Kyle Cucci
Last known affiliation: Proofpoint
Bio: Kyle Cucci is a malware analyst and detection engineer with Proofpoint’s Threat Research team. Previously, he led the forensic investigations and malware research teams at a large global bank. Kyle is the author of the book “Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats” and is a regular speaker at conferences, speaking on topics like malware analysis, offensive security, and security engineering. In his free time, Kyle enjoys contributing to the community via open source tooling, research, and blogging.
Randy Pargman 🗣 | Kyle Cucci 🗣
Abstract
This workshop consists of two parts:
First, we will build a Remote Access Tool (RAT) with indirect syscalls, shellcode execution and COFF loading capabilities, and other common features, which uses Microsoft Teams as its command and control (C2) channel. Participants will be provided with a VM for VMware Player or Workstation that has all the necessary source code and build environment set up. Participants will need to create a free M365 Developer tenant prior to starting the workshop.
In the second part, we will reverse engineer the Teams RAT binary and a loader, showing how to analyze stack strings and how to deal with opaque predicates, XOR string obfuscation, and the anti-debugging tricks used by malware.
If workshop participants were not able to create a free M365 Developer tenant before Microsoft changed the program's policy to limit it to Visual Studio subscribers, the workshop instructors will provide working accounts in a tenant for those participants to use.
To participate in this workshop, you will need to register for the free Microsoft 365 Developer Program, which creates your own Azure tenant with Microsoft Teams for the C2 channel. You will also need a laptop with VMware Player, Workstation, or Fusion installed and at least 30 to 50 GB of free disk space. You will be provided with a VMware VM that is set up with all tools; if you prefer not to use the pre-built VM, you can build your own Windows 11 VM and install Visual Studio set up for C++ development plus vcpkg, libcurl, cJSON, x64dbg, and IDA Free.
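The second part of the workshop names XOR string obfuscation and stack strings as techniques to be reversed. The following C program is an added illustration of that idea and is not code from the workshop or from the instructors: one function mimics how a sample assembles an XOR-encoded string on the stack and decodes it only at runtime, and two analyst-side helpers recover a single-byte key from a known-plaintext crib and decode the string. The encoded bytes, the key 0x5A, and the host name "https://graph.microsoft.com" are constructed for the example; nothing here is taken from the workshop binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample (assumption, not from the workshop binary): the bytes
 * below are "https://graph.microsoft.com" XORed with the single-byte key 0x5A.
 * A real sample would ship only these bytes; the cleartext never appears. */
static const uint8_t ENC[] = {
    0x32, 0x2E, 0x2E, 0x2A, 0x29, 0x60, 0x75, 0x75,             /* https:// */
    0x3D, 0x28, 0x3B, 0x2A, 0x32, 0x74,                         /* graph.   */
    0x37, 0x33, 0x39, 0x28, 0x35, 0x29, 0x35, 0x3C, 0x2E, 0x74, /* microsoft. */
    0x39, 0x35, 0x37                                            /* com      */
};
#define ENC_LEN (sizeof ENC)
#define KEY 0x5A

/* Malware side: copy the encoded bytes onto the stack one at a time (the
 * "stack string" pattern) and XOR-decode just before use, so strings/FLOSS
 * style tools see neither a contiguous cleartext nor a .rdata reference. */
size_t build_c2_host(char *out, size_t outlen) {
    uint8_t stack_copy[ENC_LEN];
    for (size_t i = 0; i < ENC_LEN; i++) stack_copy[i] = ENC[i];
    if (outlen < ENC_LEN + 1) return 0;
    for (size_t i = 0; i < ENC_LEN; i++) out[i] = (char)(stack_copy[i] ^ KEY);
    out[ENC_LEN] = '\0';
    return ENC_LEN;
}

/* Analyst side: brute-force a single-byte XOR key using a known-plaintext
 * crib (here, the "https://" every C2 URL starts with). Because XOR with a
 * byte key is a bijection, at most one key can match the whole crib.
 * Returns the key (0..255) or -1 if no key matches. */
int recover_xor_key(const uint8_t *enc, size_t enc_len, const char *crib) {
    size_t clen = strlen(crib);
    if (clen == 0 || clen > enc_len) return -1;
    for (int key = 0; key < 256; key++) {
        size_t i;
        for (i = 0; i < clen; i++)
            if ((char)(enc[i] ^ key) != crib[i]) break;
        if (i == clen) return key;
    }
    return -1;
}

/* Analyst side: decode the full blob with the recovered key. Returns the
 * number of bytes written (excluding the terminator), or 0 if out is small. */
size_t xor_decode(const uint8_t *enc, size_t enc_len, uint8_t key,
                  char *out, size_t outlen) {
    if (outlen < enc_len + 1) return 0;
    for (size_t i = 0; i < enc_len; i++) out[i] = (char)(enc[i] ^ key);
    out[enc_len] = '\0';
    return enc_len;
}

int main(void) {
    char host[64];
    char recovered[64] = {0};
    build_c2_host(host, sizeof host);
    int key = recover_xor_key(ENC, ENC_LEN, "https://");
    if (key >= 0) xor_decode(ENC, ENC_LEN, (uint8_t)key, recovered, sizeof recovered);
    printf("key=0x%02X decoded=%s match=%d\n", key, recovered,
           strcmp(host, recovered) == 0);
    return 0;
}
```

The crib-based recovery works for any single-byte key as long as the analyst can guess the first few plaintext bytes; multi-byte or rolling keys, which the workshop samples may use, need the key length recovered first (for example by looking for repeating XOR patterns across known-plaintext regions) before the same per-position search applies.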


Kyle Cucci 🗣
Abstract
In this session, we’ll delve into the world of DBatLoader and its interesting use of sandbox evasion techniques. We’ll explore how DBatLoader leverages a variety of anti-sandbox and anti-analysis techniques to frustrate both automated tools and human analysts. From the insertion of junk code and memory bombing to its use of arbitrary memory writes and AMSI unhooking, DBatLoader doesn’t want to be stealthy – it just wants to destroy your sandbox. But it’s not all doom and gloom! We’ll wrap up by discussing strategies for identifying DBatLoader in the wild and mitigating its evasive tactics, offering practical advice and lessons learned along the way.

Kyle Cucci 🗣 | Randy Pargman 🗣
Abstract
Ready to dive into the world of malware evasion techniques? This hands-on workshop will give students the tools and skills to spot and defeat evasion tricks used by malicious code. Split into three “modules,” the workshop will take you on a journey of analyzing malware with free, open-source tools. You’ll tackle evasion techniques head-on, learning how to see through the malware’s tricks and gain a deeper understanding of its behavior.
Expect a mix of instructor-created malware (with code to analyze alongside the samples) and real-world malware found in the wild. By the end, you’ll walk away with a collection of malware samples, pages of code, and the expertise to continue your analysis at home. Plus, you’ll have the know-how to bypass common anti-analysis and evasion methods that malware uses to sneak past sandboxes and endpoint defenses. Are you ready to level up your malware analysis skills? Let’s dive in!
