Nyetya Malware & MeDoc Connection

On 27 June 2017, a new wormable malware variant surfaced. Talos is tracking this variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation will be divided into two parts:

  • the first part will describe Nyetya: how it works, the integrated exploits, the DoublePulsar modifications, the “encryption” of infected systems, and so on. This part will focus on the analysis of the malware itself (reverse engineering).
  • the second part will describe the incident response performed by Cisco Advanced Services Incident Response in Ukraine, focused on the M.E.Doc software. This part will cover the techniques the attackers used to compromise M.E.Doc users at scale, and will present a detailed timeline.
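Two of the lateral-movement channels named above, PsExec and WMI, leave host-side traces that an incident responder can hunt for while the talk's own analysis is not yet at hand. The script below is an added example written for this page, not code from the talk or from Talos: the event records are constructed, and the indicators it uses (PsExec's default PSEXESVC service install logged as System event 7045, child processes of PSEXESVC.exe, and processes spawned by WmiPrvSE.exe) are generic PsExec/WMI behaviour, not Nyetya-specific findings from the page. The SMB exploits (EternalBlue, EternalRomance) are not covered by this check; for those, MS17-010 patch state and SMBv1 exposure are what to verify.

```python
"""Flag hosts that show PsExec- or WMI-style remote execution.

Added example for this page; not code from the talk or from Talos.
Indicators are generic PsExec/WMI tradecraft, and the sample records
below are constructed, not real telemetry from the Nyetya outbreak.
"""
from collections import defaultdict

# Constructed sample records, loosely modelled on a Windows System log
# service-install event (EventID 7045) and Sysmon process-creation
# events (EventID 1). Field names are this example's own, not a schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "ws01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws02", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws03", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws03", "source": "System", "event_id": 7045,
     "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe"},
]


def _basename(path):
    """Lower-cased final path component; tolerates either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a technique label for one record, or None if it looks benign."""
    if event.get("event_id") == 7045:
        # PsExec installs a service named PSEXESVC by default. The name can
        # be changed with -r, so the service binary is checked as well.
        if (event.get("service_name", "").upper() == "PSEXESVC"
                or _basename(event.get("image_path", "")) == "psexesvc.exe"):
            return "psexec_service_install"
    if event.get("event_id") == 1:
        parent = _basename(event.get("parent_image", ""))
        if parent == "psexesvc.exe":
            # Commands run through PsExec are children of the PSEXESVC service.
            return "psexec_child_process"
        if parent == "wmiprvse.exe":
            # Remote Win32_Process.Create calls are spawned by the WMI provider
            # host. Legitimate management agents do this too, so treat as a
            # hunting lead rather than a verdict.
            return "wmi_remote_exec"
    return None


def find_lateral_movement(events):
    """Map each host to the list of technique labels seen on it, in order."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["host"]].append(label)
    return dict(hits)


if __name__ == "__main__":
    for host, labels in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
```

On the constructed sample this reports ws01 (service install followed by a PSEXESVC child) and ws02 (WmiPrvSE.exe child) and stays silent on ws03. A host showing both a PSEXESVC install and a child process under it is a stronger signal than either alone; WmiPrvSE.exe children need baselining against the environment's management tooling before they are treated as malicious.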

Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings in publications and at international security conferences around the world. He has been involved in security research for seven years, focusing mainly on malware analysis, malware hunting and, more specifically, on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams in the private and public sectors.

Paul Rascagnères, Security Researcher at Cisco Talos (@r00tbsd)
David Maynor, Security Researcher at Cisco Talos (@dave_maynor)