Botconf 2024

23rd - 26th April 2024, Nice

400 participants from 30 countries all over the world

28 presentations and 3 workshops

4 days of exchanges, discussions and making new friends!

 

Schedule

Tuesday 23rd April 2024

13:00 – 15:30
TLP:GREEN
WS2 – Teams is for C2: Building and Reversing a Teams RAT (5h)
Randy Pargman 🗣 | Kyle Cucci 🗣

Abstract

This workshop consists of two parts:
First, we will build a Remote Access Tool that uses Microsoft Teams as its Command and Control channel, with indirect syscalls, shellcode and COFF execution capabilities, and other common features. Participants will be provided with a VM for VMware Player or Workstation that has all the necessary source code and build environment set up. Participants will need to create a free M365 Developer tenant prior to starting the workshop.

In the second part, we will reverse engineer the Teams RAT binary and a loader, showing how to analyze stack strings, deal with opaque predicates, XOR string obfuscation, and anti-debugging tricks of malware.

To participate in this workshop, you will need to register for the free Microsoft 365 Developer program, which creates your own Azure tenant with Microsoft Teams for the C2 channel. You will also need a laptop with VMware Player, Workstation, or Fusion installed and at least 30-50 GB of free disk space. You will be provided with a VM for VMware that is set up with all tools, or, if you prefer not to use a pre-built VM, you can build your own Windows 11 VM and install Visual Studio set up for C++ development plus vcpkg, libcurl, cJSON, x64dbg, and IDA Free.

13:30 – 15:30
TLP:CLEAR
WS3 – DotNet Malware Analysis (4h)
Max ‘Libra’ Kersten 🗣

Abstract

Understanding DotNet malware can be daunting at first, but not so much with a solid knowledge of its fundamentals. The goal of this workshop is to teach the required concepts, as these can be transferred into any language of choice, in many different scenarios. As such, attendees gain a deep(er) understanding of the techniques and methods used.

This class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts. The exercises in the workshop are based on actual malware samples, and each exercise consists of several questions for the attendees. The questions become increasingly difficult, ensuring there is always a challenge.

Since the workshop’s materials will consist of actual malware samples, precautions are required, which will be explained in detail during the workshop, ensuring the safety and integrity of the attendees’ systems.

There are several requirements to join:
• A laptop (x86_64 based) capable of smoothly running one x86_64 Windows 10 VM
• Visual Studio Community Edition (2019 or later) on the VM
• The DotNet Framework runtime for version 3.5 and later (by default, version 4 is installed) on the VM
• dnSpyEx, de4dot, DotDumper, and other tools can be downloaded during the workshop as these are insignificant in size.
• Understand VB.NET/C#, and preferably be (somewhat) comfortable writing it. It is possible to join the workshop without the ability to write code, but you will notice this in the later stages of the workshop.

14:00 – 15:30
TLP:GREEN
WS1 – Writing Configuration Extractors: Navigating Challenges in Extracting Malware Artifacts (3h)
Souhail Hammou 🗣 | Miroslav Stampar 🗣

Abstract

As reverse engineers, a significant part of our daily work involves writing and maintaining artifact extractors for multiple malware families, ranging from stealers and RATs to loaders and banking trojans. Our primary goal is to create C2 protocol emulators when applicable and useful. This requires extracting a broad array of artifacts to accurately emulate bot behavior for each malware sample. While some artifacts are straightforward to extract, others demand a certain level of skill. This workshop zeros in on the latter, providing a hands-on opportunity to delve into the real challenges we encounter in this process and how to navigate them efficiently. The use-cases we explore span various malware families and encompass a range of approaches and techniques, including but not limited to the use of regular expressions, manipulation of PE dumps, utilization of the Unicorn code emulation library and of the Capstone disassembly framework.

Prerequisites: IDA Free (or a disassembler of choice) and Python >= 3.10 installed. Malware samples will be provided by the instructors.


Wednesday 24th April 2024

11:00 – 11:40
TLP:GREEN
3CX: a “mise en abyme” supply chain attack?
Victorien Fragne 🗣 | Godefroy Galas 🗣

Abstract

This talk will look back on the 3CX supply chain attack campaign, which occurred in March and early April 2023 and consisted of the use of the 3CX VoIP software to achieve one of the biggest supply chain attacks since SolarWinds.
Attributed in open source to the “North Korea-Nexus” intrusion set LABYRINTH CHOLLIMA (a cluster of the well-known Lazarus group), this attack campaign had the potential to cause significant damage, since the 3CX software is used by around 600,000 corporate customers (including the NHS, PwC and IKEA) and counts roughly 12 million users per day.
After a detailed description of the underlying infection chain, the presentation will focus on explaining the code and infrastructure links between this campaign and the intrusion set LABYRINTH CHOLLIMA, and on summarising the actions taken by the Agency to contain it.

