Botconf Author Listing

Kevin Ratto


Last known affiliation: CrowdStrike
Bio: Kevin Ratto is Senior Security Researcher at CrowdStrike. He is specialized in reverse engineering and malware intelligence. His current research is focused on evaluating the Latin America (LATAM) threat landscape to identify relevant malware families and emerging threats.
TLP:GREEN
Date: 2025-05-22
Doit: Convoluted Stealer Targeting LATAM-Based Users
Kevin Ratto 🗣

Abstract

In late 2022, an unidentified AutoIt-based eCrime stealer was observed in the wild; it was named Doit. The malware was initially delivered via email spam campaigns targeting users from Chile, Mexico and Peru. In 2023, Doit shifted to exclusively target Mexico using phishing websites and search-engine optimization (SEO) poisoning. Doit aims to steal sensitive user data, install Chrome enrollment tokens, download additional components, and likely install actor-controlled browser extensions.

In the span of two years, Doit has been rewritten twice: from an AutoIt-based stealer (version 1.0) to a C++ rewrite (version 2.0), and now to a convoluted modular C++ malware (version 3.0) that is more technically complex than its earlier versions. The malware now consists of more than 10 interdependent modules, where the result produced by one module is required to execute the next. While the earlier AutoIt and C++ versions are no longer active, the latest modular C++ version is still actively distributed as of this writing.

This presentation covers Doit’s evolution since it was first observed, including:

  • A chronological view of the malware evolution from the first AutoIt version to the modular C++ version
  • Detailed description of delivery methods to distribute the malware to Latin American (LATAM)-based users
  • A deep dive into the convoluted execution process for the modular C++ version, describing several anti-analysis and evasion techniques

The audience will gain a better understanding of Doit's technical development, of techniques uncommon in LATAM-focused malware, and insights into how a threat actor targeting users in LATAM operates.