Botconf 2023
11th - 14th April 2023, Strasbourg
Schedule
Tuesday 11th April 2023
Gabriel Cirlig 🗣
Abstract (click to view)
This will be a simple and short introduction into Android reverse engineering, taking the student from zero to hero. No previous reversing knowledge is required and all of the tools will be provided in the form of a VM packed with goodies. The course will cover the basics of Android, APK structure, DEX file internals and how this can be exploited in order to decompile and deobfuscate malware. In addition, hands on exercises will be provided with fresh malware samples where the knowledge can be put to good use in extracting C2s and other interesting information.
The course aims to introduce people into the world of Android reversing. It will be a mostly hands on experience with just enough theory to provide the student a solid base upon to build their reversing skills. The course covers spotting suspicious samples, C2 deobfuscation, secondary payload extraction through both static and dynamic analysis.
Vitaly Kamluk 🗣 | Nicolas Collery 🗣
Abstract (click to view)
This workshop aims to share knowledge of live triage and analysis of remote compromised systems to assist incident response, digital forensics, or malware discovery and in-place analysis. There are many other applications of the techniques and tools that the participants are encouraged to explore on their own.
Although the knowledge shared during the workshop can be applied independently of the tools proposed, it starts with the attendees building their own toolkit for remote threat reconnaissance. It features Bitscout, a project based on a collection of free open-source software for Linux, that is extendable with any set of tools the analyst wants to embed before or in the middle of the operation.
Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may trigger alerts of advanced threat actors. Once alerted, a clean-up operation and destruction of evidence can happen. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful. Bitscout, used for the workshop, is just one such toolkit.
In addition to working with local virtual machines during the workshop, the attendees will be provided with access to 60+ live servers to be analyzed simultaneously to simulate large-scale compromise – online access will therefore be required.
Jonas Wagner 🗣 | Carlos Rubio Ricote 🗣 | David Pastor Sanz 🗣
Abstract (click to view)
YARA is a commonly used tool to detect and identify malware. There are roughly two types of YARA rules used on binary files: 1) based on metadata and strings and 2) based on code.
There are certain benefits by basing YARA rules on code. Since code reuse is frequent amongst binaries of a malware family, it offers plenty of options to base a YARA rule on. If the chosen code is heavily reused amongst the binaries, then it can result in very robust rules.
This approach comes with certain challenges. A key aspect is being able to find heavily reused code amongst many binaries of a malware family. Unless some sort of automation is at play, this quickly becomes difficult and time-consuming. Once suitable reused code is identified, it needs to be turned into a YARA rule, so that it works even when compiler differences, optimizations or instruction set changes are involved.
In this workshop we will create robust YARA rules for a handful of malware families based on automatically identifying shared code between many binaries of a family.
Wednesday 12th April 2023
Seongsu Park 🗣
Abstract (click to view)
Prime suspects behind the Sony Pictures Entertainment cyberattack, Wannacry outbreak are a hacker collective known as Lazarus Group with associations with the Pyongyang regime. This notorious adversary is one of the most active and dangerous hacking groups to date and is known to have conducted cyberattacks for financial profits and cyber espionage in the past. Lazarus is a prolific group with numerous malware clusters, one of which we dubbed DeathNote. After several years of tracking this cluster, we have been able to note its characteristics and latest tactics.
Nirmal Singh 🗣 | Avinash Kumar 🗣 | Niraj Shivtarkar
Abstract (click to view)
In the last few years we have seen a substantial growth in the Malware-as-a-Service (MaaS) market, this revenue model generates a high income revenue stream for the malware developers and also makes it easier for the malicious actors with less technical capabilities to carry out sophisticated attacks and earn multi-million-dollars by targeting large-scale enterprises and government entities. During the last few years, we have observed a MaaS Group selling a sophisticated modular Remote Access Trojan with various features and pricing plans. The most distinctive feature of this RAT is – Ransomware Module – which encrypts the files and demands for a ransom payment in order to decrypt them. The presence of those features in the RAT leads us to believe that the Threat Actors, involved, are attempting to improve their financial gain by using Ransomware.
