Course Review - Kaspersky Targeted Malware Reverse Engineering
Getting to know real-life APT malefactors, Miss IDA and APTs with members of the Global Research and Analysis Team (GReAT) - and a Q&A with the course instructors
Disclaimer: The views, methods, and opinions expressed at Anchored Narratives are those of the author and do not necessarily reflect the official policy or position of my employer.
Introduction
Malware reversing is a great topic as an anchored narrative. Without detailed knowledge of it, you might miss relevant indicators of compromise, fail to spot false flags, or overlook other secrets stored in a sample. The better you get at it, the more you will understand file formats, data structures, programming routines, etcetera. As I’m very interested in the geopolitical cyber conflict between nations, I found that Kaspersky delivers a virtual training course called “Targeted Malware Reverse Engineering.”
According to their course overview description, “reverse engineers are not born but made by experience.” The course description immediately caught my attention as it focuses on powerful real-life APT actors. Kaspersky has shared its detailed, high-quality malware analysis on its well-known Securelist website for many years. That said, it is my firm belief that if you work in this field, you need to maintain your malware reversing skills, much like a first-aid obligation in real life. Since my job was not really hands-on anymore, this seemed like a great learning opportunity.
In this anchored narrative, I will review the targeted malware analysis training by course setup, learning objectives and lessons learned, and end with a Q&A section with the course instructors. This review will not give any spoilers. Let’s go.
My reversing background
In 2005, while working for Hoffmann Investigations, I went to the SANS 508 forensics training in San Diego. During that time, you were still allowed to buy course material from other courses. I bought the course material for the GREM 601 course by Lenny Zeltser. I took the syllabi to my hotel room and did not participate in any social event that night, as the GREM course material was just great and really opened my eyes. Later that year, I took both the 508 and GREM exams and passed. Still, my knowledge about reversing was very limited due to limited exposure to real malware. In the years that followed, that would rapidly change, as I have participated in and led investigations into many nation-state breaches by actors originating from Iran, China, and Russia and have been tracking them with YARA ever since. Much later, I also followed a malware reversing class from Mandiant in Washington. During those courses, the main objective was to quickly obtain relevant indicators of compromise and understand static and dynamic malware reversing. My exposure to the famous disassembler IDA was limited compared to OllyDbg or, now, x64dbg. So over the years, my malware reversing experience grew, but compared to real reversers, like the Kaspersky instructors Denis and Ivan in this training course, there is enough room to grow :).
Course Setup
Before enrolling in this course, I first requested demo access to understand how the course would be delivered virtually. After the demo access to one of the labs, I decided to enroll. Once registered, you will be onboarded in the learning environment of Kaspersky training.
In the learning environment, you will obtain access to the following:
Training manual of the course with information about the 10 cases used in the wild by powerful APT actors
Access to the 10 APT actor cases with detailed video instructions given by Denis or Ivan
100 hours of lab time delivered via Cloudshare on a virtual Windows 2019 server with some tools installed like Hiew, x64dbg, and an IDA Pro version.
The total learning time is valid for 6 months. The learning environment works like a charm and is well structured and organized. One of the benefits of virtual videos is that the instructions given by Denis or Ivan are subtitled. I found this particularly useful when keyboard shortcuts were given in IDA Pro. I do miss an overview of frequently used keyboard shortcuts, though. What I also like is that two non-native English speakers are giving the training. Somehow their slow-paced storytelling resonated really well with me.
Each APT threat actor case is closed off with some questions after each video that need to be solved in the virtual lab with IDA Pro. See figure 2.
In most of the 10 threat actor cases, the lab is closed with a new quiz sample, where you basically need to repeat your analysis steps in the virtual lab on your own and find the correct answers to the challenging questions.
Course instructors
I already mentioned them briefly, but the course instructors are Denis Legezo and Ivan Kwiatkowski, two experienced members of GReAT (Global Research & Analysis Team), which focuses on APT research. Denis comes from Russia, and Ivan comes from France. As mentioned earlier, both instructors are also responsible for the in-depth analysis publications on the Securelist website, including some of the 10 APT threat actors covered in this malware reverse engineering course. The two instructors deliver the learning experience differently. Denis focuses on the fundamentals of IDA Pro and explains really well, while Ivan demonstrates the power of automation in IDA with Python. I learned a new term from Denis, namely malefactors: a person who commits a crime or some other wrongdoing. This term is used to refer to the actors behind the malware. Furthermore, Denis calls IDA “Miss IDA” and x64dbg “Mr. Debugger”; why, we will find out later in the Q&A with them.
Course Review and Lessons Learned
I really enjoyed this malware training by Kaspersky, as it is a very practical course in which you need to analyze multiple APT malware cases. You have a great lab environment and are free to do extra analysis on the malware cases provided. One of my main learning experiences was getting really familiar with IDA Pro and all its functionality. Until this course, I only had access to the IDA Free edition on my own virtual machine. IDA Pro makes the difference and is very useful. Also, both course instructors basically do all their analysis in IDA Pro in the end.
