Botconf 2016 – Day One
As with last year, Intrinsec was present at Botconf this year – https://www.botconf.eu/
This 4th edition took place in Lyon, at Lyon 2 University, from November 30th to December 2nd.
DAY 1
Links to the reports from the other days: Day 2 & Day 3
Title: Locky, Dridex, Necurs: the evil triad
The first presentation, titled "Locky, Dridex, Necurs: the evil triad," was given by Jean-Michel Picot (Google), who presented these malware families from Gmail's perspective and explained why they are hard to identify on the platform. Attackers use many different delivery vectors to infect their victims, such as "doc," "docx," "MSO," and "RTF" files. Furthermore, since only droppers (and not the full malware) travel by email, classification is difficult, and the same dropper may be obfuscated several times or with different tools.
The speaker presented a review of phishing campaigns that occurred around March 2015. He explained that the attacks came in waves, with significant spikes on weekends. Based on information Google was able to collect and analyze, it's possible that Locky and Dridex shared the same infrastructure. The Necurs botnet has since been shut down and its main operator arrested.
The final part of the presentation focused on the evasion methods used by the malware, such as:
- inserting JScript commands inside comments to make antivirus software stop
- obfuscating various keywords (notably 'eval')
- using COM component names, which are case-insensitive in JScript but case-sensitive in JavaScript
- calling 'sleep' to detect the presence of a sandbox
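The evasion list above maps directly onto static checks a mail gateway or sandbox could run on an attached script. The following is an added detection example written for this report (it is not code from the talk or from Google) that looks for three of the listed tricks in a constructed JScript fragment: a COM ProgID written in non-canonical case, a long `WScript.Sleep` delay, and `eval` that never appears literally but can be assembled from quoted string fragments. The sample input and the ProgID table are assumptions made for the example.

```python
import re

# Constructed JScript fragment used as sample input (not a real dropper).
SAMPLE_JSCRIPT = r"""
var sh = new ActiveXObject("wscript.SHELL");
WScript.Sleep(120000);
var e = "ev" + "al";
"""

# Canonical spellings of a few common ProgIDs (assumed list; extend as needed).
# JScript resolves ProgIDs case-insensitively, so odd casing carries no
# functional purpose and is a useful signature-evasion indicator.
CANONICAL_PROGIDS = {
    "wscript.shell": "WScript.Shell",
    "scripting.filesystemobject": "Scripting.FileSystemObject",
    "msxml2.xmlhttp": "MSXML2.XMLHTTP",
    "adodb.stream": "ADODB.Stream",
}

ACTIVEX_RE = re.compile(r'ActiveXObject\(\s*"([^"]+)"\s*\)')
SLEEP_RE = re.compile(r'WScript\.Sleep\(\s*(\d+)\s*\)', re.IGNORECASE)
LITERAL_EVAL_RE = re.compile(r'\beval\s*\(')
STRING_LITERAL_RE = re.compile(r'"([^"]*)"')


def find_case_variant_progids(src):
    """Return ProgIDs whose casing differs from the canonical spelling."""
    hits = []
    for m in ACTIVEX_RE.finditer(src):
        name = m.group(1)
        canon = CANONICAL_PROGIDS.get(name.lower())
        if canon is not None and name != canon:
            hits.append(name)
    return hits


def find_long_sleeps(src, threshold_ms=30000):
    """Return Sleep() arguments at or above threshold_ms (sandbox timeout evasion)."""
    return [int(m.group(1)) for m in SLEEP_RE.finditer(src)
            if int(m.group(1)) >= threshold_ms]


def eval_is_obfuscated(src):
    """True when 'eval' is never written literally but the quoted string
    fragments in the script concatenate to contain it. This is a coarse
    heuristic: it ignores ordering and will flag some benign scripts."""
    if LITERAL_EVAL_RE.search(src):
        return False
    joined = "".join(STRING_LITERAL_RE.findall(src))
    return "eval" in joined


def scan_jscript(src):
    """Aggregate the three checks into a findings dict for triage."""
    return {
        "case_variant_progids": find_case_variant_progids(src),
        "long_sleeps_ms": find_long_sleeps(src),
        "eval_obfuscated": eval_is_obfuscated(src),
    }


if __name__ == "__main__":
    for key, value in scan_jscript(SAMPLE_JSCRIPT).items():
        print(f"{key}: {value}")
```

Each check is weak on its own; the point of the talk is that droppers stack several of these, so a scoring rule that requires two or more findings before quarantining keeps false positives manageable.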
Title: Visiting the Bear's Den
This presentation aims to explain the methodology of the Sednit hacker group (also known as APT28, Fancy Bears, etc.). After a brief overview of the group's history and its typical targets (embassies and government ministries), Jessy Campos presents the group's modus operandi.
The group's infection phase is classic, using spear phishing and imitating known URLs to redirect the victim to a page containing an exploit kit (named SEDKIT). The exploit then compromises the machine via various CVEs to install SEDUPLOADER, which allows the group to download other binaries, such as SEDRECO, XAGENT, DOWNDELPH, mimikatz, and others.
Once the persistence actions and lateral movements have been carried out, the attackers extract the victims' passwords via keyloggers or screenshots.
Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR01-Visiting-Bears-Den-CAMPOS.pdf
Title: Lurk: the story about five years of activity
The conference resumed at 2:00 PM after the lunch break with "Lurk: the story about five years of activity," presented by Vladimir Kropotov and Fyodor Yarochkin (Trendmicro). The talk focused on the LURK group, whose activity dates back to 2011. Trendmicro's research is based on proxy logs, which show that the infrastructure has changed very little since operations began: simplistic URLs of the form "[A-Z0-9]{4}", unchanged filenames (indexm.html), etc. Some of these characteristics are shared with the Angler exploit kit (such as injecting payloads directly into memory), suggesting that the two groups are closely linked.
The LURK group relies on directly exploiting websites and adding malicious iframes or advertising networks to spread its malware, primarily by exploiting Flash and Java vulnerabilities. Like Necurs, the group typically launched its campaigns on weekends or the day before holidays.
Finally, the presentation ended with a video of the group's arrest by Russian law enforcement.
Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR02-LURK-KROPOTOV.pdf
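Because the LURK infrastructure traits described above are stable and visible in proxy logs, they lend themselves to a simple log hunt. The following is an added example for this report (not Trendmicro's code) that scans constructed proxy log lines for the two traits the talk mentions, a request path consisting of exactly four characters from [A-Z0-9] and a filename of indexm.html, and then raises confidence when one client shows both. The log format, hostnames (.invalid) and the interpretation of "[A-Z0-9]{4}" as the full URL path are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# Hostnames use the reserved .invalid TLD; none of these are real IoCs.
PROXY_LOG = """\
2016-11-30T09:12:01Z 10.0.0.5 GET http://example-news.invalid/articles/2016/11/story.html 200
2016-11-30T09:12:03Z 10.0.0.5 GET http://ad-host.invalid/Q7K2 200
2016-11-30T09:12:04Z 10.0.0.5 GET http://ad-host.invalid/indexm.html 200
2016-11-30T09:12:05Z 10.0.0.7 GET http://example-news.invalid/ABCD/page 200
2016-11-30T09:12:06Z 10.0.0.7 GET http://cdn.invalid/ab12 200
"""

# Trait 1: whole path is a four-character uppercase alphanumeric token.
SHORT_TOKEN_PATH = re.compile(r"^/[A-Z0-9]{4}$")
# Trait 2: the fixed landing-page filename from the talk.
INDEXM_FILENAME = "indexm.html"


def classify_url(url):
    """Return the list of LURK-style traits matched by a single URL."""
    path = urlparse(url).path
    reasons = []
    if SHORT_TOKEN_PATH.match(path):
        reasons.append("short-token-path")
    if path.rsplit("/", 1)[-1] == INDEXM_FILENAME:
        reasons.append("indexm-filename")
    return reasons


def flag_proxy_log(text):
    """Yield (client, url, reasons) for every log line matching a trait."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        reasons = classify_url(url)
        if reasons:
            findings.append((client, url, reasons))
    return findings


def clients_with_chain(findings):
    """Clients that hit both a short-token URL and indexm.html: the pairing
    looks like the redirect-then-landing-page sequence rather than a stray
    four-letter path, so it deserves a higher-severity alert."""
    seen = {}
    for client, _url, reasons in findings:
        seen.setdefault(client, set()).update(reasons)
    return {c for c, r in seen.items()
            if {"short-token-path", "indexm-filename"} <= r}


if __name__ == "__main__":
    hits = flag_proxy_log(PROXY_LOG)
    for client, url, reasons in hits:
        print(client, url, ",".join(reasons))
    print("chained clients:", clients_with_chain(hits))
```

The four-character path on its own is far too common to alert on (short URL shorteners, asset hashes), which is why the example only escalates when the same client also fetches the fixed filename; in a real deployment you would additionally bound the two requests to a short time window.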
Title: Browser-based Malware: Evolution and Prevention
Presented by Yandex Security, this talk walks through the techniques used to carry out MITB (Man-In-The-Browser) attacks, starting with the basic techniques and moving on to the newer ones used by current malware.
The principle of a Man-In-The-Browser (MITB) attack is to inject malicious code directly into the browser of the infected machine so as to insert JavaScript into targeted pages, often those of banks, email clients, or social networks. This technique has its problems, however: browser updates can render the malware inoperative, containerized applications complicate injection, and the large number of indicators of compromise (IOCs) left on the machine makes it easier to spot, etc.
Yandex Security researchers explain how MITB attacks have evolved to use browser extensions, or WFP (Windows Filtering Platform) proxies, which they illustrate with examples.
The conference concludes with some ways to detect these MITB attacks and the results obtained by the Yandex security team.
Title: Language Agnostic Botnet Detection Based on ESOM and DNS
In this talk, two researchers from Ruag present a language-agnostic method for detecting botnets. To achieve this, the researchers developed a detector based on ESOM (Emergent Self-Organizing Maps), a type of artificial neural network.
The researchers present the tool, the architecture used, and the botnets used to train the algorithm. The method categorizes botnets according to the DNS server they use.
Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR04-ESOM-DNS-MANDRYSCH.pdf
Title: Vawtrak Banking Trojan: A Threat to the Banking Ecosystem
For this presentation, two Blueliv researchers, Raashid Bhat and Victor Acin, introduce us to the Vawtrak Trojan. Formerly known as Neverquest, this Trojan appeared in November 2013 and is now among the top 5 financial Trojans.
After a presentation on the technical specifications of Vawtrak, such as its packer or the configuration of bots, the two researchers show us the communications with the Command & Control server, including the encryption used.
The botnet figures are also explained, such as the number of infections, the most affected countries, the number of IOCs detected, and the infrastructure of the two groups operating this botnet: Moskalvzapoe and Vawtrak Group.
Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR05-Vawtrak-ACIN-BHAT.pdf
Title: Snoring Is Optional: The Metrics and Economics of Cyber Insurance for Malware Related Claims
In this presentation, Wayne Crowder introduces insurance policies designed to cover digital risks. He notes that the costs of data breaches are increasing dramatically year after year. He then lists what insurance policies can cover regarding digital risks:
- Data leak
- Virus
- DDoS
- Etc.
The rest of the presentation aims to explain the advantages of insurance and the points to check to ensure you have good coverage in case of compromise.
In conclusion, he explains that insurance in the digital field will develop to complement operational security.
Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR06-SnoringOptional-WC-Botconf2016.pdf