Larry W. Cashdollar 🗣 | Allen West 🗣
Abstract (click to view)
The presentation will document the KmsdBot discovered and documented by Larry Cashdollar and Allen West. We will discuss the initial discovery, static and dynamic code analysis, some reverse engineering techniques in regard to Go lang static binaries, the command and control protocol, code created to speak with the C2, the attack capabilities, and crypto mining functionality. We will then discuss how the bot spreads and infects targeted hosts. Finally, we will discover the bot crashing due to a lack of error checking and the bot being rebuilt shortly after. The talk will have a recorded demonstration of the bot communicating with our C2 and sending attack traffic, also we will show a demonstration of the bot crashing.
Paul Vixie 🗣 | Ben April
Abstract (click to view)
The Internet has long served as the Web’s communications substrate, and historically that has meant TCP/IP. TCP is a clear text reliable stream protocol which predates the Web by about two decades and is usually implemented in the operating system’s kernel. Starting in 2013, the Web community has reconsidered the use of clear text protocols and kernel resident protocols. The result is QUIC, a fully encrypted protocol intended to be implementable at the application layer. Adoption of QUIC will radically alter the security profile and performance characteristics of managed private edge networks including home and enterprise, for both Web servers and Web clients. Let’s discuss.
Łukasz Siewierski 🗣 | Alec Guertin 🗣
Abstract (click to view)
Over-the-air (OTA) updates are a crucial part of the Android operating system. The updates are signed and applied by the operating system, but the process of checking for new updates, downloading the files and handling the user interactions is done by a preinstalled application – an OTA provider. For the operating system’s update, the OTA application cannot interfere with the contents of the update in any way making the OTA system image update secure.
However, to provide lightweight updates to preloaded applications, OTA applications are often also able to download and install specific applications. Access to these privileges makes OTA applications a potentially interesting target for abuse.
We have identified several cases in which 3rd-party OTA solutions contained code used to secretly download additional apps without user consent during the device’s lifetime. This talk covers examples of the problematic additions, the downloaded applications and the steps we have taken to combat the problem by pre-scanning system images and the future of the Android OTA ecosystem.
Martijn Grooten 🗣
Abstract (click to view)
This presentation will discuss digital threats against civil society groups outside the West: journalists and independent media organizations, human rights activists, defenders of minorities’ rights, women’s rights organizations etc. On top of the digital threats that any organization around the world faces – phishing, malware, business email compromise etc. – these organizations face more targeted threats related to their activities. These vary from the technically very advanced, including zero-day using spyware like Pegasus, from the technically mundane but really impactful, like social media accounts being hacked or banned.
The first part of the presentation will discuss the context in which civil society groups operate in the digital world, then discuss the threats they are facing, including the support they receive in responding to these threats. The second and main part of the presentation will cover real-world examples of such threats and focus on the real-world impact these threats have, including the psychosocial impact. The final part will cover what can be done to support civil society in the rest of the world and in particular what the Botconf audience could do to help.
Pratiksha Ashok 🗣
Abstract (click to view)
In 2014, the Government of India launched its Swachh Bharat Abhiyan (Clean India Mission). Phase 2 of this mission began in 2020 to cement the progress of Phase 1. The mission to clean India was not limited to clean roads, sanitation campaigns, and waste segregation and included safe digital India.
David Álvarez Pérez 🗣
Abstract (click to view)
In November 2022, we discovered a new version of the Syslogk Linux kernel rootkit affecting x86 and x86_64 processor architectures (udis86 disassembler dependency). We were not surprised, as the first version we found was likely still under development in the wild.
Like other rootkits, Syslogk hides from the list of Linux kernel modules, and hides directories containing malicious files, malicious processes, and the listening connections from the bot running in the infected machine (i.ex. Netstat doesn’t show the connections). These features are probably inspired by Adore-Ng. We identified many similarities between both rootkits’ codes.
