Botconf Author Listing

Raman Ladutska


Last known affiliation: Check Point
Bio: Raman Ladutska has been interested in exploring the world’s internals since childhood. He had a solid start, with a bunch of encyclopedias for reading, Lego bricks for building, and even a microscope for exploring. Raman’s family still have fond memories of the reverse-engineered things he left in his wake. Next came perusing hacker magazines, learning to reverse engineer programs, university studies in computer security, graduation and being an all-around jolly good fellow to this very day. Check Point Research team presents great opportunities for Raman to take on different challenges, channeling his energy and determination to a peaceful course of development and sharing the results with fellow researchers and the community.
Date: 2022-04-28
How Formbook became XLoader and migrated to macOS
Alexey Bukhteyev 🗣 | Raman Ladutska 🗣

Abstract (click to view)

In this talk we analyze a prevalent malware family Formbook and its successor XLoader from different angles, including OSINT and technical sides. XLoader is a logical step in Formbook’s evolution, it is now able to target not only Windows but macOS as well.

Our aim is to help the listeners understand how the malware topped up prevalence lists, which approaches and tools to use for the analysis of this and other cases and how to stay protected from this threat.

Video
TLP:GREEN
Date: 2024-04-25
Eastern Asian Android Assault – FluHorse.
Alexandr Shamshur 🗣 | Raman Ladutska 🗣

Abstract (click to view)

The FluHorse malware features several malicious Android applications that mimic legitimate applications each with more than 100,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.
Quite surprisingly, no custom implemented tricks are used inside FluHorse, as the malware authors relied solely on an open-source framework for the development process of malicious functionality. It is implemented with Flutter – an open-source UI software development kit created by Google and is used to develop cross-platform applications for various platforms, including Android and iOS for mobile devices, with a single codebase. What makes Flutter an appealing choice for malware developers is the use of a custom virtual machine to support different platforms and its ease of use for creation of GUI elements. Analyzing such applications is complicated, due to the custom VM, which makes this framework a perfect solution for Android phishing attacks, as it turned out to be.
In our research, we describe different targeted markets in several countries and compare phishing applications with the legitimate ones – differences are pretty hard to spot at first glance. We give credits to the available tools for Flutter-application analysis while also providing the enhancements that resulted in our open-source contribution: https://github.com/Guardsquare/flutter-re-demo/pull/4. We go through all the pitfalls encountered during our research and provide solutions on how to bypass them. Finally, we give an overview of Command-and-Control communication of the malware as well as dive deeply into the details of the network infrastructure analysis.

Slides Icon
PDF
Video
TLP:GREEN
Date: 2024-04-25
Evasions Fest of Korean Android Financial Menace – FakeCalls
Raman Ladutska 🗣 | Bohdan Melnykov

Abstract (click to view)

When malware actors want to enter the business, they can choose markets where their profit is almost guaranteed to be worth the effort – according to past results. The malware does not need to be high profile, just careful selection of the audience and the right market can be enough.

This is the exact case that we observed in South Korea when we encountered an Android Trojan named FakeCalls. This malware can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees – perform the attack called voice phishing, or vishing.

Vishing attacks have a long history in the South Korean financial market. The problem was so serious that it even drew the attention from the government that resulted in a careful investigation and subsequent report: financial losses due to voice phishing constituted approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020. Knowing these facts, we understand why exactly this country and this market were chosen by FakeCalls.

We discovered more than 3500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented several new anti-analysis techniques. In our presentation we describe all of the encountered anti-analysis techniques, and show how to mitigate them, refer to the history of South Korean vishing attacks and speak about the key details of the malware functionality.

Slides Icon
PDF
Video
Scroll to Top