Abusing third-party cloud services in targeted attacks

Wednesday 2 October 16:30 - 17:00, Green room

Daniel Lunghi (Trend Micro)
Jaromir Horejsi (Trend Micro)



The infrastructure of malware is important for both attackers and defenders. A typical piece of malware needs to reach an attacker-operated server to get its commands and send the results back. Yet, on the attacker's side, designing, implementing and maintaining a C&C infrastructure is time- and resource-consuming as well as error-prone. On the defender's side, analysing the infrastructure of a threat actor is useful in building patterns for detection, tracking an actor's activity, gathering more intelligence about it and correlating it to known groups.

Threat actors performing targeted attacks have high stealth requirements, and we have seen attacks that shifted to cloud services for this reason. This seems to be a smart move, as the infrastructure is maintained by a third party and the malicious traffic is mixed with legitimate traffic. However, such a choice has drawbacks for the attacker.

In this presentation we will show examples of targeted attacks involving threat actors from different parts of the world, for example Muddywater or Confucius, that moved part of their infrastructure to well-known third-party cloud services: file-sharing services (e.g. Dropbox, Google Drive), communication and collaboration services (e.g. Slack, Telegram), version control services (e.g. GitHub) or publishing platforms (e.g. Blogger). We will detail different implementations and how we managed to use them to our advantage to find out more about the attackers and their campaigns.

 Related links

 

silhouette-vb2019.jpg

Daniel Lunghi

Daniel Lunghi is a threat researcher at Trend Micro. He has been monitoring threat actors, hunting malware and performing incident response investigation for years, sometimes in IT infrastructures involving thousands of hosts. When not on the trail of online attackers, Daniel still spends time in front of a keyboard — on a piano.

@thehellu

 

Jaromir-Horejsi-web.jpg

Jaromir Horejsi

Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking trojans, click fraud and ransomware. In the past he has presented his research at RSAC, Virus Bulletin, FIRST, AVAR, Botconf and CARO.

@JaromirHorejsi


   Download slides

Back to VB2019 Programme page

Other VB2019 papers

2,000 reactions to a malware attack - accidental study

Adam Haertle (BadCyber.com / ZaufanaTrzeciaStrona.pl)

Who is SandCat: an unveiling of a lesser-known threat actor

Brian Bartholomew (Kaspersky)

For reserve paper

Reserve speaker (TBA)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.