Botconf Author Listing

Carlos Rubio Ricote

Last known affiliation: Threatray
Bio: Carlos Rubio is a malware researcher at Threatray, where he is mainly responsible for reverse engineering malware to automate the detection process of new threats. In addition to researching new applications for code reuse technology that can help in different areas such as threat hunting, incident response, tracking the evolution of malware families, among others. He previously worked on reverse-engineering malware at Blueliv, S21sec Counter Threat Intelligence Unit and in the Panda Security Adaptive Defense team. He has previously spoken at Botconf (2022, 2019), Virus Bulletin localhost 2020, as well as many closed-door private conferences.
Date: 2023-04-11
Using systematic code reuse analysis to create robust YARA rules
Jonas Wagner 🗣 | Carlos Rubio Ricote 🗣 | David Pastor Sanz 🗣

Abstract (click to view)

YARA is a commonly used tool to detect and identify malware. There are roughly two types of YARA rules used on binary files: 1) based on metadata and strings and 2) based on code.
There are certain benefits by basing YARA rules on code. Since code reuse is frequent amongst binaries of a malware family, it offers plenty of options to base a YARA rule on. If the chosen code is heavily reused amongst the binaries, then it can result in very robust rules.
This approach comes with certain challenges. A key aspect is being able to find heavily reused code amongst many binaries of a malware family. Unless some sort of automation is at play, this quickly becomes difficult and time-consuming. Once suitable reused code is identified, it needs to be turned into a YARA rule, so that it works even when compiler differences, optimizations or instruction set changes are involved.
In this workshop we will create robust YARA rules for a handful of malware families based on automatically identifying shared code between many binaries of a family.

Slides Icon
Date: 2022-04-29
Qakbot malware family evolution
Markel Picado Ortiz 🗣 | Carlos Rubio Ricote 🗣

Abstract (click to view)

The goal of this presentation is to study and analyse the evolution of the code and the capabilities of Qakbot. In particular, we’ll identify new features being added over time, features that remain stable, and features that are removed over the observation period. The analysis shall also give us information on the evolution of the attacker’s goals and tactics.

All this research is based on the study of the binary code of the Qakbot payload. The level of presentation shall contain high level insights accessible to a broader audience and also contain explanations at assembly level appealing to a more technically inclined audience. By analysing the binaries distributed on the Qakbot botnets, it is clear how the botnet updates the version of Qakbot it is distributing to always have the latest version running on infected machines.

In the following we’re outlining some preliminary data and findings which we’ll evolve further towards our presentation.

Slides Icon
Date: 2019-12-05
BackSwap Malware Campaign Evolution
Carlos Rubio Ricote 🗣 | David Pastor Sanz 🗣

Abstract (click to view)

This article will explain in detail the follow-up since the BackSwap malware was discovered in May 2018, as well as the different campaigns that the group behind BackSwap has carried out towards financial institutions from different countries, cryptocurrency exchanges, and its new evolution after a few months of inactivity.

Scroll to Top