Schedule
Tuesday 26th April 2022
Solomon Sonya 🗣
Abstract
Malware continues to advance in sophistication and prevalence. Well-engineered malware can obfuscate itself from the user, the network, and even the operating system running host-based security applications. But one place malware cannot easily hide itself is within volatile computer memory (RAM). Although an essential part of detection engineering and exploit development, memory analysis is not trivial to master. Additionally, inefficiencies exist within the current approach to conducting memory analysis, resulting in greater consumption of time and resources while reducing analysis accuracy.
This workshop solves this problem by delivering a new tool that provides advanced memory analysis and releases a new construct that revolutionizes memory forensics. Additionally, this tool provides new correlation algorithms, user interaction, and plugin aggregation to enhance analysis, increase accuracy, and completely automate the process for you, saving hours of analysis time. Lastly, this tool provides a true snapshot analysis, giving a better mechanism to discover and extract indicators of compromise during malware analysis. At the conclusion of this workshop, exploit developers, reverse engineers, digital forensics experts and incident responders will walk away with a new toolkit that will revolutionize the way we perform memory forensics.
Michał Praszmo 🗣 | Paweł Srokosz 🗣 | Paweł Pawliński 🗣
Abstract
During almost a decade of malware analysis experience at CERT.pl, we have tried many different approaches. Most of them failed, but we have learned a lot about what works and what does not. Finally, after several years of development, we publicly released a bunch of projects that we are proud of: a complete open-source malware repository and analysis platform.
The workshop will provide a practical hands-on introduction to all aspects of the platform:
mwdb: community-based online service for analysis and sharing of malware samples. The service is freely available to white-hat researchers and provides fully automated malware extraction and botnet tracking.
mwdb-core: self-hosted repository of samples and all kinds of technical information related to malware configurations.
karton: microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of the time on adapting workflows to the karton framework.
malduck: our library for malware extraction and analysis. We will explain how to use it effectively and how to create your own modules.
All components are already available on our GitHub page.
Nicolas Collery 🗣 | Vitaly Kamluk 🗣
Abstract
This workshop aims to share knowledge of live triage and analysis of remote compromised systems to assist incident response, digital forensics, or malware discovery and in-place analysis. There are many other applications of the techniques and tools, which the participants are encouraged to explore on their own.
Although the knowledge shared during the workshop can be applied independently of the tools proposed, it starts with the attendees building their own toolkit for remote threat reconnaissance. It features Bitscout, a project based on a collection of free open-source software for Linux, that is extendable with any set of tools the analyst wants to embed before or in the middle of the operation.
Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may trigger alerts of advanced threat actors. Once alerted, a clean-up operation and destruction of evidence can happen. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or the scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful. Bitscout, used for the workshop, is just one such toolkit.
In addition to working with local virtual machines during the workshop, the attendees will be provided with access to 60+ live servers to be analysed simultaneously to simulate a large-scale compromise. Online access will therefore be required.
Wednesday 27th April 2022
Rustam Mirkasymov 🗣 | Semyon Rogachev 🗣
Abstract
This talk is about how we found the flaw in the C&C calculation algorithm of the RTM botnet and used that logical weakness to sinkhole the botnet. As a result, we obtained a list of compromised machines and the ability to shut down and disrupt the whole botnet.
Luca Brunoni 🗣 | David Décary-Hétu 🗣 | Olivier Beaudet-Labrecque | Sandra Langel
Abstract
Discussion forums are asynchronous communication channels hosted on internet websites. An important component of discussion forums is the marketplace section most forums host. This section enables official and unofficial vendors to post messages about goods and services for sale, and for customers to request certain products as well. The aim of this research is to describe and understand the impacts of the private nature of discussion forums on their participants’ activities. Our driving hypothesis is that private discussion forums are host to more sophisticated participants that will, in turn, offer and have access to more sophisticated tools. More specifically, this paper will compare public and private discussion forums to describe and understand the primary and secondary types of malware their participants advertise, the infrastructure the malware targets, the freshness of the malware being advertised, the quality (based on price) of the malware being advertised and, finally, the level of trust in the sellers of malware. Our findings suggest that while private discussion forums may not be the place where unknown and more sophisticated malware is offered for sale, they just may be the place where the most significant and organized threats come from.
