Botconf Author Listing

Maciej Kotowicz


Last known affiliation: MalwareLab.pl

Date: 2020-12-01
Your *aaS is on fire, or how threat actors (ab)use cloud providers
Maciej Kotowicz 🗣

Abstract

In order to run a successful espionage campaign we need a couple of things, one of them being infrastructure for both infection and exfiltration. Nowadays everyone was, is or will be moving their infra to the cloud, so why not APTs? Why set up a costly dedicated server when we can use free PaaS hosting? Why not use a cloud-storage service for exfiltration, with all of its unlimited quota and backups? Want to host some malware? Guess who has got you covered?

There are quite a few threat actors that went that way; some of them were never talked about publicly, and for others their operations that used cloud services somehow slipped through the cracks, and those are the ones we would like to present to you.

While the usage of such services is a great pain for defenders, it also creates some great opportunities – and we will show them!

Slides (PDF) | Video
Date: 2016-12-02
ISFB, Still Live and Kicking
Maciej Kotowicz 🗣

Abstract

Also known as Gozi2/Ursnif, sometimes Rovnix, ISFB reappeared in early 2013 attracting some attention from the research community and a lot of confusion in the naming convention and to what was being analyzed. Then suddenly, it went dark again.
However, dark does not mean dead. With the attention of the world focused on Dridex and Dyre, ISFB silently evolved, hiding from the spotlight to become one of the most complex and fully featured banking trojans out there. In this paper, we want to break the silence surrounding ISFB, giving a full description of the capabilities of this malware, which are beyond those of the average banking trojan: 4 ways of communicating with the C&C, half a dozen tricks to steal your money, the ability to create movies of your activity and naturally numerous ways of manipulating your web traffic.
It all comes as a very nicely designed piece of software, with a custom configuration format beautifully fitted into the malware itself, uncommonly used crypto and rather clean code, making it an interesting target for an analyst.
While it’s a perfect target for an analyst, its broad capabilities make it a weapon of choice for the bad guys, making it one of the most popular bankers alongside Vawtrak and ZeuS derivatives.
But, in today’s world, malware is more than just a binary sitting on your computer; it is an entire infrastructure supporting it in the backend. We will therefore also provide an overview of the architecture used for that purpose, including the whole chain of tiers that leads us to the C&C server.
The paper will be backed up by a set of scripts and signatures (IoCs) that will help in hunting for this threat, extracting interesting pieces of configuration and the webinjects themselves.

Slides (PDF) | Video | Paper (Article)
Date: 2014-12-05
ZeuS Meets VM – Story so Far
Maciej Kotowicz 🗣

Abstract

At the beginning of the year we observed a shift in the malware chosen by criminals. Old Citadel started losing market share, pushed out by new versions of KINS. The threat was important enough to be added to ZeusTracker. After this the game changed: a new encryption schema came into play, confusing researchers.

Following this, some AV companies rediscovered other, rather stealthy branches of KINS and started giving them fancy names, confusing us even more. But who can blame them when there are so many mutations floating around?

We’ll demonstrate methods for distinguishing variants of ZeuS-like malware, show how to determine their version, and show some other juicy stuff that they have in common that we can take advantage of. We start this journey by digging into ZeuS internals, showing how important parts evolved and that there are things that survive all mutations. Along the way we show how to deal with the most recent mutations to extract configuration details. At the end we show that we don’t really need to know what mutation/version we are dealing with to get the most important pieces.

The talk will be accompanied by the release of tools to parse and print BinStruct, the YARA signatures we use to distinguish mutations, tricks that make analysis faster and, last but not least, a service that can crack most ZeuS-like malware (zdump).

External link: Github
Date: 2013-12-05
Malware Calling
Maciej Kotowicz 🗣 | Tomasz Bukowski | Łukasz Siewierski

Abstract

Zitmo (ZeuS in the MObile) is a mutation of ZeuS that appeared for the first time in early 2011, targeting bank customers in Poland and Spain and infecting an unknown number of users. Zitmo consists of two parts: spyware installed on the PC and an application installed on the mobile device. At the time the PC app is capable of running on all modern Windows systems (2000-8), both 32 and 64 bit, while the mobile part runs on Android (although it’s prepared for Symbian and BlackBerry as well).

We have recently discovered that the banker used in the malware is a strange mixture of ZeuS and SpyEye, served as a module, and it’s only one of the functionalities offered by the malware. It also incorporates a sophisticated communication schema used to transport stolen data from mobile phones, which we are still investigating. We will show how the malware operates on both PCs and mobiles to steal money. In addition, we will release tools that aid analysis.

External link: Github
Slides (PDF) | Video