On Monday, at Black Hat 2020, BlackBerry released PE Tree, a free, open-source malware reverse engineering tool to help fight cybersecurity attacks. Initially developed as an internal tool, PE Tree is now available to the wider reverse engineering community battling increasingly inventive computer security threats.
This comes at a crucial time, when businesses are facing increased security risks with the normalization of flexible work arrangements. Employees logging in from home are now accessing corporate data from various unchecked personal devices, potentially exposing company data to risk. According to data published by Symantec, approximately 24,000 malicious mobile apps are blocked every day. According to network security company RSA, attacks from rogue mobile apps have increased by 300%.
PE Tree was made public by BlackBerry’s Research and Intelligence team, which “examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve,” proving BlackBerry’s commitment to the “cybersecurity community in the fight against constantly evolving cyber threats”.
As further confirmation of BlackBerry’s firm stance against cyber threats, Eric Milam, BlackBerry’s Vice President of Research Operations, shared that “as cybercriminals up their game, the cybersecurity community needs new tools in their arsenal to defend and protect organizations and people. We’ve created this solution to help the cybersecurity community in this fight, where there are now more than one billion pieces of malware with that number continuing to grow by upwards of 100 million pieces each year.”
PE Tree will significantly reduce the time and effort necessary to reverse engineer malware. It supports Windows, Linux, and Mac operating systems and can be installed either as a standalone application or as an IDAPython plugin. Built on pefile (a multi-platform Python module that works with PE files) and PyQt5 (a module that creates graphical user interfaces), PE Tree lets users view Portable Executable (PE) files in a tree view.
With a range of features designed for ease of use, PE Tree allows easy navigation of PE structures, import reconstruction, and the ability to dump in-memory PE files through integration with Hex-Rays’ IDA Pro decompiler. For complex cases, certain portions of the PE file can be saved or exported to CyberChef for further processing.
Despite the extensive features of this first iteration, PE Tree will remain under active development, both to improve its functionality and to keep the tool agile and up to speed with the fast-moving landscape of cybersecurity attacks.