Reversing the Gophe Spambot

This course is a part of BSides Huntsville 2020, a 8-course Paths series from Pluralsight.

Unobfuscated malware can still be overwhelming to analyze. Even accomplished reverse engineers may feel hand-wavey about STL and COM code. Take for example Gophe, a spambot associated with Dyre campaigns and Trickbot C2, which weighs in around 2.6 MB with a 10 KB WinMain, three embedded binaries, copious STL template-generated code, and multiple flavors of atypical COM usage. COM is 27 years old, and plugins are starting to materialize to automate its analysis, but Gophe presents a strong case for understanding COM directly and applying that knowledge to decompilation instead of assembly listings. Meanwhile, C++ reversing is well-covered, but the literature is largely orthogonal to STL code. In this talk, Michael Bailey of FireEye's FLARE Team will share how to tame STL code with knowledge of a few key structures and how to investigate COM usage that doesn't conform to the norm. This will include a guided tour of a Gophe sample to focus on tactics for effective STL and COM reversing by enriching decompilation in Hex-Rays. We'll examine what Gophe is doing with Outlook.Application, Microsoft's Messaging API (MAPI), and one other COM interface that it uses to hide from view. This reverse engineering case study is all ham and no spam, so bring your appetite!