Botconf 2018 schedule

Tuesday December 4th 2018


11:00-13:00 & 14:00-18:00 Workshop 1
ExtREme Malware Analysis
Reverse Engineering is not an easy task, especially when dealing with malware. A bug hunter may spend some quality time with a nice functions, but a malware researcher that deals with tens or hundreds of samples in a short time frame cannot get distracted and must be able to cut fast and precisely into the heart of the malware! This training is aimed to teach our approach to fast and effective malware reversing, demonstrating some not-so-cutting-edge technologies and tricks that are drastically speeding up a reversing process. After a completion of this course, attendees should be able in matter of hours assess if given malware is a new thing or belongs to some known family (and say to which one), what data it does carry, and how it communicates with its C&C.

Maciej KOTOWICZPoland

14:00-18:00 Workshop 2
Introducing a new Cyber Threat Detection System: How Threat Intelligence Halts Tomorrow’s Botnets
The cyber attack landscape is constantly evolving. Botnets are increasingly pervasive to detect and irradiate. This is because malicious adversaries have advanced techniques used to exploit enterprise networks. Previous paradigms have failed to adequately prevent, detect, respond, and recover from new attacks. As such, the paradigm we use to hunt and eradicate new threats must adapt as well. The purpose of this talk is to introduce a new cyber threat detection system that merges threat intelligence with advanced host, network, and memory forensics to create a better protection paradigm at detecting and preventing new botnet and network command and control activity.Developing a robust framework as this one is not trivial, nor is understanding how to engineer a real-life actionable cyber threat intelligence engine that we will create during the course. In fact, this requires a holistic approach in order to understand how to enhance the paradigm. This hands-on workshop first teaches the participant how to perform host and network forensics. We will learn how to create new distributed network sensors and work with a new tool I am releasing called Themis Network Analyzer. We move into hands-on exercises to learn advanced memory forensics and work with another new tool I am releasing to the community called Xavier Memory Forensics Framework. From here, we pivot into malware analysis to extract pertinent artifacts from the infected host. Next, we take this knowledge into engineering a new threat intelligence engine and intrusion detection that validates our new concept. We finally conclude this workshop with a robust hands-on capstone exercise.

Many new tools are created and released for this workshop. Participants will walk away from this workshop with new concepts and capabilities to better hunt for malicious actors and botnet activity across the protected enterprise network.

Solomon SONYA United States of America

14:00-18:00 Workshop 3
Detect, Investigate and Respond using MISP, TheHive & Cortex
This workshop will take participants through a journey to familiarise themselves with common activities related to incident response, digital forensics, and cyber threat intelligence using the popular FOSS stack composed of MISP, the Malware Information Sharing Platform, TheHive, a Security Incident Response Platform, and Cortex, a powerful observable analysis and automated response engine.The workshop organisers will briefly walk participants through the guiding principles of DFIR and CTI and describe the software stack that will be used throughout the workshop. Participants will then have to work on an incident and try to investigate and respond to it by analyzing various artifacts and leveraging cyber threat intelligence.

Participants are expected to bring laptops running either VMware Workstration/Fusion or VirtualBox. Laptops must be powerful enough to run two VMs simultaneously. Limited familiarity with Python is a plus to work on advanced case where automation will be used to speed up the investigation.

Danni CO, Raphaël VINOT and Saâd KADHI France
Training material

If you’d like to give it a try on your own, you will need:

  • familiarity with TCP/IP, Linux (including editing configuration files), SSH & incident response
  • the joint MISP, TheHive & Cortex training VM (SHA256 checksum)
  • a powerful laptop with virtualization software (either VMware Workstation, VMware Fusion or VirtualBox)
  • the ability to give the training VM 6GB of RAM and 2 processor cores. If that’s not possible, we consider 4GB and 1 processor core the bare minimum
  • the training instructions and cheatsheet
  • Case Study 1
  • Case Study 2

Before undertaking the workshop, we highly recommend reading the following slides in the specified order:

Important Note: you won’t be able to do case study 3 as it requires access to the instructors’ MISP instance which is only available during the workshops and trainings. You must also skip the steps which ask you to synchronize your MISP instance with the instructors’ (unless you have access to an instance pre-populated with events) or configure TheHive to leverage the instructors’ Cortex instance.

