Context Dons Cape to Fight Nation State APTs


Cybersecurity consultancy Context Information Security has released a new open source tool designed to reverse engineer sophisticated nation state malware.

Cape is apparently an extension to the Cuckoo malware analysis platform which automates much of the heavy lifting when it comes to taking apart specific malware types.

It has been built to extract payloads and configuration data from APT malware including PlugX, EvilGrab, HttpBrowser and Sakula.

It extracts any malware that uses process hollowing and process injection as well as custom packers like modified versions of UPX, which are often seen in nation state attacks, Context said.

Head of threat, Kevin O’Reilly, argued that the time and skills required to reverse engineer new malware as quickly as possible are one of the biggest challenges facing the industry.

What’s more, automated tools are often limited in their ability, he added.

“Cape complements the underlying malware analysis platform Cuckoo with additional techniques designed specifically to extract the malware payload and configuration, allowing analysts to get straight to the heart of the threat and extract the indicators of compromise (IOCs),” said O’Reilly.

“We hope that the security community will make use of Cape and contribute to further package development to cover more malware families, packers and techniques.”

Context will also release a Windows-compatible Cape virtual appliance and set up an online Cape instance where people can submit samples without having to set it up themselves.

Nation state targeted attacks continue to be a major threat to organizations – but it’s not just a challenge for firms in the West.

A Chinese group targeting organizations in Russia with the information-stealing NetTraveler trojan was discovered in July, for example.

In June, the ScarCruft APT began targeting over two dozen victims in Asia and Russia.

In its M-Trends report of February, FireEye’s Mandiant business warned that APT malware is becoming increasingly sophisticated, outstripping IT’s ability to respond.
