SlideShare uma empresa Scribd logo

Operation Buhtrap - AVAR 2015

•
•
ESET
ESET

This presentation from ESET researchers Jean-Ian Boutin, Anton Cherepanov and Jan Matusik explains the background of Operation Buhtrap.

Tecnologia
1 de 58
Operation Buhtrap Jean-Ian Boutin, Anton Cherepanov, Jan Matušík AVAR – 2015
Outline • What? • How? • Campaigns • Targets • Tool • Evasion
Context: Operation Buthrap you say?
Operation Buhtrap – the basics • Financially motivated group targeting banks and businesses in Russia • Active since at least April 2014 • Uses spearphishing, exploit kits to run campaigns • Uses different people to code malware, exploit, test • Uses tools on sale in underground forums
Why are you talking about that? • More and more, groups are targeting commercial entities • They use techniques we used to see in espionage campaigns • We have seen several big attacks on businesses in the past, we believe we will see more, and operation Buhtrap is a good case study
The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
Stealthy • Checks for system language, applications installed, URLs visited to decide which package to download • Also checks for security software to modify which application version to install
Targets • Looking at • Decoy documents • URLs and application installed • Domains used • Businesses and more specifically accounting departments seemed to be the target of this group
Certificates • As we will see later on, downloaded packages contained a lot of files • Many of which were signed by valid certificates
Group • While we progress in our research it became clear that this was a group of organized people • Malware coder • Exploit coder • Testers • As will become apparent, they also had pretty good ties with cybercriminals selling tools and services in underground forums
This seemed like a suitable research • Group of people launching spearphishing attacks against Russian businesses • Using as much stealth as possible • Code signing certificate usage • Using modular code and 3rd party tools
Campaigns
Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
Tools – Overall Installation process • Through spam, operators are ultimately trying to have full control of the victim computer
Targets – Detection statistics Russia 88% Ukraine 10% Other 2%
Targets • Businesses, most probably accounting departments. Why this assumption? • Decoy documents, applications and URLs check and finally domains • Malicious domains used by cybercriminals: • store.kontur-expres.com  "SKB Kontur has been simplifying business accounting in Russia since 1988“ • help.b-kontur.org • forum.buhonline.info  buhonline.ru: forum content directed towards accountant • topic.buhgalter-info.com • balans2w.balans2.com
Infection Vector • Spearphishing with business oriented decoy documents
Infection Vector • Spearphishing with business oriented decoy documents
Side Story - Microsoft Word Intruder? • It is a kit, sold in underground forums that allow to build RTF documents exploiting several CVE • Shows the connections of this group: they got it 1 year before public disclosure
Side Story - Microsoft Word Intruder • Uses four exploits • CVE-2010-3333 • CVE-2012-0158 • CVE-2013-3906 • CVE-2014-1761 • Two modes of operation: INTERNAL and EXTERNAL • No decoy, malware payload must show one if needed • Several modifications, we see the kit evolving through the buhtrap campaign as well
Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
Tools – Usage of Decoy Second Stage • If those tests fail, it downloads a decoy package instead of the real second stage implant • Remember this picture?
Tools – Usage of Decoy Second Stage • In this case, the NSIS first stage implant downloads a fake 7z self- extracting executable
Tools – Usage of Decoy Second Stage • If we look at the installation script in the downloaded second stage, we see that they are using a malicious way to install the decoy package
Tools – Local Privilege Exploitation • They have been using several different exploits • First campaign was CVE-2013-3660 and Carberp trick in source code • Then in subsequent campaigns, we saw CVE-2014-4113, CVE-2015-2546 and CVE-2015-2387 (part of the Hacking Team leak) • Always had the x86 and x64 versions
Tools – Overall View of the Second stage Download • When the checks are satisfied, downloads the second stage malicious payload used to spy on their targets
Tools – System Preparation • xtm.exe - System preparation
Tools – mimikatz.exe • Tool used by pentesters (and others!) to access an account • Modified binary to issue following commands: privilege::debug and sekurlsa::logonPasswords to recover logon passwords
Tools – xtm.exe • 1c_export: tries to add a user to system • This package was no longer seen in later campaigns (NOT necessary for the initial compromise) • We have seen them later on they dropping it through the backdoor
Tools - Backdoor • lmpack.exe - Backdoor
Tools – lmpack.exe • Silent installation of litemanager, a remote administrator • Supposedly legit but, why silent installer? Detected as a PUA (potentially unsafe application)
Tools – Main Buhtrap module • pn_pack.exe – Spying Module
Tools – pn_pack.exe • Log all keystrokes and copy clipboard content • Enumerate smart cards present on the system • Handle C&C communications
Tools – pn_pack.exe • Uses dll-sideloading and decrypt main module on the fly • Uses well known application to hide • Yandex punto • The Guide • Teleport Pro
Tools – pn_pack.exe • RC4 for communications, but also to encrypt strings. NW is XOR with preceding byte and then RC4 encrypted • Two commands: download and execute module, download code and start new thread in it • only module present in later installment. Use existing functionalities to install all the remaining tools
New infection vector: Niteris EK
Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
Targets • Still (Russian) businesses • The dropper still contains the same script that checks for URLs, applications, debug app, etc
Infection Vector • They are no longer using MWI for this campaign • Spearphishing • Exploit Kit • Executable Attachments
Infection Vector – Executable attachments • Passport scan
Infection Vector – Niteris EK • Appeared in 2014 • Low prevalence, few malware distributed through it (ursnif, corkow) • Flash exploit – CVE-2014-0569
Tools – Evolved First Stage Downloaders • Distributed as Microsoft KB files • One dropper was very different, not NSIS, heavy usage of RC4 • LOTS of detection for security products • Sandbox (Sandboxie, Norman) • Virtual Machines (VMWare, VirtualBox, QEMU) • Python/Perl • Wine • User interaction • Downloads second stage if checks are satisfied
Tools – USB stealer • One component that was signed with certificate was a USB stealer • Copies file from drives A: and B: or USB drive to local folder • Skips .pdf, .doc and .mp3
The return of the MWI kit
Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Blog post released 4/9/2015 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Flash Player bundle 10/1/2015
Targets • They shifted their focus • Businesses • Banks
Infection Vector – Microsoft Word Intruder via spam • MWI again! • Possibly due to big rewrite • The overall infection workflow changed
Infection vector – Strategic Web Compromise • Late October, we saw that Ammyy.com was distributing Buhtrap
Infection vector – Strategic Web Compromise • Other malware were distributed through ammyy.com • Lurk downloader • Corebot • Ranbyus • Netwire RAT
Evasion
Evasion – bypassing AntiVirus • Tries to prevent antivirus updates • Tries to put their malware in exclusion list • Different packages depending on which internet security product is installed
Evasion – Anti-Forensics • mbrkiller.exe : NSIS installer that destroys MBR. Possibly used to wipe the computer after they are done with it • damagewindow.exe: shows a pop up screen saying there was a HDD failure and user should reboot system
Questions ? @jiboutin Thank you

