Six months ago, Okta’s Infosec team built on the work of Riordan and Schneier to create an open source, environmentally-targeted keying solution, EBOWLA, for the security community to research, tear apart and learn from. Today, we’re pleased to share an update on the project we presented at the Ekoparty Security Conference in Buenos Aires.
Our hope is that defenders and reverse engineers can make use of the project updates to validate their preparedness and techniques against highly targeted malware. As discussed in our presentation, detection of malicious code in runtime interpreted languages is error prone and difficult. Shortly after our initial presentation at INFILTRATE, Kaspersky created an AV signature that flagged as malicious many of the most popular GO language applications such as Docker, a Bitcoin wallet and the actual Golang installer in an attempt to flag EBOWLA binaries – oops.
We’ve updated the project to include a new loader for PowerShell. This ubiquitous Windows scripting language is widely used in offensive testing and by defenders for incident response. Now the incident responder will need to be proficient in PowerShell debugging to begin the task of decrypting targeted malware that could also end up being more PowerShell! Post-Ekoparty, the team is working on a traditional loader using C++ compiled code, so stay tuned and visit our EBOWLA GitHub page for future updates.