What makes Syslogk interesting is that the hidden bot does not continuously run in the system. Instead, it starts or stops on-demand, remotely via magic packets. In other words, the attacker can start the bot on-demand by sending a specially crafted packet to the victim’s machine.
The new version we discovered was developed for a newer Linux kernel version (3.10.0-957.el7.x86_64) and uses more complex magic packets, 10 encryption keys, and three different encryption algorithms.
Max ‘Libra’ Kersten 🗣
Abstract (click to view)
Another day, another ransomware-as-a-service provider, or so it seems. The “Read The Manual” (RTM) Locker gang targets corporate environments, forcing their affiliates to follow a strict ruleset. Is this yet another ransomware gang, or is there more to this gang and their locker than meets the eye? This talk investigates the actor, along with a technical deep dive into their Windows ransomware executable.
Whereas some gangs have the desire to become (in)famous, breaking headlines with the group’s name, the RTM Locker gang is different. Their ruleset forces affiliates to operate under the radar, minimising their public exposure and thereby ensuring the group isn’t caught by the prying eyes of law enforcement and malware researchers alike.
Their approach, however, isn’t waterproof. This talk will bring the audience along for a technical deep dive into the Windows ransomware executable, along with an overview of the group’s specific rules. Additionally, the group’s activity is peculiar, given that their locker is being reworked without outlets having reported on their initial version.
Lingming Tu 🗣 | Wenji Qu | Ya Liu
Abstract (click to view)
Fodcha is a new DDoS botnet family targeted Linux IoT devices. After it was firstly detected in January 2022, 4 versions of 250+ samples have been observed by us, from which over 140 C&C domains were extracted. Most of the C&C servers have been successfully contacted by our command tracking system, with over 39K unique victims detected from the 114M received attacking commands.
The data we collected includes various interesting information such as botnet scales, operations exploits, and attack methods. Detailed studies have been carried on the collected data in terms of C&C communications, attack methods, and victims. Attempts of estimating the botnet scales were also done by analyzing real attacking traffic from Fodcha. By reading an accidentally obtained copy of Fodcha C&C panel source, we even had the chance to investigate how the botmasters managed their botnets and sold their attacking service to others. We think the analysis we did would help to better detect and mitigate similar threats in the future.
Thursday 13th April 2023
Jorge Rodriguez 🗣 | Souhail Hammou 🗣
Abstract (click to view)
The Gh0st Remote Access Trojan is a long-standing threat dating back to 2001 that is still active to this day. Following its release to the public in 2008 as version 3.6 Beta, it garnered the attention of Chinese-speaking threat actors in particular who began forking and upgrading the toolset to suit their needs. Various APT (Advanced Persistent Threat) groups targeting Asian countries incorporated modified versions of Gh0st RAT into their own arsenal: GhostNet as the earliest documented instance and GamblingPuppet as one of the most recent ones.
Our deep dive into the subject started when we traced back the origins of a malware family named PseudoManuscrypt directly to Gh0st RAT. Kaspersky first spotted it in July 2021 as being distributed through a network of websites that offer fake cracked software to unsuspecting victims. We also observed it being directly delivered through the PrivateLoader Pay-per-Install (PPI) service.
Daniel Lunghi 🗣
Abstract (click to view)
Iron Tiger, also known as APT27 or Emissary Panda, is an advanced threat actor that has been doing espionage for more than a decade, targeting multiple sensitive industries worldwide.
In the past months, we noticed the threat actor enhancing its toolkit to target all three major platforms – Windows, MacOS and Linux. We found out they obtained access to the backend of a little-known chat application and modified the installers to deliver a remote access tool named rshell to users of the Mac platform. We also observed a new version of the SysUpdate malware family, where in addition to porting the malware to the Linux platform, the threat actor added features such as DNS tunneling for C&C communication protocol.