Recomendados

2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
Kali presentation
Kali presentationKali presentation
Kali presentationZain Ul abadin
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 

Recomendados

2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
Kali presentation
Kali presentationKali presentation
Kali presentationZain Ul abadin
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber SecuritySatria Ady Pradana
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Jelmer de Reus
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014TGodfrey
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCanSecWest
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red TeamSatria Ady Pradana
 
(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linuxjulius77
 
Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]abdou Bahassou
 
Pa or die
Pa or diePa or die
Pa or dieSetia Juli Irzal Ismail
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP FRSecure
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 

Mais conteĂşdo relacionado

Mais procurados

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Jelmer de Reus
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014TGodfrey
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCanSecWest
 
(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linuxjulius77
 
Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]abdou Bahassou
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP FRSecure
 

Mais procurados (20)

Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linux
 
Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]
 
Pa or die
Pa or diePa or die
Pa or die
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih Dekat
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 

Semelhante a Operation Buhtrap - AVAR 2015

Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityLumension
 
Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
Attackers process
Attackers processAttackers process
Attackers processbegmohsin
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkWallarm
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Metasploit
MetasploitMetasploit
MetasploitLalith Sai
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 
VMI based malware detection in virtual environment
VMI based malware detection in virtual environmentVMI based malware detection in virtual environment
VMI based malware detection in virtual environmentAyush Gargya
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesSam Bowne
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...dmgerman
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 

Semelhante a Operation Buhtrap - AVAR 2015 (20)

Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
Attackers process
Attackers processAttackers process
Attackers process
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talk
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Metasploit
MetasploitMetasploit
Metasploit
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive security
 
VMI based malware detection in virtual environment
VMI based malware detection in virtual environmentVMI based malware detection in virtual environment
VMI based malware detection in virtual environment
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 

Mais de ESET

ESET Cybersecurity students
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity studentsESET
 
