Botconf 2024

23rd - 26th April 2024, Nice

Last year: 400 participants from 30 countries all over the world

28 presentations and 3 workshops

4 days of exchanges, discussions and making new friends!

 

Schedule

Tuesday 23rd April 2024

13:00 – 15:30
TLP:GREEN
WS2 – Teams is for C2: Building and Reversing a Teams RAT (5h)
Randy Pargman 🗣 | Kyle Cucci 🗣

This workshop consists of two parts:
First, we will build a Remote Access Tool with indirect syscalls, shellcode running and COFF running capabilities, and other common features that uses Microsoft Teams as its Command and Control channel. Participants will be provided with a VM for VMWare player or workstation that has all the necessary source code and build environment set up. Participants will need to create a free M365 Developer tenant prior to starting the workshop.

In the second part, we will reverse engineer the Teams RAT binary and a loader, showing how to analyze stack strings, deal with opaque predicates, XOR string obfuscation, and anti-debugging tricks of malware.

If workshop participants were not able to create a free M365 Developer tenant prior to Microsoft changing the policy to limit the program to Visual Studio subscribers, the workshop instructors will provide working accounts in a tenant for those participants to use.

To participate in this workshop, you will need to register for free Microsoft 365 Developer program, which creates your own Azure tenant with Microsoft Teams for the C2 channel. You will also need a laptop with VMWare Player, Workstation, or Fusion installed and at least 30-50GB free disk space. You will be provided with a VM for VMWare that is set up with all tools, or you can build your own Windows 11 VM and install Visual Studio setup for C++ development + vcpkg, libcurl, cJSON, x64dbg, and IDA Free if you prefer not to use a pre-built VM.

13:30 – 15:30
TLP:CLEAR
WS3 – DotNet Malware Analysis (4h)
Max ‘Libra’ Kersten 🗣

Understanding DotNet malware can be daunting at first, but not so much with a solid knowledge of its fundamentals. The goal of this workshop is to teach the required concepts, as these can be transferred into any language of choice, in many different scenarios. As such, attendees gain a deep(er) understanding of the used techniques and methods.

This class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts. The exercises in the workshop are based on actual malware samples, and each exercise consists of several questions for the attendees. The questions become incrementally difficult, ensuring there always is a challenge.

Since the workshop’s materials will consist of actual malware samples, precautions are required, which will be explained in detail during the workshop, ensuring the safety and integrity of the attendees’ systems.

There are several requirements to join:
• A laptop (x86_64 based) capable of smoothly running one x86_64 Windows 10 VM
• Visual Studio Community Edition (2019 or later) on the VM
• The DotNet Framework runtime for version 3.5 and later (default, version 4 is installed) on the VM
• dnSpyEx, de4dot, DotDumper, and other tools can be downloaded during the workshop as these are insignificant in size.
• Understand VB.NET/C#, and preferably be (somewhat) comfortable writing it. It is possible to join the workshop without the ability to write code, but you will notice this in the later stages of the workshop.

14:00 – 15:30
TLP:GREEN
WS1 – Writing Configuration Extractors: Navigating Challenges in Extracting Malware Artifacts (3h)
Souhail Hammou 🗣 | Miroslav Stampar 🗣

As reverse engineers, a significant part of our daily work involves writing and maintaining artifact extractors for multiple malware families, ranging from stealers and RATs to loaders and banking trojans. Our primary goal is to create C2 protocol emulators when applicable and useful. This requires extracting a broad array of artifacts to accurately emulate bot behavior for each malware sample. While some artifacts are straightforward to extract, others demand a certain level of skill. This workshop zeros in on the latter, providing a hands-on opportunity to delve into the real challenges we encounter in this process and how to navigate them efficiently. The use-cases we explore span various malware families and encompass a range of approaches and techniques, including but not limited to the use of regular expressions, manipulation of PE dumps, utilization of the Unicorn code emulation library and of the Capstone disassembly framework.

Prerequisites: IDA Free (or a disassembler of choice) and Python >= 3.10 installed. Malware samples will be provided by the instructors.
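The regex-and-XOR pattern that both WS1 (configuration extractors) and WS2 (XOR string obfuscation in the Teams RAT) revolve around, as an added example that is not material from either workshop: a regular expression locates a config blob in a memory dump, a repeating-key XOR decodes it, and the fields are parsed. The blob layout (marker `CFG0`, 4-byte key, 16-bit length, NUL-separated host/port/campaign) and the sample dump are assumptions constructed for this example and do not describe any real family.

```python
"""Minimal artifact extractor: locate an XOR-encoded config blob in a memory
dump with a regular expression, decode it and parse its fields.

The blob layout below is an ASSUMPTION made for this example (it is not the
format of any real family): marker "CFG0" | 4-byte XOR key | u16 LE length |
length bytes XORed with the repeating key, decoding to NUL-separated
host, port and campaign id.
"""
import re
import struct

MAGIC = b"CFG0"
# DOTALL so the key/length groups may contain newline bytes (0x0a) as well.
CFG_RE = re.compile(rb"CFG0(?P<key>.{4})(?P<len>.{2})", re.DOTALL)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_blob(host: str, port: int, campaign: str, key: bytes) -> bytes:
    """Helper used only to construct the sample dump below."""
    plain = b"\x00".join([host.encode(), str(port).encode(), campaign.encode()])
    enc = xor_decode(plain, key)
    return MAGIC + key + struct.pack("<H", len(enc)) + enc


def extract_configs(dump: bytes) -> list:
    """Return every well-formed config found in `dump`.

    Matches whose declared length runs past the end of the dump, or whose
    decoded content does not parse, are skipped rather than raising: real
    dumps contain decoys, partial pages and the marker bytes in unrelated
    places, and an extractor that crashes on one sample stalls the pipeline.
    """
    found = []
    for m in CFG_RE.finditer(dump):
        key = m.group("key")
        (length,) = struct.unpack("<H", m.group("len"))
        start = m.end()
        if length == 0 or start + length > len(dump):
            continue  # truncated or bogus length
        plain = xor_decode(dump[start:start + length], key)
        fields = plain.split(b"\x00")
        if len(fields) != 3 or not fields[1].isdigit():
            continue  # decoded to garbage: wrong key or false-positive marker
        try:
            host = fields[0].decode("ascii")
            campaign = fields[2].decode("ascii")
        except UnicodeDecodeError:
            continue
        found.append({"c2": host, "port": int(fields[1]),
                      "campaign": campaign, "key": key.hex()})
    return found


# Constructed sample "dump": header padding, one real blob, junk bytes,
# and a decoy whose declared length runs past the end of the buffer.
SAMPLE_KEY = b"\x13\x37\xbe\xef"
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 30
    + build_blob("c2.example.invalid", 8443, "camp01", SAMPLE_KEY)
    + b"\xcc" * 8
    + MAGIC + b"\x01\x02\x03\x04" + struct.pack("<H", 0xFFFF) + b"AB"
)

if __name__ == "__main__":
    for cfg in extract_configs(SAMPLE_DUMP):
        print(cfg)
```

The same skeleton carries over to the harder cases the workshop targets: when the key or the blob offset is only computed at runtime, the regex anchors on the code that references them and an emulator (the workshop names Unicorn) runs that code to recover the values before `xor_decode` is applied.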

Wednesday 24th April 2024

11:00 – 11:40
TLP:GREEN
3CX: a “mise en abyme” supply chain attack?
Victorien Fragne 🗣 | Godefroy Galas 🗣

This talk will look back on the 3CX supply chain attack campaign, which occurred in March and early April 2023 and consisted in the use of the 3CX VoIP software to achieve one of the biggest supply chain attacks since SolarWinds.
Attributed in open source to the “North Korea-nexus” intrusion set LABYRINTH CHOLLIMA (a cluster of the well-known Lazarus group), this attack campaign had the potential to cause significant damage, since the 3CX software is used by around 600,000 corporate customers (including the NHS, PwC and IKEA) and counts roughly 12 million users per day.
After a detailed description of the underlying infection chain, the presentation will focus on explaining the code and infrastructure links between this campaign and the intrusion set LABYRINTH CHOLLIMA, and on summarising the actions taken by the Agency to contain it.

11:45 – 12:05
TLP:AMBER
It’s getting cloudy – peering into the recent APT29 activities
CERT Polska 🗣

As a national CERT, we come across many intriguing malware campaigns targeting Polish organizations and institutions. Last year, we saw several threat actors targeting a number of European embassies and MFAs, but one group looked especially interesting: APT29. While the selection of attacked institutions was interesting, what really struck a chord was the use of multiple legitimate services as covert C&C servers.
We continued to track the campaigns deployed by the actor for almost a year and gathered enough information to allow us to co-publish several reports on the malware activities and tooling.
In this talk we’ll examine the methods attackers used to stay undetected and go a little behind the scenes of the public reports.

12:10 – 12:40
TLP:GREEN
BYOVD Unveiled: Hunting and Exploring Vulnerabilities in Device Drivers
Nirmal Singh 🗣 | Rajdeepsinh Dodia 🗣

Malicious program authors often exploit vulnerabilities in popular software programs and employ various methods to circumvent security measures such as antivirus software, sandboxing, and intrusion detection systems. More precisely, threat actors have begun using vulnerable legitimate drivers as a means of infiltrating systems; this attack is known as BYOVD, short for Bring Your Own Vulnerable Driver. These drivers are responsible for facilitating communication between physical devices and the operating system, operating at a higher privilege level in kernel mode. In contrast, user mode is a less privileged mode used by various applications. By taking advantage of vulnerable drivers, attackers can execute actions without verifying the process or privileges of the caller. Numerous vulnerable drivers from different software and hardware vendors have already been identified, for instance in LOLDrivers[2].
Generally, threat actors use malicious payloads, and these are often detected by antivirus products and anti-malware tools. But leveraging known signed drivers from different hardware and software vendors creates less suspicion. Historical instances reveal ransomware groups [3] exploiting driver vulnerabilities to disable antivirus and EDR security tools, with APT groups like Lazarus [4] similarly leveraging these weaknesses.
Our objective is to uncover and examine vulnerable drivers designed to run on different Windows versions (x86-64 architecture) that may be susceptible to exploitation by malicious individuals. During our investigation, we uncovered several digitally signed vulnerable drivers from reputable vendors, some of which lacked adequate measures to authenticate the calling process. Our research encompasses a range of techniques for manipulating driver functionality from user mode, including various approaches for exploiting driver functionality by making calls from user mode.

14:00 – 14:40
TLP:AMBER
Opera1er: from tracking the threat actor to detaining a criminal behind
Anton Ushakov 🗣 | Hugo Rifflet 🗣

This talk covers a technical description of the tactics, techniques, and procedures (TTPs) of the French-speaking, financially motivated threat actor codenamed OPERA1ER (NXSMS), as well as the details of the threat actor investigation carried out in collaboration with law enforcement authorities, followed by the arrest of a key figure of the gang.
The presentation takes a deep dive into the operations of this prolific cybercrime syndicate, confirmed to have stolen at least $11 million since 2019 in 30 targeted attacks, describing the kill chain of the attacks, the ways used to hunt and track malicious infrastructure, and the methods used to identify one of the Opera1er members.

14:45 – 15:15
TLP:CLEAR
New Modular Malware RatelS: Shades of PlugX
Yoshihiro Ishikawa 🗣 | Takuma Matsumoto 🗣

In March 2023, we observed a new APT malware used by an unknown APT actor in several Japanese companies. The malware is a modular remote access trojan (RAT) like PlugX or ShadowPad, which have been shared among China-based APT actors and used in various campaigns. We named this malware “RatelS” based on the strings contained in the file path and window title.

RatelS has 11 malicious modules, including command execution, file manipulation, and keylogging, which can be dynamically loaded and unloaded in response to commands from the C2 server. Also, this RAT has two communication capabilities with different directions: Reverse mode and Listen mode. The former callbacks from the infected host to the C2 server, while the latter opens a port and listens for connections. The C2 communication is performed via TCP, TLS, HTTP, or HTTPS.

During the investigation of the RatelS incident, we discovered a builder and controller that can build RatelS by simply selecting options and remotely operate infected machines. It is notable that RatelS has some similarities with PlugX in its implemented features and code; moreover, this actor also utilized PlugX with P2P communication functionality in the campaign. This suggests the possibility that RatelS is a successor to PlugX.

In this presentation, we are going to share technical details of the analysis of the new malware RatelS, its similarities with PlugX, and methods to detect and respond to the malware activity for future prevention. This includes a demonstration of RatelS C2 operation using the builder and controller. In addition, we will indicate the attribution of the APT actors using RatelS based on other similar malware.

15:20 – 15:50
TLP:CLEAR
Parsing the Unparsable: Turning Analyzers into Victims
Yusuf Kocadas 🗣 | Furkan Er 🗣

While thinking about how to prevent static analysis of our customers’ applications, I found myself analyzing publicly available APK parsers on GitHub. I walked through a bunch of issues to see which apps had broken or crashed their parsers, and collected many apps, both legitimate and malicious. Then I started to extract their peculiarities and commonalities. After working on these outputs, I dived into analyzing open-source parsers and bumped into many issues, some of which turned out to be crucial security problems. Furthermore, some of these parsers are the backbone of many security products. In this talk, I will share my findings and how to turn analyzers into victims.

16:20 – 17:00
TLP:CLEAR
Everyone Gets a Webshell! Or, Backdooring Web Hosting Companies at Scale
Daniel Frank 🗣

What happened when a flying-under-the-radar threat actor decided to directly go after web-hosting providers who host thousands of legitimate websites? How and why did they do it? These questions stand at the heart of our talk, in which we’ll explore the evolution of a determined threat actor that has been targeting web hosting providers throughout 2020-2023.

17:05 – 17:45
TLP:CLEAR
Warp’s Enigma: Unraveling a Sophisticated Golang Malware Ecosystem that drops modified Stealerium
Sathwik Ram Prakki 🗣 | Rayapati Lakshmi Prasanna Sai

The surge in cybercrime ecosystems and underground forums has led to a substantial increase in stealer malware variants, facilitated by Malware-as-a-Service (MaaS) platforms addressing specific needs and vulnerabilities. This talk delves into the intricate details of a modern malware ecosystem named Warp, characterized by its high level of sophistication and multifunctionality. Warp, crafted in the Go programming language, comprises various components such as a loader, dropper, and stealer, typical of a malware ecosystem. This infection process leads to a modified version of the Stealerium infostealer, a potent malware adept at extracting sensitive information while employing anti-analysis techniques.

This paper conducts an in-depth technical analysis of the components comprising the Go-based Warp malware ecosystem and how the infection chain unfolds. The analysis covers the reversal of Go-based binaries using IDA Pro, the utilization of random API calls and various search engines to mask C2 traffic, and an exploration of the Telegram bot used for C2. Additionally, the UAC bypass through RPC requests via the ALPC kernel feature and an overview of the Avast anti-rootkit functionality employed to disable AV/EDR solutions are discussed which are linked to the dropper component. The paper also highlights the distinctions between Warp Stealer’s Telegram and Stealerium’s Discord, both used for C2 communication, shedding light on the diverse functionalities incorporated within this complex malware ecosystem.

17:50 – 18:30
TLP:CLEAR
I’m a Bad Noodle!: An Analysis of Noodle RAT Shared among China-nexus Groups
Hiroaki Hara 🗣

While investigating several incidents, we encountered an undocumented Linux-based backdoor, which we dubbed “Noodle RAT”. This backdoor shares some code with “Rekoobe”, a Linux-based backdoor widely used by multiple actors, but implements additional backdoor capabilities with a custom C&C protocol. After further analysis, we figured out that Noodle RAT shares some code, including the custom C&C protocol, backdoor command IDs and C&C configuration format, with a Windows-based backdoor used by Calypso APT and Iron Tiger. Based on these overlaps, we concluded that these backdoors should be categorized as Noodle RAT for different architectures. This means that Noodle RAT was originally designed as a multi-platform backdoor targeting Windows and Linux.

Through this presentation, we will introduce the details of the code overlaps between the Windows and Linux versions of Noodle RAT, and how Noodle RAT for Linux has evolved from Rekoobe. In addition, we will show the possibility of a malware development ecosystem among Chinese-speaking actors, including espionage-focused groups, behind Noodle RAT. Finally, through the findings on Noodle RAT, we would like to point out that tool-based attribution is getting more challenging.


Thursday 25th April 2024

09:00 – 09:30
TLP:CLEAR
Unplugging PlugX: Sinkholing the PlugX USB worm botnet
Félix Aimé 🗣 | Charles Meslay 🗣

In March 2023, Sophos published an article entitled “A border-hopping PlugX USB worm takes its act on the road”, shining a light on a PlugX variant with worming capabilities. According to the Sophos blog post, all of these PlugX samples communicate with only one IP address. In September 2023, we managed to take ownership of this IP address to sinkhole that botnet.

Hundreds of thousands of unique IP addresses sent PlugX distinctive requests to our sinkhole server in the first weeks of sinkholing. Even if the botnet can be considered as “dead”, anyone with interception capabilities or taking the ownership of this server can send arbitrary commands to the infected computers, repurposing the botnet for malicious activities.

This presentation aims to explain the roots of this campaign, our sinkholing methodology, the PlugX internals with some reversing and the legal issues of disinfection leading us to think about the sovereign disinfection concept.

09:35 – 10:05
TLP:GREEN
Eastern Asian Android Assault – FluHorse.
Alexandr Shamshur 🗣 | Raman Ladutska 🗣

The FluHorse malware features several malicious Android applications that mimic legitimate applications each with more than 100,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.
Quite surprisingly, no custom implemented tricks are used inside FluHorse, as the malware authors relied solely on an open-source framework for the development process of malicious functionality. It is implemented with Flutter – an open-source UI software development kit created by Google and is used to develop cross-platform applications for various platforms, including Android and iOS for mobile devices, with a single codebase. What makes Flutter an appealing choice for malware developers is the use of a custom virtual machine to support different platforms and its ease of use for creation of GUI elements. Analyzing such applications is complicated, due to the custom VM, which makes this framework a perfect solution for Android phishing attacks, as it turned out to be.
In our research, we describe different targeted markets in several countries and compare phishing applications with the legitimate ones – differences are pretty hard to spot at first glance. We give credits to the available tools for Flutter-application analysis while also providing the enhancements that resulted in our open-source contribution: https://github.com/Guardsquare/flutter-re-demo/pull/4. We go through all the pitfalls encountered during our research and provide solutions on how to bypass them. Finally, we give an overview of Command-and-Control communication of the malware as well as dive deeply into the details of the network infrastructure analysis.

10:10 – 10:40
TLP:GREEN
Evasions Fest of Korean Android Financial Menace – FakeCalls
Raman Ladutska 🗣

When malware actors want to enter the business, they can choose markets where their profit is almost guaranteed to be worth the effort – according to past results. The malware does not need to be high profile, just careful selection of the audience and the right market can be enough.

This is the exact case that we observed in South Korea when we encountered an Android Trojan named FakeCalls. This malware can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees – perform the attack called voice phishing, or vishing.

Vishing attacks have a long history in the South Korean financial market. The problem was so serious that it even drew the attention of the government, resulting in a careful investigation and subsequent report: financial losses due to voice phishing constituted approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020. Knowing these facts, we understand why exactly this country and this market were chosen by FakeCalls.

We discovered more than 3500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented several new anti-analysis techniques. In our presentation we describe all of the encountered anti-analysis techniques, and show how to mitigate them, refer to the history of South Korean vishing attacks and speak about the key details of the malware functionality.

11:10 – 11:40
TLP:GREEN
LightSpy2: feature-rich mobile surveillance tool set
Victor Chebyshev 🗣

Mobile malware poses a significant threat to user privacy and security, with the potential to carry out a wide range of malicious actions on infected devices. Beyond the familiar capabilities such as SMS message theft, call log recording, and location tracking, this session delves into the lesser-known, but equally alarming, functionalities that modern mobile threats can employ.

During this session, we will provide an in-depth exploration of our discovery of the sophisticated mobile threat known as LightSpy, including its core components and a staggering fourteen associated plugins. These plugins extend LightSpy’s capabilities by implementing a variety of unique techniques.

One of the highlights of this presentation will be the revelation of novel techniques employed by threat actors to exfiltrate private information from victims’ WeChat Pay transaction histories. Additionally, we will detail how the LightSpy plugin demonstrated the ability to record VOIP calls made through WeChat, all without requiring root access to the target device.

We will shed light on the intricate workings of LightSpy and its plugins, offering insights into the evolving landscape of mobile malware and the advanced methods employed by malicious actors to compromise user data and privacy.

11:45 – 12:15
TLP:CLEAR
The Supershell and its widespread Botnet
Chetan Raghuprasad 🗣

This presentation details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants.

Supershell is a relatively new C2 framework with a web-based command and control (C2) server written in Python and an administration panel in Chinese. Throughout the presentation, I will detail the Supershell C2 framework and what a threat actor can achieve using the Supershell C2 and its implants. We will see one of the many techniques threat actors use to deliver the Supershell implants to the victim’s machine and register them with the Supershell C2, establishing the botnet. We will also see how widespread the Supershell infection is and which countries and business verticals are infected by Supershell. We also share the details of our research approach to finding active Supershell C2s by pivoting on some of the indicators of the various attacks we analyzed.

Finally, I will discuss the possible indications of Chinese-speaking threat actors conducting the Supershell infections, along with the other tools used, including reconnaissance, asset management, and Cobalt Strike beacons.

12:15 – 12:45
TLP:GREEN
Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos
Alexey Bukhteyev 🗣 | Arie Olshtein

In the ever-evolving landscape of cyber threats, seemingly legitimate tools have taken a dark turn, emerging as potent weapons in the hands of cybercriminals. Notable examples include the Remcos RAT and GuLoader (also known as CloudEyE Protector). Our recent study establishes a strong link between these dual-use agents. While Remcos is easily detected by antivirus solutions, rendering it challenging for criminal purposes, GuLoader provides a means to bypass anti-virus protection seamlessly.

GuLoader, recognized as a shellcode-based loader, facilitates malware evasion of antivirus defenses and utilizes cloud services for encrypted payload storage. In 2020, we exposed a direct connection between GuLoader and CloudEyE Protector, initially presented as a legitimate software protection tool. Subsequently, CloudEyE advertisements nearly vanished from the web, prompting us to question whether CloudEyE Protector reemerged under a new guise.

14:00 – 14:40
TLP:AMBER
Gozi ISFB – Memoirs of a banking trojan
Fred Harrison 🗣

Gozi ISFB has been a persistent banking trojan that has gone through many changes over its lifetime. Observed in generic and banking fraud campaigns, and now slowly pivoting into the ransomware-as-a-service world, it doesn’t seem to be slowing down.

Within this presentation we will outline the different observed use cases of Gozi ISFB going into detail about the actors, operations and the relationships observed between the threat actors behind it.

Pulling back the curtains on the banking trojan, the presentation describes some of the interesting campaigns run by threat actors using the banking trojan and how they have used its features to steal from and defraud both private and public entities. We’ll also be touching on Gozi ISFB operators that have close relationships with the current developers, as well as their relationships to other strains of the malware.

14:45 – 15:25
TLP:CLEAR
GenRex Demonstration: Level Up Your Regex Game
Dominika Regéciová 🗣

GenRex is a unique tool for detecting similarities in artifacts from executable files and the generation of regular expressions.

This paper demonstrates how to use GenRex to maximize the usage of regular expressions automatically created from behavioral reports and other potential use cases.

GenRex will be open-sourced, and additional resources, such as a dataset of behavioral reports and an extension to the YARA tool, will be provided.

16:00 – 16:30
TLP:GREEN
Telegram-as-a-C2 or a Fourfold Tale of Bad OPSEC
Pol Thill 🗣

In recent times, Telegram Bots have emerged as a prominent Command and Control (C2) mechanism, gaining popularity among threat actors for their resilience against takedowns, user-friendly setup, and versatile configuration options. Both Advanced Persistent Threats (APTs) and cybercrime actors have started incorporating Telegram-as-a-C2 into their arsenal, deploying it in innovative and distinctive ways.

From DarkPink to Neo_Net, YoroTrooper to DuckTail, threat actors across the spectrum have embraced Telegram-as-a-C2, often at the expense of sound operational security (OPSEC) practices. Unique characteristics in the functioning of Telegram Bots combined with weak threat actor OPSEC provide cybersecurity researchers with a unique opportunity to gain insights into malicious operations and the individuals orchestrating them.

This talk aims to delve deeper into the inner workings of the Telegram-as-a-C2 mechanism, shedding light on its functionalities and its use in current malware ecosystems. Moreover, we will explore how researchers can leverage Telegram Bots to acquire valuable intelligence on victim targeting, Tactics, Techniques, and Procedures (TTPs), and the identities of threat actors. Join me in uncovering the hidden facets of Telegram-as-a-C2 and harnessing this knowledge to bolster cybersecurity defenses against this emerging threat landscape.
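The first steps a researcher takes against a Telegram-as-a-C2 sample, as an added example that is not code from the talk: recover the bot token from the sample’s strings, derive the Bot API endpoints the token unlocks, and triage a `getUpdates` response for chat IDs, operator handles and exfiltrated file names. The token, the strings blob and the JSON response are all constructed for this example (the token is not a real credential) and nothing is sent to api.telegram.org. The token shape used by the regex (numeric bot id, colon, 35-character secret) is the commonly observed BotFather format; the `https://api.telegram.org/bot<token>/<method>` URL scheme is Telegram’s documented Bot API.

```python
"""Recover Telegram bot tokens from a sample and triage a getUpdates feed.

Runs fully offline: the token, strings blob and JSON below are constructed
for this example; no request is sent to api.telegram.org.
"""
import json
import re

# BotFather tokens look like <numeric bot id>:<35-char secret>. The id part
# is also the bot's user id, which shows up in the chat records it touches.
# No leading \b: tokens usually sit directly after "bot" in an API URL.
TOKEN_RE = re.compile(rb"(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
API_BASE = "https://api.telegram.org/bot{token}/{method}"

# Constructed, non-functional token (not a real credential).
SAMPLE_TOKEN = "1234567890:AAF0123456789abcdefghijklmnopqrstuv"

# Constructed strings output of a sample: the token appears twice, next to
# a channel id and a decoy that has the right shape but too few digits.
SAMPLE_STRINGS = (
    b"kernel32.dll\x00GetProcAddress\x00"
    + b"https://api.telegram.org/bot" + SAMPLE_TOKEN.encode() + b"/sendDocument\x00"
    + b"token=" + SAMPLE_TOKEN.encode() + b"\x00"
    + b"chat_id=-1001234567890\x00"
    + b"12345:notatoken\x00"
)


def find_bot_tokens(blob: bytes) -> list:
    """Unique tokens, in order of first appearance."""
    seen = []
    for m in TOKEN_RE.finditer(blob):
        tok = m.group(1).decode("ascii")
        if tok not in seen:
            seen.append(tok)
    return seen


def bot_id(token: str) -> int:
    """The numeric part of the token identifies the bot account itself."""
    return int(token.split(":", 1)[0])


def bot_api_urls(token: str) -> dict:
    """Endpoints a researcher would query first with a recovered token."""
    return {m: API_BASE.format(token=token, method=m)
            for m in ("getMe", "getUpdates", "getWebhookInfo")}


# Constructed getUpdates response: one private message from the operator's
# own account and one channel post carrying an exfiltrated archive.
SAMPLE_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 700001,
         "message": {"message_id": 41,
                     "from": {"id": 555000111, "is_bot": False, "username": "op_handle"},
                     "chat": {"id": 555000111, "type": "private"},
                     "date": 1700000000, "text": "/start"}},
        {"update_id": 700002,
         "channel_post": {"message_id": 9,
                          "chat": {"id": -1001234567890, "type": "channel", "title": "logs"},
                          "date": 1700000300,
                          "document": {"file_name": "DESKTOP-1A2B3C_logs.zip", "file_id": "BQACAg"}}},
    ],
})

UPDATE_KINDS = ("message", "edited_message", "channel_post", "edited_channel_post")


def summarize_updates(raw: str) -> list:
    """Flatten a getUpdates response into one record per update.

    Telegram wraps the payload in one of several keys (see UPDATE_KINDS);
    the chat id, sender handle and any uploaded file name are what matter
    for victim and operator triage. A non-ok reply (e.g. a revoked token)
    yields an empty list instead of a KeyError.
    """
    doc = json.loads(raw)
    if not doc.get("ok"):
        return []
    records = []
    for upd in doc.get("result", []):
        body = next((upd[k] for k in UPDATE_KINDS if k in upd), None)
        if body is None:
            continue
        sender = body.get("from", {})
        attachment = body.get("document", {})
        records.append({
            "update_id": upd["update_id"],
            "chat_id": body["chat"]["id"],
            "chat_type": body["chat"]["type"],
            "from_id": sender.get("id"),
            "username": sender.get("username"),
            "text": body.get("text"),
            "file_name": attachment.get("file_name"),
        })
    return records


if __name__ == "__main__":
    for tok in find_bot_tokens(SAMPLE_STRINGS):
        print(bot_id(tok), bot_api_urls(tok)["getMe"])
    for rec in summarize_updates(SAMPLE_UPDATES):
        print(rec)
```

Two practical caveats before pointing this at a live token: a `getUpdates` poll competes with the operator’s own consumer (and fails outright if the bot has a webhook set, which `getWebhookInfo` reveals), and any query with a stolen token interacts with live attacker infrastructure, so the legal and OPSEC framing of the engagement decides whether that step is taken at all.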

16:30 – 17:15
TLP:GREEN
Caviar Scammers: Uncovering the SturgeonPhisher APT Group
Damien Schaeffer 🗣

SturgeonPhisher is a cyberespionage group active since at least October 2021 and also known as YoroTrooper. The group targets government officials, think-tanks, and employees of state-owned companies, mostly in countries bordering the Caspian Sea, the Russian Federation being one of the most targeted countries.

SturgeonPhisher has carried out spearphishing and webmail-credential stealing operations, and they also use a recently updated arsenal including some custom reverse shells, password stealers, multiple remote access trojans, and some Telegram-based backdoors as a way of performing espionage campaigns on selected targets.

We will describe numerous techniques SturgeonPhisher employs to compromise its targets. In their phishing operations, this threat actor used clever techniques to trick users into providing their credentials. We also put in place monitoring of their infrastructure and observed their operations over time. This gave us valuable insights into their TTPs and modus operandi.

In this presentation, we will describe a few typical compromise chains with some examples of phishing websites and analysis of multi-stage malware. We will also highlight their network infrastructure, talk about the victimology and post-compromise activities. Finally, we will provide hints about the group’s attribution and operating location based on our research.

19:30 – 23:00
Lightning talks

Friday 26th April 2024

09:30 – 10:10
TLP:AMBER
IcedID’s Icy Depths: A Year in Infrastructure and Trends
Rachelle Goddin 🗣 | Josh Hopkins 🗣

This talk is a continuation on the subject of IcedID, which we presented at Botconf 2023. In our previous talk we covered methodologies for hunting IcedID infrastructure, subsequently explaining how we use these findings to pivot to the management of IcedID using network telemetry data. In doing so we were able to explore the threat actors’ pattern of life, as well as uncovering the tools and services they utilize on a day to day basis.

In this talk we will provide an in-depth overview of IcedID infrastructure and activity behind-the-scenes, covering the intervening period since we last met in Strasbourg. Broken down into key infrastructure elements we will examine how the threat actors have adapted and evolved, to both improve their capabilities and in reaction to changes in the threat landscape.

We will show that during periods of apparent “quiet”, the threat actors continue to access and update their infrastructure, in preparation for an inevitable return. Finally, we will consider the impacts of events such as Operation Duck Hunt on the botnet ecosystem, as well as highlighting potential connections to other emerging threats such as DarkGate (reloaded) and PikaBot.

10:10 – 10:30
TLP:GREEN
Rhadamanthys: The new stealer making WAVs in the eCrime landscape
Bea Venzon 🗣

In September 2022, Rhadamanthys first appeared in the eCrime landscape, with detailed forum posts that continue to capture the attention of both threat actors and security researchers. The malware itself is technically complex, utilizing a multi-stage infection chain, compression, encoding, steganography, and encryption to make analysis and detection more difficult.

This presentation provides a summary of Rhadamanthys’ components. The talk will also dive into how the Rhadamanthys developer positions themselves in the market, focusing on their early efforts to develop a customer base by focusing on ease of use and customer support. Using CrowdStrike telemetry, we will also look at statistics on the various distribution vectors for Rhadamanthys.

The audience will gain a better understanding of Rhadamanthys’ technical workings, and gain insights on how to hunt for the malware and reduce potential impact.

11:00 – 11:35
TLP:CLEAR
Monitoring 1st stage samples used by APTs and crime actors using images
Jose Luis Sanchez Martinez 🗣

Abstract (click to view)

Images are a common feature of documents, but they can also be a valuable source of intelligence for security analysts. By tracking the images that threat actors use in their documents or emails, analysts can gain insights into their procedures, as well as their potential targets and impersonated companies.

This presentation will discuss a new approach to tracking threat actors using images in office documents, PDFs and emails.

This approach has helped us find and track the Russian cyber-espionage group Gamaredon, the group known as Blind Eagle (suspected to operate from Latin America), and other APT and crime groups. The presentation will also discuss the challenges and limitations of the approach.
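As an added example (not the speaker's own tooling), the following Python shows the core of this approach on constructed inputs: it pulls embedded images out of OOXML containers and MIME e-mails, hashes them, and reports images that recur across samples, which is the pivot an analyst would use to link a new lure to a known actor. The sample identifiers, file layouts and image bytes are all constructed here. The hash is exact SHA-256, so a re-encoded or resized copy of a logo would not match; catching those needs a perceptual hash on top of this index.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Magic bytes for the image formats most often embedded in lure documents.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}


def image_type(data: bytes):
    """Return the image format by magic bytes, or None if this is not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def images_from_ooxml(blob: bytes):
    """Return [(member path, bytes)] for every image inside a docx/xlsx/pptx.
    OOXML is a zip; media lives under word/media/, xl/media/ or ppt/media/."""
    found = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if "/media/" in name:
                data = zf.read(name)
                if image_type(data):
                    found.append((name, data))
    return found


def images_from_eml(blob: bytes):
    """Return [(filename, bytes)] for every image/* MIME part of an e-mail."""
    found = []
    for part in message_from_bytes(blob).walk():
        if part.get_content_maintype() == "image":
            data = part.get_payload(decode=True)
            if data and image_type(data):
                found.append((part.get_filename() or "inline", data))
    return found


def index_images(samples):
    """Map sha256(image) -> set of sample ids that embed that exact image."""
    index = {}
    for sample_id, kind, blob in samples:
        images = images_from_ooxml(blob) if kind == "ooxml" else images_from_eml(blob)
        for _path, data in images:
            digest = hashlib.sha256(data).hexdigest()
            index.setdefault(digest, set()).add(sample_id)
    return index


def shared_images(index, min_samples=2):
    """Keep only hashes seen in at least min_samples distinct samples: the pivots."""
    return {h: ids for h, ids in index.items() if len(ids) >= min_samples}


# --- constructed test corpus (not real malware; byte strings are placeholders) ---
PNG_A = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-A" * 4
PNG_B = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-B" * 4
JPG_A = b"\xff\xd8\xff\xe0" + b"constructed-photo-A" * 4


def make_docx(images):
    """Build a minimal docx-shaped zip with the given images under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        for i, data in enumerate(images, 1):
            zf.writestr(f"word/media/image{i}.{image_type(data)}", data)
    return buf.getvalue()


def make_eml(images):
    """Build a multipart e-mail with the given images attached."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "constructed lure"
    msg.set_content("see attached")
    for i, data in enumerate(images, 1):
        msg.add_attachment(data, maintype="image", subtype=image_type(data),
                           filename=f"img{i}.{image_type(data)}")
    return msg.as_bytes()


SAMPLES = [
    ("doc-1", "ooxml", make_docx([PNG_A, JPG_A])),
    ("doc-2", "ooxml", make_docx([PNG_B])),
    ("mail-1", "eml", make_eml([PNG_A])),   # reuses doc-1's logo: the pivot
]

INDEX = index_images(SAMPLES)
PIVOTS = shared_images(INDEX)

if __name__ == "__main__":
    for digest, ids in PIVOTS.items():
        print(digest[:16], sorted(ids))
```

In practice the index is fed continuously from a sandbox or mail gateway, and a denylist of hashes for images that ship with Office templates or common mail signatures is needed, otherwise those become the most "shared" images and drown the real pivots.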

11:35 – 12:10
TLP:CLEAR
IoT Malware and Rootkit Detections Using Electromagnetic Insights: Unveiling the Unseen
Duy Phuc Pham 🗣 | Damien Marion 🗣 | Annelie Heuser

Abstract (click to view)

The Internet of Things (IoT) is a network of interconnected devices that is becoming increasingly complex and suffers from inadequate security measures. Cybercriminals, especially those who specialise in malware and rootkits, have recently begun targeting these devices because they often run outdated technology deployed without security risks taken into account.

In this session, we will discuss two challenges, rootkit detection and malware classification, with the help of electromagnetic (EM) side channels. EM allows us to operate outside of the “box” (literally, outside the device), with no resource requirement on the target device. Our approach focuses on the ARM and MIPS architectures of real-world Raspberry Pi and Creator CI20 devices. The solution employs multiple data preprocessing methods, allowing analysts to select from a variety of machine learning and deep learning models based on their specific requirements. Both approaches resulted in high accuracy (up to 100%) for multiple malware classification and real-time detection scenarios.

12:10 – 12:40
TLP:CLEAR
Malware distribution at scale – The ecosystem of TA577
Fabian Marquardt 🗣

Abstract (click to view)

TA577, also known as Tramp or TR, is a prolific cybercrime actor that has specialized in distributing initial-access malware used to conduct ransomware attacks. Our talk at Botconf will be structured as follows.

First, we give an overview of the past and present activities of TA577, in particular the different malware payloads that TA577 has distributed and their connection to ransomware and big game hunting, specifically through the Black Basta ransomware operation.

Second, we will focus on the capabilities and infrastructure that TA577 has obtained to distribute different malware payloads at scale. We will share our findings about how the threat actor obtains compromised infrastructure, what scripts they use to distribute malware via the compromised systems, and what functionality they have implemented to hinder researchers from analyzing their tools and payloads. Finally, we will provide some recommendations about how defenders can detect, identify and mitigate infrastructure and payloads of TA577.

12:40 – 13:40
13:40 – 14:10
TLP:CLEAR
A Taxonomic Overview of Prevalent Malware Communication Strategies
Steffen Enders 🗣 | Daniel Plohmann 🗣 | Manuel Blatt

Abstract (click to view)

The consistently large volume and diversity of malware poses a substantial threat to network security. In response, it is crucial to develop systematic strategies and countermeasures. This involves not only detecting and identifying malware on the network but also taking appropriate actions to mitigate its impact.

In the first section of our presentation, we present a taxonomy for malware C&C communication. This taxonomy is based on a 2006 Trend Micro report, which we extended to cover new developments in C&C mechanisms and to include more specific details about both the communication protocol used for message transfer and the malware’s internal C&C protocol. Additionally, we have incorporated elements from other relevant research to create a more thorough and unified taxonomy. Overall, the taxonomy encompasses the following six aspects: C&C Model, Rally Mechanism, Communication Behavior, Carrier Communication Protocol, C&C Protocol, and Evasion Techniques.

In the second section, our focus shifts to evaluating the distribution of C&C mechanisms within the current malware landscape. We undertake a detailed analysis using both the Malpedia dataset and tracking sites such as MalwareBazaar. This part will involve an in-depth discussion of currently prevalent malware families and their C&C communication, as classified by our taxonomy. The findings from this analysis will provide insights into the characteristics of the methods presently used by threat actors.

14:10 – 14:50
TLP:CLEAR
Evasive Panda touring in Asia: AitM opening act followed by a duet of MgBot and Nightdoor
Facundo Munoz 🗣 | Anh Ho 🗣

Abstract (click to view)

Evasive Panda, a China-aligned APT group engaged in cyberespionage since 2012, has recently introduced a not yet publicly documented backdoor, which we’ve named Nightdoor.

Prior to this discovery, Evasive Panda was well-known for distributing and operating MgBot, a full-featured backdoor with a modular architecture. In our blogpost from April 2023 titled “Evasive Panda APT group delivers malware via updates for popular Chinese software”, we described how Evasive Panda might leverage adversary-in-the-middle (AitM) capabilities to deliver MgBot through legitimately initiated Tencent QQ software updates, targeting China from 2020 to 2022. In 2023, we found more victims in Turkey and Kyrgyzstan under similar AitM attacks. We were able to extract the compromise chain, which began with legitimate update requests from IObit or CorelDraw software that were answered with a malicious downloader specifically designed for AitM attacks. Subsequent stages included a dropper that iteratively executes 12 pieces of shellcode and a multistage loading chain for MgBot.

Within the same timeline, Evasive Panda conducted another operation involving the new Nightdoor backdoor. The victims included an engineering and chip manufacturing company in South Korea (2022–2023), a religious organization in Taiwan (2022), and a government entity in Vietnam (2020). These attacks tended to happen at nighttime, which inspired us to name the backdoor Nightdoor.

In this presentation, we provide an overview of Evasive Panda operations, victimology, and TTPs. Following this, we describe the compromise chains for both MgBot and Nightdoor and address some overlaps with the GIMMICK malware. Subsequently, we present our hypothesis regarding the method used to achieve AitM capability, based on our analysis of the victim’s environments and the incidents. Finally, we delve into the features of Nightdoor, including the set of 32 commands, network protocols, and configuration extraction.

14:50 – 15:30
TLP:AMBER
Pikabot’s Sophisticated Evasion: We Catch Em All
Kelsey Merriman 🗣 | Pim Trouerbach 🗣

Abstract (click to view)

The proliferation of sophisticated malware has posed exceptional challenges to the cybersecurity landscape, with Pikabot emerging as a notable and evasive malware. We endeavor to provide a comprehensive and consumable analysis of the Pikabot malware.

Utilizing a combination of threat intelligence, behavioral analysis, reverse engineering and botmulation, this research aims to provide actionable insights for cybersecurity analysts, enabling defenders to understand the capabilities, harden defenses, devise countermeasures, and contribute to the community’s efforts to mitigate the evolving threat of Pikabot.

15:30 – 16:10
TLP:GREEN
Into the Vapor to Tracking Down Unknown Panda’s Claw Marks
Suguru Ishimaru 🗣 | Yusuke Niwa 🗣 | Motohiko Sato

Abstract (click to view)

In August 2023, Trend Micro published a blog post announcing a new sophisticated Advanced Persistent Threat (APT) campaign known as “Earth Estries.” The campaign specifically targeted government-related organizations and technology companies in the Philippines, Taiwan, South Africa, Germany, and the United States.

From this information and open source intelligence, we identified several characteristics within the attack infrastructure. These included the watermark of Cobalt Strike and WHOIS registration details of the C2 servers, which allowed us to discover concealed C2 domains and IP addresses associated with further hidden attack infrastructure.

Further reverse engineering of the unknown malware showed that it is a new form of malware sharing code similarities and data structures with Deed RAT, a variant of ShadowPad. Therefore, we strongly believe that this is a new variant of Deed RAT.

The purpose of this presentation is to share a comprehensive analysis of Cobalt Strike Beacon and an analysis of BLOODALCHEMY characteristics not covered in the Elastic Security blog, based on a survey of APT activity in 2023.

In addition, we will describe the methodology for identifying Deed RAT variants, thereby revealing the associated attack infrastructure, with the aim of tracking the activities of these threat actors, which can be applied to botnet actors as well as APTs.
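The infrastructure pivot described above (a shared Cobalt Strike watermark, a shared WHOIS registrant, a shared IP) can be expressed as a walk over a graph of indicators. The Python below is an added example, not the speakers' tooling: the beacon-configuration records, WHOIS data, seed domain and registrant addresses are constructed placeholders and none of them are real Earth Estries indicators. It also shows the check a practitioner wants when pivoting: indicator values shared by thousands of unrelated hosts, such as a WHOIS privacy-proxy address or the watermark 0 that cracked and trial builds commonly carry, must be treated as weak pivots, or the walk drags in unrelated infrastructure.

```python
from collections import deque

# Constructed beacon-config records (host, C2 IP, Cobalt Strike watermark).
BEACONS = [
    {"host": "cdn-update.example",    "ip": "203.0.113.10",  "watermark": 987654321},
    {"host": "mail-sync.example",     "ip": "203.0.113.11",  "watermark": 987654321},
    {"host": "static-assets.example", "ip": "203.0.113.11",  "watermark": 0},
    {"host": "news-portal.example",   "ip": "198.51.100.21", "watermark": 0},
]

# Constructed WHOIS registrant e-mails; blog-feed.example has no beacon record.
WHOIS = {
    "cdn-update.example": "ops@registrant-a.invalid",
    "mail-sync.example": "ops@registrant-a.invalid",
    "static-assets.example": "privacy@proxy.invalid",
    "news-portal.example": "privacy@proxy.invalid",
    "blog-feed.example": "privacy@proxy.invalid",
}

# Indicator values shared by too many unrelated hosts to link anything on their own:
# a WHOIS privacy proxy, and watermark 0, which is common in cracked/trial builds.
WEAK_PIVOTS = {"privacy@proxy.invalid", 0}


def build_graph(beacons, whois):
    """Undirected graph: domains link to the IPs, watermarks and registrants they share."""
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for rec in beacons:
        dom = ("domain", rec["host"])
        link(dom, ("ip", rec["ip"]))
        link(dom, ("watermark", rec["watermark"]))
    for host, registrant in whois.items():
        link(("domain", host), ("registrant", registrant))
    return graph


def pivot(graph, seed, weak, max_hops=6):
    """Breadth-first walk from seed over shared indicators.
    Returns {node: path from seed} so every discovered host is explainable.
    Weak indicator nodes are never traversed."""
    paths = {seed: [seed]}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if len(paths[cur]) - 1 >= max_hops:
            continue
        for nxt in graph.get(cur, ()):
            if nxt in paths:
                continue
            if nxt[0] in ("watermark", "registrant") and nxt[1] in weak:
                continue
            paths[nxt] = paths[cur] + [nxt]
            queue.append(nxt)
    return paths


def discovered_domains(paths, seed):
    """Sorted list of domains reached from the seed (excluding the seed itself)."""
    return sorted(n[1] for n in paths if n[0] == "domain" and n != seed)


GRAPH = build_graph(BEACONS, WHOIS)
SEED = ("domain", "cdn-update.example")

if __name__ == "__main__":
    for weak in (WEAK_PIVOTS, set()):
        found = pivot(GRAPH, SEED, weak)
        print("weak pivots suppressed:" if weak else "no suppression:",
              discovered_domains(found, SEED))
        for dom in discovered_domains(found, SEED):
            print("  ", " -> ".join(f"{k}:{v}" for k, v in found[("domain", dom)]))
```

With the weak pivots suppressed, the seed reaches mail-sync.example (shared watermark and registrant) and static-assets.example (shared IP with mail-sync.example) and stops there; with suppression off, the privacy-proxy registrant and watermark 0 pull in news-portal.example and blog-feed.example, for which nothing in the data actually supports a link. Keeping the path for each node is what lets an analyst justify, or reject, each discovered host.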

Additional paper(s)

This paper was not presented during the conference but was deemed, by the programme committee, interesting to publish for the community.


Streamlining Memory Forensics with VolWeb
Félix Guyard

Abstract (click to view)

While open-source memory forensics tools have become more prevalent in recent years, there are still a lot of challenges associated with their use. Current open-source memory forensics tools lack consistency in terms of automation, user interface, data visualization and collaboration. As criminal and hacker methods become ever more sophisticated, memory forensics has emerged as a crucial method for identifying cyber threats and analyzing malware.

However, traditional open-source memory analysis tools used alone can be time-consuming and difficult to use for those who seek to investigate and collaborate on a memory image. The increasing complexity of attacks means that investigators need to centralize and process more data than ever before, making it even harder to keep up. The need to automate memory forensics and make it more human-friendly is crucial and should not be a luxury.

VolWeb is an open-source digital memory forensics web platform. The goal of this tool is to improve the efficiency of memory forensics by providing a centralized, collaborative, visual and enhanced platform dedicated to investigators. It gives the opportunity to work together on cases, use visualization tools to quickly identify anomalies, tag interesting elements, dump processes and files to later perform malware analysis, generate technical reports and more. The core memory analysis engine is based on the volatility3 framework, which is still under active development to replace the previous stable version of Volatility written in Python 2 (deprecated). Combining the Django framework with this engine allows for the creation of user-friendly interfaces, making the tool more accessible even to those who may not have extensive knowledge of the command-line interfaces. This can save time and effort on the part of the forensic investigator by automating the entire data extraction process of a memory image and presenting the data in a standardized way.

The tool's initial configuration, deployment and update in a digital investigation lab is made easier with the use of Docker. In this proposal, we will explore the development and implementation of VolWeb and highlight its benefits for investigators in the digital forensics community.