Wednesday December 5th 2018


Swimming in the Cryptonote Pools
In the world of cryptocurrency-related malware, mining currencies based on cryptonote technology like Monero (XMR) is a growing threat for organizations. We can observe that interest in such cryptocurrencies has increased dramatically for malicious actors those past months because of the specificities of this technology.

In this talk we will explain why such cryptocurrencies are appealing for malicious actors, and how to leverage publicly available sources for hunting of such related activities.

Emilien LE JAMTEL, CERT-EU European Union


APT Attack against the Middle East: The Big Bang
Over the past few weeks, we discovered the comeback of an APT attack against the Middle East, and specifically against the Palestinian Authority.
The APT group behind this attack launched a campaign over a year ago, and very little of this operation was seen in the wild since. The renewed Big Bang campaign incorporates improved capabilities, wider functionalities, and a more offensive infrastructure. It also seems to have very specific targets in mind.

Shared interests and malware features with campaigns belonging to the Gaza Cybergang that emerged in both 2017 and 2018 show that the infamous threat group is most likely behind this attack.

Although the APT has gone through significant upgrades over the last year, the conductors maintained evident and peculiar fingerprints. Both the delivery methods and the malicious artifacts had unique traces which helped us link the current wave to past attacks.

Among the techniques attributed to the APT group, one could find fake news websites containing up-to-date articles, well-formulated e-mails with malicious attachments or embedded links, and mobile applications posing as legitimate services. All of these methods are meant to filter-in targeted victims that meet predefined characteristics and lead to a custom-made reconnaissance malware.

During our investigation, we were able to spot only three instances of the renewed operation, but distinctive characteristics in the command and control websites revealed a wider infrastructure that may serve unknown samples. While our analysis covered the capabilities of the malware, we are certain that this is a part of an ongoing multi-staged attack, the full infection chain of which has not been completed yet.

The campaign earned its name due to the authors’ affection for the successful TV series “The Big Bang Theory” as reflected in their function naming standard. The malware code is decorated with the character names of the popular series, but also actors of the Turkish series “Resurrection: Ertugrul”.

In our presentation we will cover the operation of this group, focusing on the recent improvements and tactics, as well as the techniques and procedures (TTPs) that identified this group both in previous attacks and in the current one.

Aseel KAYAL and Lotem FINKELSTEINIsrael


Code Cartographer’s Diary
At last year’s Botconf, we have launched Malpedia [1], our community-driven approach to create a free and independent resource for rapid identification and actionable context when investigating malware. While only touching the surface of analysis possibilities last time (mostly surveying PE header characteristics), we want to take a deep dive in this talk, showing the results of more than two years of ongoing in-depth analysis efforts. This time, the focus will be set on the unpacked representatives of more than 700 families of Windows malware.

In the first part of this presentation, we will investigate the usage patterns of the Windows API as exposed by malware. For this, we extend ApiScout [2] with a method to extract API usage fingerprints. We will demonstrate how this information can be used to reliably identify and characterize malware families and that this information seems to capture habits of their respective authors to some degree.

In the second part, we will introduce SMDA [3], a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps. SMDA’s output allows us to create a function index, which can be used to identify similar code. On the one hand, we can use this similarity information to recognize and measure how commonly 3rd party libraries are used in malware. On the other hand, we can also isolate the unique, characteristic code for families in order to derive detection signatures for them.




Daniel PLOHMANN, Steffen ENDERS and Elmar PADILLA Germany


Cutting the Wrong Wire: how a Clumsy Attacker Revealed a Global Cryptojacking Campaign
We have seen a massive spike in malicious crypto mining campaigns killing themselves for the chance to have their victim’s CPU. The shorter and shorter time window between vulnerability disclosure and cryptojacking opportunistic attacks taking advantage of them may help us to understand how profitable they are to the point of getting priority over ransomware attacks. This article consists of a walk-through on a remarkable incident caused by an eager and clumsy attacker which ended up revealing multiple cryptojacking campaigns targeting large organizations across the world in early 2018.