Jeremie Destuynder 🗣 | Alexandre Matousek 🗣
Abstract (click to view)
We Incident Responders from CERT Orange CyberDefense often face the same proven TTPs over and over by threat actors. Similar initial entry, privilege escalation, lateral movements, exfiltration, etc. techniques are seen in the numerous forensics cases we handled per year. Known ransomware gangs in particular follow scripted playbooks, as training documents from the Conti leaks and abundant public incident response reports already showed.
So when a victim came to us for help last November, our analysts expected to run into “Yet Another Ransomware” case. But it turned out way more interesting than initially thought. We’ll walk you into this case, that surprised in some ways even our most experienced analysts and reversers.
Dominika Regéciová 🗣
Abstract (click to view)
You probably know this scenario – you spent a while analyzing new samples, which was not easy, but you’re finally done. You also created a neat Yara rule to match the samples, and you’re ready to send it off and move on to your next task (or lunch). But oopsie – the Yara rule is warning of slowed scanning. Or your colleague comments they do not like a particular part and wants to be sure the rule is effective.
While working with Yara, I consulted with many analysts about this problem. They knew what they wanted to detect, but Yara was not always helping them write the rules more effectively. Based on my experience with algorithms used in Yara, we worked together to find a solution to improve scanning speed and limit potential hurdles for future usage.
This paper presents five studies with descriptions of the five problems, an explanation of why Yara does not like the first solution, and tips on what can be improved. Note that no sensitive information is disclosed in this paper. All studies were anonymized, so the general problem is the same, but there is no direct link to a specific malware family mentioned, nor can it be tracked.
Daniel Plohmann 🗣 | Daniel Enders | Manuel Blatt
Abstract (click to view)
Ever since launching Malpedia [1] at Botconf 2017, we continuously maintained and expanded our community-driven data set with the vision of exploring new ways to leverage it effectively for the research of and defense against malware. A primary research scope for us was working towards enabling efficient one-to-many code similarity analysis. After almost 4 years of research and development, we now finally want to share our results. With this presentation, we will publicly release MCRIT, the MinHash-based Code Relationship & Investigation Toolkit [2]. After giving a short overview of the underlying techniques and implementation, we will explain in a series of practical examples how to apply MCRIT for the three primary use cases it has been geared towards so far:
- Malware family and library code differentiation to accelerate triage and analysis
- Isolation of unique family code to provide means for hunting towards their characteristics
- Lead generation for discovering potentially unknown links between samples and families
Federico Valentini 🗣 | Alessandro Strino 🗣
Abstract (click to view)
During the last three years, we have tracked and closely analyzed a specific TA, intending to infect Windows workstations on corporate environments trying to alter legitimate banking transfers performed by the victims. The main technique leveraged was the Automated Transfer System (ATS), enabled via custom web injects for changing the beneficiary and transferring money to an illegitimate bank account (money mule) controlled by themself or affiliates, which is then responsible for handling and laundering the stolen funds. The critical component behind those fraud operations was one of the most advanced banking trojans, Ramnit.
Even if Ramnit has already been described in the literature, because of our forefront position, it was possible to understand TA behavior deeply and reconstruct the whole infection chain that goes through the initial malspam campaign, an accurate selection of victims during the botnet construction, the Automatic Transfer System (ATS) technique for cash-out through wire transfers, and the final money laundering.
Nick Dai 🗣 | Vickie Su | Sunny W Lu
Abstract (click to view)
We have been monitoring a wave of spear-phishing attacks targeting the government, academic, foundations, and research sectors around the world. Based on the lure documents we observed in the wild, this is a large-scale cyberespionage campaign that began around March. After months of tracking, the seemingly wide outbreak of targeted attacks includes but not limited to Myanmar, Australia, the Philippines, Japan and Taiwan. We analyzed the malware families used in this campaign and attributed the incidents to a notorious advanced persistent threat (APT) group called Earth Preta (also known as Mustang Panda and Bronze President).
