Thursday 5 October 16:00 - 16:30, Red room
Cristina Vatamanu (Bitdefender)
Adrian Schipor (Bitdefender)
Alexandru Maximciuc (Bitdefender)
Targeted attacks are usually deployed to interfere with the operation of specific entities. To get the job done, the attackers stay under the radar for a considerable period of time, which allows them to operate unrestricted in the victim's environment. These kinds of attacks are usually custom-made, with just enough features to carry out the attacks for which they have been designed.
The piece of malware presented in this paper, Netrepser, uses quite an array of methods to steal valuable and specific information from specific victims. It is built around a legitimate, yet controversial recovery toolkit provided by NirSoft. The cybercriminals manage to play the simplicity card to better blend in with the environment.
We have isolated and dissected the malware in order to better understand its early stages. This paper will detail its method of distribution through advanced spear-phishing techniques, its communication with the C&C servers, the JavaScript payloads used in the attack, the methods of collecting intelligence and exfiltrating it systematically, the tools used, the methods of obfuscation deployed to avoid detection and, ultimately, the impact it has on the victim's data. Based on our analysis of this piece of malware, its primary focus, the number of victims and the data it gathers, we presume that this targeted attack is part of a cyber-espionage campaign.
Cristina Vatamanu
Cristina Vatamanu graduated from the Faculty of Computer Science at the 'Gheorghe Asachi' University. She has worked at Bitdefender for almost eight years. Some of her responsibilities (and hobbies) include reverse engineering, exploit analysis and automated systems.
Adrian Schipor
Adrian Schipor has worked at Bitdefender for four years and is passionate about reverse engineering, exploits and cryptography. He is also currently studying for a Ph.D. in cryptography at the 'Alexandru Ioan Cuza' University of Iasi.
Alexandru Maximciuc
Alexandru Maximciuc is passionate about reverse engineering, likes Perl and Go, and studied mathematics. He has been working at Bitdefender for ten years, and he really enjoys fighting malware.