Renato MARINHO Brazil

14:00-15:00 Keynote 1
Chess with Pyotr
Abstract withheld [TLP:RED]

Tillmann WERNER and Brett STONE-GROSS United States of America

In-depth Formbook Malware Analysis
Form-grabber malware are nowadays quite common. They provide simple yet effective methods for stealing infected users’ credentials. They are named thereby since they target HTML forms’ submissions, made by web-browsers. Sometimes, they also provide classical password stealer capabilities such as key-logging, or modules designed to take screenshots. Also, they can embed code for harvesting users applications’ passwords, stored on the file-system.

Formbook is a ‘ready-to-use’ form-grabber malware, sold illegally on hacking forums. Thus, it can be used by cyber-criminals who don’t necessary own skills in malware development, although it can still be used by more advanced actors. It comes with a PHP web-application, used to implement the C&C server. It also offers a panel, used to graphically manage infected computers, and visualize stolen data.

In order to evade anti-viruses detection, to detect automated malware analysis environments or to complicate its reverse-engineering, Formbook implements many tricks. It also uses interesting code injection techniques, based on APC injection and thread hijacking, to perform actions like process-creation, from within the context of legitimate windows processes such as explorer. Its ability to migrate from a 32-bit process, running in wow64 compatibility mode, to a native 64-bit process also makes it worth looking at.

Rémi JULLIAN France

How Much Should You Pay for your own Botnet ?
Cloud computing provides scalable and on-demand infrastructure, which seems to be the perfect way to host a botnet. This paper focuses on cloud-based botnets to perform legal DDoS resilience tests. We model the cost of such botnets and provide both technical and economical insights into their usage for controlled DDoS attacks. While these purpose-built botnets appear to be more expensive than online DDoS booter services, they remain affordable in the context of legal audits.

Antoine REBSTOCK, Pierre-Edouard FABRE, Emmanuel BESSON France


Collecting Malicious Particles from Neutrino Botnets
Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013. It has been actively developed ever since resulting in version 5.4 at the very beginning of 2018. From the early times, when the bot’s commands were focused on various DDoS attacks, it evolved into something quite different. Its current state allows to remotely execute commands, files, scan the infected system and both modify and monitor network traffic while keeping some of the old tricks as well.

In the talk, we would like to look at different versions of the bot and their specifics and describe the changes that are being made. We will also explain its current functionality and transition into a fully functional banking trojan.

The malware is affordable and relatively cheap which leads to many independent actors operating their botnets in a very different way. That said, it is much more interesting to learn what each group leverages the bot for rather than tracking it as a whole.

Identifying similar configurations is not always easy, but there are several ways to do so. We want to demonstrate the methods of how to detect which samples belong to each other in order to identify different botnets. We will show the botnets that have been discovered during the last year, what is typical for them, how do they use the bot and what have they delivered through it. We will also lighten the mood with several examples of situations, when operators failed to execute their malicious activities properly by utilizing wrong configuration or harmless webinjects.

No centralized distribution method is offered, that means every botnet operator has to distribute the bot on his own. The discovered methods include malvertising, trojanized installers or the Ammyy supply chain attack.

Jakub SOUČEK, Jakub TOMANEK and Peter KÁLNAI Czechia


Trickbot The Trick is On You!
Bot malware landscape always changes with both new and old families being updated with new techniques to perform cybercrime. And due to their sheer number, manually analysing and tracking them is a tedious affair. This entails delayed response to the threat. Because of this, automated systems have become an integral part of malware research to learn more about these commonly on-and-off malware operations. Data obtained from these systems can be indispensable for planning and implementing counter moves against the threat. In this way, we can lessen the gap between threat discovery and mitigation.

With the same motivation, we have conducted research on Trickbot family, which has become one of the most popular botnet families since its first discovery in 2016. It has evolved with new modules being added to its arsenal for spreading and stealing more information from its victims. Up to this day we are seeing new campaigns and modules being distributed in the wild.

