Malware is becoming more and more complex. In this talk, presented with Jean-Pierre Lesueur at School 42, we explained the business model behind it as well as provided an understanding of the malware threat.
CoinMiners are on the rise, trending so high that in the last couple of months they have almost completely replaced ransomware in both the media and the research community. Unlike ransomware, which profits from rapid encryption of users' data taken hostage, CoinMiners' profit comes from hijacking computer resources. The longer the CoinMiner stays undetected and stealthy, the higher its author's profit.
In this talk we will focus on the unexplored territory of CoinMiner evasive maneuvers and the functionality used to avoid being found by its victims, and provide tactics and tools to combat them.
TRITON: The Next Generation of ICS Malware - Thomas Roccia
This presentation is about the industrial malware dubbed Triton that targeted a Safety Industrial System in an oil and gas plant in 2017. It was presented during the CNES COMET event about Industrial Threats.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack - Stefano Maccaglia
The deck covers details about the Sunburst/Solorigate breach, including some interesting threat intel paths we are currently evaluating to attribute the attack.
EverSec + Cyphort: Big Trends in Cybersecurity - Cyphort
Advanced threats are changing so often it is getting harder and harder to keep up! In addition to new attacks, hackers are reinventing older ones, making them even more difficult to detect. In this webinar, we will discuss at a high level some of the biggest cybersecurity threats happening right now, including:
--The Resurgence of Ransomware - Locky and other new cryptolockers
--Malvertising, oh My! - No website is safe from unknowingly spreading malware to visitors
--I have RATs - How to defend against Remote Access Trojans stealing your data
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx - Chi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop that Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 minutes, so we couldn't cover everything. However, through this talk we hope to share our experience and insight with beginners.
We have talked about the recent ransomware resurgence, and now Cyphort Labs wants to spend some time on one of the most effective methods of delivering ransomware: exploit kits.
In this edition of MMW, Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort, will cover:
The evolution of exploit kits such as Angler, Nuclear, Rig and Neutrino
Show real examples of drive-by exploits in popular websites discovered in our crawler
Examine the relationship between exploits, kits and payload
The geopolitical conflicts in the Middle East have deepened in the last few years. Syria is no exception, with the crisis there taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle in their favor by exploiting cyber intelligence and using distortion.
The Global Research & Analysis Team (GReAT) at Kaspersky Lab has discovered new malware attacks in Syria, using some techniques to hide and operate malware, in addition to proficient social engineering tricks to deliver malware by tricking and tempting victims to open and launch malicious files. The malware files were found on activist sites and social networking forums, some other files were also reported by local organizations like CyberArabs and Technicians for Freedom.
All technical details are available in this report and the related blog post at https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/.
For any inquiry please contact intelreports@kaspersky.com
Cyphort Labs presents "Malware's Most Wanted: Ransomware Resurgence: Locky and Other “New Cryptolockers”"
Like many viruses, botnets and malware families that we’ve seen over the past decade, hackers continue to find new ways of reinventing old threats. And this is no different for Ransomware.
Ransomware has come a long way from non-encrypting lockscreen FBI scare warnings like Reveton. In 2016 alone, there have been new ransomware families popping up and we expect that to only pick up steam over the summer.
In this edition of MMW, Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort, will discuss:
Locky, the new “it” ransomware and how it works
A deep dive into a new family of ransom locker discovered by Cyphort Labs in March, that uses TOR Hidden Service
Other new ransomware families and why it’s becoming the preferred monetization method for attackers
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C... - CODE BLUE
For the past few years, Asia Pacific and Japan have continued to be a regular target of cyber threat actors. From 2018 to 2019, we have observed several threats targeting Japan involving cyber espionage and underground activities. Some of the adversaries and campaigns are revealed in OSINT, however, some are still lurking in shadow.
In this talk, we will reveal the TTPs (tactics, techniques and procedures) of espionage threat actors interested in Japanese electronics, chemical and 5G equipment manufacturing companies. One campaign leverages malware attributed to APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. Besides the Chinese actors, we have also observed a group which historically focused on the EMEA region shift to showing interest in Japan. In addition, we will also disclose details of underground activity involving a target in the Japanese financial industry.
What you need to know about ExPetr ransomware - Kaspersky
On Thursday, 29 June, Kaspersky Lab teamed up with Comae Technologies to present an emergency webinar for businesses to help them understand and defend against the Petya/ExPetr ransomware. The malware has affected companies in a range of industry sectors across the world, with Ukraine, Russia and a number of Western European countries most affected.
Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, will be joined by Matt Suiche from Comae Technologies to present the very latest information on the ransomware’s attack vectors, the infection process and how it spreads through company networks. They will provide mitigation guidance and explain the actions organizations need to take to secure their computers and networks against this threat.
More technical details regarding this threat: https://kas.pr/cf6w
Advice on how to protect your files: https://kas.pr/s8dp
https://kas.pr/2nvh
https://kas.pr/yg72
And how you can protect yourself with our free tool: https://go.kaspersky.com/Anti-ransomware-tool_soc.html?utm_source=smm_yt&utm_medium=ww_yt_o_0516
Recently a ransomware variant titled “WannaCry” has infected thousands of unpatched endpoints worldwide. This quick presentation will provide a synopsis of what this threat might mean for end users and what actions can be taken in response to this new information.
Dr. Fengmin Gong, Co-Founder and Chief Strategy Officer, presents why an ecosystem-based approach is necessary to defend against modern malware threats. Discussion continues with what it takes to implement cybersecurity using this approach. He also presents a number of use cases where multi-vendor products interacting in a security ecosystem provide the most effective protection for enterprises.
There has been a ransomware explosion over the last 6 years, and very little has been done to stop infections aside from deprecated signature scans and classic malware scanners. Weston will go over a couple of proof of concepts that work on even the most current versions of the malware to stop it from fully infecting machines that would otherwise be infected with malware demanding thousands of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware, many of them discovered by actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environment's impact from malware such as Cryptowall, and several tools, both software and hardware, that can protect your systems from malware infection, including methods of abusing the payment gateway system to allow you to get more than one file unlocked for free. Weston will also go into the research about breaking the encryption based on the outputted encrypted files.
In this Malware's Most Wanted, Cyphort Labs' Marion Marschalek will shed light on malware self-protection. The audience will get an overview of how malware evasion evolved over the years and how malware defense evolved with it, or vice versa as occasionally happens in the digital arms race. The various observed anti-analysis tricks will be put in relation to the respective countermeasures in order to showcase the challenges of modern-day security products.
Marion recently won a speaking contest at Komintern Sect in Stockholm.
Malware varies mostly in the visible payloads it manifests. We can see it infecting files, uninstalling antimalware applications, stealing important documents, controlling our computers remotely, and performing other malicious activities.
What we don't see is how these are implemented within the malware code. Modern malware uses different techniques to protect itself from detection, analysis, and eradication. Some malware even uses layers to obfuscate the way it uses these protections. Layers in malware are defense mechanisms against deep analysis. Within these layers, different malware tricks are also deployed.
In this presentation, we are going to look into Scieron and Vawtrak, two different malware families that implement layers differently. We will see some video demos of how some of the malware code is executed within the context of a debugger.
Finally, we are going to leverage Volatility, a memory forensic tool, to detect the presence of layers in an infected system.
Threat actors are increasing their use of fileless malware for one simple reason: most organizations aren't prepared to detect it. Education is the first step in determining what threat these new attacks pose and what you can do to detect and stop fileless malware attacks. Learn more at: https://www.bluvector.io
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOL - Cyphort
Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Cyphort Labs reported an uptick in drive-by infection through malvertising in 2014 and sounded alarms for web property owners regarding this emerging trend. We believe that this trend presents a significant cybersecurity challenge in 2015. In this session, we will discuss this increasing trend of drive-by attacks by dissecting examples of recent web infections, as well as share the observed, sophisticated behavior of modern exploit packs and the challenges for research and discovery. As we present exploit kit information, trends and statistics from research derived from our Cyphort Crawler, you will gain an awareness and an understanding of these malvertising threats to better protect your site visitors from malware infection.
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
Ransomware continues to be a major threat. This slidedeck looks at the first six months of 2017, examines why enterprises are being increasingly impacted by ransomware, and reviews the effect of high-profile incidents such as WannaCry and Petya.
For more on this area, read Symantec Security Response's blog and whitepaper: https://www.symantec.com/connect/blogs/businesses-most-risk-new-breed-ransomware
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen... - CODE BLUE
DeepExploit is a fully automated penetration testing tool using Deep Reinforcement Learning. It identifies the status of all open ports on the target server and executes the exploit at pinpoint. DeepExploit's key features are the following:
1) Efficiently execute exploit:
DeepExploit can execute exploits at pinpoint (minimum 1 attempt).
2) Deep penetration:
If DeepExploit successfully exploits the target server (= compromised server) within the perimeter network, it then executes exploits against internal servers via the compromised server.
3) Self-learning:
DeepExploit can learn how to exploit by itself.
By using our DeepExploit, you will benefit from the following:
For penetration testers:
(a) They can greatly improve the test efficiency;
(b) The more penetration testers use DeepExploit, the more DeepExploit learns exploitation methods using Deep Reinforcement Learning. As a result, test accuracy can be improved.
For Information Security Officers:
(c) They can quickly identify vulnerabilities in their own servers. As a result, they can prevent attackers from attacking their servers using those vulnerabilities, and protect their reputation by avoiding negative media coverage after a breach.
Because attack methods against servers are evolving day by day, there is no guarantee that yesterday's security countermeasures are safe today. It is necessary to quickly find vulnerabilities and take countermeasures. DeepExploit will contribute greatly to maintaining your safety.
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit... - PROIDEA
Vitali presents malware techniques and tricks on how to reverse engineer and analyze malware families exploiting Active Directory. The talk dives deeper into pseudo-source-code-level analysis and malware developers' implementation of Lightweight Directory Access Protocol (LDAP) harvesting techniques for lateral movement and persistence across corporate environments. The talk explores three prolific malware families, TrickBot, QakBot, and IcedID (BokBot), and their coding routines and patterns that are focused on collecting LDAP data. For example, TrickBot specifically grabs credential and group policy information stored in “SYSVOL”, as well as searching corporate machines for possibly sensitive machines associated with point-of-sale terminals on the domain controller. Vitali also presents detection and mitigation methods on how to detect Active Directory exploitation and discusses defense mechanisms surrounding the most popular Active Directory methods used in the wild by sophisticated groups.
Given at TRISC 2010, Grapevine, Texas.
http://www.trisc.org/speakers/aditya_sood/#p
The talk sheds light on the new trends of web-based malware. Technology and insecurity go hand in hand. With the advent of new attacks and techniques, the distribution of malware through the web has increased tremendously. Browser-based exploits, mainly in Internet Explorer, have given birth to a new world of malware infection. Attackers spread malware elegantly by exploiting vulnerabilities and drive-by downloads. Infection strategies adopted by attackers include malware distribution through IFRAME injections and Search Engine Optimization. In order to understand the intrinsic behavior of this web-based malware, a typical analysis is required to understand the logic working behind it. It is necessary to dissect this malware from bottom to top in order to control its devastating behavior. The talk will cover structured methodologies and demonstrate the static, dynamic and behavioral analysis of web malware, including PCAP analytics. Demonstrations will prove the fact and necessity of web malware analysis.
Training on July 16, 2017.
This training is the compressed version of Malware Engineering & Crafting.
In this training, we will talk about malware as well as crafting a simple working malware. The goal of this session is to understand malware internals so one can have tactics to combat it.
2017-07-16
A training for learning the internals of malware.
This version is the compressed version of Malware Engineering & Crafting.
We talk about malware as well as crafting a simple working malware. The goal of this session is to understand malware internals so one can have tactics to combat it.
The CEH v11 program provides an in-depth understanding of ethical hacking phases, various attack vectors, and preventative countermeasures. It will teach you how hackers think and act maliciously so that you will be better positioned to set up your security infrastructure and defend against future attacks.
Since this month we will dive into core malware analysis, it will be better if we take a first-hand intro into this world and its elements. In the present scenario, cyber-espionage has replaced the old-fashioned spying methodology to obtain secret and confidential data. Therefore malware, together with other malicious activities, is increasingly becoming a true weapon in the hands of militaries and governments, used to re-establish the balance of power or, better, the balance of threat.
NetWitness solutions capture all the data that flows across the network and put it in context, filtering what may or may not be critical. The user can see who is going where and seeing what.
The term malware refers to software designed to intentionally damage a computer, a server, a client or a computer network. Alternatively, a software defect happens when a faulty component leads to unintentional harm.
42 - Malware - Understand the Threat and How to Respond
1. Malware
Understanding the Malware Threat and How to Respond
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@DarkCoderSc @fr0gger_
3. What is a Malware?
Malware Introduction to Malware – Focus on Remote Administration Tool Family
An introduction to Malicious Software
Malware
4. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Different families of Malware
Virus, Worm
Dropper, File Binder / Wrapper / Crypter, Downloader
Trojan Backdoor
Remote Administration Tools (RAT)
HTTP Botnet
Scareware / Rogue
Ransomware
Stealer (Password and/or Files)
Spyware, Adware
CoinMiners
Rootkit / Bootkit
What is a Malware? Malware Families
5. What is a Malware?
# Who is behind?
Grey-hat, Black-hat
# Who uses them and why?
• Script Kiddies
• Criminal Organizations
• Governments
• Terrorism
• IT Security Researcher
Who and why
6. Malware Introduction to Malware – Focus on Remote Administration Tool Family
What is a Malware? Malware Economy
# Criminals make money with their creations
# Using it to steal data
# Selling it to other criminals
# Creating business models such as Malware as a Service
7. Malware Introduction to Malware – Focus on Remote Administration Tool Family
What is a Malware? Malware Economy
# Ransomware as a Service
Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/
8. Malware Introduction to Malware – Focus on Remote Administration Tool Family
What is a Malware? Malware Economy
# Exploit kits
Source: https://www.mcafee.com/threat-center/threat-landscape-dashboard/
9. Malware Introduction to Malware – Focus on Remote Administration Tool Family
What is a Malware? Malware Attribution
# Malware is developed by humans
# Many techniques can lead to attribution
# PDB Path
# Strings
# Code comparison
# Tools used
# Operating method
# Timestamp
# Infrastructure reuse
10. Malware Introduction to Malware – Focus on Remote Administration Tool Family
What is a Malware? Malware Attribution
Attribution can be faked!
12. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Infection Vectors
Medias
USB keys, CD/DVD, (External) Hard Drives
Social Networks
Facebook, Twitter, Google+, YouTube / Dailymotion, Instagram etc.
Websites
Phishing, Distributed Software, Vulnerabilities (JAVA, Flash, Web-browser)
Exploits
Local Exploits, Remote Exploits, Physical Exploits
Network Sharing
P2P Software (Torrent, Emule), Network file (NAS, FTP)
Email
Phishing, attachment
13. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Infection Vectors
# Supply Chain Attack
Third Party Infected Download
Trojanised Software
Source: https://www.youtube.com/watch?v=tX0v-rMcuwc
14. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Persistence
# To survive a reboot, Malware needs to be persistent on the infected machine.
# Registry RUN keys
# Task Scheduler
# Windows Services
# AppInit_DLL
# COM Hijacking
# Bootkit
15. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Persistence
# Registry RUN Keys
# Emotet Malware Example
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
16. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Persistence
# Scheduler can be used to run tasks | NotPetya
• at <time> shutdown.exe /r /f
• schtasks /create /SC once /TN "" /TR shutdown.exe /r /f /ST <time>
17. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Persistence
# Bootkit
18. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Privilege Escalation
# Malware needs to elevate its privileges to perform actions,
for example to access sensitive data in order to steal, modify or encrypt it…
# Token Manipulation
# Bypass User Access Control (UAC)
# Vulnerability Exploitation
# Hooking
# Dump Credentials
# Many more
19. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Privilege Escalation
# Token Manipulation | Teslacrypt
20. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Privilege Escalation
# UAC Bypass | Operation HoneyBee
cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
# The macro extracts the CAB file into %SystemRoot%\System32, using either wusa.exe or expand.exe (depending on the OS) to bypass UAC prompts
# Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
21. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Privilege Escalation
# Vulnerability Exploitation | Wannacry - EternalBlue
# EternalBlue Vulnerability from Equation Group (MS17-010) – Kernel Exploit
# Used to spread on the network but also to obtain system privileges
https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
22. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Privilege Escalation
# Credentials Dumping | Olympic Destroyer
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
23. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Evasion Techniques
# Malware uses evasion techniques to avoid detection and analysis
https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques
Packer/Binder/Crypter
Compress/Encrypt, IAT Protect, Code Virtualizing
Process Injection
Process Hollowing, DLL Injection, Process Doppelganging
Sandbox Evasion
VM Artifacts, x86 Instructions, Sleep, Running Process
Anti-Virus Evasion
Disabling AV, file Size, Injection
Obfuscation
Base64, XOR, Encryption, Hash, Custom
Anti-Debugging
Windows API, Timing Check, Debugger Detection
Anti-Forensic
Melting, File-less, Wiper, Removal
24. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Evasion Techniques
# Packers
https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/
25. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Evasion Techniques
# Process Hollowing | Zcrypt Ransomware
26. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Evasion Techniques
# Antivirus Detection | Pinkslipbot
27. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Evasion Techniques
# Virtual Machine Detection | Pinkslipbot
28. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Evasion Techniques
# Unprotect Project | Malware Evasion Trick Database
Unprotect.tdgt.org
29. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Command & Control
# Malware needs to communicate with its C&C
# Infected machines controlled by the same C&C are called a Botnet
# Malware uses the C&C to:
# Receive commands
# Exfiltrate / download data
# Get the encryption key (Ransomware) or interact to pay the ransom
30. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Command & Control
# Fast-Flux communication
# One domain has multiple IP addresses
# Every 3 minutes or more, the host name is pointed to another computer
# Infected machines can serve as proxies
https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png
31. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques Command & Control
# Domain Generation Algorithm
# Connection to multiple domains
# Many domains can be generated by the sample
# Attackers can activate one of the generated domains on their servers to allow communication
# The Conficker worm used this technique
https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga
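The two C&C patterns above (fast-flux and DGA) leave characteristic traces in resolver logs, and the following added example, written for this page and not part of the talk, shows the detection side: a domain answered with many different IPs at short TTLs (fast-flux) and long, high-entropy, vowel-poor labels plus NXDOMAIN bursts from one client (DGA). The log format, the sample lines and all thresholds are constructed assumptions; real deployments tune them against their own baseline.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log (not from the talk). Fields:
# <epoch> <client> <qname> <result> <answer> <ttl>; result is "A" or "NXDOMAIN".
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 cdn.example.com A 203.0.113.10 3600
1700000180 10.0.0.5 cdn.example.com A 203.0.113.10 3600
1700000000 10.0.0.7 update.shop-portal.net A 198.51.100.21 120
1700000180 10.0.0.7 update.shop-portal.net A 198.51.100.77 120
1700000360 10.0.0.7 update.shop-portal.net A 198.51.100.140 150
1700000540 10.0.0.7 update.shop-portal.net A 203.0.113.200 120
1700000720 10.0.0.7 update.shop-portal.net A 192.0.2.45 100
1700000000 10.0.0.9 xkqzvptrwbnsd.org A 192.0.2.9 300
1700000005 10.0.0.9 wrgbhtkmlzqpvcn.info NXDOMAIN - 0
1700000010 10.0.0.9 qhtkpzmwxvbrg.biz NXDOMAIN - 0
1700000000 10.0.0.11 mail.example.org A 203.0.113.50 3600
"""


def parse_dns_log(text: str) -> List[Dict[str, object]]:
    """Turn each log line into a record dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, result, answer, ttl = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "result": result, "answer": answer, "ttl": int(ttl)})
    return records


def fast_flux_candidates(records, min_distinct_ips: int = 4, max_ttl: int = 300) -> List[str]:
    """Fast-flux indicator: one name, many different IPs, all with short TTLs."""
    answers = defaultdict(set)
    ttls = defaultdict(list)
    for r in records:
        if r["result"] == "A":
            answers[r["qname"]].add(r["answer"])
            ttls[r["qname"]].append(r["ttl"])
    return sorted(q for q in answers
                  if len(answers[q]) >= min_distinct_ips and max(ttls[q]) <= max_ttl)


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; randomly generated labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname: str, min_len: int = 10, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.2) -> bool:
    """Lexical DGA heuristic on the second-level label: long, high entropy, few vowels."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio <= max_vowel_ratio


def dga_candidates(records, min_nxdomain: int = 2) -> Tuple[List[str], List[str]]:
    """Return (suspicious names, clients with NXDOMAIN bursts).

    Most generated domains are never registered, so an infected host produces
    many NXDOMAIN answers while it hunts for the one the operator activated."""
    names = sorted({r["qname"] for r in records if looks_generated(r["qname"])})
    nx = defaultdict(int)
    for r in records:
        if r["result"] == "NXDOMAIN":
            nx[r["client"]] += 1
    noisy = sorted(c for c, n in nx.items() if n >= min_nxdomain)
    return names, noisy


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("fast-flux candidates:", fast_flux_candidates(recs))
    print("dga candidates / noisy clients:", dga_candidates(recs))
```

On the sample, only update.shop-portal.net trips the fast-flux rule (five distinct addresses, TTLs of 150 s or less), while the three random-looking names and the single client behind the NXDOMAIN burst trip the DGA rules; a legitimate CDN with one stable answer and a long TTL stays clean. Lexical heuristics alone misfire on some CDN and tracking hostnames, so the NXDOMAIN count per client is the stronger of the two signals.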
32. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques More Information
# Mitre ATT&CK Matrix | https://attack.mitre.org
38. # What is a Remote Administration Tool
A RAT is a Malware Framework designed to take control of a remote system:
• Trojan Backdoor
• Botnets
• File Binder / Wrapper, Downloader
• Stealer
• Spyware
• Crypter
• Worms
Commonly offered remote control modules:
• Remote Desktop Streaming
• Remote Webcam Streaming
• Remote Ambient Sound Streaming (Microphone)
• Keylogger
• Password Grabber
• System Management
• File System Management
RAT Introduction
41. One shot
The product owner receives a one-time payment and gives the different application parts in exchange.
Monthly, Yearly, Version
The product owner could also decide to rent the Malware on a subscription limited in time.
Extra Services
• FUD / UD
• Support
• Pay per installs
• Extra Modules
• Training
• Open Source Access
RAT Business Model
42. Payment methods:
Liberty Reserve: online banking system
Western Union: cash deposit service
PayPal: ease of use
Crypto-currency: Bitcoin, Monero, Ethereum
RAT Business Model
43. Malware Identify the different parts of the Framework
C&C: graphical application used to take control of the machines infected by the Malware
Stub Editor: graphical application designed to configure the Malware
Stub: the Malware itself (.exe, .js, .bat, .py, .pdf, .docx)
RAT Identify the Different part of the Framework
44. Malware Network Protocol
• Client / Server based architecture
• Malware coder can create custom protocol
• They can also use existing protocol (HTTP Botnet)
• To evade detection, cryptographic primitives may be used
RAT Network Protocol
45. # Mode 1 : Direct Connection
C&C – Client: Connect(89.27.25.120), Out Port (TCP/UDP) > 1403
Internet (Cloud)
Stub – Server: Listen(1403), In Port (TCP/UDP) > 1403
Malware Network Models
RAT Network Models
46. # Mode 2 : Reverse Connection
Malware Network Models
C&C – Client: Listen(1403), In Port (TCP/UDP) > 1403
Internet (Cloud)
Stub – Client: Connect(45.25.142.32), Out Port (TCP/UDP) > 1403
RAT Network Models
47. # Mode 3 : Hybrid (Direct and/or Reverse)
Malware Network Models
Direct: C&C – Client: Connect(89.27.25.120), Out Port (TCP/UDP) > 1403 → Internet (Cloud) → Stub – Server: Listen(1403), In Port (TCP/UDP) > 1403
AND / OR
Reverse: C&C – Client: Listen(1403), In Port (TCP/UDP) > 1403 ← Internet (Cloud) ← Stub – Client: Connect(45.25.142.32), Out Port (TCP/UDP) > 1403
RAT Network Models
48. # P2P (Peer to Peer)
Malware Network Models
RAT Network Models
49. Malware Network Protocol
# Example of communication system
Server (C&C) side: Main Thread + Listener Thread; per-connection events: New Client, Closed Client; Receive Plain Text → Management Thread; Receive Buffer Thread handling Process List, File List, Reverse shell stdout buffer, Webcam Streaming, Desktop Streaming, File Transfer
Client (Stub) side: Main Thread + Connection Attempt to C&C routine Thread; New Server + Command Parser and Dispatcher Thread handling Process List, File List; Remote Desktop Thread
RAT Network Protocol
52. Malware Network Protocol
# Use case : Basic File Transfer
Exchange between the C&C and the infected system:
1. C&C → infected system: filesystem;c:\
2. Infected system → C&C: filesystem;c:\windows,c:\users,c:\Program Files,c:\Program Files (x86)|c:\file.pdf,c:\file2.png...
3. C&C → infected system: downloadfile;c:\file.pdf
4. Infected system → C&C: downloadfile;c:\file.pdf,10240
5. C&C → infected system: OK
6. Infected system → C&C: CHUNK 1, CHUNK 2, … CHUNK N
file size / packet size = number of packets required for a file transfer
RAT Network Protocol
56. Malware Payload Configuration
• Payload configuration contains important information about how to contact
the C&C
• IP address(es) / Domain Name pointing to IP address(es)
• Communication Port(s)
• It also contains other important configuration elements such as
• Persistence information (Startup, Process, File)
• Anti-analysis functions (Anti-VM, Anti-Debugger, etc.)
• Encryption key (symmetric)
• C&C private key for asymmetric traffic encryption (asymmetric)
• Optional file downloader (if dropper module available and enabled)
• Embedded files (File Binder / Wrapper)
• Fake error messages / events (Open other process)
• Etc.
RAT Payload Configuration
57. Malware Payload Configuration
• Multiple ways exist to store the configuration inside the Stub
• PE Resources Section
• PE Custom Section
• EOF (End Of File)
• As with network communication, the configuration can be in any format
• Plaintext: CSV, JSON, XML
• Byte-encoded structures
• Some Malware encrypt the configuration to hide sensitive data
RAT Payload Configuration
58. Malware Payload Configuration
# PE (Portable Executable) Resources
PE layout: DOS Header, DOS Segment, PE Header, Section Tables, Section 1 … Section N
.rsrc (Resource Section) contents: Icon, Version Info, Bitmaps, Custom Resources, Window Resources (Dialogs)
* Win32 APIs: LockResource, LoadResource, UpdateResource, SizeofResource…
RAT Payload Configuration
59. Malware Payload Configuration
# PE (Portable Executable) Sections
Section Tables: add the new section info
Section Address: 0x000FF12A
Size of section: N Bytes
Name of section: malconf
PE layout: DOS Header, DOS Segment, PE Header, Section 1 … Section N, Custom Section (at 0x000FF12A)
Explore the PE Header and Sections (PE-bear)
JSON / CSV / Structures etc.
{
"cncaddr": [
"127.0.0.1",
"192.168.0.11",
"89.214.25.111",
"lamer.no-ip.org",
"lamer2.dyndns.org"
],
"startup": {
"enabled": true,
"name": "svchost.exe"
}
[...]
}
RAT Payload Configuration
60. Malware Payload Configuration
# EOF (End of File)
The payload configuration is simply appended at the end of the application file.
Appending content at the end of an application file doesn't corrupt the application itself, since that data lies outside the scope defined by the PE structure
(the SizeOfImage attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER).
Most Antivirus products detect such behavior by comparing the size of the image (SizeOfImage) from the PE Header with the file size.
Example (Pascal/Delphi)
RAT Payload Configuration
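The custom-section and EOF storage techniques from the two slides above can both be checked with a small section-table parser. The example below is added for this page and is not the talk's Pascal/Delphi code: it builds a constructed, minimal PE32 file (valid headers, not meant to run) with a custom section named "malconf", the name used on the slide, and an optional blob appended after the last section, then locates both from the defender's side. Rather than the SizeOfImage comparison the slide mentions, it uses the end of the last section's raw data as the boundary, the usual overlay heuristic, which is an assumption about how such a comparison is implemented; the sample configuration values are the ones shown on the slide.

```python
import json
import struct
from typing import List, Optional, Tuple

SECTION_HEADER_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER layout
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes
FILE_ALIGNMENT = 0x200

# Constructed sample configuration; the values are those shown on the slide.
SAMPLE_CONFIG = json.dumps({
    "cncaddr": ["127.0.0.1", "lamer.no-ip.org"],
    "startup": {"enabled": True, "name": "svchost.exe"},
}).encode()


def build_sample_pe(config: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 file: a .text section, a custom section named
    "malconf" carrying `config`, and `overlay` appended after the last section
    (the EOF technique). Headers are valid for parsing; it is not runnable."""
    sections = [(b".text", b"\xC3" * 0x40), (b"malconf", config)]
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 magic + padding
    table, body, raw_ptr = b"", b"", FILE_ALIGNMENT
    for i, (name, payload) in enumerate(sections):
        padded = payload.ljust(FILE_ALIGNMENT, b"\0")
        table += struct.pack(SECTION_HEADER_FMT, name, len(payload), 0x1000 * (i + 1),
                             len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
    headers = dos_header + b"PE\0\0" + coff_header + optional_header + table
    return headers.ljust(FILE_ALIGNMENT, b"\0") + body + overlay


def section_headers(data: bytes) -> List[Tuple[str, int, int]]:
    """Parse the section table; yields (name, PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)        # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * SECTION_HEADER_SIZE)
        out.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[4], f[3]))
    return out


def extract_section(data: bytes, wanted: str) -> Optional[bytes]:
    """Raw on-disk bytes of the named section, e.g. a custom config section."""
    for name, ptr, size in section_headers(data):
        if name == wanted:
            return data[ptr:ptr + size]
    return None


def find_overlay(data: bytes) -> Tuple[int, bytes]:
    """Offset of the end of the last section's raw data, and everything past it."""
    end = 0
    for _name, ptr, size in section_headers(data):
        if size:
            end = max(end, ptr + size)
    return end, data[end:]


COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".pdata"}


def unusual_sections(data: bytes) -> List[str]:
    """Section names a stock compiler/linker would not normally emit."""
    return [n for n, _, _ in section_headers(data) if n not in COMMON_SECTIONS]


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_CONFIG, overlay=b"cfg=" + SAMPLE_CONFIG)
    print("unusual sections:", unusual_sections(sample))
    print("malconf:", json.loads(extract_section(sample, "malconf").rstrip(b"\0")))
    print("overlay at 0x%x: %r" % find_overlay(sample))
```

An overlay by itself is not a verdict: Authenticode signatures are stored after the last section (the WIN_CERTIFICATE blob referenced by the security data directory), and self-extracting installers routinely append their archives there, so a triage tool should report the overlay's size and entropy and whether a signature accounts for it rather than flag every file with trailing bytes. The odd section name is the cheaper signal, since section names are a free choice of the packer or builder.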
62. Malware An example of timeline
Malware Execution
→ Anti-VM check: Detected? Yes → Exit Process; No → continue
→ Create Mutex: Exists? Yes → Exit Process; No → continue
→ Installed? No → Copy to destination location; Register location to startup; Extract embedded files; Download / Execute; Initialize Melting (ping + timeout, delete original copy, run installed copy)
→ Installed? Yes → Inject code into a legitimate process (Explorer.exe; Iexplore.exe; firefox.exe); Establish a connection to C&C
RAT Infection Process
64. Malware Introduction to Malware – Focus on Remote Administration Tool Family
Conclusion
# Malware is becoming more and more complex
# The security industry and researchers are developing new techniques to fight advanced threats.
# Understanding the concepts behind malware can help to stay protected
65. Thank You
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
@DarkCoderSc
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@fr0gger_
Q/A