Reverse APT Malware with Ghidra

Abstract

In this course, we first introduce APT fundamentals in order to understand the threats and behaviour of APTs. Then we explain three different APT cases from Taiwan, Japan and Korea. In Taiwan's case, Operation ShadowHammer is a classic supply chain attack. JPCERT discovered that the Taidoor malware was used in Operation Bitter Biscuit. Kimsuky, another state-sponsored APT campaign, targets many South Korean organizations.

To analyse these APTs, we then introduce tools that can be used for threat hunting, that is, regularly searching for hidden APT activity. The tools introduced include Moloch, ELK and YARA.

In the last part, we move on to reversing the APT malware. Using Ghidra, we can analyse these APT malware samples. Techniques for dealing with APT samples are introduced here, e.g. PE header parsing, decryption/decoding, shellcode, data structures and import table hashing.

Trainer

Name: C.K. Chen
Bio:
Chung-Kuan Chen is currently a senior researcher at CyCraft, where he is responsible for organizing the research team. He earned his PhD in Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerabilities, malware and program analysis. He tries to utilize machine learning to assist malware analysis and threat hunting, and to build automatic attack and defense systems. He has published several academic journal and conference papers, and has been involved in many large research projects ranging from digital forensics and incident response to malware analysis. He is also dedicated to security education. Having founded the NCTU hacker research clubs, he has trained students to participate in world-class security contests, and has experience participating in DEFCON CTF (2016 with HITCON Team and 2018 as coach of the BFS team). He organized the BambooFox Team to join several bug bounty projects and discovered some CVEs in COTS software and several vulnerabilities in campus websites. He has also given technical presentations at conferences such as BlackHat, HITCON, HITB, RootCon, CodeBlue OpenTalk, FIRST and VXCON. As an active member of the Taiwan security community, he is the chairman of the HITCON review committee and ex-chief of CHROOT, the top private hacker group in Taiwan.

Back to GCC 2021 Online Page