11:45 – 12:05
TLP:AMBER
It’s getting cloudy – peering into the recent APT29 activities
CERT Polska 🗣

Abstract

As a national CERT, we come across many intriguing malware campaigns targeting Polish organizations and institutions. Last year, we saw several threat actors targeting a number of European embassies and MFAs, but one group looked especially interesting – APT29. While the selection of attacked institutions was interesting, what really struck a chord was the use of multiple legitimate services as covert C&C servers.
We continued to track the campaigns deployed by the actor for almost a year and gathered enough information to allow us to co-publish several reports on the malware activities and tooling.
In this talk we’ll examine the methods attackers used to stay undetected and go a little behind the scenes of the public reports.

12:10 – 12:40
TLP:GREEN
BYOVD Unveiled: Hunting and Exploring Vulnerabilities in Device Drivers
Nirmal Singh 🗣 | Rajdeepsinh Dodia 🗣

Abstract

Malicious program authors often exploit vulnerabilities in popular software programs and employ various methods to circumvent security measures such as antivirus software, sandboxing, and intrusion detection systems. More precisely, threat actors have begun using vulnerable legitimate drivers as a means of infiltrating systems; this attack is known as BYOVD, short for Bring Your Own Vulnerable Driver. These drivers are responsible for facilitating communication between physical devices and the operating system, operating at a higher privilege level in kernel mode. In contrast, user mode is a less privileged mode used by various applications. By taking advantage of vulnerable drivers, attackers can execute actions without verifying the process or privileges of the caller. Numerous vulnerable drivers from different software and hardware vendors, such as LOLDrivers [2], have already been identified.
Generally, threat actors use malicious payloads; these are often detected by antivirus products / anti-malware tools. But leveraging known signed drivers from different hardware and software vendors creates less suspicion. Historical instances reveal ransomware groups [3] exploiting driver vulnerabilities to disable antivirus and EDR security tools, with APT groups like Lazarus [4] similarly leveraging these weaknesses.
Our objective is to uncover and examine vulnerable drivers designed to run on different Windows versions (x86-64 architecture) that may be susceptible to exploitation by malicious individuals. During our investigation, we uncovered several digitally signed vulnerable drivers from reputable vendors, some of which lacked adequate measures to authenticate the calling process. Our research encompasses a range of techniques for manipulating driver functionality from user mode. It includes various approaches for exploiting driver functionality by making calls from user mode.

14:00 – 14:40
TLP:AMBER
Opera1er: from tracking the threat actor to detaining a criminal behind
Anton Ushakov 🗣 | Hugo Rifflet 🗣

Abstract

The topic of this talk covers a technical description of the tactics, techniques, and procedures (TTPs) of the French-speaking financially motivated threat actor codenamed OPERA1ER (NXSMS), as well as the details of the threat actor investigation carried out in collaboration with Law Enforcement authorities, followed by the arrest of a key figure of the gang.
The presentation takes a deep dive into the operations of the prolific cybercrime syndicate that is confirmed to have stolen at least $11 million since 2019 in 30 targeted attacks, describing the kill chain of the attacks, the ways used to hunt and track malicious infrastructure, and the methods used to identify one of the Opera1er members.

14:45 – 15:15
TLP:CLEAR
New Modular Malware RatelS: Shades of PlugX
Yoshihiro Ishikawa 🗣 | Takuma Matsumoto 🗣

Abstract

In March 2023, we observed a new APT malware used by an unknown APT actor in several Japanese companies. The malware is a modular remote access trojan (RAT) like PlugX or ShadowPad, which have been shared among China-based APT actors and used in various campaigns. We named this malware “RatelS” based on the strings contained in the file path and window title.

RatelS has 11 malicious modules, including command execution, file manipulation, and keylogging, which can be dynamically loaded and unloaded in response to commands from the C2 server. Also, this RAT has two communication capabilities with different directions: Reverse mode and Listen mode. The former callbacks from the infected host to the C2 server, while the latter opens a port and listens for connections. The C2 communication is performed via TCP, TLS, HTTP, or HTTPS.

During the investigation of the RatelS incident, we discovered a builder and controller that can build RatelS by simply selecting options and remotely operate infected machines. It is notable that RatelS has some similarities with PlugX in its implemented features and code, and moreover this actor also utilized PlugX with P2P communication functionality in the campaign. This suggests the possibility that RatelS is a successor to PlugX.