Leon Böck 🗣 | Shankar Karuppayah 🗣 | Dave Levin | Max Mühlhäuser
Abstract
To this date, P2P overlays remain a popular choice for botnet command and control. With the rise of recent IoT botnets, we aimed to monitor multiple IoT P2P botnets at the same time, to compare them against each other and against traditional Windows-based P2P botnets. During this process we came across several challenges and insights in scaling and maintaining multiple monitoring operations simultaneously. In this talk we want to share our insights and introduce the Botnet Monitoring System, a tool to reduce redundancy and enable collaboration for P2P botnet monitoring.
Alexandre Côté Cyr 🗣 | Matthieu Faou 🗣
Abstract
TA410 is a cyber-espionage group that was first described in August 2019 by fellow researchers at Proofpoint. The threat actor shows interesting technical capabilities, with the use of complex implants, but has not received the same level of attention from the threat intelligence community as most major APTs.
TA410’s activity shares some characteristics, such as similar VBA macros, with past APT10 operations, but these are not sufficient to link them as a single entity. As such, some public reports have misattributed TA410 activities to APT10. In this presentation, we will clarify what TA410 is and how its activities differ from the current activities of APT10.
Jaromír Hořejší 🗣 | Daniel Lunghi 🗣
Abstract
Despite being illegal in some countries, the global online gambling industry grows steadily year after year, flourishing in the current environment dominated by the global pandemic. Not surprisingly, this trend was noticed by advanced threat actors, as we observed and analyzed campaigns targeting online gambling platforms.
In this research, we will focus on a multiplatform (Windows and Linux) campaign involving known espionage tools as well as new malware families. Operated by individuals with knowledge of the Chinese language, this campaign mostly targets online gambling customers in South East Asia.
We noticed some interesting infection vectors, such as backdoored or fake installers for popular applications, or even for a custom chat application, suggesting a very targeted campaign.
Bryan Oliver 🗣 | Austin Turecek 🗣 | Ian Gray
Abstract
Carding is one of the earliest forms of cybercrime. Since the 1980s, cybercriminals have developed various fraud tactics to steal and monetize credit card information. To prevent these types of attacks, financial institutions have developed anti-fraud measures to detect and prevent fraudulent transactions. These security precautions include checking various parameters like IP address, operating system, and browser fingerprint. This has spawned a cybercrime ecosystem of marketplaces selling fingerprints, referred to as “bots,” which are sourced from commoditized credential stealing malware.
In the beginning there was Genesis, an underground marketplace associated with “Genesis Security,” a browser plugin developed by the market administrators. On the market, users can buy stolen browser credentials, logins, passwords, and cookies that are harvested from a victim’s device. The Genesis Security plugin allows users to load data purchased from the marketplace and then modify it to create browser fingerprints. Since launching in 2018, several other marketplaces have also materialized: Amigos, Mouse in Box, and Russian Market.
Cybercrime web marketplaces selling bots have grown in the past 4 years. These shops can also provide a turn-key solution for utilizing stolen credentials to bypass browser-based online retail or banking authentication mechanisms. In this presentation we perform a large-scale analysis of this ecosystem across 4 bot shops. We crawled data and performed manual analysis to provide some insight into overall marketplace trends, overall infection trends, backend infrastructure, and cybercriminal profit.