What got us really interested in this malware is its refined network behaviour and more importantly its wide variety of modules that it distributes to its victims. Its rotating C2 servers and by-command delivery of its modules make manual analysis and monitoring extremely tedious. We thought this is a good opportunity to create a tracker system to monitor the malware

Trickbot’s infrastructure relies in its modular infection distributed via its own network protocol under TLS. This eventually became our entry point in gathering data from its own servers.

In this presentation, we will discuss Trickbot’s behaviour. More importantly, we will also be focusing on the procedures we took to design and build the monitoring system including the challenges we encountered along the way. This will rely heavily on reverse engineering its network communication and how we were able to use its own protocol to obtain specific artefacts from its servers.

As a result of the data we gathered, we will share statistics and the information generated from the tracker and how they can be used to help mitigate the threat automatically.

Floser BACURIO Jr. and Joie SALVIO Singapore

Automation, structured knowledge in Tactical Threat Intelligence
The connected societies facing ever evolving risks, traditional cyber security solutions have been charged by the popular jury for incompetence. Yet they are working for what they have been designed for, the rise of targeted attacks as well as the maturation of advanced cybercrime force defenders to find new ways of fighting the ghosts in the machines. Cyber Threat Intelligence has emerged for about a decade now, bringing new mind-set, tools and methods to the overall InfoSec community. After reminded what composed this activity, this conceptual presentation will focus on Tactical Threat Intelligence. By diagnosing that adversaries’ behaviour analysis has been mainly hijack to provide technical indicators and strategic feedback, we will review today’s methods and tools used

for cyber threat profiling and express the limitation or problematics they brought to Intelligence Tradecraft specialist. Moves by the impression that today’s Tactical Threat Intelligence is rarely as a say derived into action, we will finally explore new leads that could bring the discipline more operational concretisation and will help tactical analyst is the difficult path to automate tasks in a very psychological influenced domain.


Thursday December 6th 2018

Internals of a Spam Distribution Botnet
Cybercriminals use different methods to distribute malware like malicious advertisements, Exploit Kits, loaders or spam campaigns. Unless an attack is really targeted the bad guys will try to infect as many computers as possible and they need some automation for that. It is well-known that they use botnets to distribute malware and create spam campaigns. Popular malware families like Necurs, Cutwail, Onliner Spambot or Emotet are examples of this kind of botnets, which are not usually analyzed deeply because we tend to focus on the final malware families which are spread, like bankers, stealers or RATs. This talk will focus on one these malware families used to send spam, Onliner Spambot, explaining internal details about its different modules, its control panel, how it is checking and misusing stolen credentials, and about the threat actors who are operating it and selling it. Malware distribution is an interesting part of the cybercrime ecosystem and it is important to pay attention to those distribution botnets too.

Jose Miguel ESPARZA Spain

Botception: Botnet distributes script with bot capabilities
Monitoring botnets is a crucial component of cybersecurity, but it’s not everyday we see a botnet spreading scripts with bot capabilities. At the end of April 2018, while monitoring one of the branches of the Necurs botnet, we observed new scripts being distributed by the botnet.

In our presentation we will dive into the results of our analysis of scripts with bot capabilities, spread by a botnet. The analyzed scripts were spread by the Necurs botnet through spam emails, and while the initial infection chain was rather short, the multiple stages thereafter included capabilities to make it a fully fledged botnet.

The distribution of the these scripts is an interesting step out from the standard behavior of the Necurs botnet, and we will therefore share information about the Necurs’ branch we are monitoring, the changes it underwent in a year, and detailed analysis of the script bot itself. As the code involved in the infection chain was not heavily obfuscated, the analysis will be interlaced with code examples.

Our analysis provides detailed information about the function and behavior of the scripts, the origin of the information and a comparison of the scripts’ versions over time. After we explore the scripts’ whereabouts, we will again dive more deeply into the Ammyy-like malware infection chain.

