Alexey Bukhteyev
Last known affiliation: Check Point
Bio: Alexey Bukhteyev is a security researcher at Check Point Software Technologies, driven by a lifelong passion for exploring the inner workings of software systems and cybersecurity. With extensive experience in malware analysis and security research, Alexey focuses on uncovering hidden threats and enhancing the security of digital ecosystems. His interests encompass a wide range of challenges, including malware research automation, operating systems security, and safeguarding user privacy. Alexey’s work has been featured at prominent security conferences, including Virus Bulletin and BotConf.
Alexey Bukhteyev 🗣 | Raman Ladutska 🗣
Abstract (click to view)
In this talk we analyze a prevalent malware family Formbook and its successor XLoader from different angles, including OSINT and technical sides. XLoader is a logical step in Formbook’s evolution, it is now able to target not only Windows but macOS as well.
Our aim is to help the listeners understand how the malware topped up prevalence lists, which approaches and tools to use for the analysis of this and other cases and how to stay protected from this threat.
Alexey Bukhteyev 🗣 | Arie Olshtein
Abstract (click to view)
In the ever-evolving landscape of cyber threats, seemingly legitimate tools have taken a dark turn, emerging as potent weapons in the hands of cybercriminals. Notable examples include the Remcos RAT and GuLoader (also known as CloudEyE Protector). Our recent study establishes a strong link between these dual-use agents. While Remcos is easily detected by antivirus solutions, rendering it challenging for criminal purposes, GuLoader provides a means to bypass anti-virus protection seamlessly.
GuLoader, recognized as a shellcode-based loader, facilitates malware evasion of antivirus defenses and utilizes cloud services for encrypted payload storage. In 2020, we exposed a direct connection between GuLoader and CloudEyE Protector, initially presented as a legitimate software protection tool. Subsequently, CloudEyE advertisements nearly vanished from the web, prompting us to question whether CloudEyE Protector reemerged under a new guise.
Alexey Bukhteyev 🗣
Abstract (click to view)
Careful monitoring of malicious campaigns can sometimes uncover surprising discoveries. Our latest research revealed that even skilled cybercriminals, despite their meticulous efforts to stay in the shadows, can commit critical security blunders. This presentation unveils the discovery and analysis of Styx Stealer, a new malware variant derived from the infamous Phemedrone Stealer. Our investigation not only dissects the technical capabilities of Styx Stealer but also exposes significant missteps by its developer, leading to the unmasking of associated cybercriminals and their operations.
Styx Stealer emerged in early 2024 as a powerful malicious tool capable of exfiltrating sensitive information, including saved browser credentials, data from browser extensions, cryptocurrency wallet data, and sessions from messaging platforms like Telegram and Discord. Technically, Styx Stealer retains the core functions of its predecessor while incorporating new features such as a clipboard monitor, crypto-clipper, advanced sandbox evasion, and anti-analysis techniques. Despite its relatively recent appearance, we observed its deployment in spam campaigns targeting various sectors throughout 2024.
This investigation helps us better understand the inner workings of cybercriminal operations, both from the perspective of malware developers and distributors. It also serves as a warning to cybercriminals: they can never be certain where and what traces they leave behind, what mistakes they make, and that even over time, their actions and identities can be uncovered.