ESET Cybersecurity training
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity trainingESET
 
How to implement a robust information security management system?
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?ESET
 
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...ESET
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
 
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...ESET
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
Shopping Online
Shopping OnlineShopping Online
Shopping OnlineESET
 
Banking Online
Banking OnlineBanking Online
Banking OnlineESET
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?ESET
 
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? ESET
 
Unpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresUnpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresESET
 
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET
 
ESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET
 
ESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET
 
#DoMore with ESET
#DoMore with ESET#DoMore with ESET
#DoMore with ESETESET
 
Learn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsLearn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsESET
 
Trends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet PrivacyTrends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet PrivacyESET
 
ESET Technology From
ESET Technology FromESET Technology From
ESET Technology FromESET
 

Mais de ESET (20)

ESET Cybersecurity students
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity students
 
ESET Cybersecurity training
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity training
 
How to implement a robust information security management system?
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?
 
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Shopping Online
Shopping OnlineShopping Online
Shopping Online
 
Banking Online
Banking OnlineBanking Online
Banking Online
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?
 
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
 
Unpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresUnpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasures
 
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business Products
 
ESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to Enterprises
 
ESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large Businesses
 
#DoMore with ESET
#DoMore with ESET#DoMore with ESET
#DoMore with ESET
 
Learn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsLearn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platforms
 
Trends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet PrivacyTrends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet Privacy
 
ESET Technology From
ESET Technology FromESET Technology From
ESET Technology From
 

Último

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂşjo
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Operation Buhtrap - AVAR 2015

