Malware
Understanding the Malware Threat and How to Respond
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@DarkCoderSc @fr0gger_
Malware Agenda
#1 What is a Malware?
# Malware Definition
# Malware Economy
# Malware Attribution
#2 Malware Techniques
# Infection Vectors
# Persistence
# Privilege escalation
# Evasion Techniques
# C&C
#3 Malware Analysis
# Static Analysis
# Dynamic Analysis
#4 Use case: Remote Administration Tools (RAT)
# Definition
# Business Model
# Network Architecture
# Network Protocol
# Payload Configuration
#5 Conclusion
What is a Malware?
Malware Introduction to Malware – Focus on Remote Administration Tool Family
An introduction to Malicious Software
Malware
Different families of Malware
Virus, Worm
Dropper, File Binder / Wrapper / Crypter, Downloader
Trojan Backdoor
Remote Administration Tools (RAT)
HTTP Botnet
Scareware / Rogue
Ransomware
Stealer (Password and/or Files)
Spyware, Adware
CoinMiners
Rootkit / Bootkit
What is a Malware? Malware Families
What is a Malware?
# Who is behind it?
Grey-hat / Black-hat
# Who uses them and why?
• Script Kiddies
• Criminal Organizations
• Governments
• Terrorism
• IT Security Researcher
Who and why
What is a Malware? Malware Economy
# Criminals make money with their creations
# Using them to steal data
# Selling them to other criminals
# Building business models such as Malware as a Service
What is a Malware? Malware Economy
# Ransomware as a Service
Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/
What is a Malware? Malware Economy
# Exploit kits
Source: https://www.mcafee.com/threat-center/threat-landscape-dashboard/
What is a Malware? Malware Attribution
# Malware is developed by humans
# Many techniques can lead to attribution:
# PDB Path
# Strings
# Code comparison
# Tools used
# Operating method
# Timestamp
# Infrastructure reuse
Attribution can be faked!
Malware Techniques
Infection / Evasion / C&C / Privilege Escalation
Malware Techniques Infection Vectors
Medias
USB keys, CD/DVD, (External) Hard Drives
Social Networks
Facebook, Twitter, Google+, YouTube / Dailymotion, Instagram etc.
Websites
Phishing, distributed software, vulnerabilities (Java, Flash, web browser)
Exploits
Local exploits, remote exploits, physical exploits
Network sharing
P2P software (Torrent, eMule), network file shares (NAS, FTP)
Email
Phishing, attachment
Malware Techniques Infection Vectors
# Supply Chain Attack
Third Party Infected Download
Trojanised Software
Source: https://www.youtube.com/watch?v=tX0v-rMcuwc
Malware Techniques Persistence
# To survive a reboot, malware needs to persist on the infected machine.
# Registry RUN keys
# Task Scheduler
# Windows Services
# AppInit_DLL
# COM Hijacking
# Bootkit
Malware Techniques Persistence
# Registry RUN Keys
# Emotet Malware Example
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Malware Techniques Persistence
# The Task Scheduler can be used to run tasks | NotPetya
• at <time> shutdown.exe /r /f
• schtasks /create /SC once /TN "" /TR "shutdown.exe /r /f" /ST <time>
Malware Techniques Persistence
# Bootkit
Malware Techniques Privilege Escalation
# Malware needs to elevate privileges to perform its actions,
e.g. to access sensitive data in order to steal / modify / encrypt it…
# Token Manipulation
# Bypass User Account Control (UAC)
# Vulnerability Exploitation
# Hooking
# Dump Credentials
# Many more
Malware Techniques Privilege Escalation
# Token Manipulation | Teslacrypt
Malware Techniques Privilege Escalation
# UAC Bypass | Operation HoneyBee
cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
# The macro extracts the CAB file into %SystemRoot%\System32, using either
wusa.exe or expand.exe (depending on the OS version) to bypass UAC prompts
# Once the files have been extracted, the Visual Basic macro deletes the CAB
file and runs the malicious NTWDBLIB.dll via cliconfg.exe, an auto-elevated
Windows binary that side-loads that DLL from System32 (to gain privileges and
bypass UAC protections)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
Malware Techniques Privilege Escalation
# Vulnerability Exploitation | Wannacry - EternalBlue
# EternalBlue: exploit from the leaked Equation Group toolset, targeting the SMBv1 vulnerability patched by MS17-010 – kernel exploit
# Used to spread on the network but also to obtain SYSTEM privileges
https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
Malware Techniques Privilege Escalation
# Credentials Dumping | Olympic Destroyer
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Malware Techniques Evasion Techniques
# Malware uses evasion techniques to avoid detection and analysis
https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques
Packer/Binder/Crypter
Compress/Encrypt, IAT Protect, Code Virtualizing
Process Injection
Process Hollowing, DLL Injection, Process Doppelganging
Sandbox Evasion
VM Artifacts, x86 Instructions, Sleep, Running Process
Anti-Virus Evasion
Disabling AV, file Size, Injection
Obfuscation
Base64, XOR, Encryption, Hash, Custom
Anti-Debugging
Windows API, Timing Check, Debugger Detection
Anti-Forensic
Melting, File-less, Wiper, Removal
Malware Techniques Evasion Techniques
# Packers
https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/
Malware Techniques Evasion Techniques
# Process Hollowing | Zcrypt Ransomware
Malware Techniques Evasion Techniques
# Antivirus Detection | Pinkslipbot
Malware Techniques Evasion Techniques
# Virtual Machine Detection | Pinkslipbot
Malware Techniques Evasion Techniques
# Unprotect Project | Malware Evasion Trick Database
Unprotect.tdgt.org
Malware Techniques Command & Control
# Malware needs to communicate with its C&C
# Infected machines controlled by the same C&C are called a Botnet
# Malware uses the C&C to:
# Receive commands
# Exfiltrate / download data
# Get the encryption key (Ransomware) or interact to pay the ransom
Malware Techniques Command & Control
# Fast-Flux communication
# One domain has multiple IP addresses
# The DNS records have a very short TTL (a few minutes), so every few
minutes the host name points to another infected machine
# Infected machines serve as proxies in front of the real C&C
https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png
Malware Techniques Command & Control
# Domain Generation Algorithm
# Connection to multiple domains
# Many domains can be generated by the sample from a seed (date, constant)
# Attackers register and activate only one of these domains to allow
communication; defenders must predict or block all of them
# The Conficker worm used this technique
https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga
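As an added illustration of the technique (not from the original deck, and not Conficker's real algorithm): a date-seeded DGA in Python, together with the defender-side check that becomes possible once the algorithm and seed have been recovered from a sample. The seed value, the resolver log format and the log lines are all constructed for this example.

```python
import datetime
import hashlib

# Hypothetical DGA parameters (constructed for this example, not a real family's).
SEED = "example-campaign-seed"
TLDS = ("com", "net", "org", "info")


def generate_domains(seed: str, day: datetime.date, count: int = 50) -> list:
    """Derive `count` candidate C&C domains from a secret seed and the current date.

    Sample and attacker run the same function, so the attacker only has to
    register one of today's candidates for the bot to find it.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        length = 8 + digest[0] % 7                      # 8..14 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def match_dns_log(log_lines, seed: str, day: datetime.date) -> list:
    """Defender side: precompute the day's candidates and flag every client
    that queries one of them.

    Constructed log format: "<timestamp> <client-ip> query <qname>".
    """
    candidates = set(generate_domains(seed, day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in candidates:
            hits.append((parts[1], qname))
    return hits


DAY = datetime.date(2018, 6, 1)
TODAYS_DOMAINS = generate_domains(SEED, DAY)

# Constructed resolver log: two benign queries and one for a generated domain.
SAMPLE_LOG = [
    "2018-06-01T10:00:01 10.0.0.7 query www.example.com.",
    f"2018-06-01T10:00:02 10.0.0.5 query {TODAYS_DOMAINS[3]}.",
    "2018-06-01T10:00:03 10.0.0.7 query update.microsoft.com.",
]

if __name__ == "__main__":
    print(TODAYS_DOMAINS[:5])
    print(match_dns_log(SAMPLE_LOG, SEED, DAY))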
Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Techniques More Information
# Mitre ATT&CK Matrix | https://attack.mitre.org
Malware Analysis
Malware Introduction to Malware – Focus on Remote Administration Tool Family
Process, Techniques, Tools
Malware
• Packed?
• Encrypted?
• Reverse
Engineering
Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Analysis Process
Identification Analysis
• Hash calculation
• Virus Total…
• Anti-Virus
• Previous research
• Internal Databases
Static
Dynamic
Detection
and
Remediation
• What the malware
does?
• Which CnC it
contacts?
• Does it still data?
• How does it
infects my system?
• Sandboxing
• Debugging
• Monitoring
Infected
machines
• Block CnC
• Deploy signature
• Clean infected
machines
• Improve Security
Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Analysis Toolkit
# Static Analysis
# Packer Detection: PEiD, RDG Packer
Detect, DIE…
# PE Format: Ressource Hacker, PEStudio,
StudPE…
# Reverse Engineering: IDA, Radare2,
DnSPY…
# Sysinternals: Strings, Sigcheck…
# Utilities: HexEdit, Python…
Malware Introduction to Malware – Focus on Remote Administration Tool Family
Malware Analysis Toolkit
# Dynamic Analysis
# Process: Process Explorer
# Monitoring: Regshot, Procmon, Autoruns,
API-Monitor…
# Network: Wireshark, Fiddler, CurrPort…
# Debugging: OllyDBG, X64DBG…
# Sandbox: Cuckoo, Proprietary Sandbox…
Remote Administration Tools (RAT)
Malware
A popular Malware Framework
Malware
# What is a Remote Administration Tool
A RAT is a Malware Framework designed to take the control of a remote system:
• Trojan Backdoor
• Botnets
• File Binder / Wrapper, Downloader
• Stealer
• Spyware
• Crypter
• Worms
Commonly offered remote control modules:
• Remote Desktop Streaming
• Remote Webcam Streaming
• Remote Ambient Sound Streaming (Micro)
• Keylogger
• Password Grabber
• System Management
• File System Management
RAT Introduction
• Backorifice
• SubSeven (Sub7)
• Optix
• Beast
• LanFiltrator
• Institution 2004
• Netbus
• Coma
• Y3k RAT
• Prorat
• Mosucker
Past generation : Recent generation :
• Poison Ivy
• Bifrost
• Blackshades
• Turkojan
• DarkComet
• NetWire
• SpyNet (Xtreme RAT)
• NjRAT
• NanoCore
• L0stD00r
• SubSeven (New gen)
# Few renowned RAT’s
RAT Introduction
Freeware
Shareware
Open Source
SaaS (Software as a Service)
It is a real business
RAT Business Model
One shot
The product owner received a one time payment and gives in exchange the different
application parts.
Monthly, Yearly, Version
The product owner could also decide to rent his Malware with a subscription limited in time.
Extra Services
• FUD / UD
• Support
• Pay per installs
• Extra Modules
• Training
• Open Source Access
RAT Business Model
Payment methods:
Liberty Reserve
Online banking system
Western Union
Cash deposal service
PayPal
Ease of use
Crypto-currency
Bitcoin, Monero, Ethereum
RAT Business Model
Malware Identify the different parts of the Framework
C&C Stub Editor Stub
Graphical application
to take the control of
infected machines
by the Malware
Graphical application
designed to configure
the Malware
The Malware
.exe, .js, .bat, .py, .pdf, .docx
RAT Identify the Different part of the Framework
Malware Network Protocol
• Client / Server based architecture
• Malware coder can create custom protocol
• They can also use existing protocol (HTTP Botnet)
• To evade detection, cryptographic principle could be used
RAT Network Protocol
# Mode 1 : Direct Connection
C&C – Client
Connect(89.27.25.120)
Stub – Server
Listen(1403)
Out Port
(TCP/UDP) > 1403
Internet (Cloud)
In Port
(TCP/UDP) > 1403
Malware Network Models
RAT Network Models
# Mode 2 : Reverse Connection
Malware Network Models
C&C – Client
Listen(1403)
Stub –Client
Connect(45.25.142.32)
In Port
(TCP/UDP) > 1403
Internet (Cloud)
Out Port
(TCP/UDP) > 1403
RAT Network Models
# Mode 3 : Hybrid (Direct and/or Reverse)
Malware Network Models
C&C – Client
Connect(89.27.25.120)
Stub – Server
Listen(1403)
Out Port
(TCP/UDP) > 1403
Internet (Cloud)
In Port
(TCP/UDP) > 1403
C&C – Client
Listen(1403)
Stub –Client
Connect(45.25.142.32)
In Port
(TCP/UDP) > 1403
Internet (Cloud)
Out Port
(TCP/UDP) > 1403
AND / OR
RAT Network Models
# P2P (Peer to Peer)
Malware Network Models
RAT Network Models
Malware Network Protocol
# Example of communication system
Server
Client
Main Thread + Listener Thread
(Server)
Closed Client
New Client
Receive Plain / Text
Management Thread
Receive Buffer
Thread
Process List
File List
Reverse shell stdout buffer
Webcam Streaming
Desktop Streaming
File Transfer
+
+
Main Thread +
Connection
Attempt to C&C
routine Thread
New Server +
Command Parser
and Dispatcher
Thread
Process List
File List
Remote Desktop Thread+
RAT Network Protocol
Malware Network Protocol
# HTTP Protocol
RAT Network Protocol
GET ; POST ; PUT ; UPDATE ; DELETE etc.
Malware Network Protocol
# Nature of transmitted data
CSV
kill:14032,1254,12687
JSON
{
“action”:”kill”,
“data”:[
14032,
1254,
12687
]
}
BYTES (Struct)
4c000000011402000000
0000c0000000000000469
b000800200000005284ce
b6f7c8d3015284ceb6f7c
8d3014b5333d55ba3d301
00fa01…
RAT Network Protocol
Malware Network Protocol
# Use case : Basic File Transfer
1
2
filesystem;c:
filesystem;c:windows,c:users,c:Pr
ogram Files,c:Program Files
(x86)|c:file.pdf,c:file2.png...
3 downloadfile;c:file.pdf
4downloadfile;c:file.pdf,10240
5 OK
6CHUNK 1 CHUNK 2 CHUNK N
C&C Infected system
file size / packet size = number of packets required for a file transfer
RAT Network Protocol
Malware Network Protocol
# Encryption Layer
Symmetric Encryption
RC4 / AES / Camelia
Key : passw0rd
RC4 / AES / Camelia
Key : passw0rd
Packet Data (Plain,
Byte)
Cloud Packet Data (Plain,
Byte)
Hello CF012FA29C HelloCF012FA29C
RAT Network Protocol
Malware Network Protocol
# Little reminder to XOR Encryption
0 0 0
1 0 1
0 1 1
1 1 0
0 1 0 0 1 1 0 0 1 0 1 1 1 1 0 0
1 1 1 0 0 1 1 1 0 0 1 1 0 1 0 1
1 0 1 0 1 0 1 1 1 0 0 0 1 0 0 1
1 0 1 0 1 0 1 1 1 0 0 0 1 0 0 1
1 1 1 0 0 1 1 1 0 0 1 1 0 1 0 1
0 1 0 0 1 1 0 0 1 0 1 1 1 1 0 0
Plain data
Secret key
Encrypted data
DATA xor KEY = ENCRYPTED_DATA
ENCRYPTED_DATA xor KEY = DATA
ENCRYPTED_DATA xor DATA = KEY
RAT Network Protocol
Malware Network Protocol
# Encryption Layer
Asymmetric Encryption
RSA / ECC
Remote public key
RSA / ECC
Local private key
Session key Session keyCloud
Step 1 : Transmit a generated temporary session key using asymmetric algorithm
RC4 / AES / Camelia
Key : temporary session key
RC4 / AES / Camelia
Key : temporary session key
Packet Data (Plain,
Byte)
Cloud Packet Data (Plain,
Byte)
Hello CF012FA29C HelloCF012FA29C
Step 2 : Symmetric encryption using transmitted session key
RAT Network Protocol
Malware Payload Configuration
• Payload configuration contains important information about how to contact
the C&C
• IP address(es) / Domain Name pointing to IP address(es)
• Communication Port(s)
• It also contains other important configuration elements such as
• Persistence Information's (Startup, Process, File)
• Anti’s functions (Anti-VM, Anti-Debugger etc.)
• Encryption key (symmetric)
• C&C private key for asymmetric traffic encryption (Asymmetric)
• Optional file downloader (if dropper module available and enabled)
• Embedded files (File Binder / Wrapper)
• Fake error messages / events (Open other process)
• Etc.
RAT Payload Configuration
Malware Payload Configuration
• Multiple ways exist to store the configuration inside the Stub
• PE Resources Section
• PE Custom Section
• EOF (End Of File)
• In the same way of network communication, the configuration could be from any formats
• Plaintext : CSV, JSON, XML
• Byte encoded structures
• Some Malware encrypt configuration data to hide sensitive data's
RAT Payload Configuration
Malware Payload Configuration
# PE (Portable Executable) Resources
.rsrc
(Resource Section)
DOS Segment
PE Header
Section Tables
Section 1
…
Section N
DOS Header
Icon
Versions Info
Bitmaps
Custom Resources
Window Resources (Dialogs)
* LockResource, LoadResource, UpdateResource, SizeOfResource…
RAT Payload Configuration
Malware Payload Configuration
# PE (Portable Executable) Sections
Section Tables Add new section info
Section Address : 0x000FF12A
Size of section : N Bytes
Name of section : malconf
Section 1
DOS Segment
PE Header
Section 1
Section N
DOS Header
…
Custom Section
0x000FF12A
Explore PE Header and Sections (PE Bear)
JSON / CSV / Structures etc.
{
"cncaddr": [
"127.0.0.1",
"192.168.0.11",
"89.214.25.111",
"lamer.no-ip.org",
"lamer2.dyndns.org"
],
"startup": {
"enabled": true,
"name": "svchost.exe"
}
[...]
}
RAT Payload Configuration
Malware Payload Configuration
# EOF (End of File)
Payload configuration is simply appended at the End of the application file.
Appending content at the end of an application file doesn’t corrupt the application itself since it is out of the scope defined by the PE Structure
(SizeOfImage structure attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER)
Most Antivirus detect such behavior by comparing the size of the image (SizeOfImage) from the PE Header with the file size.
Example (Pascal/Delphi)
RAT Payload Configuration
Malware Payload Formats
Binary Application
Script Files
Documents
Exploit Kit
RAT Payload Format
Malware An example of timeline
Malware Execution
ping + timeout
delete original copy
run installed copy
Installed
Exit Process
Copy to destination location
Register location to startup
Extract embedded files
Download / Execute
Initialize Melting
Inject code to legitimate process
(Explorer.exe ; Iexplore.exe ; firefox.exe)
No
Create Mutex
Exists
No
Yes
Establish a connection to C&C
Anti-VM
Yes
Detected
Yes No
RAT Infection Process
Conclusion
Malware Introduction to Malware – Focus on Remote Administration Tool Family
“Know your enemy”
Malware
Malware Introduction to Malware – Focus on Remote Administration Tool Family
Conclusion
# Malware are becoming more and more complex
# Security industry and researcher are developping new techniques to
fight advanced threats.
# Understand the concepts behind malware can help to stay protected
Thank You
Jean-Pierre LESUEUR
Full Stack Developer x IT Security Researcher
@DarkCoderSc
Thomas ROCCIA
Security Researcher, Advanced Threat Research at McAfee
@fr0gger_
Q/A

Weitere ähnliche Inhalte

Was ist angesagt?

EverSec + Cyphort: Big Trends in Cybersecurity
EverSec + Cyphort: Big Trends in CybersecurityEverSec + Cyphort: Big Trends in Cybersecurity
EverSec + Cyphort: Big Trends in CybersecurityCyphort
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Studysecurityxploded
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler Marci Bontadelli
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian MalwareKaspersky
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence Cyphort
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemCyphort
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Malware self protection-matrix
Malware self protection-matrixMalware self protection-matrix
Malware self protection-matrixCyphort
 
Hunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezHunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezEC-Council
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareChelsea Sisson
 
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOLMalware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOLCyphort
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...CODE BLUE
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 

Was ist angesagt? (20)

EverSec + Cyphort: Big Trends in Cybersecurity
EverSec + Cyphort: Big Trends in CybersecurityEverSec + Cyphort: Big Trends in Cybersecurity
EverSec + Cyphort: Big Trends in Cybersecurity
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
ITPG Secure on WannaCry
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security Ecosystem
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Malware self protection-matrix
Malware self protection-matrixMalware self protection-matrix
Malware self protection-matrix
 
Hunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul AlvarezHunting Layered Malware by Raul Alvarez
Hunting Layered Malware by Raul Alvarez
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless Malware
 
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOLMalware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Malware's Most Wanted: Malvertising Attacks on Huffingtonpost, Yahoo, AOL
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
Ransomware 2017: New threats emerge
Ransomware 2017: New threats emergeRansomware 2017: New threats emerge
Ransomware 2017: New threats emerge
 
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen...
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
 

Ähnlich wie 42 - Malware - Understand the Threat and How to Respond

Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Practical Incident Response - Work Guide
Practical Incident Response - Work GuidePractical Incident Response - Work Guide
Practical Incident Response - Work GuideEduardo Chavarro
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threatsMartin Holovský
 
Common Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementCommon Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementMuhammad FAHAD
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Chapter 2Risk AnalysisCopyright © 2014 by McGraw-Hill Educat
Chapter 2Risk AnalysisCopyright © 2014 by McGraw-Hill EducatChapter 2Risk AnalysisCopyright © 2014 by McGraw-Hill Educat
Chapter 2Risk AnalysisCopyright © 2014 by McGraw-Hill EducatEstelaJeffery653
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The EnterpriseAyed Al Qartah
 
Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Malware: To The Realm of Malicious Code (Training)
Malware: To The Realm of Malicious Code (Training)Satria Ady Pradana
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)EC-Council
 
Internet Security in Web 2.0
Internet Security in Web 2.0 Internet Security in Web 2.0
Internet Security in Web 2.0 Arjunsinh Sindhav
 
Malware in penetration testing 1
Malware in penetration testing 1Malware in penetration testing 1
Malware in penetration testing 1Arbab Usmani
 
CyberSecurity presentation for basic knowledge about this topic
CyberSecurity presentation for basic knowledge about this topicCyberSecurity presentation for basic knowledge about this topic
CyberSecurity presentation for basic knowledge about this topicpiyushkamble6
 
Cyber threats landscape and defense
Cyber threats landscape and defenseCyber threats landscape and defense
Cyber threats landscape and defensefantaghost
 
Learn Hacking With Gflixacademy
Learn Hacking With GflixacademyLearn Hacking With Gflixacademy
Learn Hacking With GflixacademyGaurav Mishra
 
Internetsecuritypowerpoint 130404101055-phpapp02
Internetsecuritypowerpoint 130404101055-phpapp02Internetsecuritypowerpoint 130404101055-phpapp02
42 - Malware - Understand the Threat and How to Respond

  • 1. Malware Understanding the Malware Threat and How to Respond Jean-Pierre LESUEUR Full Stack Developer x IT Security Researcher Thomas ROCCIA Security Researcher, Advanced Threat Research at McAfee @DarkCoderSc @fr0gger_
  • 2. Malware Agenda #1 What is a Malware? # Malware Definition # Malware Economy # Malware Attribution #2 Malware Techniques # Infection Vectors # Persistence # Privilege escalation # Evasion Techniques # C&C #3 Malware Analysis # Static Analysis # Dynamic Analysis #4 Usecase Remote Administration Tools (RAT) # Definition # Business Model # Network Architecture # Network Protocol # Payload Configuration #5 Conclusion
  • 3. What is a Malware? Malware Introduction to Malware – Focus on Remote Administration Tool Family An introduction to Malicious Software Malware
  • 4. Malware Introduction to Malware – Focus on Remote Administration Tool Family Different families of Malware Virus, Worm Dropper, File Binder / Wrapper / Crypter, Downloader Trojan Backdoor Remote Administration Tools (RAT) HTTP Botnet Scareware / Rogue Ransomware Stealer (Password and/or Files) Spyware, Adware CoinMiners Rootkit / Bootkit What is a Malware? Malware Families
  • 5. What is a Malware? # Who is behind? Grey-hat, Black-hat # Who uses them and why? • Script Kiddies • Criminal Organizations • Governments • Terrorism • IT Security Researchers Who and why
  • 6. Malware Introduction to Malware – Focus on Remote Administration Tool Family What is a Malware? Malware Economy # Criminals make money with their creations # Using them to steal data # Selling them to other criminals # Creating business models such as Malware as a Service
  • 7. Malware Introduction to Malware – Focus on Remote Administration Tool Family What is a Malware? Malware Economy # Ransomware as a Service Source: https://securingtomorrow.mcafee.com/mcafee-labs/free-ransomware-available-dark-web/
  • 8. Malware Introduction to Malware – Focus on Remote Administration Tool Family What is a Malware? Malware Economy # Exploit kits Source: https://www.mcafee.com/threat-center/threat-landscape-dashboard/
  • 9. Malware Introduction to Malware – Focus on Remote Administration Tool Family What is a Malware? Malware Attribution # Malware is developed by humans # Many techniques can lead to attribution # PDB Path # Strings # Code comparison # Tools used # Operating method # Timestamp # Infrastructure reuse
  • 10. Malware Introduction to Malware – Focus on Remote Administration Tool Family What is a Malware? Malware Attribution # Malware is developed by humans # Many techniques can lead to attribution # PDB Path # Strings # Code comparison # Tools used # Operating method # Timestamp # Infrastructure reuse Attribution can be faked!
  • 11. Malware Techniques Malware Introduction to Malware – Focus on Remote Administration Tool Family Infection / Evasion / C&C / Privilege Escalation Malware
  • 12. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Infection Vectors Media: USB keys, CD/DVD, (External) Hard Drives. Social Networks: Facebook, Twitter, Google+, YouTube / Dailymotion, Instagram etc. Websites: Phishing, Distributed Software, Vulnerabilities (JAVA, Flash, Web-browser). Exploits: Local Exploits, Remote Exploits, Physical Exploits. Network Sharing: P2P Software (Torrent, eMule), Network file shares (NAS, FTP). Email: Phishing, attachments
  • 13. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Infection Vectors # Supply Chain Attack Third Party Infected Download Trojanised Software Source: https://www.youtube.com/watch?v=tX0v-rMcuwc
  • 14. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Persistence # To survive a reboot, malware needs to be persistent on the infected machine. # Registry RUN keys # Task Scheduler # Windows Services # AppInit_DLLs # COM Hijacking # Bootkit
  • 15. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Persistence # Registry RUN Keys # Emotet Malware Example HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • 16. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Persistence # The scheduler can be used to run tasks | NotPetya • at <time> shutdown.exe /r /f • schtasks /create /SC once /TN "" /TR shutdown.exe /r /f /ST <time>
  • 17. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Persistence # Bootkit
  • 18. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Privilege Escalation # Malware needs to elevate privileges to perform actions: to access sensitive data to steal/modify/encrypt… # Token Manipulation # Bypass User Account Control (UAC) # Vulnerability Exploitation # Hooking # Dump Credentials # Many more
  • 19. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Privilege Escalation # Token Manipulation | Teslacrypt
  • 20. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Privilege Escalation # UAC Bypass | Operation HoneyBee cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe # The macro extracts the CAB file into %SystemRoot%\System32, using either wusa.exe or expand.exe (depending on the OS) to bypass UAC prompts # Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections) Source: https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
  • 21. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Privilege Escalation # Vulnerability Exploitation | Wannacry - EternalBlue # EternalBlue Vulnerability from Equation Group (MS17-010) – Kernel Exploit # Used to spread on the network but also to obtain system privileges https://www.slideshare.net/ThomasRoccia | https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
  • 22. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Privilege Escalation # Credentials Dumping | Olympic Destroyer http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
  • 23. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Evasion Techniques # Malware uses evasion techniques to avoid detection and analysis https://www.slideshare.net/ThomasRoccia/malware-evasion-techniques Packer/Binder/Crypter: Compress/Encrypt, IAT Protect, Code Virtualizing. Process Injection: Process Hollowing, DLL Injection, Process Doppelgänging. Sandbox Evasion: VM Artifacts, x86 Instructions, Sleep, Running Processes. Anti-Virus Evasion: Disabling AV, File Size, Injection. Obfuscation: Base64, XOR, Encryption, Hash, Custom. Anti-Debugging: Windows API, Timing Check, Debugger Detection. Anti-Forensic: Melting, File-less, Wiper, Removal
  • 24. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Evasion Techniques # Packers https://securingtomorrow.mcafee.com/technical-how-to/malware-packers-use-tricks-avoid-analysis-detection/
  • 25. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Evasion Techniques # Process Hollowing | Zcrypt Ransomware
  • 26. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Evasion Techniques # Antivirus Detection | Pinkslipbot
  • 27. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Evasion Techniques # Virtual Machine Detection | Pinkslipbot
  • 28. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Evasion Techniques # Unprotect Project | Malware Evasion Trick Database Unprotect.tdgt.org
  • 29. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Command & Control # Malware needs to communicate with its C&C # Infected machines controlled by the same C&C are called a Botnet # Malware uses the C&C to: # Receive commands # Exfiltrate/download data # Get the encryption key (Ransomware) or interact to pay the ransom
  • 30. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Command & Control # Fast-Flux communication # One domain has multiple IP addresses # Every 3 min or more, the host name points to another computer # Infected machines can serve as proxies https://commons.wikimedia.org/wiki/File:Single_und_double_flux.png
  • 31. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques Command & Control # Domain Generation Algorithm # Connection to multiple domains # Many domains can be generated by the sample # Attackers can activate one of several servers to allow communication # The Conficker worm used this technique https://www.senet-int.com/blog/2013/09/malware-domain-generation-algorithm-dga
  • 32. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Techniques More Information # Mitre ATT&CK Matrix | https://attack.mitre.org
  • 33. Malware Analysis Malware Introduction to Malware – Focus on Remote Administration Tool Family Process, Techniques, Tools Malware
  • 34. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Analysis Process. Identification: • Hash calculation • VirusTotal… • Anti-Virus • Previous research • Internal Databases. Analysis (Static: • Packed? • Encrypted? • Reverse Engineering; Dynamic: • Sandboxing • Debugging • Monitoring Infected machines): • What does the malware do? • Which C&C does it contact? • Does it steal data? • How does it infect my system? Detection and Remediation: • Block C&C • Deploy signatures • Clean infected machines • Improve Security
  • 35. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Analysis Toolkit # Static Analysis # Packer Detection: PEiD, RDG Packer Detector, DIE… # PE Format: Resource Hacker, PEStudio, StudPE… # Reverse Engineering: IDA, Radare2, dnSpy… # Sysinternals: Strings, Sigcheck… # Utilities: HexEdit, Python…
  • 36. Malware Introduction to Malware – Focus on Remote Administration Tool Family Malware Analysis Toolkit # Dynamic Analysis # Process: Process Explorer # Monitoring: Regshot, Procmon, Autoruns, API-Monitor… # Network: Wireshark, Fiddler, CurrPort… # Debugging: OllyDBG, X64DBG… # Sandbox: Cuckoo, Proprietary Sandbox…
  • 37. Remote Administration Tools (RAT) Malware A popular Malware Framework Malware
  • 38. # What is a Remote Administration Tool? A RAT is a Malware Framework designed to take control of a remote system, combining: • Trojan Backdoor • Botnets • File Binder / Wrapper, Downloader • Stealer • Spyware • Crypter • Worms. Commonly offered remote control modules: • Remote Desktop Streaming • Remote Webcam Streaming • Remote Ambient Sound Streaming (Microphone) • Keylogger • Password Grabber • System Management • File System Management RAT Introduction
  • 39. # A few renowned RATs. Past generation: • Backorifice • SubSeven (Sub7) • Optix • Beast • LanFiltrator • Institution 2004 • Netbus • Coma • Y3k RAT • Prorat • Mosucker. Recent generation: • Poison Ivy • Bifrost • Blackshades • Turkojan • DarkComet • NetWire • SpyNet (Xtreme RAT) • NjRAT • NanoCore • L0stD00r • SubSeven (New gen) RAT Introduction
  • 40. It is a real business: Freeware, Shareware, Open Source, SaaS (Software as a Service) RAT Business Model
  • 41. One shot: the product owner receives a one-time payment and gives in exchange the different application parts. Monthly, Yearly, Version: the product owner can also decide to rent the malware with a time-limited subscription. Extra Services: • FUD / UD • Support • Pay per install • Extra Modules • Training • Open Source Access RAT Business Model
  • 42. Payment methods: Liberty Reserve (online banking system), Western Union (cash deposit service), PayPal (ease of use), Crypto-currency (Bitcoin, Monero, Ethereum) RAT Business Model
  • 43. Malware: Identify the different parts of the Framework. C&C: graphical application to take control of the machines infected by the Malware. Stub Editor: graphical application designed to configure the Malware. Stub: the Malware itself (.exe, .js, .bat, .py, .pdf, .docx) RAT Identify the Different Parts of the Framework
  • 44. Malware Network Protocol • Client / Server based architecture • The malware coder can create a custom protocol • They can also use an existing protocol (HTTP Botnet) • To evade detection, cryptographic principles can be used RAT Network Protocol
  • 45. # Mode 1 : Direct Connection. C&C – Client: Connect(89.27.25.120), Out Port (TCP/UDP) > 1403 → Internet (Cloud) → In Port (TCP/UDP) > 1403. Stub – Server: Listen(1403). Malware Network Models RAT Network Models
  • 46. # Mode 2 : Reverse Connection. C&C – Client: Listen(1403), In Port (TCP/UDP) > 1403 ← Internet (Cloud) ← Out Port (TCP/UDP) > 1403. Stub – Client: Connect(45.25.142.32). Malware Network Models RAT Network Models
  • 47. # Mode 3 : Hybrid (Direct and/or Reverse). Direct: C&C – Client: Connect(89.27.25.120), Out Port (TCP/UDP) > 1403 → Internet (Cloud) → In Port (TCP/UDP) > 1403; Stub – Server: Listen(1403). AND / OR Reverse: C&C – Client: Listen(1403), In Port (TCP/UDP) > 1403 ← Internet (Cloud) ← Out Port (TCP/UDP) > 1403; Stub – Client: Connect(45.25.142.32). Malware Network Models RAT Network Models
  • 48. # P2P (Peer to Peer) Malware Network Models RAT Network Models
  • 49. Malware Network Protocol # Example of communication system. Server side: Main Thread → Listener Thread (Server) → New Client / Closed Client; per client: Receive Plain / Text Management Thread (Process List, File List) and Receive Buffer Thread (Reverse shell stdout buffer, Webcam Streaming, Desktop Streaming, File Transfer). Client side: Main Thread → Connection Attempt to C&C routine Thread → New Server → Command Parser and Dispatcher Thread (Process List, File List, Remote Desktop Thread) RAT Network Protocol
  • 50. Malware Network Protocol # HTTP Protocol: GET ; POST ; PUT ; UPDATE ; DELETE etc. RAT Network Protocol
  • 51. Malware Network Protocol # Nature of transmitted data. CSV: kill:14032,1254,12687. JSON: { "action":"kill", "data":[ 14032, 1254, 12687 ] }. BYTES (Struct): 4c000000011402000000 0000c0000000000000469 b000800200000005284ce b6f7c8d3015284ceb6f7c 8d3014b5333d55ba3d301 00fa01… RAT Network Protocol
  • 52. Malware Network Protocol # Use case : Basic File Transfer between the C&C and the infected system. 1 (C&C → infected system): filesystem;c:\ 2 (infected system → C&C): filesystem;c:\windows,c:\users,c:\Program Files,c:\Program Files (x86)|c:\file.pdf,c:\file2.png... 3 (C&C → infected system): downloadfile;c:\file.pdf 4 (infected system → C&C): downloadfile;c:\file.pdf,10240 5 (C&C → infected system): OK 6 (infected system → C&C): CHUNK 1, CHUNK 2, … CHUNK N. file size / packet size = number of packets required for a file transfer RAT Network Protocol
  • 53. Malware Network Protocol # Encryption Layer: Symmetric Encryption. Both ends use RC4 / AES / Camellia with Key : passw0rd. Packet Data (Plain, Byte) → encrypt → Cloud → decrypt → Packet Data (Plain, Byte). Example: Hello → CF012FA29C → Hello RAT Network Protocol
  • 54. Malware Network Protocol # Little reminder of XOR Encryption (bit-by-bit table on the slide: Plain data xor Secret key = Encrypted data). DATA xor KEY = ENCRYPTED_DATA. ENCRYPTED_DATA xor KEY = DATA. ENCRYPTED_DATA xor DATA = KEY RAT Network Protocol
  • 55. Malware Network Protocol # Encryption Layer: Asymmetric Encryption. Step 1 : Transmit a generated temporary session key using an asymmetric algorithm (RSA / ECC): the session key is encrypted with the remote public key, sent through the Cloud and decrypted with the local private key. Step 2 : Symmetric encryption (RC4 / AES / Camellia) using the transmitted temporary session key as key: Packet Data (Plain, Byte) → Cloud → Packet Data (Plain, Byte). Example: Hello → CF012FA29C → Hello RAT Network Protocol
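The three XOR identities on slide 54 have a direct consequence for the analyst: a known stretch of plaintext (a JSON header such as `{"cncaddr"`) leaks the repeating key, which then decrypts the whole buffer. The following is an added example, not code from the slides; the key "passw0rd" is the one shown on the encryption-layer slide, and the configuration text and known prefix are constructed.

```python
# Added example (not from the slides): repeating-key XOR and what the three
# identities on the XOR slide mean for an analyst. The key "passw0rd" is the
# key shown on the encryption-layer slide; config text and prefix are constructed.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """ENCRYPTED_DATA xor DATA = KEY: a known plaintext prefix of at least
    key_len bytes gives back the whole repeating key."""
    if min(len(ciphertext), len(known_plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def candidate_key_lengths(ciphertext: bytes, known_plaintext: bytes) -> list:
    """Key lengths L for which the key recovered from the first L bytes also
    decrypts the rest of the known prefix. The true length comes first; its
    multiples and len(known_plaintext) itself pass trivially, so the known
    prefix must be longer than the key for the answer to be meaningful."""
    if not known_plaintext:
        raise ValueError("empty known prefix")
    n = len(known_plaintext)
    hits = []
    for length in range(1, n + 1):
        key = recover_key(ciphertext, known_plaintext, length)
        if xor_bytes(ciphertext[:n], key) == known_plaintext:
            hits.append(length)
    return hits


def decrypt_with_known_prefix(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Analyst workflow: guess the key length, recover the key, decrypt."""
    key_len = candidate_key_lengths(ciphertext, known_prefix)[0]
    return xor_bytes(ciphertext, recover_key(ciphertext, known_prefix, key_len))


# Constructed sample: a JSON payload configuration in the shape used later in
# the deck, XOR-encrypted with the slide's key. In a real case the ciphertext
# comes from the sample and the prefix is a guess such as '{"' or a known header.
KEY = b"passw0rd"
PLAIN_CONFIG = b'{"cncaddr": ["cnc.example.invalid"], "port": 1403}'
ENCRYPTED_CONFIG = xor_bytes(PLAIN_CONFIG, KEY)
KNOWN_PREFIX = b'{"cncaddr"'

if __name__ == "__main__":
    print("key length candidates:", candidate_key_lengths(ENCRYPTED_CONFIG, KNOWN_PREFIX))
    print("recovered key:", recover_key(ENCRYPTED_CONFIG, KNOWN_PREFIX, 8))
    print("decrypted:", decrypt_with_known_prefix(ENCRYPTED_CONFIG, KNOWN_PREFIX))
```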
  • 56. Malware Payload Configuration • Payload configuration contains important information about how to contact the C&C • IP address(es) / Domain Name pointing to IP address(es) • Communication Port(s) • It also contains other important configuration elements such as • Persistence information (Startup, Process, File) • Anti functions (Anti-VM, Anti-Debugger etc.) • Encryption key (symmetric) • C&C private key for asymmetric traffic encryption (Asymmetric) • Optional file downloader (if dropper module available and enabled) • Embedded files (File Binder / Wrapper) • Fake error messages / events (Open other process) • Etc. RAT Payload Configuration
  • 57. Malware Payload Configuration • Multiple ways exist to store the configuration inside the Stub • PE Resources Section • PE Custom Section • EOF (End Of File) • As with network communication, the configuration can be in any format • Plaintext : CSV, JSON, XML • Byte-encoded structures • Some Malware encrypts configuration data to hide sensitive data RAT Payload Configuration
  • 58. Malware Payload Configuration # PE (Portable Executable) Resources. PE layout: DOS Header, DOS Segment, PE Header, Section Tables, Section 1 … Section N. The .rsrc (Resource Section) holds: Icons, Version Info, Bitmaps, Custom Resources, Window Resources (Dialogs). * Related APIs: LockResource, LoadResource, UpdateResource, SizeOfResource… RAT Payload Configuration
  • 59. Malware Payload Configuration # PE (Portable Executable) Sections. Add a new section entry to the Section Tables (Section Address : 0x000FF12A, Size of section : N Bytes, Name of section : malconf); the PE layout becomes DOS Header, DOS Segment, PE Header, Section 1 … Section N, Custom Section at 0x000FF12A. Explore PE Header and Sections (PE Bear). The custom section holds the configuration as JSON / CSV / Structures etc., for example: { "cncaddr": [ "127.0.0.1", "192.168.0.11", "89.214.25.111", "lamer.no-ip.org", "lamer2.dyndns.org" ], "startup": { "enabled": true, "name": "svchost.exe" } [...] } RAT Payload Configuration
  • 60. Malware Payload Configuration # EOF (End of File) Payload configuration is simply appended at the end of the application file. Appending content at the end of an application file doesn't corrupt the application itself since it is out of the scope defined by the PE structure (SizeOfImage attribute defined in the PE Header > IMAGE_OPTIONAL_HEADER). Most antivirus products detect such behavior by comparing the size of the image (SizeOfImage) from the PE Header with the file size. Example (Pascal/Delphi) RAT Payload Configuration
  • 61. Malware Payload Formats: Binary Application, Script Files, Documents, Exploit Kit RAT Payload Format
  • 62. Malware An example of timeline (flowchart on the slide): Malware Execution → Anti-VM (Detected? Yes → Exit Process; No → continue) → Create Mutex (Exists? Yes → Exit Process; No → continue) → Installed? (No → Copy to destination location → Register location to startup → Extract embedded files → Download / Execute → Melting: ping + timeout, delete original copy, run installed copy; Yes → continue) → Initialize → Inject code into legitimate process (Explorer.exe ; Iexplore.exe ; firefox.exe) → Establish a connection to C&C RAT Infection Process
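Slides 59 and 60 describe two places a stub hides its configuration: a custom PE section and the bytes appended after the end of the file. The following added example (not from the slides; the slide's Pascal/Delphi code is not reproduced here) walks the PE headers with the standard library only, lists section names outside the usual linker set, decodes a JSON configuration from a named section, and measures the overlay. Note that SizeOfImage is the in-memory extent of the mapped image; the on-disk extent is the last section's PointerToRawData + SizeOfRawData, which is what the overlay check compares against the file length. The "malconf" section name, the JSON and overlay contents, the minimal PE32 skeleton used to exercise the checks, and the COMMON_SECTIONS heuristic list are all constructed.

```python
# Added example (not from the slides): find a custom configuration section and
# an end-of-file overlay in a PE file using only the standard library. The
# "malconf" name, the JSON/overlay contents, the PE32 skeleton and the
# COMMON_SECTIONS heuristic are constructed for this example.
import json
import struct

COMMON_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                   b".rsrc", b".reloc", b".tls", b".pdata", b".CRT"}
FILE_ALIGN = 0x200

def parse_pe(pe: bytes) -> dict:
    """Read the headers the checks need (layout is the same for PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    # SizeOfImage is at offset 56 of the optional header in both PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]
    sections = []
    for i in range(nsections):  # IMAGE_SECTION_HEADER entries are 40 bytes each
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rawsize,
                         "raw_pointer": rawptr})
    return {"size_of_image": size_of_image, "sections": sections}

def end_of_sections(pe: bytes) -> int:
    """File offset just past the last section's raw data: the on-disk extent."""
    return max((s["raw_pointer"] + s["raw_size"] for s in parse_pe(pe)["sections"]),
               default=0)

def find_overlay(pe: bytes) -> bytes:
    """Whatever was appended after the last section (the EOF trick above)."""
    return pe[end_of_sections(pe):]

def unusual_sections(pe: bytes) -> list:
    """Section names outside the usual linker set, e.g. a custom config section."""
    return [s["name"] for s in parse_pe(pe)["sections"]
            if s["name"] not in COMMON_SECTIONS]

def section_config(pe: bytes, name: bytes) -> dict:
    """Decode a JSON configuration stored in the named section."""
    for s in parse_pe(pe)["sections"]:
        if s["name"] == name:
            raw = pe[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]]
            return json.loads(raw.rstrip(b"\0"))
    raise KeyError(name)

def inspect_pe(pe: bytes) -> dict:
    """Summary an analyst would log for a suspicious file."""
    return {"size_of_image": parse_pe(pe)["size_of_image"], "file_size": len(pe),
            "end_of_sections": end_of_sections(pe),
            "overlay_size": len(find_overlay(pe)),
            "unusual_sections": unusual_sections(pe)}

def build_sample_pe(section_cfg: bytes, overlay: bytes) -> bytes:
    """Constructed, non-runnable PE32 skeleton: a .text section, a 'malconf'
    section holding section_cfg, and overlay appended after both."""
    bodies = [(b".text", b"\xC3" * 16), (b"malconf", section_cfg)]
    opt = bytearray(224)                         # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 40, FILE_ALIGN)  # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)      # SizeOfImage (in memory)
    table, data, raw_ptr, vaddr = b"", b"", FILE_ALIGN, 0x1000
    for name, body in bodies:
        if len(body) > FILE_ALIGN:
            raise ValueError("sample sections are one file-alignment unit")
        body = body.ljust(FILE_ALIGN, b"\0")
        table += struct.pack("<8sIIII", name, len(body), vaddr, len(body), raw_ptr)
        table += b"\0" * 16                      # relocs/linenumbers/characteristics
        data, raw_ptr, vaddr = data + body, raw_ptr + len(body), vaddr + 0x1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, len(opt), 0x0102)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(FILE_ALIGN, b"\0") + data + overlay

# Constructed configuration values in the shape shown on slide 59.
SAMPLE_CONFIG = json.dumps({"cncaddr": ["cnc.example.invalid"], "port": 1403,
                            "startup": {"enabled": True, "name": "svchost.exe"}}).encode()
SAMPLE_OVERLAY = b"cnc.example.invalid;1403;passw0rd"   # constructed EOF config

if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_CONFIG, SAMPLE_OVERLAY)
    print(inspect_pe(sample))
    print(section_config(sample, b"malconf"))
```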
  • 63. Conclusion Malware Introduction to Malware – Focus on Remote Administration Tool Family “Know your enemy” Malware
  • 64. Malware Introduction to Malware – Focus on Remote Administration Tool Family Conclusion # Malware is becoming more and more complex # The security industry and researchers are developing new techniques to fight advanced threats. # Understanding the concepts behind malware can help to stay protected
  • 65. Thank You Jean-Pierre LESUEUR Full Stack Developer x IT Security Researcher @DarkCoderSc Thomas ROCCIA Security Researcher, Advanced Threat Research at McAfee @fr0gger_ Q/A