Sathwik Ram Prakki
Last known affiliation: Seqrite Labs, Quick Heal
Bio: Sathwik Ram Prakki works as a Senior Security Researcher at Seqrite Labs, Quick Heal. His areas of research are threat intelligence, APT hunting, dark-web monitoring and malware analysis. With a background in offensive security and knowledge of OS internals, he focuses on improving detections and threat-hunting and CTI infrastructure. He started his cybersecurity career at C-DAC, under the Ministry of Electronics & IT in India, and has presented on APTs, ransomware and malware ecosystems at conferences such as AVAR, Botconf, c0c0n and Virus Bulletin.
Sathwik Ram Prakki 🗣 | Rayapati Lakshmi Prasanna Sai
Abstract
The growth of cybercrime ecosystems and underground forums has led to a substantial increase in stealer malware variants, driven by Malware-as-a-Service (MaaS) platforms that cater to specific needs. This talk examines a modern malware ecosystem named Warp, characterised by a high level of sophistication and multifunctionality. Warp is written in Go and comprises the components typical of such an ecosystem: a loader, a dropper and a stealer. The infection chain ends in a modified version of the Stealerium infostealer, a capable piece of malware that extracts sensitive information while employing anti-analysis techniques.
The paper presents an in-depth technical analysis of the components of the Go-based Warp ecosystem and of how the infection chain unfolds. It covers reverse engineering of Go binaries with IDA Pro, the use of random API calls and various search engines to mask C2 traffic, and the Telegram bot used for C2. It also discusses two capabilities tied to the dropper component: a UAC bypass performed through RPC requests over the ALPC kernel mechanism, and the abuse of the Avast anti-rootkit functionality to disable AV/EDR solutions. Finally, the paper contrasts Warp Stealer's Telegram-based C2 with Stealerium's Discord-based C2, illustrating the range of functionality built into this malware ecosystem.

Sathwik Ram Prakki 🗣 | Kartik Jivani 🗣
Abstract
Since the disclosure of vulnerabilities in WinRAR, multiple advanced persistent threat (APT) groups and other malicious actors have leveraged these weaknesses to launch targeted attacks on critical sectors across several nations. This presentation examines the exploitation of one specific WinRAR vulnerability, CVE-2023-38831, explaining the vulnerability and the tactics of threat actors who distribute malicious ZIP archives through phishing campaigns.
Through a case study of the SideCopy APT, the talk explores how WinRAR is weaponised to compromise entities in India. It examines six distinct clusters of this APT and dissects the payloads deployed in a multi-platform attack campaign that used diverse decoys and a consistent naming convention throughout 2024. The presentation also covers the discovery of the infrastructure used by SideCopy, giving insight into the group's modus operandi: compromised domains with shared IPs reused across multiple campaigns during the year; targeting of the government, maritime and even education sectors; and extensive overlaps, such as shared code and infrastructure, with the parent APT group Transparent Tribe (APT36) and Operation RusticWeb.
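The abstract names CVE-2023-38831 but does not describe the archive layout that triggers it. As an added example (not code from the talk or from Seqrite), the following Python script flags ZIP archives built in the publicly documented CVE-2023-38831 pattern: a benign-looking decoy file (say `invoice.pdf`) sits next to a directory with the same name plus a trailing space (`invoice.pdf `), which holds a script whose name is again the decoy name plus a space and an executable extension (`invoice.pdf .cmd`). Opening the decoy in an affected WinRAR version results in the script being run. The sample archives, file names and the `SUSPICIOUS_EXTS` list are constructed for this example and are assumptions, not indicators taken from the SideCopy campaign.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions that typically appear on the hidden payload in this pattern.
# Constructed list for the example; tune it to your own environment.
SUSPICIOUS_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def find_cve_2023_38831_pairs(data: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, payload_path) pairs matching the CVE-2023-38831 layout.

    The check walks the central directory only; nothing is extracted.
    A hit requires (1) a top-level file entry, (2) a top-level directory
    whose name is that file name plus a trailing space, and (3) an entry
    inside that directory whose name starts with the file name plus a space.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]

    # Plain file entries (directory entries in a ZIP end with "/").
    top_level_files = {n for n in names if "/" not in n}
    hits: List[Tuple[str, str]] = []

    for name in names:
        parts = name.split("/")
        if len(parts) < 2 or not parts[-1]:
            continue  # top-level file or a bare directory entry
        folder, leaf = parts[0], parts[-1]
        if not folder.endswith(" "):
            continue  # the trailing-space directory is the key signal
        decoy = folder.rstrip(" ")
        if decoy in top_level_files and leaf.startswith(decoy + " "):
            hits.append((decoy, name))
    return hits


def payload_extension_is_suspicious(payload_path: str) -> bool:
    """True if the hidden payload carries one of the listed extensions."""
    leaf = payload_path.rsplit("/", 1)[-1]
    dot = leaf.rfind(".")
    return dot != -1 and leaf[dot:].lower() in SUSPICIOUS_EXTS


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the exploit layout (harmless contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\necho demo\r\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive used as a negative control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 report")
        zf.writestr("images/photo.jpg", b"\xff\xd8\xff\xe0 jpeg")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()),
                        ("clean", build_clean_archive())):
        pairs = find_cve_2023_38831_pairs(blob)
        if not pairs:
            print(f"{label}: no CVE-2023-38831 layout found")
        for decoy, payload in pairs:
            flag = "suspicious ext" if payload_extension_is_suspicious(payload) else "other ext"
            print(f"{label}: decoy={decoy!r} payload={payload!r} ({flag})")
```

The scan reads only the central directory, so it is safe to run on untrusted archives in a mail gateway or sandbox pipeline; extraction is never needed to spot the layout. Because the trailing-space directory name is the defining feature, the check also catches payloads with extensions outside `SUSPICIOUS_EXTS`, which the second function then classifies separately.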
