New Vectors, New Keys – Updated EBOWLA

Josh Pitts and Travis Morrow

Six months ago, Okta’s Infosec team built on the work of Riordan and Schneier to create an open source, environmentally-targeted keying solution, EBOWLA, for the security community to research, tear apart and learn from. Today, we’re pleased to share an update on the project we presented at the Ekoparty Security Conference in Buenos Aires.

Our hope is that defenders and reverse engineers can make use of the project updates to validate their preparedness and techniques against highly targeted malware. As discussed in our presentation, detection of malicious code in runtime-interpreted languages is error prone and difficult. Shortly after our initial presentation at INFILTRATE, Kaspersky created an AV signature intended to flag EBOWLA binaries; instead it flagged as malicious many of the most popular Go applications, such as Docker, a Bitcoin wallet and the Go installer itself – oops.

We’ve updated the project to include a new loader for PowerShell. This ubiquitous Windows scripting language is widely used in offensive testing and by defenders for incident response. Now the incident responder will need to be proficient in PowerShell debugging to begin the task of decrypting targeted malware that could also end up being more PowerShell! Post-Ekoparty, the team is working on a traditional loader using C++ compiled code, so stay tuned and visit our EBOWLA GitHub page for future updates.

Josh Pitts
Principal Hacker, Offsec Team

Josh Pitts is a Principal Hacker at Okta on our offsec team. He has over 15 years' experience conducting physical and IT security assessments, IT security operations support, penetration testing, malware analysis, reverse engineering, and forensics. Josh also served in the US Marines working in SIGINT.

Travis Morrow
Security Architect and Sr. Manager of Offensive Security

As the leader of Okta’s Offensive Security Team, Travis Morrow specializes in application penetration testing, reverse engineering, malware analysis, and security architecture. With over 15 years of industry experience, he enjoys researching mechanisms that automate the attacker’s job and make the defender's life more challenging. Travis has spoken on topics ranging from mobile security to genetic malware at events such as Black Hat, Immunity Infiltrate, and Amazon ZonCon. When he isn’t breaking things, he spends his free time tinkering, snowboarding, drinking coffee, and learning the hardware side of RE.