Jan SIRMER and Adolf STREDA Czechia

Stagecraft of Malicious Office Documents – A Look at Recent Campaigns
Malicious office documents have become a favorite malware delivery tool for malware authors. We have observed an increase in use of malicious documents over past 4 years. 30% of the malware blocked by Zscaler Cloud Sandbox since 2017 are malicious office documents. Malicious office documents are used for the delivery of crimeware payloads and are also often involved in Advanced Persistent Threats (APT) attacks. Over the time, these malicious office documents have used various obfuscation, encryption and evasion techniques to prevent detection. In this paper, we will provide a detailed analysis of different obfuscation, encryption, exploits and evasion techniques used in these malicious documents. We have analyzed over one thousand malicious documents from fifty different campaigns for this study. This research paper also lists the different malware samples delivered by these malicious documents and the use of powershell as well as other scripting languages.

Dr. Nirmal SINGH India, Deepen DESAI United States of America and Tarun DEWAN India


Hunting and Detecting APTs using Sysmon and PowerShell Logging
Many security professionals and Blue Team members appreciate a good and detailed written APT report by any renowned security company. This is especially true, if they document and explain some new and stealthy technique that was used and not well known yet by defenders.

One such technique is “WMI event subscription” for persistence, which has been used by APT29.

Another one is the “Logon Script” technique (“UserInitMprLogonScript” reg key) used by APT28.

A third technique that is discussed very often is (ab-)using Powershell and “living off the land” (LOL).

To even top this one, attackers are using “unmanaged Powershell” (e.g. using PowerPick) to evade command line based detection. But thanks to the Powershell logging features available since version 5, even this can be detected.

I will discuss and show how to detect all of these techniques by using Sysmon data and Powershell logging (with Splunk as a SIEM).

Tom UELTSCHI Switzerland

Hunting for Silence

Rustam MIRKASYMOV Russia

14:00-14:40 Keynote 2
Cybercrime fighting in the Gendarmerie

Colonel Jean-Dominique NOLLET, Head of the C3N – Gendarmerie’s national cybercrime fighting unit France

Everything Panda Banker
The Panda Banker malware was first spotted in the wild in early 2016. It has since seen consistent development, gained a significant threat actor user base, and has become one of the most advanced and persistent banking malwares in the current threat landscape. This presentation compiles together the author’s research and tracking of Panda Banker complemented with the prior work of other malware researchers studying the threat. Its aim is to provide a detailed survey of everything Panda Banker: what it is, where did it come from, what it does, how it works, who’s using it, how effective they are, who is being targeted, and where is it going. The hope is for researchers and defenders to walk away with a better understanding of Panda Banker and maybe some ideas on how to better detect and mitigate it.

Dennis SCHWARZ United States of America

Judgement Day
Abstract withheld.

Thomas SIEBERT Germany

The Dark Side of the ForSSHe
In February 2014, ESET researchers from Montreal published a report on a group who compromised more than 40,000 Linux servers worldwide since 2011. ESET named this campaign Windigo. At the centre of this operation, Ebury, an OpenSSH backdoor which allowed the attackers to remotely take control of compromised servers as well as stealing login credentials (passwords, keys) which were then used to connect to other servers. This simple yet effective method allowed them to extend their network of compromised servers.

Romain DUMONT and Hugo PORCHER Canada

Lightning talks
Lightning talks are 3 minute presentations selected during the conference on any topic that could be interesting for the participants.

Friday December 7th 2018

WASM Security Analysis Reverse Engineering
WebAssembly (WASM) is a new technology designed for browers. It aims to define a portable, size- and load-time-efficient binary format to serve as a compilation target which can be compiled to execute at native speed by taking advantage of common hardware capabilities available on a wide range of platforms, including mobile and IoT.
Our presentation will cover a brief introduction of this technology, analysis with or without access to the source code. It will also cover security issues and how it can be used by a botnet.

Guangyuan ZHAO and Wu TIEJUN China

Red Teamer 2.0: Automating the C&C Set up Process
This talk follows the amazing documentation provided by Steve Borosh (@424f424f) and Jeff Dimmock’s (@bluscreenofjeff) on their dedicated repo.

Besides, it follows several experiences of red team operations leveraging the tips issued by these authors.