Yarin Ozery 🗣
Abstract (click to view)
Data exfiltration and detection has been the subject of lots of research in recent years. DNS exfiltration is the process of abusing the DNS protocol, originally designed for hostname resolving, to send data from a querying machine to a remote nameserver. While DNS exfiltration is commonly associated with free DNS tunneling applications, it’s also used by bots (e.g., Feederbot, Morto) to steal sensitive data from compromised enterprises and communicate with their command and control servers.
In this talk, we present a new real-time DNS exfiltration detection solution designed to be deployed on recursive DNS resolvers, based on estimating the amount of data that is transferred to registered domains via DNS requests FQDN. The algorithm is designed to be light-weight in both memory requirements and execution run time and allows real-time mitigation of DNS exfiltration campaigns.
Suweera De Souza 🗣
Abstract (click to view)
In March 2022, a new buzz called Bumblebee appeared in the eCrime scene. This loader is built to execute tasks from its command-and-control (C2), and deliver payloads such as CobaltStrike. But its development doesn’t stop there. In the span of less than a year, Bumblebee has been through several incremental updates, to such an extent, that this malware may be one of the most actively maintained malware families out there.
This presentation aims to get a sense of the operator’s development process behind Bumbleebee – how it changes and adapts in response to current endpoint defense efforts– and how its techniques compare to other botnet families.
Max ‘Libra’ Kersten 🗣
Abstract (click to view)
Finding malware is not the difficult part, as it is prevalent due to the widespread malware campaigns which target consumers and companies alike. Samples are available in multitudes on sample sharing websites, but it is impossible to manually sift through all available samples. This is why the ideal process is streamlined using a pipeline. The malware is collected, after which it is scanned to detect known patterns and behaviour. Lastly, interesting samples can be reverse engineered manually.
The creation of such a pipeline is relatively straight-forward. The majority of the issues are encountered when setting everything up in a scalable manner. An example would be the scanning of files. If this cannot be done concurrently (enough), this will strain the whole system. The throughput of the pipeline then poses as a bottleneck. Additionally, or alternatively, the scaling of scanning requires improved and more hardware, which is often costly.
This talk focuses on setting up a pipeline on a budget, where the analyst will have access to malware samples of the last 60 days, all of which are scanned with Yara rules for known patterns. Additionally, all samples are executed in a sandbox to obtain heuristic data. Lastly, tools to analyse samples that the analyst deems interesting are referenced. This pipeline can be executed on a Raspberry Pi 3B, paired with a USB (or external hard) drive. Needless to say, more performance-oriented hardware ensures a smoother experience, but this is the lower limit of the hardware with which the pipeline was tested.
Lightning talks
Félix Guyard 🗣
Abstract (click to view)
Félix won the Botconf 2023 Lightning talk prize for the quality of his demonstration
Friday 14th April 2023
Ronan Mouchoux 🗣 | François Moerman 🗣
Abstract (click to view)
This presentation describes a system ingesting natural language threat report using Natural Language Processing to generate a graph-based model using the STIXv2 structured language and a relational database. The natural language expressions are normalized using MITRE structured vocabularies and industry recognized threat actor catalogs. To uncover potentially missing threat report information, we apply the association rule learning Apriori algorithm on a threat report based on the structured knowledge we model.
Luca Brunoni 🗣 | Olivier Beaudet-Labrecque 🗣 | Renaud Zbinden
Abstract (click to view)
This presentation discusses employee liability in the context of cyber-attacks, with a focus on ransomware cases. We aim to present a series of case studies in which we detail cyberattacks committed against private and public actors: we analyze the possible behavior and involvement of employees, identify the applicable criminal law rules, and evaluate whether the employees can be held directly liable. We also touch on the topic of civil liability in relation to the damages caused by the attack. Although our case studies will be presented though the scope of Swiss law, a comparative approach focused on legal solutions from other countries, such as France and the US, will also be included.
Matthieu Faou 🗣
Abstract (click to view)
Asylum Ambuscade is a threat group that came under research scrutiny after it targeted European government personnel in late February 2022, just after the beginning of the Russia-Ukraine war.