Philipp Barthel 🗣 | Sebastian Eydam 🗣 | Werner Haas | Sebastian Manns
Abstract
This paper explains how we used VMI to detect an infection with the remote access trojan Winnti, specifically version 3.0, and how to extract and decrypt its communication data with its C&C servers. It should be seen as proof-of-concept work, as we did not use an actual attacker-controlled machine for our experiments. Instead, we simulated real traffic, thus making the malware believe it was connected to a genuine C&C server. We used Virtual Machine Introspection (VMI) to access physical memory through the hypervisor. This allowed us to spy on the malware in a manner where even the operating system is unaware of the fact that it is being virtualized. Therefore, an attacker would not know that an analyst is monitoring every step. The centerpiece of our approach is a method to extract and decrypt the communication data from the input and output parameters of system calls used by the malware, which is explained in detail along the way.
György Lupták 🗣 | Dorka Palotay 🗣 | Albert Zsigovits
Abstract
Sysrv-hello, or Sysrv for short, is a botnet that was first discovered in late December 2020. The malware is written in Golang and targets both Linux and Windows endpoints. Based on its propagation style, it is a malicious worm with one end goal in mind: to spread and mine the Monero cryptocurrency. It targets vulnerable Windows and Linux-based servers using numerous exploits.
We have closely followed the development of the Sysrv botnet from the defender’s perspective and gained insights into its operation. The botnet is still active as of today and new variants are released every couple of days, introducing either a new mining pool or an added feature. In this presentation, we would like to share our general findings of the botnet and shed some light on the development cycle of the Sysrv family. We will go into details like propagation methods, utilized exploits, the evolution of first-stage scripts, and the overall development of the malicious binary.
For our analysis, we used the Ghidra reverse engineering framework and simultaneously developed many custom scripts to aid in our Go binary analysis. We will share these scripts during our talk and explain how the Sysrv botnet helped us improve our malware-fighting toolset.
Thursday 28th April 2022
Max ‘Libra’ Kersten 🗣 | Rens van der Linden 🗣
Abstract
Malware campaigns plague enterprises, entrepreneurs, and individuals. Platforms and tools have been deployed to gain insight into the ongoing situation. Unfortunately, many of these platforms are rather pricey, which is a problem for me, as a student.
This talk will explain several concepts that will provide insight into campaigns, whilst keeping the total cost below $50. Analysts and students alike can use and expand upon these techniques in their own research.
Max ‘Libra’ Kersten 🗣
Abstract
Simply distributing malware is not a viable strategy anymore for criminal actors. To combat the ever-increasing defense mechanisms, malicious loaders are used. These loaders are meant to conceal the final payload from the prying eyes of anti-virus and anti-malware scanners. Even though these loaders are used over and over, they are often overlooked.
For this exact reason, as well as the fact that the CyaX-Sharp loader (also known as ReZer0) has interesting capabilities, this research focuses on a loader. Whilst being able to load any type of Windows executable, CyaX-Sharp is most often used to drop stealers. This talk provides insight into the loader’s inner workings, the flaw in its payload decryption routine, and an automatic payload and configuration extraction program. After the more technical segment, information will be given about the samples found and the trends observed within the data.
Yuta Sawabe 🗣 | Ryuichi Tanabe 🗣 | Fumio Ozawa | Rintaro Koike
Abstract
Since December 2019, Zloader has been revived as “Silent Night” and has been used in various attack campaigns. It has especially been used in two attack campaigns (PseudoGate and Malsmoke). These attack campaigns are aimed at users in Japan, Canada, or the U.S. to obtain banking-related information. Zloader connects to its C&C servers with HTTPS and domain names generated by a DGA. Therefore, it is difficult to detect Zloader’s attacks on the network.
We developed a system that collects information about infected hosts from logs on Zloader’s C&C servers. To find the C&C servers, we collected Zloader samples and extracted their internal config data by using several public services. We have been making use of the system since March 2021. This system observes all of Zloader’s C&C servers for various attack campaigns, and we know the Zloader infection scale of each campaign on a daily basis.
In this presentation, we will share the characteristics of Zloader first. Then, we will introduce the Zloader investigation system in detail. Furthermore, we will share the data obtained by the system and our considerations based on that data. Therefore, SOC, CSIRT and security researchers who research Zloader will be able to gain a deeper understanding and to take countermeasures against it.