In this presentation, we are going to share technical details on the analysis of the new malware RatelS, its similarities with PlugX, and the methods to detect and respond to the malware activity for future prevention. This includes a demonstration of RatelS C2 operation using the builder and controller. In addition, we will indicate the attribution of APT actors using RatelS based on other similar malware.

15:20 – 15:50
TLP:CLEAR
Parsing the Unparsable: Turning Analyzers into Victims
Yusuf Kocadas 🗣 | Furkan Er 🗣

Abstract

While thinking about how to prevent static analysis of our customers’ applications, I found myself analyzing publicly available APK parsers on GitHub. I walked through a bunch of issues to see which apps had broken/crashed their parsers, and collected many of both legitimate and malicious apps. Then, I started to extract their peculiarities and commonalities. After working on these outputs, I dived into analyzing open source parsers and bumped into many issues, some of which turned out to be crucial security problems. Furthermore, some of these parsers are the backbone of many security products. In this talk, I will share my findings and how to turn analyzers into victims.

16:20 – 17:00
TLP:CLEAR
Everyone Gets a Webshell! Or, Backdooring Web Hosting Companies in Scale
Daniel Frank 🗣

Abstract

What happened when a flying-under-the-radar threat actor decided to directly go after web-hosting providers who host thousands of legitimate websites? How and why did they do it? These questions stand at the heart of our talk, in which we’ll explore the evolution of a determined threat actor that has been targeting web hosting providers throughout 2020-2023.

17:05 – 17:45
TLP:CLEAR
Warp’s Enigma: Unraveling a Sophisticated Golang Malware Ecosystem that drops modified Stealerium
Sathwik Ram Prakki 🗣 | Rayapati Lakshmi Prasanna Sai

Abstract

The surge in cybercrime ecosystems and underground forums has led to a substantial increase in stealer malware variants, facilitated by Malware-as-a-Service (MaaS) platforms addressing specific needs and vulnerabilities. This talk delves into the intricate details of a modern malware ecosystem named Warp, characterized by its high level of sophistication and multifunctionality. Warp, crafted in the Go programming language, comprises various components such as a loader, dropper, and stealer, typical of a malware ecosystem. This infection process leads to a modified version of the Stealerium infostealer, a potent malware adept at extracting sensitive information while employing anti-analysis techniques.

This paper conducts an in-depth technical analysis of the components comprising the Go-based Warp malware ecosystem and how the infection chain unfolds. The analysis covers the reversal of Go-based binaries using IDA Pro, the utilization of random API calls and various search engines to mask C2 traffic, and an exploration of the Telegram bot used for C2. Additionally, the UAC bypass through RPC requests via the ALPC kernel feature and an overview of the Avast anti-rootkit functionality employed to disable AV/EDR solutions, both linked to the dropper component, are discussed. The paper also highlights the distinctions between Warp Stealer’s Telegram and Stealerium’s Discord, both used for C2 communication, shedding light on the diverse functionalities incorporated within this complex malware ecosystem.


Thursday 25th April 2024

09:35 – 10:05
TLP:GREEN
Eastern Asian Android Assault – FluHorse.
Alexandr Shamshur 🗣 | Raman Ladutska 🗣

Abstract

The FluHorse malware features several malicious Android applications that mimic legitimate applications each with more than 100,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.
Quite surprisingly, no custom implemented tricks are used inside FluHorse, as the malware authors relied solely on an open-source framework for the development of the malicious functionality. It is implemented with Flutter – an open-source UI software development kit created by Google that is used to develop cross-platform applications for various platforms, including Android and iOS for mobile devices, with a single codebase. What makes Flutter an appealing choice for malware developers is the use of a custom virtual machine to support different platforms and its ease of use for the creation of GUI elements. Analyzing such applications is complicated due to the custom VM, which makes this framework a perfect solution for Android phishing attacks, as it turned out to be.
In our research, we describe different targeted markets in several countries and compare phishing applications with the legitimate ones – differences are pretty hard to spot at first glance. We give credit to the available tools for Flutter-application analysis while also providing the enhancements that resulted in our open-source contribution: https://github.com/Guardsquare/flutter-re-demo/pull/4. We go through all the pitfalls encountered during our research and provide solutions on how to bypass them. Finally, we give an overview of the Command-and-Control communication of the malware as well as dive deeply into the details of the network infrastructure analysis.

19:30 – 23:00
Lightning talks

Friday 26th April 2024


Additional paper(s)

This paper was not presented during the conference but was deemed, by the programme committee, interesting to publish for the community.