During the intervening months, dozens of different threat actors have been caught by the security community attacking Ukrainian institutions and their allies. So what makes Asylum Ambuscade different from the others?
Erwan Chevalier 🗣 | Guillaume Couchard 🗣
Abstract (click to view)
Infection chains used by commodity malware are frequently evolving and are using various tricks to bypass security measures and/or user awareness. BumbleBee, QNAPWorm, IcedID, and Qakbot, all of these wicked threats are frequently used as a first stage malicious code allowing to drop other more specific payloads.
This presentation will be in three parts, an overview of the infection chains and common detection methods used against them, how generic detection rules on these infection chains can help in the fight against botnets and finally how threat intelligence at scale combined with the rest creates a solid defense.
Paweł Srokosz 🗣 | Michał Praszmo 🗣
Abstract (click to view)
Responding to the incidents as a Polish national CERT, we very often come across attackers using proxies and/or VPNs to hide their identity. While distinguishing well-known IP sources such as NordVPN or TOR has become pretty straightforward, residential proxies are often overlooked and due to their nature, they are much harder to be recognized properly. This challenge has been especially important lately when a particular threat actor started utilizing several residential proxy providers to hide behind normal Internet users and conduct false flag operations.
In this talk, we’ll describe how we have approached this problem, what we managed to achieve and what we are still struggling with.
Josh Hopkins 🗣 | Thibault Seret 🗣
Abstract (click to view)
This talk provides an insight into Team Cymru’s tracking of IcedID over the past 24 months, following its transition from banking trojan to all-round loader malware. We will demonstrate how we identify potential bot and loader C2 infrastructure through our network telemetry data, and provide confirmation of these findings through config extraction.
IcedID (also referred to as BokBot) first appeared in early 2017 as a ‘traditional’ banking trojan leveraging webinjects to steal financial information from victims. Since this time, it has evolved to include dropper functionality, and is now primarily used as a vehicle for the delivery of other tools, such as Cobalt Strike, and the eventual deployment of ransomware.
IcedID itself is commonly delivered in phishing (spam) campaigns, leveraging an assortment of lure types and execution processes.
Alexandre Côté Cyr 🗣 | Mathieu Lavoie 🗣
Abstract (click to view)
RedLine Stealer, first observed in 2020, is one of the most widely known infostealer malware. It operates on a Malware-As-A-Service (MaaS) model and is sold via forums and Telegram where affiliates can buy an all-in-one Control Panel. This panel can generate stealer samples, function as a C&C (Command and Control) server for these samples, and manage the stolen information. Many of these affiliates then sell the collected logs on dedicated marketplaces and Telegram channels.
Yohann Sillam 🗣
Abstract (click to view)
Nowadays, advanced bad bots constitute a plague on the Internet. Their threat landscape is very diverse, ranging from massive account creation aimed at influencing state elections to DDoS bots.
Advanced bots are software that mimic human behavior to programmatically solve captcha challenges. For example, they simulate human-like mouse motion and follow a flow of webpages as a human would.
This speech discusses concrete examples of automated nefarious actions (Credential stuffing, Carding, Scalping…), as well as how bots can be analyzed in the same way as malicious software.
The analysis of such software is a valuable asset for better understanding their behavior and discovering new detection strategies.
Additional paper(s)
This paper was not presented during the conference but was deemed, by the programme committee, interesting to publish for the community.
Ludovic Robin 🗣 | Corentin Jannier 🗣 | Jean-Yves Marion 🗣
Abstract (click to view)
Packer detection is an important topic because most malware is packed and this allows it to avoid detection based on static analysis. Identifying classes of packers is the key to effective detection because it makes it easier to determine from a static analysis whether further analysis is needed or whether a decision is already possible. Thus in this work we propose new features to cluster packers from their unpacking function. This method makes it possible to effectively cluster packers, and is able, by clustering, to identify packer classes used by malware. It is a step towards a larger data clustering allowing to identify custom packers.
Our official partners
Our sponsors
Diamond
Platinum
Gold
Silver