Beatriz Pimenta Klein 🗣 | Lidia López Sanz 🗣
Abstract
Law enforcement has seized multiple card shops during recent years. However, every time there is a gap in the card shop business due to law enforcement countermeasures, exit scams by the market operators, or simply closure, new threat actors come into the space to fill the gap. This presentation will focus on our investigations into the current card shop ecosystem, from active shops that could grow in the vacuum left by Joker’s Stash’s withdrawal as well as other recently shuttered card shops. We will provide insights on some of the most relevant underground card shops nowadays, which types of products are offered, their prices, and related threat actors and business models. After this talk, the audience will have a clear idea of the current status of the underground card shop ecosystem.
Dominika Regéciová 🗣
Abstract
Terry and John are two malware analysts working for an unnamed antivirus company. Terry has worked there for many years, and he is helping John, who started recently, to learn more about their work. John is starting to use Yara — an excellent tool for the description and detection of malware families. With Terry, they are analyzing potentially malicious samples, and they are creating so-called Yara rules. This is not a simple task to do — Yara may be easy to use, but it is difficult to master. How to write the best rule possible? A rule that is good in detection, precise, but also fast? Luckily, they have help — a researcher, Caitlin, who is not scared to get really deep into Yara. Today, all three of them will go deeper into Yara than ever before — the journey down the rabbit hole can begin.
Anastasia Poliakova 🗣 | Andreas Pfadler 🗣 | Yuriy Yuzifovich | Ali Fakeri-Tabrizi | Gan Feng | Hongliang Liu | Thanh Nguyen
Abstract
In this session, we will present our approach for detecting newly emerging malware on a cloud platform and predicting its behavior, and doing so before VirusTotal or any other third-party detection engine can report it.
We will specifically describe our methodology for detecting emerging malware and predicting its behavior by combining an anomaly detection engine (which we refer to as ‘GAD’, General Anomaly Detection system) and a graph pattern-learning machine.
Alexey Bukhteyev 🗣 | Raman Ladutska 🗣
Abstract
In this talk, we analyze the prevalent malware family Formbook and its successor XLoader from different angles, including OSINT and technical sides. XLoader is a logical step in Formbook’s evolution: it is now able to target not only Windows but macOS as well.
Our aim is to help the listeners understand how the malware topped up prevalence lists, which approaches and tools to use for the analysis of this and other cases and how to stay protected from this threat.
Marcos Alvares 🗣
Abstract
Smokeloader (aka Sharik or SmokeBot) turned 10 in 2021! Few malware families make it to this mark without collapsing or getting caught by law enforcement. For over a decade, Smokeloader has been deployed as part of the distribution schemes of many high-profile financially motivated malware families, such as Dridex, Trickbot, ISFB and SilentNight. Its simplicity and business model have contributed to this longevity. This presentation intends to provide (i) a technical overview of key changes implemented over the past 10 years, (ii) statistics on customers and infrastructure and (iii) highlights of tactics that helped Smokeloader survive all this time.
Lightning talks
Friday 29th April 2022
Alexis Dorais-Joncas 🗣 | Facundo Munoz 🗣
Abstract
Air-gapping is used to protect the most sensitive of networks: voting systems, ICSes running power grids, or SCADA systems operating nuclear centrifuges just to name a few. In the first half of 2020 alone, three malicious frameworks devised to breach air-gapped networks emerged, making a grand total of 17 since Stuxnet in 2010. This prompted us to step back and reanalyze all those frameworks from the vantage point of having discovered and analyzed three of these in the past six years. We put the frameworks in perspective to see what history could teach us in order to improve air-gapped network security and our abilities to detect future attacks.
This exhaustive analysis allowed us to isolate several major similarities in all of them, even those 10 years apart. We pinpoint the specific areas of air-gapped networks constantly leveraged by malware and provide objective advice on how to best prioritize the deployment of resources to increase security.
