Chetan Raghuprasad
Last known affiliation: Cisco Talos
Bio: Chetan Raghuprasad is a cyber threat researcher with Cisco Talos, focusing on hunting and researching the latest threats in the cyber threat landscape and generating actionable intelligence. He seeks to uncover threat actors' tactics, techniques, and procedures by reversing and analyzing the threats. Chetan also publicly represents Cisco Talos by writing blogs and speaking at cybersecurity conferences worldwide. He has 15 years of professional experience, with expertise in threat research and malware analysis, cyber incident response, and digital forensic analysis, and has worked in technology, consulting, and financial institutions. He is CISSP-certified and holds SANS certifications in malware reverse engineering and cyber threat intelligence.
Speaker: Chetan Raghuprasad
Abstract:
This presentation details the Supershell C2 framework. Threat actors are using this framework widely and building botnets out of Supershell implants.
Supershell is a relatively new C2 framework with a web-based command and control (C2) server written in Python and an administration panel in Chinese. Throughout the presentation, I will detail the Supershell C2 framework and what a threat actor can achieve using the Supershell C2 and its implants. We will see one of the many techniques threat actors use to deliver Supershell implants to a victim's machine and register them with the Supershell C2 server, thereby building the botnet. We will also see how widespread Supershell infections are and which countries and business verticals are affected. We also share the details of our research approach to finding active Supershell C2 servers by pivoting on indicators from the various attacks we analyzed.
Finally, I will discuss the possible indications that Chinese-speaking threat actors are conducting the Supershell infections, along with the other tools they use, including reconnaissance and asset-management tools and Cobalt Strike beacons.
Speaker: Chetan Raghuprasad
Abstract:
In recent years, Vietnamese cybercrime groups have significantly advanced their capabilities, acquiring sophisticated tools and tactics that have enhanced their operational success. The pandemic era marked a turning point, as these groups expanded their credential theft operations to a global scale, finding new ways to breach corporate networks worldwide and thereby enabling further criminal activity such as ransomware and information-stealing attacks.
Since the end of 2023, our research has identified at least three hacking groups originating in Vietnam that target most Asian countries and several European nations. Driven by financial motives, these groups focus primarily on stealing credentials, financial data, and social media accounts, including business and advertising accounts. This presentation will expose the extensive criminal enterprise these groups have built, detailing their software stacks, their networks, and their tactics, techniques, and procedures (TTPs). Through multiple case studies, we will illustrate how Vietnamese cybercriminals carry out information stealer attacks, including the deployment of infostealers, the use of rarely seen living-off-the-land binaries (LoLBins), data exfiltration strategies, and the abuse of legitimate services to host command and control (C2) configuration files.
Additionally, we will reveal several newly discovered malware families, including RotBot (a modified version of QuasarRAT), the XClient stealer, and the PXA_BOT stealer. The presentation will conclude with strategic approaches to mitigating infostealer attacks, giving attendees actionable insights for strengthening defenses against these emerging threats. This exploration not only highlights the evolving landscape of Vietnamese cyber threats but also underscores the need for proactive cybersecurity measures.