We will describe a new open source tool, whose name will be revealed during the presentation. That tool aims at managing red teams’ operations, and, in particular enables Command and Control infrastructure set up automation.

Charles IBRAHIM France

Mirai: Beyond the Aftermath
Two years have passed since Mirai unleashed its wrath to the world by targeting high profile victims. Many things have happened since then, the good, the author responsible has already been convicted, the bad, source code was released to the public, and the not so bad, organizations became aware of the threat and geared up their defences for the possible next attack. Question is now, what’s next after Mirai? Ever since the release of its source code, many have used, experimented, and modified the code for their own liking and purpose. These so called Mirai copycats all want to have a piece of the IoT pie, battling to compromise more vulnerable IoT devices to grow their own army of bots and become Mirai’s possible heir. This research on the aftermath of Mirai will focus on three technical aspects: Mirai variants with their significant modifications, a genealogy of all Mirai variants identified so far, and if whether other botnets have reuse some of Mirai’s code.

To begin with, we will talk on the added techniques implemented to the variants to infect more IoT devices, like an exhaustive factory default credentials set, the use of both known and unknown exploits and targeting more architectures. We will also present the new ways it monetizes IoT bots like by targeting miners or using them as proxy.

The research as of now identified already 100 variants and still counting. We will discuss on how we automatically decrypt and dump the configuration for easy family identification and C2 extraction. Additionally, to have a better overview and understanding of the variants we will compare all of them and see how they relate to each other.

A botnet that we observed reusing Mirai’s code is Hide ‘N Seek. We will take a look at its modules and compare it to Mirai whether the configuration encryption algorithm is still the same.

To finish the presentation, we will share interesting insights, findings and lessons learned in the research and how these can help researchers in their threat Intel tasks.

Rommel JOVEN, David MACIEJAK and Jasper MANUEL Singapore


Leaving no Stone Unturned – in Search of HTTP Malware Distinctive Features
When we analyze malware C&C network traffic we often see that it contains HTTP protocol. Sometimes the messages are obfuscated and sometimes sent as plain text. They can be intentionally crafted to look like sent by a web browser. But in many cases they are sent using standard libraries and tools. Intuition suggests that there should be some distinct features, which can help to distinguish between malware and benign applications sending HTTP requests. In our presentation we want to present results of our analysis in search of such features.

Analyzed features include headers’ appearance (misspellings, unusual names), header values, general payload analysis (entropy, character analysis etc.) and header sequence order. In our search we have analyzed more than 35 000 pcap files from CERT Polska’s sandbox environment and Malware Capture Facility Project. They include network traffic of about 190 malware families, splitted into common categories like bankers, ransomware, downloader, spambot etc. To identify distinct features, we have compared the results against browser traffic to Alexa’s top 500 popular domains worldwide. The outcome was surprising even for us.

The presentation won’t be academic. We want to share main conclusions which can help you when dealing with malware HTTP traffic. To provide even more operational knowledge, we want to compare the results with traffic generated by popular Windows HTTP libraries and tools. Also we will present particularly interesting examples of HTTP anomalies, both in malware and benign traffic.

Piotr BIAŁCZAK Poland

Let’s Go with a Go RAT!
The Go language (GoLang) is an open source programming language developed by Google Inc. in 2009, and it can be run on various platforms such as Linux, Mac, Windows, Android.

Speaking of malware using Golang, Mirai is one of the famous one (they use it for the C2 program), but malware such as Encriyoko, Lady, GoARM.Bot, Go Athena RAT and others are also confirmed.

However, we can’t say that Golang malware is commonly used as development basis for malware coding when looking at the ratio of popular malware.

In this presentation, we would like to introduce the analysis result of a new malware, we called it as “WellMess” that was coded on Golang on multiple platform operating systems. This malware was used by several incident cases that we confirmed from January 2018, we recognize it as a new malware according to our team’s analysis and the traffic generated on its communication to the C2 servers.

Additionally, we will perform reverse engineering explanation of the WellMess malware and perform demonstration on its botnet operation.

