Context Information Security is launching its new open-source tool for reverse engineering nation state malware today at 44CON 2016 in London. CAPE, an extension to the open-source malware analysis platform Cuckoo, automates many of the complex tasks performed by skilled analysts when dissecting nation state malware families or particular malware techniques.
CAPE has been designed to extract payloads and configuration data from APT (Advanced Persistent Threat) malware such as PlugX, EvilGrab, HttpBrowser, Sakula and many more, via a single intuitive malware analysis platform. It also extracts payloads from malware that uses techniques such as process hollowing and process injection, and unpacks custom packers such as modified or hacked versions of UPX, which are commonly seen in nation state attacks.
“In the fields of malware research and threat intelligence, one of the biggest challenges faced by the security analysts is the significant time and skill required to reverse engineer new malware samples as quickly as possible,” said Kevin O’Reilly, Principal Consultant at Context Information Security. “There are systems designed to automate this process but they are often limited in their ability or usefulness. CAPE complements the underlying malware analysis platform Cuckoo with additional techniques designed specifically to extract the malware payload and configuration, allowing analysts to get straight to the heart of the threat and extract the indicators of compromise (IOCs). We hope that the security community will make use of CAPE and contribute to further package development to cover more malware families, packers and techniques.”
Context’s O’Reilly will be presenting CAPE today at 44CON in London. It will also be released as an open-source project on the same day on the Context GitHub website: https://github.com/ctxis/CAPE. This will be followed by a series of blog posts about CAPE and how it can be used and extended.
Context will also be releasing a Windows-compatible CAPE virtual appliance and setting up an online CAPE instance where people can submit samples without having to install CAPE themselves.