  • 1. Operation Buhtrap Jean-Ian Boutin, Anton Cherepanov, Jan MatuĹĄĂ­k AVAR – 2015
  • 2. Outline • What? • How? • Campaigns • Targets • Tool • Evasion
  • 4. Operation Buhtrap – the basics • Financially motivated group targeting banks and businesses in Russia • Active since at least April 2014 • Uses spearphishing, exploit kits to run campaigns • Uses different people to code malware, exploit, test • Uses tools on sale in underground forums
  • 5. Why are you talking about that? • More and more, groups are targeting commercial entities • They use techniques we used to see in espionage campaigns • We have seen several big attacks on businesses in the past, we believe we will see more, and operation Buhtrap is a good case study
  • 6. The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
  • 7. The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
  • 8. Stealthy • Checks for system language, applications installed, URLs visited to decide which package to download • Also checks for security software to modify which application version to install
  • 9. Targets • Looking at • Decoy documents • URLs and application installed • Domains used • Businesses and more specifically accounting departments seemed to be the target of this group
  • 10. Certificates • As we will see later on, downloaded packages contained a lot of files • Many of which were signed by valid certificates
  • 11. Group • While we progress in our research it became clear that this was a group of organized people • Malware coder • Exploit coder • Testers • As will become apparent, they also had pretty good ties with cybercriminals selling tools and services in underground forums
  • 12. This seemed like a suitable research • Group of people launching spearphishing attacks against Russian businesses • Using as much stealth as possible • Code signing certificate usage • Using modular code and 3rd party tools
  • 14. Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
  • 15. Tools – Overall Installation process • Through spam, operators are ultimately trying to have full control of the victim computer
  • 16. Targets – Detection statistics Russia 88% Ukraine 10% Other 2%
  • 17. Targets • Businesses, most probably accounting departments. Why this assumption? • Decoy documents, applications and URLs check and finally domains • Malicious domains used by cybercriminals: • store.kontur-expres.com  "SKB Kontur has been simplifying business accounting in Russia since 1988“ • help.b-kontur.org • forum.buhonline.info  buhonline.ru: forum content directed towards accountant • topic.buhgalter-info.com • balans2w.balans2.com
  • 18. Infection Vector • Spearphishing with business oriented decoy documents
  • 19. Infection Vector • Spearphishing with business oriented decoy documents
  • 20. Side Story - Microsoft Word Intruder? • It is a kit, sold in underground forums that allow to build RTF documents exploiting several CVE • Shows the connections of this group: they got it 1 year before public disclosure
  • 21. Side Story - Microsoft Word Intruder • Uses four exploits • CVE-2010-3333 • CVE-2012-0158 • CVE-2013-3906 • CVE-2014-1761 • Two modes of operation: INTERNAL and EXTERNAL • No decoy, malware payload must show one if needed • Several modifications, we see the kit evolving through the buhtrap campaign as well
  • 22. Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
  • 23. Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
  • 24. Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
  • 25. Tools – Usage of Decoy Second Stage • If those tests fail, it downloads a decoy package instead of the real second stage implant • Remember this picture?
  • 26. Tools – Usage of Decoy Second Stage • In this case, the NSIS first stage implant downloads a fake 7z self- extracting executable
  • 27. Tools – Usage of Decoy Second Stage • If we look at the installation script in the downloaded second stage, we see that they are using a malicious way to install the decoy package
  • 28. Tools – Local Privilege Exploitation • They have been using several different exploits • First campaign was CVE-2013-3660 and Carberp trick in source code • Then in subsequent campaigns, we saw CVE-2014-4113, CVE-2015-2546 and CVE-2015-2387 (part of the Hacking Team leak) • Always had the x86 and x64 versions
  • 29. Tools – Overall View of the Second stage Download • When the checks are satisfied, downloads the second stage malicious payload used to spy on their targets
  • 30. Tools – System Preparation • xtm.exe - System preparation
  • 31. Tools – mimikatz.exe • Tool used by pentesters (and others!) to access an account • Modified binary to issue following commands: privilege::debug and sekurlsa::logonPasswords to recover logon passwords
  • 32. Tools – xtm.exe • 1c_export: tries to add a user to system • This package was no longer seen in later campaigns (NOT necessary for the initial compromise) • We have seen them later on they dropping it through the backdoor
  • 33. Tools - Backdoor • lmpack.exe - Backdoor
  • 34. Tools – lmpack.exe • Silent installation of litemanager, a remote administrator • Supposedly legit but, why silent installer? Detected as a PUA (potentially unsafe application)
  • 35.
  • 36. Tools – Main Buhtrap module • pn_pack.exe – Spying Module
  • 37. Tools – pn_pack.exe • Log all keystrokes and copy clipboard content • Enumerate smart cards present on the system • Handle C&C communications
  • 38. Tools – pn_pack.exe • Uses dll-sideloading and decrypt main module on the fly • Uses well known application to hide • Yandex punto • The Guide • Teleport Pro
  • 39. Tools – pn_pack.exe • RC4 for communications, but also to encrypt strings. NW is XOR with preceding byte and then RC4 encrypted • Two commands: download and execute module, download code and start new thread in it • only module present in later installment. Use existing functionalities to install all the remaining tools
  • 40. New infection vector: Niteris EK
  • 41. Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
  • 42. Targets • Still (Russian) businesses • The dropper still contains the same script that checks for URLs, applications, debug app, etc
  • 43. Infection Vector • They are no longer using MWI for this campaign • Spearphishing • Exploit Kit • Executable Attachments
  • 44. Infection Vector – Executable attachments • Passport scan
  • 45. Infection Vector – Niteris EK • Appeared in 2014 • Low prevalence, few malware distributed through it (ursnif, corkow) • Flash exploit – CVE-2014-0569
  • 46. Tools – Evolved First Stage Downloaders • Distributed as Microsoft KB files • One dropper was very different, not NSIS, heavy usage of RC4 • LOTS of detection for security products • Sandbox (Sandboxie, Norman) • Virtual Machines (VMWare, VirtualBox, QEMU) • Python/Perl • Wine • User interaction • Downloads second stage if checks are satisfied
  • 47. Tools – USB stealer • One component that was signed with certificate was a USB stealer • Copies file from drives A: and B: or USB drive to local folder • Skips .pdf, .doc and .mp3
  • 48. The return of the MWI kit
  • 49. Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Blog post released 4/9/2015 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Flash Player bundle 10/1/2015
  • 50. Targets • They shifted their focus • Businesses • Banks
  • 51. Infection Vector – Microsoft Word Intruder via spam • MWI again! • Possibly due to big rewrite • The overall infection workflow changed
  • 52. Infection vector – Strategic Web Compromise • Late October, we saw that Ammyy.com was distributing Buhtrap
  • 53. Infection vector – Strategic Web Compromise • Other malware were distributed through ammyy.com • Lurk downloader • Corebot • Ranbyus • Netwire RAT
  • 55. Evasion – bypassing AntiVirus • Tries to prevent antivirus updates • Tries to put their malware in exclusion list • Different packages depending on which internet security product is installed
  • 56. Evasion – Anti-Forensics • mbrkiller.exe : NSIS installer that destroys MBR. Possibly used to wipe the computer after they are done with it • damagewindow.exe: shows a pop up screen saying there was a HDD failure and user should reboot system
  • 57.