Botconf Author Listing

The Gh0st Remote Access Trojan is a long-standing threat dating back to 2001 that is still active to this day. Following its release to the public in 2008 as version 3.6 Beta, it garnered the attention of Chinese-speaking threat actors in particular who began forking and upgrading the toolset to suit their needs. Various APT (Advanced Persistent Threat) groups targeting Asian countries incorporated modified versions of Gh0st RAT into their own arsenal: GhostNet as the earliest documented instance and GamblingPuppet as one of the most recent ones.

Our deep dive into the subject started when we traced back the origins of a malware family named PseudoManuscrypt directly to Gh0st RAT. Kaspersky first spotted it in July 2021 as being distributed through a network of websites that offer fake cracked software to unsuspecting victims. We also observed it being directly delivered through the PrivateLoader Pay-per-Install (PPI) service.

Pay-per-install (PPI) services have been an integral part of the e-crime ecosystem for a considerable amount of time. PPI services monetize wide dissemination of malware by providing the malware operators with mass geo-targeted installs (aka loads) in exchange for money. A malware operator provides payment, malicious payloads and targeting information while the PPI service overlooks or outsources the distribution and delivery. The accessibility and moderate costs of these services serves as another weapon in the arsenal of malware operators for rapid, bulk and geo-targeted malware infections.

Our focus in this research has been on the Privateloader, an undocumented downloader connected to an unidentified PPI service that delivers a panoply of malware payloads into infected systems. The loader is distributed by a network of websites that allegedly offer downloads for cracked versions of popular software.

As reverse engineers, a significant part of our daily work involves writing and maintaining artifact extractors for multiple malware families, ranging from stealers and RATs to loaders and banking trojans. Our primary goal is to create C2 protocol emulators when applicable and useful. This requires extracting a broad array of artifacts to accurately emulate bot behavior for each malware sample. While some artifacts are straightforward to extract, others demand a certain level of skill. This workshop zeros in on the latter, providing a hands-on opportunity to delve into the real challenges we encounter in this process and how to navigate them efficiently. The use-cases we explore span various malware families and encompass a range of approaches and techniques, including but not limited to the use of regular expressions, manipulation of PE dumps, utilization of the Unicorn code emulation library and of the Capstone disassembly framework.

Prerequisites: IDA Free (or a disassembler of choice) and Python >= 3.10 installed. Malware samples will be provided by the instructors.