Botconf Author Listing

Matthieu Faou


Last known affiliation: ESET
Bio: Matthieu Faou is a senior malware researcher at ESET where he specializes in researching targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including BlueHat, Botconf, CYBERWARCON, RECON and Virus Bulletin.
Date: 2023-04-14
Asylum Ambuscade: Crimeware or cyberespionage?
Matthieu Faou 🗣

Abstract

Asylum Ambuscade is a threat group that came under research scrutiny after it targeted European government personnel in late February 2022, just after the beginning of the Russia-Ukraine war.
During the intervening months, dozens of different threat actors have been caught by the security community attacking Ukrainian institutions and their allies. So what makes Asylum Ambuscade different from the others?

Slides (PDF)
Video
Date: 2022-04-27
TA410: APT10’s distant cousin
Alexandre Côté Cyr 🗣 | Matthieu Faou 🗣

Abstract

TA410 is a cyber-espionage group that was first described in August 2019 by fellow researchers at Proofpoint. The threat actor shows interesting technical capabilities, with the use of complex implants, but has not received the same level of attention from the threat intelligence community as most major APTs.

TA410’s activity shares some characteristics, such as similar VBA macros, with past APT10 operations, but these are not sufficient to link them as a single entity. As such, some public reports have mis-attributed TA410 activities to APT10. In this presentation, we will clarify what TA410 is and how its activities differ from the current activities of APT10.

Slides (PDF)
Date: 2020-12-02
Turla operations from a front row seat
Matthieu Faou 🗣

Abstract

Our research team at ESET has tracked the infamous Turla espionage group for many years. By leveraging unique telemetry data, forensic analysis of infected machines and in-depth malware reverse-engineering, we gained quite comprehensive knowledge of their operations. Since our last talk in 2018, Turla procedures have evolved and we would like to share fresh information about the group’s Tools, Techniques and Procedures.
This presentation will first introduce the Turla group. We will present the main attacks publicly attributed to the group, which is mainly interested in high-profile targets such as government bodies and defense companies. We will also share what the attackers are looking for on compromised machines and try to reveal their motives.
Then, we will go more technical and showcase Turla’s implementation of the three classic steps of an APT campaign: infection, lateral movement and long-term persistence in order to reach their espionage objectives.

External link: Blog post
Video
Date: 2018-12-07
The Snake Keeps Reinventing Itself
Matthieu Faou 🗣

Abstract

After having tracked Turla’s activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). In this talk, we would like to share this knowledge to help defenders protect their networks.

Turla is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaigns was against the US military ten years ago and they are still very active. During this presentation, we will discuss some recent public cases involving Turla operators. This threat actor targets very specific groups of people and, as such, uses advanced targeting techniques such as spear phishing and watering holes to go after them.

We will present an in-depth analysis of currently undocumented components, such as a highly resilient Outlook backdoor, allegedly used in the early-2018 attack against the German government. We will also provide an overview of the different changes in their TTPs that occurred in the past few months.

Slides (PDF)
Date: 2017-12-07
Stantinko: a Massive Adware Campaign Operating Covertly since 2012
Matthieu Faou 🗣 | Frédéric Vachon 🗣

Abstract

Stantinko is a botnet that we estimate infects around half a million machines mainly located in the Russian Federation and Ukraine. In addition to its prevalence, Stantinko stands out because of its use of advanced anti-analysis techniques, the heavy usage of encryption to hide malicious code and the use of anti-virus evasion tricks that allowed them to stay under the radar for the past five years. While its main purpose is to commit advertisement fraud, Stantinko also installs a backdoor allowing them to run arbitrary code on the victim’s machine.

The Stantinko malware family dates back to at least 2012. We noticed a significant change in the group’s toolset that occurred at the beginning of 2015, which made it way more difficult to track them and to gather all the pieces necessary to conduct a complete analysis of this notably undocumented threat.

When we began our analysis, we were not sure what kind of malware we were looking at. It took us some time to understand Stantinko’s purpose because of its fileless modular architecture. After reverse-engineering its network protocol, we were able to collect the modules that contain the actual malicious code and were able to slowly draw the big picture. We found out that its malicious activities include advertising fraud, Facebook fraud and brute-forcing administrator credentials of Joomla and WordPress Content Management Systems. At this point, it became clear to us that we were looking at a crimeware botnet.

This presentation will cover the findings from our six-month hunt after this large-scale stealthy botnet.

Slides (PDF)
Date: 2018-12-06