During the last couple of years there has been an important surge on the use of HTTPs by malware. The exact reason for this increase is not completely understood yet, but it is hypothesized that it was forced by organizations only allowing web traffic to the Internet and that using

We propose and implement a novel method of discovering botnet activities by identifying new core domains (domains that are directly below a TLD) that appear in real-time DNS query traffic as suspicious, and discovering botnet C&C groups using a domain correlation machine learning model. This method discovers botnet C&C groups

Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques have decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs, the biggest player in the

During an incident, CERT Sekoia investigated fraudulent money transfers. These transfers were made from a French firm account to other bank accounts based in different places in Europe. The fraud has been valued at 800 000 euros. Initially, the bank of the French firm indicted an accountant officer of this

Botnets enable various cyber-criminal activities, like DDoS, banking fraud, data theft and extortion. Current botnet detection approaches face many challenges, for example, peer-to-peer infrastructures and domain fast-flux or encrypt the command and control information, in order to prevent signature based detection. In the recent years an increasing number of approaches

Cybercriminals employ websites to infect victims with malware using techniques such as drive-by-download or social engineering. On the other hand, several approaches (e.g. client honeypots) exist to detect malicious websites. Nonetheless, this is a time-consuming task, and thus, computational resources should be spent on targets that are more prone to

[To be completed]

Manual processing of malware samples became impossible years ago. Sandboxes are used to automate the analysis of malware samples to gather information about the dynamic behaviour of the malware, both at AV companies and at enterprises. Some malware samples use known techniques to detect when it runs in a sandbox,

Conficker was the first to introduce Domain Generation Algorithms to the malware world. Today’s modern malware practically use it as a basic building block.  Malware researchers have tackled this problem with various tools and techniques with varying degrees of success. In this talk, we will present a method which allows

What does a botnet do when it gets bored? Make every infection second count – even if it means to use the infection time for brute forcing. This presentation aims to show a complete sandbox infection cycle, which started with a seemingly Gamarue infection and end up with an automated