Thursday 5 October 14:00 - 14:30, Green room
Omer Agmon (IBM Trusteer)
The popularity of cybercrime in Brazil has been growing steadily during recent years, and has come to a peak with Client Maximus – a piece of financial malware and a RAT that was discovered at the end of August this year and is gaining traction among cybercriminals in Latin America. Gone are the days when 'Brazilian banking trojan' was a synonym for clumsy low-end Delphi code. After setting a new technical standard for Brazil's financial malware, the latest version of Client Maximus manages to do it again. In this talk I will familiarize the audience with this very impressive, yet little known malware, and focus on its unique deployment method.
We shall explore the impressively complex, multi-staged method with which it protects the malicious payload and deploys it upon infection. Jumping between PowerShell, VBScript and .NET code, Client Maximus decodes and decrypts multiple scripts and assemblies that are carefully orchestrated in order for it to stay as stealthy as possible. Using advanced .NET code hiding techniques, it dynamically loads pre-compiled C# code which is invisible to your everyday reflector, as we will explore in depth.
At its final stage, just before the malicious payload is executed, Client Maximus utilizes an extremely powerful public PowerShell project that practically replaces the Windows loader's functionality with its own. It injects a Dynamic-Link Library (DLL) into a remote process by parsing the Portable Executable (PE) header of the malicious DLL, analysing its dependencies, and injecting them one by one into the remote process, which was an innocent process up to this point. Finally, the payload is executed and the endpoint is infected with the newest Client Maximus.
Omer Agmon was born in Israel in 1981. He studied information system engineering at Ben-Gurion University of the Negev, graduating in 2010. Omer joined Intel as a software engineer in 2007, where he worked as a C++ and C# developer. He then moved to IBM, where he has worked for the last three years as a Security Researcher. Omer has a great passion for the software and hardware realm, with emphasis on the different security angles. Most of his experience is with financial malware and specifically with Latin America malware. His hobbies include playing music, jogging and electronics.