Max ‘Libra’ Kersten
Last known affiliation: Trellix
Bio: Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting out. In 2019, Max graduated cum laude with a bachelor's degree in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a malware analyst at Trellix. Over the past few years, Max has spoken at several international conferences, such as Black Hat (USA, Europe, MEA, and Asia), atHack, Botconf, Confidence-Conference, HackYeahPL, and HackFestCA.
Max ‘Libra’ Kersten
Abstract
Finding malware is not the difficult part, as it is prevalent due to the widespread malware campaigns which target consumers and companies alike. Samples are available in multitudes on sample sharing websites, but it is impossible to manually sift through all available samples. This is why the ideal process is streamlined using a pipeline. The malware is collected, after which it is scanned to detect known patterns and behaviour. Lastly, interesting samples can be reverse engineered manually.
The creation of such a pipeline is relatively straightforward. The majority of the issues are encountered when setting everything up in a scalable manner. An example would be the scanning of files: if this cannot be done concurrently enough, it strains the whole system, and the throughput of the pipeline becomes the bottleneck. Additionally, or alternatively, scaling up the scanning requires more, and better, hardware, which is often costly.
This talk focuses on setting up a pipeline on a budget, where the analyst will have access to malware samples of the last 60 days, all of which are scanned with Yara rules for known patterns. Additionally, all samples are executed in a sandbox to obtain heuristic data. Lastly, tools to analyse samples that the analyst deems interesting are referenced. This pipeline can be executed on a Raspberry Pi 3B, paired with a USB (or external hard) drive. Needless to say, more performance-oriented hardware ensures a smoother experience, but this is the lower limit of the hardware with which the pipeline was tested.
Max ‘Libra’ Kersten
Abstract
Another day, another ransomware-as-a-service provider, or so it seems. The “Read The Manual” (RTM) Locker gang targets corporate environments, forcing their affiliates to follow a strict ruleset. Is this yet another ransomware gang, or is there more to this gang and their locker than meets the eye? This talk investigates the actor, along with a technical deep dive into their Windows ransomware executable.
Whereas some gangs have the desire to become (in)famous, breaking headlines with the group’s name, the RTM Locker gang is different. Their ruleset forces affiliates to operate under the radar, minimising their public exposure and thereby ensuring the group isn’t caught by the prying eyes of law enforcement and malware researchers alike.
Their approach, however, isn’t watertight. This talk will bring the audience along for a technical deep dive into the Windows ransomware executable, along with an overview of the group’s specific rules. Additionally, the group’s activity is peculiar, given that their locker is being reworked without any outlet having reported on its initial version.
Max ‘Libra’ Kersten | Rens van der Linden
Abstract
Malware campaigns plague enterprises, entrepreneurs, and individuals. Platforms and tools have been deployed to gain insight into the ongoing situation. Unfortunately, many of these platforms are rather pricey, which is a problem for me, as a student.
This talk will explain several concepts that will provide insight into campaigns, whilst keeping the total cost below $50. Analysts and students alike can use and expand upon these techniques in their own research.
Max ‘Libra’ Kersten
Abstract
Simply distributing malware is no longer a viable strategy for criminal actors. To combat the ever-increasing defense mechanisms, malicious loaders are used. These loaders are meant to conceal the final payload from the prying eyes of anti-virus and anti-malware scanners. Even though these loaders are used over and over, they are often overlooked.
For this exact reason, as well as the fact that the CyaX-Sharp loader (also known as ReZer0) has interesting capabilities, this research focuses on this loader. Whilst able to load any type of Windows executable, CyaX-Sharp is most often used to drop stealers. This talk provides insight into the loader’s inner workings, the flaw in its payload decryption routine, and an automatic payload and configuration extraction program. After the more technical segment, information will be given about the samples found and the trends observed within the data.
Max ‘Libra’ Kersten
Abstract
Unsuspecting online shoppers risk credit card fraud by shopping on legitimate websites due to online credit card skimming. The COVID-19 pandemic forced many to shop online, unwillingly helping the criminals behind the online credit card skimmer operations. Aside from covering different skimmers and the accompanying modus operandi, this talk will focus on the hunt for live skimmers, as well as the results of such a hunt. Additionally, it goes into the research methodology and the economic implications of a digital skimmer infection. The latter two aspects are often left out of reports and investigations, whilst they are equally important.
Max ‘Libra’ Kersten
Abstract
Mobile phones are used more and more in our daily lives. Purely based on someone’s phone, one can find a lot of information: GPS data, chat history, photos, notes, and online banking applications. Because of this, mobile phones are a valuable target for criminals, causing a rise in Android malware.
This workshop will provide an introduction to static Android malware analysis for beginning analysts. For more experienced analysts, the methods to effectively analyse an application will improve their analytical skills. In either case, the time required to decompile and analyse applications is reduced.
Max ‘Libra’ Kersten
Abstract
Understanding DotNet malware can be daunting at first, but much less so with a solid knowledge of its fundamentals. The goal of this workshop is to teach the required concepts, as these can be transferred into any language of choice, in many different scenarios. As such, attendees gain a deep(er) understanding of the techniques and methods used.
This class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts. The exercises in the workshop are based on actual malware samples, and each exercise consists of several questions for the attendees. The questions become progressively more difficult, ensuring there is always a challenge.
Since the workshop’s materials will consist of actual malware samples, precautions are required; these will be explained in detail during the workshop, ensuring the safety and integrity of the attendees’ systems.
There are several requirements to join:
• A laptop (x86_64 based) capable of smoothly running one x86_64 Windows 10 VM
• Visual Studio Community Edition (2019 or later) on the VM
• The DotNet Framework runtime for version 3.5 and later (version 4 is installed by default) on the VM
• dnSpyEx, de4dot, DotDumper, and other tools can be downloaded during the workshop, as they are small in size.
• An understanding of VB.NET/C#, and preferably being (somewhat) comfortable writing it. It is possible to join the workshop without the ability to write code, but you will notice this in the later stages of the workshop.