Yoshihiro ISHIKAWA and Shinichi NAGANO Japan

Tracking Actors through their Webinjects
Webinjects have been a feature of banking malware ever since they were popularised with great success by early families such as Zeus. In that time writing Webinjects has become a highly specialized skill with off-the-shelf Webinjects systems becoming as popular as the banking malware itself.

Webinjects are used to deploy Automated Transfer Systems, payment card data harvesters, session hijackers, and even to deploy web based crypto-currency miners. With some vendors in operation for over five years, the area of Webinjects development appears to be a lucrative and potentially long-lived occupation.

This presentation explores prevalent Webinjects systems, their capabilities and which malware families are deploying them, and how we can use Webinjects to track actors as they switch between using different malware families. We present details of the criminal groups we have discovered this way.

James WYKE United Kingdom of Great Britain and Northern Ireland

Triada: the Past, the Present, the (Hopefully not Existing) Future
Triada is an Android threat known within the malware research field for a couple of years. Despite that, it still remains a very interesting threat as their authors did something very rarely seen in any malicious software – instead of evading detection they embraced it. Triada was first detected preinstalled on the system image of some Android low-end devices in mid-2017.

As soon as we detected these applications, we reached out to OEM partners to address this threat and we gained a unique insight into Triada’s evolution and tactics. This presentation will cover Google Play Protect’s findings and present previously unrevealed aspects of Triada and the extent to which it backdoored OEM system images. We will also cover how our unprecedented coordination with OEMs led us to update system images across the Android ecosystem.

Łukasz SIEWIERSKI United Kingdom of Great Britain and Northern Ireland

The Snake Keeps Reinventing Itself
After having tracked Turla’s activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). In this talk, we would like to share this knowledge to help defenders protect their networks.

Turla is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaign was against the US military ten years ago and they are still very active. During this presentation, we will discuss some recent public cases involving Turla operators. This threat actor targets very specific group of people and, as such, use advanced targeting techniques such as spear phishing and watering hole to go after them.

We will present an in-depth analysis of currently undocumented components, such as a highly resilient Outlook backdoor, allegedly used in the early-2018 attack against the German government. We will also provide an overview of the different changes in their TTPs that occurred in the past few months.

Matthieu FAOU and Jean-Ian BOUTIN Canada


How many Mirai variants are there?
Mirai was soon open-sourced after overwhelming several high-profile targets including Krebsonsecurity, OVH, and DYN in Autumn 2016, which leads to a proliferation of Mirai variants in the past 2 years. For better fight against Mirai botnets, effective variant classification schemes are very necessary. Currently, Mirai variants are usually classified with their branch names (e.g., JOSHO, OWARI, MASUTA) which come from a command line of “/bin/busybox <branch >” found in the Mirai sample. While the default name is “MIRAI”, the <branch> was usually replaced with an author interested one (e.g., MASUTA, SATORI, SORA) in later variants.

However, we think branch-based classification scheme is too coarse-grained to reveal: 1) the variances in single variant of different stages, and 2) the connections among different branches. In this talk, we would like to present our classification schemes concluded from 32K+ collected samples and 1,000+ extracted CNCs. Our schemes are mainly based on the data of configurations, supported attack methods, and credential dictionaries, which are all extracted from the samples. For example, we successfully classify Mirai samples into 106 variants based on the combination of supported attack methods. We also successfully connected multiple branches based on the keys used in configuration encryption. To summarize, the content of this talk is as follows:

1)We will demonstrate the idea of automatically extracting configurations, supported attack methods, and credential dictionaries from samples for classification purpose.

2)We will propose a fingerprint technique to recognize Mirai attack methods (e.g., syn_flood, http_flood) with information extracted from samples without reverse engineering work.

3)We will introduce a set of classification schemes based on the extracted data, and will investigate popular Mirai branches with proposed schemes.

It’s worth mentioning that since the used data is processor-independent (e.g., x86, x64, ARM, MIPS, SPARC, PowerPC), our schemes can classify the same variant’s samples even if they are for different CPU architectures.

Ya LIU and Hui WANG China


Print Friendly, PDF & Email