Botconf Author Listing

Félix Aimé


Last known affiliation: None

Date: 2017-12-07
KNIGHTCRAWLER, « Discovering Watering-holes for Fun, Nothing. »
Félix Aimé 🗣

How to find watering holes (aka. Strategic Web Compromise – SWC) from your bedroom? At the intersection between geopolitics and technology, « KNIGHTCRAWLER » is a personal project developed to find malicious activities on several thousand strategic websites (Govs, NGOs, companies, newspapers etc.). Dozens of watering holes related to APT and cybercrime stuff have been discovered using this project, including several exploit kits and actors not yet published in open source.

TLP:CLEAR
Date: 2024-04-25
Unplugging PlugX: Sinkholing the PlugX USB worm botnet
Félix Aimé 🗣 | Charles Meslay 🗣

In March 2023, Sophos published an article entitled “A border-hopping PlugX USB worm takes its act on the road” putting the light on a PlugX variant with worming capabilities. According to the Sophos blogspot, all of these PlugX samples communicate to only one IP address. In September 2023, we managed to take ownership of this IP address to sinkhole that botnet.

Hundreds of thousands of unique IP addresses sent PlugX distinctive requests to our sinkhole server in the first weeks of sinkholing. Even if the botnet can be considered as “dead”, anyone with interception capabilities or taking ownership of this server can send arbitrary commands to the infected computers, repurposing the botnet for malicious activities.

This presentation aims to explain the roots of this campaign, our sinkholing methodology, the PlugX internals with some reversing and the legal issues of disinfection leading us to think about the sovereign disinfection concept.