’t cause any suspicion. A state sponsored group will know that it’s “game over” the moment they gain the attention of a security analyst or reverse engineer, so putting much effort into making that analysis more difficult once it has begun is wasted.
If you are interested in learning more, I’m presenting more technical details of this Iranian malware Wednesday afternoon, 4:15 p.m., at National Cyber Summit in Huntsville. Before and after, I’ll be at the MartinFed booth on the vendor floor (Booth #613) and I’ll be happy to talk about malware analysis and offensive cyber operations. I hope to see some of you there, and to set some of you on the path of learning what reverse engineering capabilities can provide to you and your organizations.