Botconf 2021/22 final schedule

April 26 2022 • Tuesday
12:00 – 18:30 WS01 – Mastering Advanced Memory Analysis For Fun &Amp; Profit
Author(s): Solomon Sonya
Malware continues to advance in sophistication and prevalence. Well-engineered malware can obfuscate itself from the user, network, and even the operating system running host-based security applications. But one place malware cannot easily hide itself is within volatile computer memory (ram). Although an essential part of detection engineering and exploit development, memory analysis is not trivial to master. Additionally, inefficiencies exist within the current approach of conducting memory analysis resulting in greater consumption of time and resources while reducing analysis accuracy.
This workshop solves this problem delivering a new tool that provides advanced memory analysis and releases a new construct that revolutionizes memory forensics. Additionally, this tool provides new correlation algorithms, user-interaction, and plugin aggregation to enhance analysis, increase accuracy, and completely automate the process for you saving hours of analysis time. Lastly, this tool provides a true snapshot analysis providing a better mechanism to discover and extract indicators of compromise during malware analysis. Exploit developers, reverse engineers, digital forensics experts and incident responders will walk away with a new toolkit that will revolutionize the way we perform memory forensics at the conclusion of this workshop.
14:00 – 18:30 WS02 – mwdb: open source tools to build your malware analysis pipeline
Author(s): Michał Praszmo, Paweł Srokosz, Paweł Pawliński

During almost a decade of our malware analysis experience in, we have tried many different approaches. Most of them failed but we have learned a lot about what works and what does not. Finally, after several years of development, we publicly released a bunch of projects that we are proud of: a complete open-source malware repository and analysis platform.
The workshop will provide practical hands-on introduction to all aspects of the platform:

  • mwdb: community-based online service for analysis and sharing of malware samples. The service is freely available to a white-hat researchers and provides fully-automated malware extraction and botnet tracking.
  • mwdb core: self-hosted repository of samples and all kinds of technical information related to malware configurations.
  • karton: microservice framework for highly scalable and fault-resistant malware analysis workflows. We will explain the installation and configuration quickly and spend the rest of time on adapting workflows to the karton framework.
  • malduck is our library for malware extraction and analysis. We will explain how to use it effectively and how to create your own modules.

All components are already available on our github page:

12:00 – 18:30 WS03 – Remote Threat Reconnaissance
Author(s): Nicolas Collery, Vitaliy Kamlyuk
This workshop aims to share knowledge of live triage and analysis of remote compromised systems to assist incident response, digital forensics, or malware discovery and in-place analysis. There are many other applications of the techniques and tools that the participants are encouraged to explore on their own.
Although the knowledge shared during the workshop can be applied independently of the tools proposed, it starts with the attendees building their own toolkit for remote threat reconnaissance. It features bitscout, a project based on a collection of free open-source software for linux, that is extendable with any set of tools the analyst wants to embed before or in the middle of the operation.incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on edr or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may trigger alerts of advanced threat actors. Once alerted, a clean-up operation and destruction of evidence can happen. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful. Bitscout, used for the workshop is just one such addition to working with local virtual machines during the workshop, the attendees will be provided with access to 60+ live servers to be analysed simultaneously to simulate large-scale compromise – online access will therefore be required.
April 27 2022 • Wednesday
10:45 – 11:25 Behind The Scenes Of Qbot

Author(s): Berk Albayrak, Ege Balci

11:30 – 12:00 Rtm: Sink-Holing The Botnet

Author(s): Rustam Mirkasymov, Semyon Rogachev

Slides Video   
12:05 – 12:25 Private Clubs For Hackers: How Private Forums Shape The Malware Market

Author(s): Olivier Beaudet-Labrecque, Luca Brunoni, David Décary-Hétu, Sandra Langel

Slides Video  Paper
14:00 – 14:30 Insights And Experiences From Monitoring Multiple P2p Botnets

Author(s): Leon Böck, Shankar Karuppayah, Dave Levin, Max Mühlhäuser

Slides Video   
14:35 – 15:05 Ta410: Apt10’S Distant Cousin

Author(s): Alexandre Côté Cyr, Matthieu Faou

15:00 – 15:30 Operation Gamblingpuppet: Analysis Of A Multivector And Multiplatform Campaign Targeting Online Gambling Customers