Besides this, I learned about a tool called Hiew, which can be used for all kinds of analysis tasks, but primarily for surface analysis of malware samples. During the 10 malware tracks, I was taught to reverse-engineer programs written in different programming languages or heavily obfuscated scripting languages (C, .NET, Delphi, PowerShell, JavaScript, C++). I also analyzed malware samples compiled for 64-bit architectures or other operating systems such as Linux and, of course, shellcode.
The tracks start at a basic level and become increasingly complicated toward the end.
Pros and Cons
One of my personal goals during this COVID-19 pandemic was to refresh or even improve my malware reverse engineering skills. This course helped me achieve that. That said, you’ll need to really enjoy reverse engineering malware samples after taking multiple virtual calls for your work. The whole virtual experience of the current work-from-home environment can be exhausting. I was getting a bit tired at the end, so you need to be disciplined and remove all distractions. Disable your messaging agent(s) on your computer and block time for it. I started this training halfway through May and ended it in July 2021.
One of the improvements that the course instructors could make, and I have given them that feedback already, is to provide a cheat sheet with all the relevant keyboard shortcuts in IDA or other tools used. Ensure that you read the prerequisites before enrolling in this training and are familiar with scripting languages like Python.
One of the things I missed was how to track these powerful real-life APT threat actors with a language called YARA, but I believe that is on purpose, as Kaspersky also provides a training called Hunt APTs with Yara like a GReAT Ninja. So maybe I will enroll in that training next time to further enhance my tracking skills.
Buy or Not
This course is not aimed at people who have no experience with malware reversing; it is especially aimed at people who already have some experience with it but need to improve their game. From my professional background as a manager of teams, I believe this training would help many cybersecurity specialists in their maturity journey. Also, the pricing for the offered learning environment ($1400) is very competitive compared to the SANS malware track, for example, which costs nearly $7000 depending on the delivery method.
So a definite buy, if you are a disciplined person and can systematically work online besides your day job. The learning environment is GReAT, and cases are fascinating to investigate.
Q&A with Denis Legezo and Ivan Kwiatkowski
During the course, students also had the opportunity to ask questions about the course and interact with the course instructors. On the 24th of June 2021, a webinar was offered by Kaspersky where the students could raise questions about the course or any other related topic. Students were invited to share their questions before the webinar so the instructors could prepare. Ivan was present in the session; Denis followed up on questions via e-mail.
Geopolitical questions
Question 1: How do you pick relevant samples for the Securelist blog? The stories usually have a geopolitical background. How do you differentiate between crime, ransomware, and nation-state malware samples?
Answer Ivan: “We do try to cover the whole spectrum of threats. The GReAT team is located all over the world in different countries. By having so many researchers across the globe, I (Ivan), for example, live in France, but focus a bit on Chinese-speaking threat actors.”
“We have 40 people on the GReAT team. Multiple team members work on similar threat actors. Sometimes we work on blog posts on research from our peers. We track the actors we are specialists in. I, for example, focus on Chinese-speaking threat actors. We have developed a custom crawler to detect watering hole attacks. We have a big list of political or ethnic minority websites which the crawlers monitor. We also do telemetry diving. We do, for example, some requests for mimikatz executions in the Kaspersky data. We do not attribute to nation-states! We never make this connection, as this is a political process. We can only lose.”
Question 2: Do you work with the MICTIC framework (Malware, Infrastructure, Control Server, Telemetry, Intelligence, Cui Bono) from Dr. Timo Steffens to attribute certain actors? If not, how does Kaspersky attribute to certain nation-states?
Answer Ivan: “We’re not utilizing this framework yet, as I’m not familiar with it. We have a more collegial approach. We have a review committee and try to be critical about the research papers and raise critical questions. We talk with each other and challenge each other in a peer-to-peer process. As mentioned earlier, we do not attribute to nation-states.”
Question 3: Which nation-state actor is, in your opinion, currently the most underestimated one?
Answer Ivan: “The Chinese-speaking threat actors are very underrated. Have a look at what they are doing now compared to 10 years ago. See their work at the SyScan conference in Singapore. Also, look at the hunting competitions and the zero-days being produced by the teams of Alibaba and Tencent. Similar to iOS jailbreaking. They are very capable. They are doing many things that we do not even know about. I believe that there are some Chinese-speaking high-profile APT actor groups that we have not even seen before.”
Question 4: What about France's threat actor groups? (Ivan is from France)
Answer Ivan: “That is a nice question. There was an actor which was suspected to originate from France, called Animal Farm. We reported about them in 2015. That Animal Farm actor group is now nowhere to be seen.”
Malware analysis method
Question 5: Do you always start with static analysis, or do you prefer dynamic analysis?
Answer Ivan: “I want to go in-depth. I do not use dynamic analysis too much anymore, as I know that I have to do the analysis in IDA later. We are very much focused on research in the GReAT team. For teams working in CERTs, dynamic analysis is more likely due to much tighter time constraints. We want to really understand how the malware works, and IDA is the best for it.”