Yael Daihes 🗣 | Hen Tzaban 🗣
Abstract
Data breaches of enterprises have been one of the most destructive and prominent security threats that enterprises have been facing in recent years. Some well-known APT groups as well as cybercriminals leverage legitimate web services such as GitHub, Twitter, Google Storage, and many more, in order to achieve their attack goals and breach an enterprise. Even supply chain attacks include the usage of the same original legitimate web service, just in a malicious manner.
Many network mechanisms rely on signatures to block outgoing communication from enterprise devices to malicious destinations in order to defend against such attacks. But what happens when you can’t simply block that destination? You’re not going to block all outgoing communication to GitHub, are you?
We suggest applying UEBA (User and Entity Behavior Analytics) to detect such malicious botnet activities and using other mitigation options, such as monitoring or blocking specific sessions or devices.
Mathieu Tartare 🗣
Abstract
Hundreds of thousands of Microsoft Exchange servers are exposed to the internet, making this Microsoft’s on-premises email server solution the target of choice for attackers. Since the beginning of 2021, Exchange has been subject to several critical vulnerabilities, including the ProxyLogon, ProxyShell vulnerability chains and their variations. We have been closely monitoring malicious activities related to these vulnerabilities since they were made public and discovered multiple APT groups exploiting them. This presentation will revisit the whole timeline of events and show how attackers systematically exploited these vulnerabilities and for what purpose.
On March 2nd, 2021, Microsoft released out-of-band patches for Exchange. These security updates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) allowing an attacker to take control of any reachable Exchange server without valid credentials. This vulnerability chain was first discovered by Orange Tsai, a well-known vulnerability researcher, who named it ProxyLogon and reported it to Microsoft on January 5th.
We discovered that this vulnerability was exploited by more than ten APT groups, starting on February 28th, 2021. They breached high-profile organizations, including governments, all around the world.
Eric Leblond 🗣
Abstract
Suricata is a well-known open source network threat detection engine. As such, it combines network security monitoring capabilities with advanced intrusion detection mechanisms. Datasets are one of the features that sit at the border of these two worlds. This presentation will introduce the feature and its advanced matching capabilities, and it will explain how it can be used to do real-time checks of various IOCs (IPs, user agents, file hashes) and to build sightings databases to alert on newly observed communication artifacts in the defended network.
Souhail Hammou 🗣
Abstract
Pay-per-install (PPI) services have been an integral part of the e-crime ecosystem for a considerable amount of time. PPI services monetize the wide dissemination of malware by providing malware operators with mass geo-targeted installs (aka loads) in exchange for money. A malware operator provides payment, malicious payloads and targeting information, while the PPI service oversees or outsources the distribution and delivery. The accessibility and moderate cost of these services serve as another weapon in the arsenal of malware operators for rapid, bulk and geo-targeted malware infections.
Our focus in this research has been on PrivateLoader, an undocumented downloader connected to an unidentified PPI service that delivers a panoply of malware payloads onto infected systems. The loader is distributed by a network of websites that allegedly offer downloads of cracked versions of popular software.
Markel Picado Ortiz 🗣 | Carlos Rubio Ricote 🗣
Abstract
The goal of this presentation is to study and analyse the evolution of the code and the capabilities of Qakbot. In particular, we’ll identify new features being added over time, features that remain stable, and features that are removed over the observation period. The analysis shall also give us information on the evolution of the attacker’s goals and tactics.
All this research is based on the study of the binary code of the Qakbot payload. The presentation shall contain high-level insights accessible to a broader audience and also explanations at the assembly level appealing to a more technically inclined audience. By analysing the binaries distributed on the Qakbot botnets, it is clear how the botnet updates the version of Qakbot it is distributing so as to always have the latest version running on infected machines.
In the following, we outline some preliminary data and findings, which we will develop further towards our presentation.