Author(s): Jaromir Horejsi, Daniel Lunghi

Slides Video   
16:00 – 16:50 Fingerprinting Bot Shops: Venues, Stealers, Sellers

Author(s): Ian Gray, Bryan Oliver, Austin Turecek

16:55 – 17:35 How To Eavesdrop On Winnti In A Live Environment Using Virtual Machine Introspection (Vmi)

Author(s): Philipp Barthel, Sebastian Eydam, Werner Haas, Sebastian Manns

Slides Video   
17:40 – 18:30 Evolution Of The Sysrv Mining Botnet

Author(s): György Lupták, Dorka Palotay, Albert Zsigovits

Slides Video   
April 28 • Thursday
09:05 – 09:25 Identifying Malware Campaigns On A Budget

Author(s): Max ‘Libra’ Kersten, Rens Van Der Linden

09:30 – 10:00 See Ya Sharp: A Loader’S Tale

Author(s): Max ‘Libra’ Kersten

10:35 – 11:00 Into The Silent Night

Author(s): Yuta Sawabe, Ryuichi Tanabe

  Video  Paper
11:00 – 11:30 A Fresh Look Into The Underground Card Shop Ecosystem

Author(s): Beatriz Pimenta Klein, Lidia López Sanz

Slides Video   
11:35 – 12:05 Yara: Down The Rabbit Hole Without Slowing Down

Author(s): Dominika Regéciová

Slides Video  Paper
12:10 – 12:40 Detecting Emerging Malware On Cloud Before Virustotal Can See It

Author(s): Ali Fakeri-Tabrizi, Gan Feng, Hongliang Liu, Thanh Nguyen, Andreas Pfadler, Anastasia Poliakova, Yuriy Yuzifovich

Slides Video  Paper
14:00 – 14:40 Warning! Botnet Is In Your House…

Author(s): Vitaly Simonovich, Sarit Yerushalmi

Slides Video Video   
14:45 – 15:15 How Formbook Became Xloader And Migrated To Macos

Author(s): Alexey Bukhteyev, Raman Ladutska

16:00 – 16:40 Sandyblacktail: Following The Footsteps Of A Commercial Offensive Malware In The Middle East

Author(s): Vasiliy Berdnikov, Aseel Kayal, Mark Lechtik, Paul Rascagneres

16:45 – 17:25 Smoke And Fire – Smokeloader Historical Changes And Trends

Author(s): Marcos Alvares

Slides Video   
17:30 – 18:00 Pareto: Streaming Mimicry (Sponsor Technical Talk)

Author(s): Inna Vasilyeva

18:00 – 19:00 Lightning Talks

Moderator: Eric Freyssinet

  • LT01 – Patrice Auffret
  • LT02 – Tom Ueltschi
  • LT03 – Ivan Kwiatkowski
  • LT04 – Austin Turecek
  • LT05 – Rémi Dubourgnoux
  • LT06 – Max Kersten
  • LT07 – Jonathan Thielleux
  • LT08 – Charlie Cullen
  • LT09 – Hugo Rifflet
  • LT10 – Tom Mounet
  • LT11 – Konstantin Klinger
  • LT12 – Frédéric Baguelin
April 29 2022 • Friday
09:30 – 10:00 Jumping The Air-Gap: 15 Years Of Nation-State Efforts

Author(s): Alexis Dorais-Joncas, Facundo Munoz

Slides Video   
10:55 – 11:15 Detecting And Disrupting Compromised Devices Based On Their Communication Patterns To Legitimate Web Services

Author(s): Yael Daihes, Hen Tzaban

Slides Video   
11:20 – 12:00 Proxychaos: A Year-In-Review Of Microsoft Exchange Exploitation

Author(s): Mathieu Tartare

Slides Video   
12:00 – 12:35 Suricata (In Preview For A Workshop In 2023)

Author(s): Eric Leblond

14:00 – 14:40 Privateloader – The Malware Behind A Havoc-Wreaking Pay-Per-Install Service

Author(s): Souhail Hammou

Slides Video   
14:45 – 15:15 Qakbot Malware Family Evolution

Author(s): Markel Picado Ortiz, Carlos Rubio Ricote

Slides Video   


Print Friendly, PDF & Email