Botconf 2021/22 preliminary programme
Please find below the current list of accepted talks. We will confirm the schedule very soon; however, here is the overall organisation of the conference:
- Workshops (Tue 26th April): From 12:00 to 18:30 for the longer workshops and from 14:00 to 18:30 for the shorter one.
- Start of the main conference: Wednesday 27th April at 10:30, doors will open at 09:30 to welcome attendees
- End of the main conference: Friday 29th April at 16:00
Main conference (Wednesday 27th to Friday 29th 2022)
| Speakers | Talk |
|---|---|
| Rustam Mirkasymov and Semyon Rogachev | RTM: sink-holing the botnet |
| Yael Daihes and Hen Tzaban | Detecting and Disrupting Compromised Devices based on Their Communication Patterns to Legitimate Web Services |
| Albert Zsigovits, György Lupták and Dorka Palotay | Evolution of the Sysrv mining botnet |
| Souhail Hammou | Privateloader – The malware behind a havoc-wreaking Pay-Per-Install service |
| Marcos Alvares | Smoke and Fire – Smokeloader Historical Changes and Trends |
| Ian Gray, Austin Turecek and Bryan Oliver | Fingerprinting Bot Shops: Venues, Stealers, Sellers |
| Aseel Kayal, Mark Lechtik, Paul Rascagneres and Vasiliy Berdnikov | SandyBlacktail: Following the footsteps of a commercial offensive malware in the Middle East |
| Matthieu Faou and Alexandre Côté Cyr | TA410: APT10’s distant cousin |
| Max ‘Libra’ Kersten | See ya Sharp: A Loader’s Tale |
| Dominika Regéciová | Yara: Down the Rabbit Hole Without Slowing Down |
| Andreas Pfadler, Anastasia Poliakova, Gan Feng, Thanh Nguyen, Ali Fakeri-Tabrizi, Hongliang Liu and Yuriy Yuzifovich | Detecting emerging malware on cloud before VirusTotal can see it |
| Mathieu Tartare | ProxyChaos: a year-in-review of Microsoft Exchange exploitation |
| Sarit Yerushalmi and Vitaly Simonovich | CrimeOps of the KashmirBlack Botnet |
| Philipp Barthel, Sebastian Eydam, Sebastian Manns and Werner Haas | How to Eavesdrop on Winnti in a Live Environment Using Virtual Machine Introspection (VMI) |
| Ege Balci and Berk Albayrak | Behind the Scenes of QBot |
| Beatriz Pimenta Klein and Lidia López Sanz | A fresh look into the underground card shop ecosystem |
| Daniel Lunghi and Jaromir Horejsi | Operation GamblingPuppet: Analysis of a multivector and multiplatform campaign targeting online gambling customers |
| Alexis Dorais-Joncas and Facundo Munoz | Jumping the air-gap: 15 years of nation-state efforts |
| Max Mühlhäuser and | Insights and Experiences from Monitoring Multiple P2P Botnets |
| David Décary-Hétu, Luca Brunoni, Sandra Langel and Olivier Beaudet-Labrecque | Private Clubs For Hackers: How Private Forums Shape The Malware Market |
| Markel Picado Ortiz and Carlos Rubio Ricote | Qakbot malware family evolution |
| Max Kersten and Rens van der Linden | Identifying malware campaigns on a budget |
| Raman Ladutska and Alexey Bukhteyev | How Formbook became XLoader and migrated to macOS |
| Eric Leblond | Suricata (in preview for a workshop in 2023) |
Workshops (Tuesday 26th April 2022)
Solomon Sonya: Mastering Advanced Memory Analysis for Fun & Profit (6h workshop, 12:00-18:30)

Malware continues to advance in sophistication and prevalence. Well-engineered malware can hide itself from the user, the network, and even the operating system running host-based security applications. But one place malware cannot easily hide is within volatile computer memory (RAM). Although an essential part of detection engineering and exploit development, memory analysis is not trivial to master. Additionally, inefficiencies in the current approach to memory analysis consume more time and resources while reducing analysis accuracy.

This workshop addresses this problem by delivering a new tool that provides advanced memory analysis and introduces a new construct that revolutionizes memory forensics. Additionally, this tool provides new correlation algorithms, user interaction, and plugin aggregation to enhance analysis, increase accuracy, and completely automate the process, saving hours of analysis time. Lastly, this tool provides a true snapshot analysis, a better mechanism to discover and extract indicators of compromise during malware analysis. At the conclusion of this workshop, exploit developers, reverse engineers, digital forensics experts and incident responders will walk away with a new toolkit that will revolutionize the way we perform memory forensics.
Paweł Srokosz, Paweł Pawliński and one more presenter: MWDB: open source tools to build your malware analysis pipeline (4h workshop, 14:00-18:30)

During almost a decade of malware analysis experience at CERT.PL, we have tried many different approaches. Most of them failed, but we have learned a lot about what works and what does not. Finally, after several years of development, we publicly released a set of projects that we are proud of: a complete open-source malware repository and analysis platform.

The workshop will provide a practical, hands-on introduction to all aspects of the platform:

All components are already available on our GitHub page: https://github.com/CERT-Polska
Nicolas Collery and Vitaliy Kamlyuk: Remote Threat Reconnaissance (6h workshop, 12:00-18:30)

This workshop aims to share knowledge of live triage and analysis of remote compromised systems to assist incident response, digital forensics, or malware discovery and in-place analysis. There are many other applications of the techniques and tools, which participants are encouraged to explore on their own.

Although the knowledge shared during the workshop can be applied independently of the tools proposed, it starts with the attendees building their own toolkit for remote threat reconnaissance. It features Bitscout, a project based on a collection of free open-source software for Linux, which can be extended with any set of tools the analyst wants to embed before or in the middle of an operation.

Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activity on live compromised systems may alert advanced threat actors. Once alerted, they may clean up and destroy evidence. Moreover, offline system analysis may not be easy because of the physical distance to the compromised system or the scale of the network. This is where remote, stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful. Bitscout, used for the workshop, is just one such toolkit.

In addition to working with local virtual machines during the workshop, the attendees will be given access to 60+ live servers to be analysed simultaneously, simulating a large-scale compromise; online access will therefore be required.