Question 6: Once you have statically analyzed a sample, you want to extract the malware configuration, but why don’t you do that via sandboxing detonation? Is config extraction preferred?
Answer Ivan: “If detonation in a sandbox works. Sometimes running the samples in a sandbox does not reveal all the relevant indicators of compromise (IOCs). Sometimes, after hunting in our telemetry data, we find 200 samples, which is just too much for our internal Cuckoo sandbox. A Python script is just easier and more effective. Whatever works. In the Biodata track of the training, for example, we found 200 samples.”
Question 7: Why does Denis call IDA “Miss IDA” and call a debugger “Mr. Debugger” during the tracks?
Answer Denis: “That is because IDA is obviously a girl and debugger sounds to me like a boy.”
Question 8: When will the Advanced Reversing course be offered?
Answer Ivan: “Somewhere at the end of this year or the beginning of the next year. This course is geared towards people that are already familiar with IDA.”
Question 9: Why is there no certification challenge after the end of the track?
Answer Ivan: “It is complicated. We need to have a wider catalogue of training first. Certification is also very difficult with online training. There is that element of cheating. We do not want to police our students. More of an honor system. With the OSCP exam, there was so much cheating that you now need to have a webcam online. We find that a bit crazy. We would like to expand our training portfolio and share as much knowledge as possible.”
Question 10: I sometimes notice poor malware analysis in publications on the company website. How do you detect flawed malware research?
Answer Denis: “There are unlimited options to spoil the research: don't provide any indicators of compromise, mark something like Tor exit nodes as C2, too much politics-related hype, do only a surface analysis, and skip something unusual and interesting in operators' tactics. Could I also mention that there are some trade-offs in incident response - outstanding actor coverage and depth of technical detail are barely achievable at the same time with a limited number of experts, right?”
Answer Ivan: “In my opinion, it’s actually quite simple: good research needs to be reproducible so that other people can confirm the findings. Whenever information that would allow us to verify the work on our own is absent (no IOCs, information explicitly left off for confidentiality reasons, etc.), I usually interpret it as a sign that something is off. I’m also wary of publications that do not provide a confidence level with their conclusions: threat intelligence is not an exact science and the information we release needs to be assessed critically. It is also crucial to me that the author’s reasoning can be followed from start to end, without any gaps. Unexplained leaps are always suspicious to me.”
Question 11: A lot of other research is presented on new actors. What do you consider reliable sources for malware reversing? Can they be other companies or researchers?
Answer Denis: “Like any other colleagues in the threat intelligence industry, we are monitoring the reports of each other and check them against our own telemetry. Sometimes our research is a starting point for new valuable add-ons with links to original research and vice versa.”
Answer Ivan: “Our competitors (who often happen to be good friends of ours) do a great job, and we follow their work assiduously. National CERTs are usually a good source of information too, and finally, there are a number of specialized or independent blogs which are often worthy of interest. Apart from this, a lot of information gets dumped on Twitter “as-is”, but requires a little more filtering. It’s really a matter of curating trusted sources over time, whatever they are.”
Question 12: How do you see the future of malware reversing? Do you expect new threats or methods?
Answer Denis: “In terms of hardware platforms, I now see some shift to the ARM architecture, and it obviously would affect malware analysis. For how long will this shift last? Who knows, maybe the next Intel processor would be a prodigy. But in the short term, I suppose for the reversers the significance of ARM would grow.
Also, "the clouds" are upon us even here. Automated tools like the Copilot plugin for VSCode would make third-party code reuse even easier, so on the analyst side there should also be tools to detect code similarities and share the analysis results.
In terms of compilers - obviously, the Go language is already here in the malware world. I would expect any new popular compilers to be applied for malware as well; the malicious developers are still developers, aren't they?”
Answer Ivan: “The cat and mouse game between malware authors and defenders isn’t going to stop anytime soon, but at the same time, we don’t really see that many technological leaps (or maybe it’s me being short-sighted). I expect that the future will bring us more obfuscation, more packing, and also more “fragmented” malware (where components are split into a lot of different files) – but at the end of the day, it will always be a matter of watching instructions being fed to a CPU. I’m distantly worried about DRM technology, which is developed as a safeguard against software piracy and whose very purpose is to prevent reverse-engineering or tampering of legitimate software. Such technologies might also, in the future, prevent us from accessing malware. It’s a problem that we’re already facing, in a way, with “walled garden systems” such as mobile devices of a certain fruit-related brand, where the very architecture prevents owners from inspecting files and running processes.”
I think it is a very bad course. It is overestimated and overvalued. There are inconsistencies between the proposed solutions in the videos and the actual content (malware). It is practical, but practice comes before theory; bad English from one of the instructors. I would not suggest anyone purchase such a course. Disappointing. At least they could provide the malware samples and give lifetime access to the training material at this cost.
I do think not providing the samples to students who take the course was a negative on their part (almost any malware analysis course I can think of provides samples to students to further work on them outside of the course).
Otherwise, I can see how it's a great course and has a lot of good content.