The Hitchhiker’s Guide to the North Korean malware galaxy

Thursday 4 October 14:00 - 14:30, Red room

Jay Rosenberg (Intezer Labs)
Itai Tevet (Intezer Labs)



The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy and 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk-wiping attack from 4 July 2009 have with WannaCry, one of the largest cyber attacks in the history of the cyber sphere?

From the Mydoom variant Brambul, to the more recent FallChill, WannaCry, and targeting of cryptocurrency exchanges, there is a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor. Bad actors have a tendency to unwittingly leave fingerprints on their attacks, allowing researchers to connect the dots between them. North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal. In this session, attendees will view never-before-seen code analysis illustrating key similarities between samples attributed to North Korea, a shared networking infrastructure, and other revealing data hidden within the binaries. All of these puzzle pieces will be put together to illustrate the connections between the many attacks attributed to North Korea and to categorize different tools used by specific teams of their cyber army.

 

Jay-Rosenberg-web.jpg

Jay Rosenberg

Jay Rosenberg, senior security researcher at Intezer Labs, leads the research behind Intezer's code reuse detection technology. He has been programming and reverse engineering since the tender age of 12. He has spoken at various conferences around the world, identified new threats, and published his threat intelligence research on some of the largest cyber attacks.

@JayTezer

 

Itai-Teveet-web.jpg

Itai Tevet

Tevet possesses a combination of in-depth technical expertise and leadership experience in mitigating state-level cyber threats. He previously served as the head of IDF CERT, the Israeli Defense Force's Cyber Incident Response team, where he led an elite group of cybersecurity professionals in digital forensics, malware analysis, incident response and reverse engineering.

@itaitevet

 

Related links



Back to VB2018 Programme page

Other VB2018 papers

Now you see it, now you don't: wipers in the wild

Saher Naumaan (BAE Systems)

Levelling up: why sharing threat intelligence makes you more competitive

Michael Daniel (Cyber Threat Alliance)

Behind the scenes of the SamSam investigation

Peter Mackenzie (Sophos)
Andrew Brandt (Sophos)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.