Botconf Author Listing

Magal Baz
Last known affiliation: Trusteer IBM

Date: 2016-11-29
Cracking Banking Fraud
Speakers: Pavel Asinovsky, Magal Baz

Abstract

This workshop takes us into the world of banking malware, and more specifically into researchers’ chase after configurations – the attack books that dictate which banks are targeted and how. These precious, ever-changing fragments of data, and the continuous change in the encryption methods that protect them, keep us alert and on our toes.

In this workshop we learn about the banking malware modus operandi and play the role of the researcher, going through a hands-on guided process of analyzing encrypted configurations and studying how the data is protected. We study the way it is encrypted, eventually formulating a simple method of decryption. Our case study is the infamous Dridex malware. Participants will be introduced to the world of banking fraud, gain an understanding of the process of researching encryption methods, acquire basic tools for addressing encrypted data of unknown format, and enjoy the thrill of a live challenge.

Date: 2016-12-02
Dridex Gone Phishing
Speakers: Magal Baz, Gal Meiri

Abstract

In January 2016, we discovered a new modus operandi launched by Evil Corp, the organization that owned and operated the Dridex banking Trojan. A new build was released into the wild, distributed through the Andromeda botnet platform and mainly targeting users in the UK. We studied the attacks linked with the new Dridex infection campaigns and learned that the malware’s operators had made considerable investments in a new attack methodology. Instead of the original web injections, Dridex started to perform redirection attacks, sending the victim to an entirely fake site mimicking the original site of the user’s bank while presenting the authentic certificate.
