15th International CARO Workshop

2022 Agenda

Wednesday May 4, 2022

16:00 - 19:00 | Registration

19:00 - 22:00 | Welcome Drinks Reception

Thursday May 5, 2022

07:30 - 10:00 | Registration

09:15 | Opening remarks

Pavel Baudis, Co-Founder of Avast & CARO member

Luis Corrons, Security Evangelist at Avast & Member of the Board of Directors at AMTSO

09:30 | Keynote

Nicole Samantha van der Meulen, Senior Strategic Analyst at the European Cybercrime Centre at EUROPOL

10:15 | Oil, Water, and Something Fresh: Hunting Middle Eastern Threat Actors

Robert Lipovský, Senior Malware Researcher at ESET

Authors: Robert Lipovský, Adam Burgher


In this presentation, we will discuss hunting the Middle Eastern threat actors OilRig and MuddyWater, and a new group we are calling FreshFeline. We will lay out our hunting methodology and how it led to a newly discovered OilRig backdoor, several new campaigns from MuddyWater, and the backdoors and exploitation chain used by FreshFeline.

OilRig is a cyberespionage group that has been active since at least 2014. The group targets Middle Eastern governments and a variety of business verticals. OilRig carried out the DNSpionage campaign in 2018 and 2019 that targeted victims in Lebanon and the United Arab Emirates. In 2019 and 2020, OilRig continued its attacks with the HardPass campaign, which used LinkedIn to target Middle Eastern victims in the energy and government sectors.

We will present recent OilRig activity in which the group has been observed targeting Israeli companies in the medical and technology industries using a newly discovered backdoor, Marlin, as well as the DanBot Remote Access Tool (RAT) and the Milan and Shark backdoors.

MuddyWater is a cyberespionage group linked to Iran’s MOIS and active since at least 2017. The group targets victims in the Middle East and North America, with a focus on telecommunications, governmental organizations, and the oil and energy verticals. MuddyWater operators frequently use PowerShell-based backdoors, including the POWERSTATS backdoor.

We will discuss the MuddyWater tendencies, as exhibited in their tactics, techniques, and procedures (TTPs), that led to our discovery of three campaigns that we are calling PSCore, CustomStories, and UNTITLED. Additionally, we will cover a never-before-reported evolution of the PowGOOP campaign that US CYBERCOM recently reported on.

Lastly, FreshFeline is a newly discovered Middle Eastern cyberespionage group that targets companies in Israel in the construction, technology, and legal verticals. It has been active since April 2021, when it began deploying the backdoor that we are calling Updater, along with a loader, DriveGuard, and an injector, Lic. To date, FreshFeline has only targeted internet-exposed Microsoft Exchange servers with unpatched vulnerabilities, which is likely its primary means of ingress.

We will examine how we discovered this group, explain how the exploitation chain works, and provide some insight into similarities with OilRig.

About Authors

Robert Lipovsky

Robert Lipovsky is a Senior Malware Researcher for ESET, with 15 years’ experience in cybersecurity and a broad spectrum of expertise covering targeted APTs, crimeware, as well as vulnerability research. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava.


He is a regular speaker at security conferences, including RSA Conference, Black Hat, CARO Workshop, Virus Bulletin, AVAR, BlueHat, and ATT&CKcon. He also teaches reverse engineering at the Slovak University of Technology – his alma mater – and at Comenius University. When not bound to a keyboard, he enjoys traveling, playing guitar and flying single-engine airplanes.

Adam Burgher

Adam Burgher is a Senior Threat Intelligence Analyst in the security intelligence program at ESET. His primary role includes threat hunting and reverse engineering APTs. Prior to joining ESET, he spent 5 years in the hospitality and retail verticals threat hunting and analyzing malware, and 10 years in similar roles with the U.S. Government.

10:40 - 11:00 | Break

11:00 | Smashing Ransomware for Fun and Non-Profit

Jakub Křoustek, Malware Research Director at Avast

Ladislav Zezula, Senior Malware Analyst at Avast

Smashing Ransomware for Fun and Profit: Writing ransomware decryption tools since 2016

Authors: Jakub Křoustek and Ladislav Zezula (Avast Software)

Ransomware is a kind of malware with a 30-year history that has dominated the threat landscape for more than a decade. Being one of the most destructive, it takes the users’ most precious digital asset – the data – hostage and demands payment for giving the data back. Unfortunately, there is still no silver bullet for defeating this evil, and frankly, most ransomware strains implement their cryptography well. Furthermore, it will probably take many years until quantum computers are usable for breaking the encryption algorithms employed by ransomware. Until then, we need to use other approaches when helping ransomware victims, such as finding weaknesses in their algorithms and implementations so that user data can be decrypted without paying the ransom. We at Avast have been working on ransomware decryption tools since 2016. We have successfully delivered free decryption tools for more than 25 ransomware strains to the general public, with tens of thousands of downloads. In this talk, we will share our know-how and the types of mistakes the ransomware authors have made in the past that led to free decryption.

1. Intro: So Much for the Happy Endings

First, we will briefly recap how encryption in ransomware usually works (key generation, commonly used ciphers, storage of keys, etc.). Afterward, we will continue with a free-decryption warm-up, including what the term “military-grade encryption” means in practice (spoiler alert: XOR with a fixed key) and other funny stories. Then we will continue with (almost) generic decryption of the “educational” ransomware HiddenTear, which has been spreading in hundreds of variants since its unfortunate release in 2015.

2. Do Not Use Some Random Algorithm for Random Numbers

Next, we will focus on the most common mistake in cryptographic implementations: the use of weak random number generators provided by standard libraries. Authors often do not realize that those generators produce a sequence that may be well distributed over the range but still depends solely on the input initialization value (seed). The strength of the resulting key is therefore at most the size of the seed, and often less. We will demonstrate this on the currently prevalent strain AtomSilo.
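The two mistakes outlined in sections 1 and 2 above, as an added example that is not Avast’s decryptor code: a toy ransomware that (1) XORs files with a fixed 8-byte key and (2) builds its keystream from a library PRNG seeded with a 32-bit timestamp, together with the known-plaintext attack a decryptor uses against each. The PNG header is real known plaintext; the toy cipher, the sample file, the seed value and the one-hour search window are constructed assumptions.

```python
import random

# Known plaintext a decryptor can rely on: every PNG file starts with these 8 bytes.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- Mistake 1: "military-grade" encryption that is XOR with a fixed key ---------

def recover_xor_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from known plaintext.

    Works whenever the known prefix covers one full key period, because
    key[i] = ciphertext[i] ^ plaintext[i] for every i < key_len.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known plaintext must cover at least one key period")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


# --- Mistake 2: keystream from a library PRNG seeded with a small value ----------

def prng_keystream(seed: int, length: int) -> bytes:
    """Keystream the toy ransomware derives from a library PRNG and a 32-bit seed.

    The output passes casual randomness checks, but the whole stream is a
    function of the seed, so the effective key space is 2^32 at most, and far
    smaller once the seed is known to be a timestamp near the infection time.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def prng_encrypt(plaintext: bytes, seed: int) -> bytes:
    return xor_bytes(plaintext, prng_keystream(seed, len(plaintext)))


def recover_seed(ciphertext: bytes, known_prefix: bytes, seed_lo: int, seed_hi: int):
    """Brute-force the seed over [seed_lo, seed_hi) against known plaintext.

    Only len(known_prefix) keystream bytes are generated per candidate, so
    each trial costs one PRNG initialisation. Returns None if no seed fits.
    """
    n = len(known_prefix)
    target = ciphertext[:n]
    for seed in range(seed_lo, seed_hi):
        if xor_bytes(target, prng_keystream(seed, n)) == known_prefix:
            return seed
    return None


def demo() -> tuple:
    """Run both recoveries on a constructed sample file; returns (xor key, seed)."""
    plaintext = PNG_MAGIC + bytes(range(256)) * 4      # constructed "image"

    # Mistake 1: an 8-byte fixed key falls to the 8-byte PNG header alone.
    fixed_key = b"\x13\x37\xde\xad\xbe\xef\x42\x99"
    ct1 = xor_bytes(plaintext, fixed_key)
    key = recover_xor_key(ct1, PNG_MAGIC, key_len=8)
    assert xor_bytes(ct1, key) == plaintext

    # Mistake 2: seed = infection timestamp (assumed Unix time, constructed value).
    infection_time = 1651741200                         # 2022-05-05 09:00:00 UTC
    ct2 = prng_encrypt(plaintext, infection_time)
    # The victim knows roughly when files were encrypted: search one hour each way.
    seed = recover_seed(ct2, PNG_MAGIC, infection_time - 3600, infection_time + 3600)
    assert seed is not None and prng_encrypt(ct2, seed) == plaintext
    return key, seed


if __name__ == "__main__":
    print(demo())
```

The seed search uses only as many keystream bytes as there is known plaintext, so narrowing the time window is what makes a real decryptor practical; with no timestamp hint the full 2^32 space is still feasible offline, which is the point the talk makes about seed-sized key strength.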

3. When One Facepalm is Not Enough

Afterward, we will continue with another humorous one – the Fonix ransomware. Sometimes the implementation of ransomware cryptography is just plain ridiculous. We discovered a fatal flaw in the cryptographic scheme of this ransomware, which could have been used for decrypting user files even without the master RSA key.

About Speakers

Jakub Křoustek

Jakub is Avast’s Malware Research Director, focusing on monitoring the threat landscape and building the company’s threat intelligence. He has been leading malware fighters at Avast, and previously at AVG, for the last eleven years, and has twenty years of experience in reverse engineering.

He and his team are focused on hunting new malware threats, dissecting them, and preparing automated malware-detection methods. Furthermore, they actively develop tools for malware analysis, like YARA and RetDec, and malware clustering, and provide free decryption tools to victims of ransomware attacks.

Jakub also likes to share his findings via any available channel, such as the Avast blogs (https://decoded.avast.io/, https://blog.avast.com/), conference talks (including VB, Botconf, CARO), and social media (https://twitter.com/JakubKroustek).

Jakub has a Ph.D. in Cybersecurity from the Brno University of Technology, Czech Republic.

Ladislav Zezula

Ladislav Zezula is a senior malware analyst at Avast. Ladislav has been a malware analyst since 2006, working for Grisoft, then AVG, which was acquired by Avast in 2016. His area of expertise includes malware analysis, reverse engineering, Windows internals, and system tools. He contributed to the creation of a Win32 and Win64 emulator, removal tools for file infectors, new features in YARA, and ransomware decryption tools.

Ladislav holds an MS in Chemistry from Masaryk University in Brno, Czech Republic.

11:45 | Tracking TeamTNT Activities: Evolution of a Cloud-Focused Hacking Group

David Fiser, Security Researcher at Trend Micro

We have been seeing an increasing focus on cloud-based attacks and campaigns among malicious actors looking to take advantage of organizations shifting to cloud services. So that organizations understand how best to protect themselves, we will reveal the most recent activities of the hacking group TeamTNT. We will specifically cover the evolution of the payloads produced by this group.

We will start by studying simple cryptojacking payloads, together with more advanced ones, such as a kernel-mode module for hiding the cryptojacking process and container escape features (various CVEs for Docker and abuse of privileged container features). We will show how TeamTNT targets specific exposed services such as Redis, Docker and Kubernetes. We will describe how they shifted the focus of their payloads to cloud-related services in order to gain access to a company’s cloud accounts or hardware (this includes AWS, Google Cloud and Cloudflare). Learn how they harvest credentials and the additional RCE-capable payload they deploy – a modified Kaiten-based IRC bot.

We will also show how the attackers achieve worm-like spread of their payloads by specifically looking for access tokens and secrets for other machines, including LAN discovery after they infect a machine, and how they efficiently remove competing malware found on infected systems.
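An added example (not Trend Micro’s tooling or TeamTNT’s code) of auditing a Docker host for the conditions the payloads above abuse: privileged containers, shared host namespaces, a bind-mounted Docker socket, and cloud credentials sitting in container environment variables. The records are constructed in the shape of `docker inspect` output; the dangerous-capability list, the environment variable names and the AWS key-ID pattern are assumptions.

```python
import re

# Cloud credential material the payloads harvest. The env names and the key-ID
# pattern (AKIA/ASIA + 16 chars) are assumptions chosen for this example.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_ENV_NAMES = ("AWS_SECRET_ACCESS_KEY", "AWS_ACCESS_KEY_ID",
                    "GOOGLE_APPLICATION_CREDENTIALS", "CLOUDFLARE_API_TOKEN")
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN"}
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run")


def audit_container(rec: dict) -> list:
    """Return a list of findings for one docker-inspect style record."""
    findings = []
    name = rec.get("Name", "?")
    hc = rec.get("HostConfig", {})

    if hc.get("Privileged"):
        findings.append(f"{name}: privileged container (host device and mount access)")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append(f"{name}: shares host network namespace")
    caps = DANGEROUS_CAPS & set(hc.get("CapAdd") or [])
    if caps:
        findings.append(f"{name}: added capabilities {sorted(caps)}")

    for m in rec.get("Mounts", []):
        src = m.get("Source", "")
        if src.rstrip("/").endswith("docker.sock"):
            findings.append(f"{name}: Docker socket mounted from {src}")
        elif m.get("Type") == "bind" and src in SENSITIVE_HOST_PATHS:
            findings.append(f"{name}: sensitive host path {src} bind-mounted")

    for env in rec.get("Config", {}).get("Env", []):
        key, _, value = env.partition("=")
        if key in SECRET_ENV_NAMES or AWS_KEY_ID.search(value):
            findings.append(f"{name}: cloud credential in environment ({key})")
    return findings


def audit_all(records: list) -> dict:
    """Audit every record; returns {container name: findings} for containers with hits."""
    out = {}
    for rec in records:
        hits = audit_container(rec)
        if hits:
            out[rec.get("Name", "?")] = hits
    return out


# Constructed sample records (shape of `docker inspect`, values made up;
# the AWS key below is Amazon's documented example key, not a live credential).
SAMPLE_RECORDS = [
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge", "CapAdd": None},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data"}],
        "Config": {"Env": ["PATH=/usr/bin", "APP_ENV=prod"]},
    },
    {
        "Name": "/miner-helper",
        "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock"}, {"Type": "bind", "Source": "/"}],
        "Config": {"Env": ["AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
                           "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"]},
    },
]

if __name__ == "__main__":
    for hits in audit_all(SAMPLE_RECORDS).values():
        for h in hits:
            print(h)
```

On a live host the records come from `docker inspect $(docker ps -q)`; every finding here is something a TeamTNT-style payload either needs (socket, privilege, capabilities) or collects (the credentials), so each one is worth removing before the container is ever exposed.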

Next, we will discuss how TeamTNT presents itself and uses public channels (Twitter) to communicate some of its payloads, often teasing security companies and researchers. Understand their adoption of open-source software and its implementation into their payloads.

The most significant difference between TeamTNT and other groups is that they were one of the first to shift their focus onto cloud services, providers, and technologies, as well as the group’s relationship with the security community. This includes messages found on their website and statements published on Twitter, where they are known as active commenters on newly published articles, including their announcement of “quiting the szene”.

About Speakers

David Fiser

David has been working as a malware analyst since 2010. In 2017 he shifted his focus to more general threat and vulnerability research. He has been credited for several CVEs and has presented his research at conferences including CARO, AVAR and SecurityFest.

12:10 - 14:00 | Lunch

14:00 | Botnet² – IoT story behind Meris, Glupteba, TrickBot and the company

Martin Hron, Senior Security Researcher at Avast

Author: Martin Hron

Let us tell you a story that began back in 2018. The culprit was, and still is, one unfortunate router vulnerability.

Some critical MikroTik vulnerabilities have been around for a few years already. Since then, these devices have been under constant attack from nefarious actors misusing them in various ways. Because of poor patch adoption, these devices are ideal targets for enlistment into a botnet, which has happened several times already. A recent potent example was the Meris botnet, discovered and named by Qrator and Yandex in June 2021.

We present a case of investigation that led us to a C2 server that has controlled infrastructure-as-a-service since 2018 by using enslaved MikroTik devices as a mesh of proxies and VPN tunnels to hide malicious traffic and to protect the hidden tiers of C2 servers in plain sight. We believe it ties together botnet strains such as Meris, Glupteba and possibly others.

About Speakers

Martin Hron

Martin Hron is a senior security researcher at Avast, frequent speaker, abandonware and open-source advocate, coffee addict and coffee machine breaker. Martin leads research across various disciplines such as dynamic binary translation, hardware-assisted virtualization and malware analysis. Recently his focus has been IoT and the underlying hardware and software vulnerabilities, spanning from chip to cloud. He is devoted to technology and is a dedicated software and hardware reverse engineer, game programmer, tinkerer, and AI and IoT mantras practitioner. For almost 25 years, he has been keeping an eye on emerging technologies and connected threats.

14:45 | YARA for Threat Hunting: Pushing the Limits

Jakub Křoustek, Malware Research Director at Avast

Marek Milkovič, Lead Software Engineer at Avast

Authors: Jakub Křoustek and Marek Milkovič (Avast Software)

YARA is one of the most universal tools in the cybersecurity industry. It can be used for the classification of threats and hunting for new ones, it can utilize any type of information for matching (static features, behavior in a sandbox, ML models, etc.), and some geeks are even (ab)using it for playing games.

In this talk, we would like to provide a sneak peek at how massively we are using YARA at Avast and also share with the community one significant contribution we recently open-sourced. Furthermore, we would like to use this talk as a poll to check whether YARA users in the AV industry would be interested in our open-sourcing parts of our YARA toolchain.

At Avast, we use YARA for building our threat intelligence: scanning millions of new files each day and hundreds of millions of old files multiple times a day with tens of thousands of rules – most of them written in-house. For that, reliable tooling for CI/CD, an IDE for rule creation and debugging, and much more is a must-have. Over the last seven years, we’ve built many such systems and open-sourced some of them. In this talk, we will share some of the ideas behind these tools and demonstrate them with real examples. We will focus in detail on how we optimized the scanning engine used by YARA.

The scanning engine in YARA is heavily based on two things – the Aho-Corasick algorithm for locating the strings (atoms) of all rules in a single pass, and bytecode for evaluating rule conditions and regular expressions. On our server machines with fast disks, these two are also the biggest CPU bottlenecks. We will present how we completely replaced the scanning engine in YARA with a different engine for regular expressions and replaced the YARA bytecode with transpilation to native code. We will also analyze how this positively affected the performance of the scans.

First, we replaced Aho-Corasick with Hyperscan, which has impressive results in public benchmarks and uses features of modern CPUs like SIMD instruction sets. We also addressed the bytecode by transpiling YARA rules into C++ using modern C++20 features that focus on compile-time evaluation and template metaprogramming to achieve the best runtime performance, even though compilation is slower.
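To make the two-stage design concrete, an added illustration (not Avast’s or YARA’s code) of how a YARA-style engine works: an Aho-Corasick automaton finds every rule string in a buffer in one pass, and each rule’s condition is then evaluated over the offsets found. The rules and the scanned buffers are constructed for the example; a real engine adds atom selection, regular expressions and a compiled condition language on top of the same two stages.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher: build once, then scan any buffer in one pass."""

    def __init__(self, patterns: dict):
        self.goto = [{}]       # state -> {byte: next state}
        self.fail = [0]        # state -> state of the longest proper suffix
        self.out = [[]]        # state -> pattern names ending in this state
        self.length = {name: len(pat) for name, pat in patterns.items()}
        for name, pat in patterns.items():
            self._insert(name, pat)
        self._link_failures()

    def _insert(self, name: str, pat: bytes) -> None:
        state = 0
        for b in pat:
            if b not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].append(name)

    def _link_failures(self) -> None:
        queue = deque(self.goto[0].values())        # depth-1 states fail to the root
        while queue:                                # BFS: fail[s] is always shallower than s
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]   # inherit suffix matches

    def scan(self, data: bytes) -> dict:
        """Return {pattern name: [start offsets]} for every occurrence in data."""
        hits, state = {}, 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name in self.out[state]:
                hits.setdefault(name, []).append(i - self.length[name] + 1)
        return hits


# Constructed rules in a YARA-like shape: named strings plus a condition over
# the per-string offset lists (a string absent from the dict did not match).
RULES = {
    "webshell_eval": {
        "strings": {"$php": b"<?php", "$eval": b"eval(", "$post": b"$_POST"},
        "condition": lambda m: "$php" in m and ("$eval" in m or "$post" in m),
    },
    "packed_pe": {   # the equivalent of YARA's `$mz at 0 and $upx`
        "strings": {"$mz": b"MZ", "$upx": b"UPX!"},
        "condition": lambda m: 0 in m.get("$mz", []) and "$upx" in m,
    },
}


def compile_rules(rules: dict) -> AhoCorasick:
    """Stage 1: one automaton holding every string from every rule."""
    atoms = {rname + sname: pat
             for rname, rule in rules.items() for sname, pat in rule["strings"].items()}
    return AhoCorasick(atoms)


def evaluate(rules: dict, matcher: AhoCorasick, data: bytes) -> list:
    """Stage 2: scan once, then evaluate each rule's condition over its own matches."""
    hits = matcher.scan(data)
    matched = []
    for rname, rule in rules.items():
        m = {sname: hits[rname + sname] for sname in rule["strings"] if rname + sname in hits}
        if rule["condition"](m):
            matched.append(rname)
    return matched


SAMPLES = {   # constructed buffers, not real files
    "webshell": b"<?php @eval($_POST['cmd']); ?>",
    "upx": b"MZ\x90\x00" + b"\x00" * 28 + b"UPX!" + b"\x00" * 8,
    "benign": b"Hello MZ world, nothing to see here",
}

if __name__ == "__main__":
    matcher = compile_rules(RULES)
    for label, buf in SAMPLES.items():
        print(label, evaluate(RULES, matcher, buf))
```

The scan cost is linear in the buffer plus the number of hits regardless of how many rules are loaded, which is why the string-matching stage and the per-hit condition evaluation, not rule count, become the CPU bottlenecks the talk describes.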

About Speakers

Jakub Křoustek

See Jakub’s biography under the “Smashing Ransomware” talk above.

Marek Milkovič

Marek is a Lead Software Engineer at Avast, where he is part of a bigger team known as Threat Intelligence Systems. In this role, he leads a team working on the extraction, classification, and automation systems used to build threat intelligence, mainly focusing on YARA. Marek and his team are also contributors to the upstream YARA project, while also developing and maintaining several other open-source tools in the YARA ecosystem, such as yaramod and authenticode-parser.

Marek is an advocate for microservices, Docker, Kubernetes & GitOps, but he is still heavily interested in low-level work and reverse engineering. He previously worked on RetDec (https://retdec.com/). The most obscure bugs, the ones no one else wants to work on, are his hobby, which he sometimes tweets about on Twitter (@dev_metthal).

Marek holds an MS in Information Technology Security from the Brno University of Technology, Czech Republic.

15:30 - 15:55 | Break

15:55 | Cybercrime Atlas Project

Michael Daniel, President & CEO at Cyber Threat Alliance

Author: Michael Daniel

Although many organizations analyze elements of the cybercriminal ecosystem, no holistic picture of that environment exists. This knowledge gap hinders governments’ ability to impose costs on criminals and prevents network defenders from making the most efficient resource allocation to counter the threats. To address this shortfall, the World Economic Forum’s (WEF) Centre for Cybersecurity, the Cyber Threat Alliance, and Fortinet are sponsoring a project called the Cybercrime Atlas. This project seeks to:

• Enable senior decision makers to make better strategic resource and targeting decisions

• Increase the speed of cybercrime investigations

• Identify targets of concern for further investigation

How Atlas will operate

Project analysts will collect available intelligence on various criminal groups, filter the data, and populate the findings into a mind map. This intelligence will come from a wide variety of sources, including cybersecurity vendors, non-governmental organizations, and governments; it also includes non-technical intelligence, such as court records or sanctions. Once data is in the mind map, researchers can use various analytic tools to uncover hidden links and create a visual representation of the criminal ecosystem. The data will also support infrastructure correlation, identification of common service dependencies, and other kinds of link analysis.

Current Work

The project started in 2021 with volunteers from seven different organizations contributing to the initial pilot, which focused on one criminal actor group. Based on the pilot’s positive results, project analysts are researching an additional 12 criminal actor groups associated with business email compromise, ransomware, card fraud, and general malware production. Assuming the project continues to produce valuable results, the sponsors are developing a governance model and resourcing plan to sustain the project over the long term.

Outcomes

The Cybercrime Atlas will create:

• A unique community of experts and strategic insight

• Increased understanding of cybercriminal group operations, TTP evolution, infrastructure, financial systems, and identities

• A centralized repository of information, tools, visualization, and analytic techniques

• A standard, non-proprietary way to define cybercriminal groups and their attributes

• A framework for continued cooperation and improvement in this area

CARO presentation

Michael Daniel and one other member of the project’s steering team will present the group’s work to date, including the criminal actors analyzed, any surprising or previously unknown findings, and the project plan going forward.

About Speakers

Michael Daniel

Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables cyber threat information sharing among cybersecurity organizations.  Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, leading US cybersecurity policy development, facilitating US government partnerships with the private sector and other nations, and coordinating significant incident response activities.  From 1995 to 2012, Michael worked for the Office of Management and Budget, overseeing funding for the U.S. Intelligence Community.  Michael also works with the Aspen Cybersecurity Group, the World Economic Forum’s Partnership Against Cybercrime, and other organizations improving cybersecurity in the digital ecosystem.  In his spare time, he enjoys running and martial arts.  

 

16:20 | Four years targeting Palestinian authorities: The story of an Arid Viper campaign

Vitor Ventura, Security Researcher at Cisco Talos

Authors: Vitor Ventura, Asheer Malhotra

Arid Viper is a threat actor with a long record of activity going back to 2015, targeting multiple platforms and geographies with the intent of performing espionage and information theft against high-value targets. Most espionage-oriented threat actors tend to take reactive measures to hide their infrastructure and malicious tooling when exposed publicly. Arid Viper, however, is a persistent group that is not deterred by any kind of exposure of its operations and continues to operate as usual. In this presentation we will do a deep dive into a five-year-long ongoing campaign perpetrated by Arid Viper against Palestinian and Israeli authorities. This multi-year campaign illustrates the threat actor’s capabilities and determination in pursuing its objectives.

The presentation will start with the initial discovery of the campaign in 2017, followed by an analysis of the politically themed malicious documents used over the course of five years as initial attack vectors. It will then move to an evolutionary analysis of Arid Viper’s most popular malware implant, ‘Micropsia’, and its various flavors over the same five years. Apart from Windows-based implants, the group is also actively infecting mobile devices, including iOS and Android. The final part of the presentation will show the evolution in the mobile space, with a special focus on their most recent mobile campaign, which is targeting the Indian Army. Themes primarily used in their mobile implants include honeytraps in the form of dating and chat applications masquerading as legitimate ones such as WhatsApp, Telegram, etc.

About Authors

Vitor Ventura

Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he has investigated and published various articles on emerging threats. Vitor has spoken at conferences such as Virus Bulletin, NorthSec, Recon and Defcon’s Crypto and Privacy Village, among others. Prior to that he was IBM X-Force IRIS European manager, where he was the lead responder for several high-profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, leading projects such as connected car assessments, ICS security assessments and custom mobile devices. Vitor holds a BSc in Computer Science and multiple security-related certifications such as GREM and CISM.

Asheer Malhotra

Asheer Malhotra is a threat researcher specializing in malware analysis, reversing, detection technologies and threat disclosures within Talos. He has been researching malware threats for about a decade at FireEye, Intel, McAfee and now Talos. His key focus is tracking nation-state attacks (APTs) across the world. Asheer holds an M.S. in Computer Science with a focus on Cyber Security.

16:45 | A Tale of Two SEOs – A Story of the Poisoned Searches

Gabor Szappanos, Threat Research Director at Sophos

It is the age of foolishness, it is the epoch of belief, it is the epoch of credulity in the almighty search engines. Google knows where the information is found and wouldn’t serve us anything bad, right?

On the contrary: search engines have been a target of criminal groups for many years and are regularly used to deliver malicious content. But we tend to focus on methods favored by ransomware operators and other high-profile malicious actors, thus seeing only phishing emails, RDP exploitation, and remote code execution vulnerabilities. However, there are still active campaigns that use search engine poisoning as an infection vector, and these don’t get as much security attention right now. As a result, SEO-based campaigns can slip under the radar of defenders until it is too late. The concept is not new at all but proves to be efficient even today.

The presentation will look at two recently active campaigns, Gootloader and SolarMarker, which have very different approaches when it comes to SEO.

Gootloader is a sophisticated and selective malware distribution framework. The criminals maintain several hundred hosting servers – all hacked legitimate websites. The victims must meet several criteria (geolocation, clickthrough via web search, etc.), and then a well-designed social engineering process provides them with a custom-made delivery page based on their initial search terms. Finally, a JavaScript installer starts the deployment of the payload.

SolarMarker believes in brute force, featuring several hundred fake Google Groups discussions and download links to PDF documents hosted on a few thousand redirection websites. The delivery is not selective; the criminals cast a large net in the hope of catching victims. At the end, an MSI installer package takes care of deploying the final payload.

One commonality the two families share is the extensive use of fileless infection methods, heavily relying on the registry in the hope of avoiding the attention of security solutions. These methods will be covered in detail in the presentation.
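An added example, not Sophos’s detection logic, of hunting for the registry-resident patterns described above in a Windows registry export (.reg): a Run-key launcher that invokes a scripting host and pulls its code from the registry, and payload data spread across several large values under an unusual key. The sample export is constructed; the LOLBIN list, the registry-reference strings and the size thresholds are assumptions to tune against a real environment.

```python
import re

LOLBINS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "regsvr32", "rundll32", "cmd.exe")
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\b", re.IGNORECASE)
REG_REFS = ("hkcu", "hklm", "get-itemproperty", "registry::")   # assumed markers of code read back from the registry
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
LARGE_VALUE = 2048       # assumed: a single value this big is payload-sized
BLOB_KEY_TOTAL = 8192    # assumed: a key holding this much across many values is suspect


def parse_reg(text: str) -> dict:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value name: raw data}}.

    Handles the backslash line continuations used by hex: values.
    """
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, pending = line[1:-1], None
            keys[current] = {}
        elif pending is not None:                        # continuation of a hex: value
            keys[current][pending] += line.rstrip("\\")
            pending = pending if line.endswith("\\") else None
        elif current is not None:
            name, _, data = line.partition("=")
            name = name.strip('"')
            keys[current][name] = data.rstrip("\\")
            pending = name if data.endswith("\\") else None
    return keys


def decode_data(data: str) -> bytes:
    """Turn a .reg data field into bytes: quoted strings, hex:/hex(n): blobs, or dword: literals."""
    if data.startswith('"'):
        return data.strip('"').encode("latin-1")
    if data.startswith("hex"):
        _, _, body = data.partition(":")
        return bytes.fromhex(body.replace(",", ""))
    return data.encode("latin-1")


def hunt(keys: dict) -> list:
    """Return findings for launchers and payload-sized data, in the order the keys appear."""
    findings = []
    for key, values in keys.items():
        in_run = any(run in key.lower() for run in RUN_KEYS)
        total = 0
        for name, data in values.items():
            blob = decode_data(data)
            total += len(blob)
            text = blob.decode("latin-1").lower()
            if in_run and any(lolbin in text for lolbin in LOLBINS):
                if ENCODED_FLAG.search(text):
                    findings.append(f"{key}\\{name}: Run-key launcher with encoded command")
                if any(ref in text for ref in REG_REFS):
                    findings.append(f"{key}\\{name}: Run-key launcher loads code from the registry")
            if len(blob) >= LARGE_VALUE:
                findings.append(f"{key}\\{name}: payload-sized value ({len(blob)} bytes)")
        if len(values) >= 4 and total >= BLOB_KEY_TOTAL:
            findings.append(f"{key}: {total} bytes spread over {len(values)} values (split payload?)")
    return findings


# Constructed export: a benign Run entry, a launcher that evaluates code read from
# HKCU, and a key holding a payload split into four 3000-byte values plus a hex blob.
SAMPLE_REG = "\n".join(
    [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
        r'"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\OneDrive.exe\" /background"',
        r'"Updater"="powershell.exe -w hidden -ep bypass -c \"iex((gp HKCU:\\Software\\u\\Test).Data)\""',
        "",
        r"[HKEY_CURRENT_USER\Software\u\Test]",
    ]
    + [f'"Part{i}"="{"Q" * 3000}"' for i in range(4)]
    + ['"Data"=hex:4d,5a,90,00,\\', "  03,00,00,00"]
)

if __name__ == "__main__":
    for finding in hunt(parse_reg(SAMPLE_REG)):
        print(finding)
```

Exporting HKCU for each user profile (`reg export HKCU out.reg`) and feeding the result to `hunt` surfaces both halves of the technique: the small launcher in the autostart location and the large, split payload it reads back, which is what makes the infection survive without a file on disk.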

About Speakers

Gabor Szappanos

Gabor graduated from the Eötvös Loránd University of Budapest with a degree in physics. His first job was at the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants.

He started antivirus work in 1995, and has been developing freeware antivirus solutions in his spare time.

He joined VirusBuster in 2001, where he was responsible for macro viruses and script malware. From 2002 he was the head of the virus lab.

Between 2008 and 2015 he was a member of the board of directors of AMTSO (Anti-Malware Testing Standards Organization).

In 2012 he joined Sophos, where he works as a Threat Research Director.

17:30 | Day 1 closing remarks

19:30 - 22:00 | Outdoor Dinner at Špilberk castle

Friday May 6, 2022

09:30 - 10:00 | Registration

10:00 | Welcome

Ondrej Vlcek, CEO at Avast

10:05 | SandyBlacktail: Following the footsteps of a commercial offensive malware in the Middle East

Aseel Kayal, Security Researcher at Kaspersky

Mark Lechtik, Senior Security Researcher at Kaspersky

Paul Rascagneres, Security Researcher at Kaspersky

Vasiliy Berdnikov, Lead Malware Analyst at Kaspersky

In the last decade there has been a significant proliferation of companies in the offensive cybersecurity market. While some have made headlines and become the subject of public scrutiny, others have remained away from the spotlight, gaining little traction and maintaining business as usual. In this talk we are going to discuss the tools developed by one such organization, which has been the subject of ongoing research by Kaspersky’s GReAT in collaboration with our AMR team. The underlying entity has been operating for years, with its technology leveraged by seemingly different threat actors in the Middle East.

During 2021, we were able to detect a set of advanced and proprietary tools that we affiliate with this company, which were used against disparate targets in the Middle East. This toolset, which will be presented in detail, includes an extensive malicious Windows framework operating in both user mode and kernel mode, as well as components that facilitate the execution of MBR and UEFI bootkits. Some of the latter were detected in a few malware deployments in the wild.

Despite the technical finesse and attention to detail, we were able to track the framework in question for a while, allowing us to gain insight into various clusters of high-profile malicious activity. In the talk, we are going to describe those clusters and their distinctions, outlining how the same commercial toolkit could have been used by multiple actors for different operational objectives in each case.

About Speakers

Aseel Kayal

Aseel is a security researcher at Kaspersky’s GReAT (Global Research and Analysis Team). Her research mainly focuses on threat groups and attacks active in the Middle East region. Aseel received her Bachelor’s degree in computer science and English literature, and speaks Arabic, Hebrew and English. Some of her work has been presented at security conferences such as Virus Bulletin, CCC, Botconf, Hacktivity, and TheSASCon.

Mark Lechtik

Mark Lechtik is a Senior Security Researcher at Kaspersky’s GReAT (Global Research & Analysis Team), based in Israel. After working as a researcher and manager in Check Point’s malware research team, he is now focused mainly on analyzing malware of all shapes and forms, digging up its underlying stories and profiling the actors behind it. Today he is tasked with breaking down implants and campaigns in the realm of APT and putting it all into intelligence reports for Kaspersky’s customers. Mark has previously presented some of his work at known security conferences including REcon, CCC, CARO Workshop, AVAR and TheSASCon.

Paul Rascagneres

Paul Rascagneres is a security researcher within Kaspersky GReAT (Global Research & Analysis Team). As a researcher, he performs investigations to identify new threats and presents his findings in publications and at international security conferences throughout the world. He has been involved in security research for ten years, mainly focusing on malware analysis, malware hunting and more specifically on advanced persistent threat (APT) campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.

Vasiliy Berdnikov

Vasiliy joined Kaspersky in 2010 as a member of the Anti-Malware Research Team, specifically the Anti-Rootkit Group. He was responsible for discovering complex threats that are difficult to detect or cure, specifically those that bypass Kaspersky security systems and technologies. Since 2016, he has worked in the Targeted Attacks Research Group (TARG) and researches targeted and complex threats (APTs), writing detection logic that allows Kaspersky products to hunt previously unknown activity of that nature.

10:50

|

Uncovering a broad criminal ecosystem powered by one of the largest botnets, Glupteba

Luca Nagy, Security Engineer at Google

10:50

Uncovering a broad criminal ecosystem powered by one of the largest botnets, Glupteba

About Speakers

Luca Nagy

Luca Nagy is a security engineer at Google’s Threat Analysis Group in Zurich. She completed her studies in computer engineering, during which she developed an interest in IT security and a passion for malware analysis. At SophosLabs, Luca spent her time reverse engineering emerging threats and creating detections against them. In the past year she joined Google to focus on understanding and disrupting serious financially motivated threats against Google and Google’s users.

11:15 - 11:35

|

Break

11:35

|

Researcher-Centered Threat Hunting Tooling

Nikolaos Chrysaidos, Head, Threat Intelligence Platforms at Avast

Ondrej David, Mobile Malware Analysis Team Lead at Avast

11:35

Researcher-Centered Threat Hunting Tooling

Authors: Nikolaos Chrysaidos, Ondrej David

About Authors

Nikolaos Chrysaidos

Nikolaos Chrysaidos has more than ten years of experience in the cybersecurity and information security sectors. Currently, he is Head of Threat Intelligence Platforms & Services at Avast, leading the development of platforms that assist various stakeholders in threat hunting, classification, detection, reporting, and statistics. He is passionate about the contextualization of big data and mobile security and is a frequent presenter at conferences like AVAR, CARO, RSA, BSides, LSEC CTI2020, and MWC. 

Ondrej David

Ondrej David is a Mobile Malware Analysis Team Lead and (former) Android developer at Avast. Previously leading the development of Avast’s Android antivirus engine and currently a team of skilled mobile malware analysts, he has insight into the technology and detection capabilities inside out. He’s committed to making the world a safer place and likes to find out how things work. In the past, he has presented at various conferences such as mDevCamp, AVAR, RSA or jOpenSpace.

12:00

|

TA410: APT10's distant cousin

Alexandre Côté Cyr, Malware Researcher at ESET

12:00

TA410: APT10’s distant cousin

TA410 is a cyber-espionage group that was first described in August 2019 by researchers at Proofpoint. The threat actor shows interesting technical capabilities, with the use of complex implants, but has not received the same level of attention from the threat intelligence community as most major APTs. TA410’s activity shares some characteristics, such as similar VBA macros, with past APT10 operations. As such, some public reports have misattributed TA410 activities to APT10. In this presentation, we will clarify what TA410 is and how its activities differ from the current activities of APT10. Then, by leveraging ESET telemetry, we will present our view of the main targets. We found victims in Africa, Asia, Europe, and the Middle East. Most of them are governmental entities, but the attackers are also interested in universities and religious entities. While reviewing the victims, we noticed that TA410 uses one of three different sets of implants depending on the victim’s profile, so we will provide a breakdown of implant usage per vertical.

The second part of this presentation will be more technical, as we will dive into the threat actor’s toolset. We will start with the compromise vectors, including exploitation of the ProxyShell and ProxyLogon vulnerabilities on exposed Exchange servers, and the usage of malicious RTF files generated by the Royal Road builder. This RTF builder is used by many different APT groups, but specific artefacts can be used to cluster the documents per group. Then, we will present an analysis of the first set of backdoors: X4 and LookBack. X4 is a custom backdoor that uses a Metasploit shellcode, encrypted in the Windows registry, for network communications. In some cases, X4 is used as a first stage in the deployment of a more complex backdoor called LookBack. Since the latter was already described in 2019, we will focus on the changes found in newer samples.

The second set of backdoors we will describe is the Tendyron downloader and FlowCloud. The former is a simple downloader that abuses DLL search-order hijacking on a genuine Tendyron executable. This downloader is the first step in the installation of FlowCloud, a highly complex and custom implant written in C++. FlowCloud is deployed along with a custom driver that has keylogger and rootkit functionality. The main payload exposes a wide range of capabilities, including file system manipulation, access to the camera, display, and other devices, and extensibility through plugins. The last set of backdoors is composed of malware families shared with other threat actors, such as Quasar RAT and PlugX. We will present only a quick description of their main characteristics.

The last part of the presentation will focus on mitigation ideas based on knowledge gained during the reverse engineering of TA410’s implants. We will discuss both host- and network-level mitigations for the initial compromise vectors and the different backdoors.

About Speakers

Alexandre Côté Cyr

Alexandre Côté Cyr is a malware researcher at ESET. He completed his Bachelor’s degree in computer science at UQAM in 2021. He is an active member of Montreal’s Infosec community and is involved in mentoring students getting started in the security field. His interests include operating systems fundamentals and writing shell scripts to automate tasks that don’t always need to be automated.

12:25

|

Next-level Threat Hunting: ML-Assisted XDR

Inbar Raz, VP of Research at Hunters

Or Wilder, XDR Group Manager at Hunters

12:25

Next-level Threat Hunting: ML-Assisted XDR


12:50 - 14:50

|

Lunch

14:50

|

Hunting the Tools that can Kill the Guards: Lessons in Breaking Cybersecurity Products

Raghav Rastogi, Threat Researcher at K7 Computing

Samir Mody, VP Threat Research at K7 Computing

14:50

Hunting the Tools that can Kill the Guards: Lessons in Breaking Cybersecurity Products

About Speakers

Raghav Rastogi

Raghav Rastogi is a Threat Researcher at K7 Labs. He graduated from Manipal University, Jaipur, INDIA with a Bachelor’s degree in Computer Science Engineering. Raghav has over two years of experience in malware analysis. His interests involve debugging and reverse engineering prevalent malware threats and threat intelligence. In his spare time he likes to play the guitar and read books.

Samir Mody

VP Threat Research at K7 Computing

15:15

|

Sharing of VBA code by opposing groups in South Asia – subjective and objective code similarity

Vanja Svajcer, Technical Leader at CISCO Talos

15:15

Sharing of VBA code by opposing groups in South Asia – subjective and objective code similarity

Transparent Tribe is a well-known APT group targeting Asian countries with the objective of obtaining remote access to the targets and exfiltrating confidential information and documents. Traditionally, they have done this by deploying remote access trojans, usually Crimson RAT, but also others, such as Oblique RAT. Their operations have previously been well documented by researchers.

There are also several other groups operating in South Asia, such as Sidewinder, Sidecopy, Donut and a recently discovered group designated as SDuser. Each of the groups chooses its targets according to the interests of its respective country. For example, Transparent Tribe and Sidecopy are attributed to actors operating from Pakistan and are targeting military and government organizations in India. Sidewinder and Donut target organizations in Nepal, China, Pakistan and Middle Eastern countries.

Transparent Tribe often uses malicious Excel spreadsheets and Word documents as well as lure documents that appear to be legitimate documents of the targeted government organizations.

In the course of our research into Transparent Tribe TTPs, we discovered a variant of VBA code which does not seem to be generated by a code generator, and which is shared between groups with opposing objectives. False flag operations are not new, and we will briefly discuss why they can be useful to actors.

In the presentation, we will discuss in detail the characteristics of the malicious dropper VBA code, which regularly evolves but keeps some regular features such as using VBA Forms to store the executable payload in a lightly obfuscated format. We will show instances of similar VBA code used previously by Sidewinder, Donut and Sidecopy.

The similarity of the VBA code used by the opposing groups is easy to spot for a human researcher but not as obvious to machine algorithms. In the second half of the presentation, we discuss similarity algorithms such as Normalized Compression Distance, Winnowing, Jaccard similarity and common diffing algorithms to show how well they perform on a small set of samples attributed to groups we describe in the first half of the session.

We compare the effectiveness of the algorithms on unmodified code and code with various levels of normalization. We also discuss the scalability of similarity algorithms based on a large number of samples they should be able to compare.
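The abstract above names Normalized Compression Distance and Jaccard similarity, and contrasts results on raw code with results after normalization. The following is an added example, not code from the talk or from Cisco Talos: it scores two constructed VBA dropper fragments (same structure, different identifiers and string literals) with both measures, before and after a simple normalization pass; the normalization rules, the fragments and the helper names are all assumptions made here.

```python
"""Added example (not from the CARO talk): Jaccard token similarity and
Normalized Compression Distance (NCD) on two constructed VBA fragments,
raw and after a simple normalization pass."""
import re
import zlib

# Constructed VBA fragments: identical logic with renamed identifiers and
# different string literals, the kind of variation a human spots at once.
VBA_A = """Sub AutoOpen()
    Dim p As String
    p = Environ("APPDATA") & "\\\\svc.exe"
    Call Drop(UserForm1.TextBox1.Text, p)
End Sub"""
VBA_B = """Sub Document_Open()
    Dim outPath As String
    outPath = Environ("TEMP") & "\\\\upd.exe"
    Call Write(UserForm2.TextBox3.Text, outPath)
End Sub"""

def normalize(src: str) -> str:
    """Strip comments, collapse literals, lower-case, and merge numbered
    form-control names (UserForm1/UserForm2 -> userform). Assumed rules."""
    src = re.sub(r"'[^\n]*", "", src)                 # VBA comments
    src = re.sub(r'"[^"]*"', "STR", src)               # string literals
    src = re.sub(r"\b\d+\b", "NUM", src)               # numeric literals
    src = re.sub(r"\s+", " ", src).strip().lower()
    return re.sub(r"\b(userform|textbox)\d+\b", r"\1", src)

def tokens(src: str) -> set:
    return set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", src))

def jaccard(a: str, b: str) -> float:
    """|A ∩ B| / |A ∪ B| over identifier token sets; 1.0 = same token set."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 1.0

def _clen(data: str) -> int:
    return len(zlib.compress(data.encode(), 9))

def ncd(a: str, b: str) -> float:
    """NCD(x,y) = (C(xy) - min(C(x),C(y))) / max(C(x),C(y)); 0 = identical."""
    ca, cb, cab = _clen(a), _clen(b), _clen(a + b)
    return (cab - min(ca, cb)) / max(ca, cb)

def compare(a: str, b: str) -> dict:
    """Both measures on raw and normalized code, for side-by-side comparison."""
    na, nb = normalize(a), normalize(b)
    return {"jaccard_raw": jaccard(a, b), "jaccard_norm": jaccard(na, nb),
            "ncd_raw": ncd(a, b), "ncd_norm": ncd(na, nb)}

if __name__ == "__main__":
    for k, v in compare(VBA_A, VBA_B).items():
        print(f"{k:13s} {v:.3f}")
```

On these fragments the token Jaccard rises from 9/23 raw to 11/17 once literals and form-control numbering are normalized, which is the effect the talk measures at scale.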

About Speakers

Vanja Švajcer

Vanja Švajcer works as a Technical Leader for Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and threat intelligence. Prior to joining Talos, Vanja worked as a Principal researcher for SophosLabs and led a Security Research Team at Hewlett Packard Enterprise. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR, BalcCon and others. In his free time, he is trying to improve his acoustic guitar skills and often plays basketball, which at his age, is not a recommended activity.

16:00 - 16:20

|

Break

16:20

|

Emotet untold stories

Marc Ester, G-Data

Thomas Siebert, G-Data

16:20

Emotet untold stories

About Speakers

Marc Ester

During his studies of applied computer science, Marc worked for the “Institute for Internet Security” in Gelsenkirchen, where he was a member of the awareness and pen-testing team. Since 2009 Marc has worked for the German anti-malware solution provider G DATA, which is located in Bochum. He worked in the SecurityLabs, where his tasks were cybercrime research and acting as point of contact for law enforcement.

Since 2017 he has worked for “G DATA Advanced Analytics” as a Security Consultant.

Thomas Siebert

Thomas Siebert graduated in 2010 from Ruhr-Universität Bochum with an engineer’s degree in IT Security. Afterwards he started researching novel pro-active malware detection technologies at G DATA. During that time, he became co-inventor of the patented BankGuard technology and the USB Keyboard Guard, leading to G DATA receiving the 2014 “Innovative Cyber Security Company” award from the EU-sponsored IPACSO. Now he serves as Head of Protection Technologies, leading the research, development and enhancement of all techniques that protect G DATA’s customers. This includes the signature engine, protection cloud, pro-active client technologies, and all associated backend processing such as sandboxes and automated classification systems. With years of experience in the international field of computer science, he regularly presents his work at conferences.

16:45

|

Behind the scenes of hunting InvisiMole

Zuzana Hromcova, Malware Researcher at ESET

Anton Cherepanov, Senior Malware Researcher at ESET

16:45

Behind the scenes of hunting InvisiMole

About Speakers

Anton Cherepanov

Anton Cherepanov is a Senior Malware Researcher for ESET; his responsibilities include the analysis of, and hunting for, the most complex threats. He has done extensive research on cyberattacks in Ukraine and uncovered the origins of the NotPetya attack. He has presented his research at numerous conferences, including Black Hat USA, Virus Bulletin and CARO Workshop. His interests focus on reverse engineering and malware analysis automation.

Zuzana Hromcova

Zuzana Hromcova is a Malware Researcher at ESET, specializing in targeted threats. She previously presented her research at security conferences such as RSAC, Black Hat USA, BlueHat IL or Virus Bulletin. Hromcova holds a master’s degree in computer science from Comenius University in Bratislava. She majored in computer security, concluding her studies with a thesis dealing with securing a Linux desktop environment using SELinux mechanisms.

17:30

|

Thank You / Closure

19:00 - 23:00

|

CARO Workshop 2022 After Party

Starting tram stop is Silingrovo namesti/square, exit tram stop is Mendlovo namesti/square by tram no. 5 (towards Ustredni Hrbitov smycka) or no. 6 (towards Stary Liskovec smycka).