Botconf Author Listing

The first reference to Fluxxy is due to N. Summerlin and B. Porter in 2013 [1]. They describe a network of proxy dedicated to cybercrime operations. While this rogue hosting service has been running for nine years, its intelligence coverage remains low. Fluxxy is a notorious bulletproof hosting network that has been in operation for ten years. Notably, many high-end cyber-crime actors were or are still Fluxxy customers such as Nymaim, GandCrab, TheFreshstuff, or UncleSam. Rival to Avalanche, its design is more evolved and gained traction after the takedown of the Avalanche botnet. Fluxxy has been named Dark cloud, SandiFlux, or Furtim in different research. However, detailed intel on its inner workings remains sparse. The present research improves the understanding of this threat through several contributions.

The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering. An introduction to the Regin development framework is provided along with an instrumentation guidelines. Such instrumentation enables experimentation with malware modules. So analysis can derectly leverage malware’s own code without the need to program an analysis toolkit. As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally conclusions from different perspectives are provided: defense, attack and counter intelligence.