CARO workshop 2017
Keynote Speakers
Peter Kruse: Booby-Trapping The Hacker's Tools
Partner and Head of Research and Intelligence, CSIS Security Group
Attackers are becoming constantly more and more creative and intelligent. We can’t argue that the offensive side has the upper hand. They decide where and how to attack, which tools, techniques and strategies to approach and their business is growing.

The security industry as a whole is outnumbered, and the odds are against us being able to prevent these attacks from happening in the future. When we “go back to the roots”, we soon realize that both the rules of the game and the threat landscape have changed. When we agree on that – even if it’s controversial – we might need to adapt to a more aggressive and offensive approach if we want to make a change and win the battle.

This keynote will highlight the challenges we are facing. We have insecure IoT devices numbering in the millions and growing, script kiddies utilizing phishing kits, and CEO fraud is on the rise. Additionally, CaaS (Crime as a Service) is being offered in darknet and underground markets, and our critical infrastructure systems are more interconnected than ever.

We, as an industry, have to follow the law. We are the janitors of the Internet and we should be proud of that. Yet our work consists in finding loopholes and gaps in the law and in the criminal’s architecture that would make it easier, or even possible, for us to track these individuals and pass the results to the law enforcement for legal action. Isn’t this approach better than the mass surveillance alternative?

Welcome to: Booby-trapping the hacker’s tools. A tale about offensive protection without breaking the law and 20 years of tracking criminals using a creative industry approach.

Peter Kruse co-founded the Danish IT-security company CSIS in 2003 and is currently leading the eCrime department, which provides services mainly aimed at the financial sector. His ability to combine a keen appreciation of business needs with a profound technical understanding of malware has made CSIS a valued partner of clients in both Scandinavia and the rest of Europe. Today, Peter is by far the most quoted IT-security expert in Denmark and considered among the most recognized in Europe. He has a long history of active participation in several closed and vetted top IT-security communities and has numerous international connections in the antivirus and banking industries, law enforcement and higher education institutions.

Peter Kosinar: Reversing the Power
Senior Research Fellow, ESET
Sometimes a single piece of malware reveals enough for the reverser to recognize other members of the same family immediately. Sometimes even having hundreds of them might not make the connection apparent. During our research, we encountered more than enough cases in which we saw separate pieces of a puzzle, separated not only by differences in code but also by large gaps in time, and for which the relationship was discovered only much later. Combining machine power with human logic allowed us to extend this kind of (re)search considerably – and doing so certainly bore fruit.

In one case of self-spreading malware, we made our way close enough to “Patient Zero”, stopping just short of reaching the final (or perhaps initial?) stop. In another one, tracing from the beginning and from the end allowed us to find a piece or two missing in between them. Most of the cases we looked at are examples of targeted attacks – although not necessarily what one would call an APT, since Persistence might not have been what the bad guys were after.

We are going to present several of these cases in which we saw the power hidden in numbers -- cases in which gathering a large number of samples thoroughly helped with tracing the lineage of malware. Some of the malware analysed had been described before – but only as separate, not-known-to-be-related cases, while our research would suggest tighter connections. Our presentation will also include a quick walk through the obstacles we encountered while finding and subsequently processing all the relevant malware samples.

After spending a few years in the area of computer security as an independent researcher, Peter joined ESET more than a decade ago as a malware researcher and later became one of the core developers behind its detection technology. Nowadays, his primary focus has shifted more toward detailed investigation of cases of particular interest (including targeted attacks, non-standard attack vectors and cryptanalysis), crime attribution and subsequent interaction with law enforcement.

In addition to his job, Peter also gives occasional lectures to students of computer science at both high-school and university levels on topics related to malware analysis and computer security in general.


The abstracts are listed in the order they are presented on the program.

Nigerian BEC: Tools, Techniques and Procedures, Gabor Szappanos (Sophos Plc)

  • Who are they?
  • What are their operating procedures?
  • What are the tools they are using?
These are the basic questions that arise when criminals are being investigated.

Nigerian criminals have been heavily involved in email scams for decades. They started with the classic 419 scams and then moved on to CEO spoofing, nowadays adding the (slightly) more sophisticated business email compromise (BEC) schemes, most notably payment diversions. In a typical payment diversion scheme the criminals use credential stealers in order to gain access to corporate email services, then look for pending invoices. Using the compromised account they send out updated invoices that divert the payments to the criminals’ bank account.

These criminals are known for their poor OpSec, and indeed, they leave a huge pile of tracks behind themselves. This presentation is not about entertaining the audience with their mistakes, but about mining through the tracks they left and using this information to understand them and their methods.

The compromise is not the work of a single individual; rather it is a larger, complex and organized group of people working together. The presentation will give an insight into and deep analysis of the workings and internal structure of an average Nigerian BEC group. At the top of the group are those responsible for the administration of the drop servers. Others prepare the keyloggers used in the attacks and hand them to the distributors, who collect the potential target addresses and send out the phishing emails. Finally, the operators are at the bottom of the food chain and work with the compromised accounts.

These criminals are not highly sophisticated computer experts. Instead of developing their own solutions, they heavily rely on commercial offerings from the underground markets:
  • Keyloggers
  • Exploit builders
  • Mass-mailers
We will also give an overview of the pre-infection, infection and post-infection process of the common BEC schemes including:
  • Target selection
  • Invoice generation
  • Mail bombing
  • Handling stolen credentials
  • Hijacking invoices
  • Other “recreational activities” like Facebook scams and traditional 419 scams
All this will be illustrated with real-life examples.


An Incursion in the Malware Packer Market, Cătălin Valeriu Liță, Doina Cosovan (Security Scorecard)

We propose an incursion into the malware packer market advertised on forums and focus particularly on describing how and why malware packers have evolved, the most interesting features of various actively used packers, and a price analysis. According to AV-Test, an independent organization that tests AV products, the number of malware variants has grown exponentially. The security vendors are continuously adapting and fighting them by using various advanced detection techniques like machine learning, memory scanning, emulators, and so on. Cybercriminals need to ensure the malware gets and stays undetected on as many machines as possible. To achieve this goal, they use packers in order to protect the malware code from anti-virus detection, reverse engineering, and dynamic analysis in virtualized environments. Since they are willing to spend good money on this type of protection, packer development for malware became a profitable business.

Thus, malware builders like Zeus, which in the beginning had their own packer as a feature of the builder, removed this component because their clients started to use a packer bought from the market instead of the one offered in the builder. The reasoning behind this is that a packer developed by a team specialized in packers is better than one added by a team specialized in writing malware.

To ensure malware samples remain undetected, packer developers issue frequent, sometimes daily, updates in response to detections added by anti-virus products. To stay undetected for a longer period of time, various techniques are used: providing personalized encryption techniques for each packer client, setting various sample characteristics (like the overlay size or the number of sections) to random values, using custom websites for sample scanning in order to avoid uploading files to VirusTotal (which shares samples with anti-virus vendors), and so on.

The prices for these packers vary from as low as $8 for a DarkShield packer monthly subscription to $150 for only one private file encryption from Most of the payments for these services are done in bitcoins, so they are untraceable.

Since the competition in the malware packer market is growing, packers have started to become better and packer developers are providing more and more features every day. They have even started to ensure persistence, disable specific processes and features related to reverse engineering, clean the computer of previous malware infections, and so on. Nowadays, all the malware creators have to do is focus on implementing the logic, because malware packer developers implement not only a huge variety of protection techniques, but everything malware needs to safely install on a system.

As use cases, we have investigated a set of almost 15 malware packers, which currently are being actively advertised on forums: Cloud Crypter, Darkeye Protector, Darkshield, Exploit.Im, Exterbyte Crypter, Flow Crypter, Fud.Io, iJuan, Janadark, Kazy Crypter, Lotuscrypt, Rata Protector, Shield Cryptor, Spartan Crypter, Static Crypt 4.

Going back to the “Router”, Chun Feng (Microsoft), Kafeine (Proofpoint)

Routers have been widely used by home users, small businesses, and large enterprises as the device to connect computers or mobile devices to the Internet. However, the security of routers has to some extent been overlooked by both vendors and users in the past. At the end of 2016, we noticed a new breed of exploit kit, which attempts to attack vulnerable routers rather than targeting endpoint devices like traditional exploit kits.
This presentation provides a detailed analysis of this new exploit kit and will address the following questions:

  1. Why is the router a good target for attackers?
  2. How does the exploit kit locate the router IP address with STUN protocol?
  3. Why is the claim “my-router-is-not-visible-or-accessible-from-Internet-therefore-it-is-safe” a myth?
  4. How does the exploit kit fingerprint the router model with “image fingerprint” technique?
  5. What are the attack vectors of this exploit kit (CSRF attack, “DNS changer”, etc.)?
  6. What are the common mistakes most users are making on their routers?
What’s the significance of such an attack? We studied the discrepancy between the benign DNS server and the malicious one used in this attack. In this presentation, we will shed some light on the goal of this kind of router attack.

We also want to point out that the security issues and the attack vectors go beyond routers. They can be applied to Internet of Things (IoT) devices as well. We will also provide some advice for both IoT and router vendors and users.

Contain Me If You Can!, Abhijit P. Kulkarni and Prakash D. Jagdale (Quickheal)

Abstract: Software containers are becoming commonplace. And so will the malware targeting containers and the related technology.

The Windows container feature is available on Windows Server 2016, Nano Server, and Windows 10 Professional and Enterprise (Anniversary Edition). Microsoft recommends anti-virus optimization for Windows Containers, which avoids redundant scanning of Windows Container files and helps improve container start-up time. Since performance is key, we expect all AV products will have no choice but to implement this. There lies the problem.

Each container has an isolated volume that represents the system volume to that container. A container isolation filter (wcifs.sys) provides a virtual overlay of package layers onto this container volume. If a container modifies a file, the isolation filter performs copy-on-write and replaces the placeholder with the contents of the package file. The paper will discuss the ways in which a rootkit sitting between the isolation filter and AV real time filter can fool the AV and trick it to skip the scanning thereby infecting the container and the host thereafter.

The paper will suggest the way in which AVs can tackle such a rootkit. Sample code and a demo showcasing the same will be presented.

The life story of an IPT - Inept Persistent Threat actor, Adam Haertle (UPC)

Abstract: The presentation will follow a Polish threat actor, known as "Thomas", in his career as a wannabe cybercriminal from late 2011 until today. We will watch his first steps on HackForums, where friendly vendors and free tools helped him to build his first botnet. We will follow his phishing and spam campaigns visible in the media and correlate them with tool purchases on HF. We will see how his tools evolved and botnets grew despite his total lack of technical and language skills, and how he even managed to perform targeted attacks against state institutions. We will celebrate with him as he bragged about successes and cry over his failures, as he attempted to pivot into banking fraud and got scammed by others on multiple occasions. We will look at his business strategies and monetisation vectors, including a botnet-as-a-service offering, while contemplating pricing strategies and ad design skills. We will watch him try to defraud competitors with a deceptive video demonstration of his own hacking tools, using the opportunity to get a glimpse of his desktop, and we'll look at an unsolicited interview he gave to a malware analyst while the latter reverse engineered one of his malware samples. Finally, we will discover his identity through multiple uncensored screenshots and end by trying to explain the legal hurdles due to which, despite being so well known to the LE community, he still remains at large. Every step of our travel through the timeline of his criminal career will be illustrated with relevant screenshots or videos, documenting his operations from both the victims' and the perpetrator's point of view.

How to get money for infecting and rooting your own Android device, Roman Unuchek (Kaspersky Lab)

Abstract: During the last year, we saw many apps in the Google Play Store which were infected with a Ztorg (‘Ghost Push’) Trojan.

In November 2016 we reported to Google almost 50 such infections, some of which had been installed more than 100 000 times.
Ztorg is a very sophisticated Trojan with a modular architecture. It uses several exploit packs to gain root privileges on an infected device.
We found out that these infected apps become popular in a very short time – sometimes reaching 10 000 installations within a day!

Therefore, we analyzed the reasons behind such popularity and found two main sources. The first reason is advertising modules in the regular apps, mostly belonging to popular advertising networks. The other source is apps that pay users for installing other apps from Google Play. Such apps receive these offers from several advertising networks. These malicious advertising offers will be shown in this research.

Tracking exploit kit criminals, Kalpesh Mantri (McAfee)

Abstract: Exploit kits (EKs) are one of the most effective ways to deploy malware in a more sophisticated manner. An exploit kit is an off-the-shelf software package containing easy-to-use packaged attacks on known and unknown (zero-day) vulnerabilities. Exploit kits take advantage of client-side vulnerabilities, typically targeting the web browser and applications that can be accessed by the web browser. These threats have evolved over the decades. Malware authors are employing advanced masquerading techniques to evade AV analysis and detection.

Even though kits are evolving, the criminals behind them are the same. The anti-virus industry can be strengthened against exploit kits by keeping track of kit criminals and finding their patterns in order to hunt for weaknesses in them. We will present our approaches on how we targeted kit authors by following and targeting patterns used by those threat actors. Once similarities and their logic are discovered, it becomes easy to disrupt and stop in-the-wild kits, especially those that target Flash vulnerabilities.

In our research paper we walk you through the approaches that we have taken to identify such exploit kit actors, to the extent of even revealing the actors’ orientations. We have been able to identify the actors’ domain registration patterns that were used to deploy the attack in the wild, thereby providing proactive protection to customers from such executions. Disrupting malicious actors’ orientations has helped us stay ahead of the actors. Let’s explore the digital mannerisms of actors using exploit kits as their weapon of attack.

I OWN YOU(R device) – Use and Abuse of Root privileges by Android Malware, Jagadeesh Chandraiah (Sophos)

Abstract: We have witnessed an increasing number of recent Android malware eyeing root access. Android OS comes with restricted system resource access for third-party applications. In order to perform malicious activities and make themselves persistent, much recent Android malware has started using exploits or publicly available rooting tools to gain root privileges on the device [1]. With root access, high-profile malware like Ghost Push was able to infect thousands of devices [1]. Most of this malware appears as legitimate apps and then later either downloads or uses a local exploit to get root access. After gaining root privileges this malware can steal Google account information, download other malicious applications, display advertisements, increase app reputation in app stores and contact command-and-control servers in the background. This malware also modifies system files like init.rc and to make itself hard to remove.

In this research, we want to discuss:
  • Different types of Android rooting, including systemless rooting.
  • Legitimate uses and necessity for Android device rooting.
  • The Android SafetyNet API and how it can also be used to detect rooting.
  • Android malware abusing root privileges, their rooting methods and commonly seen system modifications.
  • Different exploits and open source rooting tools and services used by Android malware.
  • Conclude with a discussion about the motive and the end game for the use of rooting by Android malware.

Spora: New Kid On The Block, Előd Kironský and Jakub Křoustek (AVAST)

Abstract: In 2016, ransomware clearly demonstrated that it is one of the biggest security threats and that it is challenging to fully protect against it. More than 200 new strains of ransomware were discovered in the last year, the number of in-the-wild ransomware samples doubled, and it targeted every major operating system.

Although most of the newly discovered ransomware strains are low-quality crap, some of them are really interesting and worth a deeper analysis because it is highly likely we will be facing them in the future.

In January 2017 a new ransomware strain dubbed Spora appeared on the malware scene. Spora stands out from the countless line of cloned .NET ransomware copycats created by script kiddies. It was written in C++ and has a very interesting design that allows encrypting in offline mode without the need for a CnC server infrastructure. Spora also has an innovative business model, calculating the ransom value based on the number and type of encrypted files.

Furthermore, to get even more money from victims, Spora also provides an immunity package to protect users from a future infection.

Ransomware with such a rich list of features must have ambitions to become a global player in this playground among the other strains such as Cerber or Locky. However, the vast majority of infections have so far been reported only from Russia and other post-Soviet countries, which caught our attention because these countries are rarely the main target of ransomware attacks.

We’ve been tracking Spora right from the beginning of its appearance. In our presentation, we will show the various spreading mechanisms used by Spora, how Spora juggles all the generated symmetric and asymmetric keys, what the spreading map looks like based on our sensors, and more. We will also give a technical analysis of the ransomware’s executable and provide information on how the encryption and decryption work. Last but not least, we will discuss possibilities of immunization, with an example of Spora’s own immunization tool and with our own method that is even more effective.

Hunting down MazarBOT, Lukas Stefanko (ESET), Peter Kruse (CSIS)

Abstract: MazarBOT was discovered approximately a year ago, as Denmark was the primary target of a massive smishing campaign. This turned out to be the first real SMS spam campaign to ever hit Denmark in large numbers, and the malware itself, introduced with a shortlink, targeted Android smartphones with a malicious APK. The name MazarBOT was given by the author, as he used it when advertising on several underground forums prior to its being used in the wild. Since then, we have observed MazarBOT being spread in similar geographically targeted attacks against e.g. China, the USA, Italy, Spain, Switzerland and the UK. The presentation will focus on the binary code and the MazarBOT C&C and infrastructure. This will also include infection statistics and a drop data overview. MazarBOT provides the most comprehensive C&C panel we have seen so far related to Android malware and is growing rapidly. The talk also highlights the potential author of MazarBOT and the group using it to harvest credit card data and "BankID" and "NemID" credentials with various 2FA bypass tricks.

A forensic approach to testing rootkit protection, Simon Edwards (SE Labs)

Abstract: This talk is on the topic of detecting the presence and activity of rootkits and rootkit-like malware when testing the abilities of Windows anti-malware products to detect and effectively remove or otherwise mitigate such threats.
I plan to cover a range of issues and techniques, including:
  1. The challenges rootkits pose for security vendors and testing organizations.
  2. Dedicated detection tools (e.g. GMER) – are these sufficient for checking a 'cleaned' system?
  3. Monitoring network activity from 'disinfected' hosts:
    • Different ways to do it, including on-host, transparent proxy, network tap, waiting for your ISP to alert you (hint: don't, but it can happen and did to us – just once!)
    • Amusing anecdote about how we independently (but accidentally) noticed the emergence of the (Mebroot/Sinowal/Torpig) MBR bootkit around 2007-8, using a transparent proxy.
  4. Offline memory analysis
    • Tools you'll need (all free), plus:
    • Alternatives, for when malware blocks the ones you use by default!
    • A real example analysis from our lab.
    • An exploration of a system infected with Stuxnet.
    • Physical versus virtual systems issues (inconvenient but realistic vs. easy but fallible).
  5. Important tips, including ways to prevent your anti-malware from damaging your samples…

Down but not out: The crypters that refuse to let VB6 malware die, Sanchit Karve (McAfee)

Abstract: Microsoft’s Visual Basic 6 (VB6) programming language gained immense popularity among software developers and hobbyist programmers due to its short learning curve for creating Windows applications. As with any popular programming language, malware authors took up VB6 to create file infectors, worms and Trojans in the early 2000s. Given that the compiled binary structure and the p-code instruction set are largely undocumented, there are no mature VB6 code emulators. This offers an evasion opportunity for VB6-based malware that malware authors have taken advantage of, and its use for creating malicious software has only gained momentum since the beginning of the new millennium.

Based on the analysis of over fourteen million VB6 samples submitted to McAfee Labs since 2012, we demonstrate that this is not the case anymore. Our data reveals that while VB6 malware has been steadily declining since 2012, only a handful of crypters are responsible for keeping VB6 alive as a malware platform today. These crypters account for upwards of 80% of new malicious VB6 samples submitted in the previous two years. We believe that the takedown of the VObfus/Beebone botnet is responsible for this phenomenon.

W32/VObfus was the most recent and prevalent standalone VB6 Trojan seen in the wild since 2007. After a coordinated effort by the anti-malware industry and law enforcement dismantled the botnet in April 2015, no other family in the VB6 malware space has taken its place. Instead, the dynamic of VB6 malware has shifted from self-contained malware to injectors for other malware families.

This paper describes our methodology and analysis of the state of VB6 malware since 2012. Our findings indicate that there are potentially a handful of groups utilizing VB6 for authoring malware crypters. We study the crypters used and document what makes them unique. As VB6 runtimes are pre-installed on Windows 10, malware using VB6 is well positioned for a possible resurgence. To prevent this from happening, we make recommendations on how the anti-malware industry can help kill the crypters keeping VB6 malware alive on its last crutch.

Tracking online counterfeiters, Emilio Casbas (

Abstract: The counterfeiting market makes up a vast global business where the fraud estimates are harder to quantify than for any other illegal activity. The existing datasets are largely incomplete and limited in terms of quality. The latest report (“Trade in Counterfeit and Pirated Goods, 2016”) published by the Organization for Economic Cooperation and Development (OECD) shows that trade in counterfeits amounted to up to 2.5% of world trade in 2013. Counterfeiting is a global issue which has become more complex as black market activities moved to the internet. The online counterfeiters create thousands of websites with different approaches as part of their strategy to lure unsuspecting shoppers. This paper presents the most common tactics of the online counterfeiters and their relation to the “black market commoditization”. It will show their resilience against takedown efforts and provide some guidance about how to detect them. With the knowledge acquired, a new kind of threat intelligence feed could be generated. This information (currently integrated into VT) might be integrated into existing security technologies such as proxies, Intrusion Detection Systems (IDSs) or Security Information and Event Management systems (SIEMs). The ultimate goal is to shed light on this increasing fraud vector so new detection capabilities can be deployed into existing services, thus protecting users from unsafe sites. This paper is based on research performed with an online service over two years analyzing the metadata of websites.

Criminal Preferences From a Grab Bag of New gTLDs, Merike Kaeo (Farsight Security)

Abstract: Going back to the root of the DNS and the domains immediately under it can give specific insights into criminal activity. While many generic Top-Level Domains (gTLDs) are legitimate, there are specific TLDs that are often used in abuse-related contexts such as spamvertised domains, domains used for phishing or malware C&Cs, etc. Passive DNS, along with Whois-based tools, allows us to estimate a model showing the relationships between the selection of those domains, their economic and privacy policies, the registrars cybercriminals empirically prefer, and other attributes that make some of these new gTLDs effectively persona non grata at a growing number of sites.

This talk will use empirical data to provide a mechanism for how to ascertain the gTLDs that are the preferred choice for criminal activity. The data used will be a combination of: historical Passive DNS information, WHOIS registration information and real-time flow data of newly observed delegation points and fully qualified domain names. Added global insights into recent Internet governance perspectives on abusive gTLDs will also be given.

Owning the attackers, slowly, Liam O’Murchu (Symantec Corporation)

Abstract: For the last TEN years Symantec has been tracking a group of career criminals as they moved from scam to scam, building and dismantling botnets as needed and enlisting the help of accomplices, both willing and innocent, to help rake in tens of millions of dollars.

After watching their activities closely we were able to identify the attackers, work with law enforcement to have them apprehended, have their botnet completely disabled and to recover some of the stolen funds. We also identified many of the victims, the amounts stolen, which scams were most profitable, the middle men used, communication strategies and operational security details of how the gang worked.

In this talk I will discuss the techniques we used to track the attackers, the reality of working with law enforcement on a case like this and the copious amounts of data we collected about how the attackers operated their scams, managed to stay hidden for so long and how their operational security ultimately failed them. I will provide key ‘lessons learned’ and success stories that will be useful to others undertaking such investigations.

Getting to the Root of Malware to Feed the Insatiable Machine, Gregory Panakkal (K7 Computing Pvt. Ltd.)

Abstract: Precision Machine Learning (ML) requires the preliminary step of capturing the maximum number of available traits from a scannable object. These traits, known as features or vectors, are key to accurately distinguishing between malware and clean files, and even between malware families.

However, the ability to extract distinct features from malware has been largely crippled by the use of commercial and custom protectors/obfuscators to hide the true code. Since static unpacking methods have proved ineffective against modern packed malware, various dynamic unpacking mechanisms have been developed to capture the runtime unpacked state. However, these dynamic techniques have drawbacks too, viz. they are susceptible to detection, and face severe limitations when scaled to handle the vast number of samples that must be processed to provide the core DNA for ML models.

This presentation explores the various unpacking techniques from legacy tracing and emulation to more modern techniques using DBI, Hypervisor, etc., and evaluates their efficacy with respect to modern malware families characterized by core-functional feature extraction. In addition, this presentation will exhibit an enhanced unpacking technique that is optimized for feature extraction on a much larger scale than current dynamic unpacking methods. A live demo of this enhanced technique will be given during the talk.

Rooting out what really happened last December, Anton Cherepanov and Robert Lipovský (ESET)

Abstract: December of 2016 was a very busy month for network administrators and security specialists in Ukraine. Three major disruptive cyber-attacks were carried out there toward the end of the year. The attacks were directed against several organizations responsible for Ukraine's critical infrastructure, including financial services, transport companies and a power grid operator. Each of these attacks had a very serious impact and met the definition of cyber-sabotage.

Cyber-sabotage is nothing new in the anti-malware industry, whose veterans can still remember how they fought against such disruptive threats as CIH targeting Win9x. What is relatively new in the industry, on the other hand, is targeted cyber-sabotage, especially if malware is capable of interacting with industrial control systems. One such malicious program was used in the attack against Ukraine in December.

All three of these attacks garnered a lot of attention from the media. Although both regional and international media covered these events extensively, an anti-malware industry audience will be interested in deeper technical details. That is why in our talk we will share insights about the discoveries and our research, including previously-unpublished technical information.

So join us as we get to the root of the question: What really did happen last December?


‘Disttrack-tion’ Alert: Beaconing A Ground-Zero Attack, Nicholas Ramos, Erwin Dusojan (Trend Micro)

Abstract: In the early days of digitalization, threat actors were motivated to destroy computer systems and become famous. Nowadays, cybercriminals' primary goal is to remain undetected while stealing digital assets. Surprisingly, a destructive malware named “Disttrack”, a.k.a. “Shamoon”, has resurfaced, breaking with the current threat landscape.

In 2012, one of the world's largest oil-production companies, based in the Middle East, was infected by Disttrack. In this incident, at least 30,000 computers were left devastated. After stealing data, the malware crippled compromised machines by wiping their files and overwriting the Master Boot Record (MBR). Security experts have considered this one of the most destructive cyber-attacks ever carried out on a private company.

“Disttrack” came back in 2016 as a far deadlier threat. Aside from its original payload, the new variant includes an attack on a specific Virtual Desktop Infrastructure (VDI) vendor's products: it deletes the snapshots that would otherwise allow a revert to a known working state, defeating a likely countermeasure.

The destructive malware has continued its campaign into 2017, damaging critical resources and making recovery a daunting task for enterprises. Organizations need a thorough understanding of its behavior in order to respond efficiently to future incidents. This paper aims to cover Disttrack's evolution, all of its notable characteristics, and effective strategies to defend against this threat.
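Because the abstract's recovery point is the overwritten MBR, an incident responder's first triage question for a suspect disk image is whether sector 0 still holds a sane boot record. The following is an added example, not Trend Micro's code and not derived from Disttrack itself: it parses a 512-byte MBR by the published layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports structural anomalies that an overwrite would leave behind. The sample sectors, including the boot stub bytes, are constructed for the example; what Disttrack actually writes over the MBR is not stated on this page and is not assumed here.

```python
"""MBR sanity check for wiper triage (added example; sample sectors are constructed)."""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446


def parse_mbr(sector: bytes) -> Dict:
    """Decode the partition table and signature of one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append({"index": index, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_all_zero": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": partitions,
    }


def mbr_anomalies(sector: bytes) -> List[str]:
    """Return human-readable reasons the sector does not look like a healthy MBR."""
    info = parse_mbr(sector)
    reasons = []
    if not info["signature_ok"]:
        reasons.append("missing 0x55AA boot signature")
    if info["boot_code_all_zero"]:
        reasons.append("boot code area is all zero")
    if not any(p["type"] != 0 for p in info["partitions"]):
        reasons.append("no partition entries")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):  # only 'inactive' and 'bootable' are legal
            reasons.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            reasons.append(f"entry {p['index']}: zero-length partition")
        if p["lba_start"] + p["sectors"] > 0xFFFFFFFF:
            reasons.append(f"entry {p['index']}: extent overflows 32-bit LBA space")
    return reasons


def build_clean_mbr() -> bytes:
    """Constructed healthy MBR: a short (assumed) boot stub and one NTFS partition."""
    boot_code = b"\x33\xC0\x8E\xD0" + b"\x00" * (PARTITION_TABLE_OFFSET - 4)
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF",
                       2048, 2_000_000)
    return boot_code + ntfs + b"\x00" * 48 + BOOT_SIGNATURE


def build_zeroed_mbr() -> bytes:
    """Constructed sector 0 after a zero-fill overwrite."""
    return bytes(SECTOR_SIZE)


def build_junk_mbr() -> bytes:
    """Constructed sector 0 after an overwrite with a non-zero byte pattern."""
    return bytes(range(256)) * 2


if __name__ == "__main__":
    for name, sector in (("clean", build_clean_mbr()),
                         ("zeroed", build_zeroed_mbr()),
                         ("junk", build_junk_mbr())):
        print(name, mbr_anomalies(sector) or "looks sane")
```

A sane signature alone is not proof of health: an attacker can overwrite the boot code and leave 0x55AA in place, which is why the check also inspects the partition entries. On a live Windows host the same sector can be read from `\\.\PhysicalDrive0` with 512-byte reads and fed to `mbr_anomalies` as-is.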


Stegano Exploit Kit, Ladislav Janko, Robert Lipovsky (ESET)

Abstract: As detection and mitigation improve, so do the methods used to conceal and spread malware. Online advertising has become an attractive platform for cybercriminals in their quest to reach the masses. Malvertising took on a new dimension last year, when the Stegano exploit kit hid in plain sight yet was difficult to detect and analyze because of the evasive techniques it used. The most significant aspect of the Stegano exploit kit was its scale and reach.

Stegano is an exploit kit that had been spreading via malicious ads on a number of major news websites since at least the beginning of October 2016. Named after the steganography technique it used, it served its malicious code to millions of users by embedding that code in the pixels of rogue ad banners. The attackers targeted several Flash Player remote code execution vulnerabilities, exploited through Internet Explorer, and only in particular geographic regions. They employed several advanced self-concealment methods to remain undetected for as long as possible. Where exploitation succeeded, the victims' systems were left exposed to further compromise by various malicious payloads, including backdoors, banking trojans, spyware, file stealers and various other downloaders.

Despite the attackers' efforts to remain undetected, many other security researchers were on their trail. Further analysis of the attacks, and comparison of our findings with those of our colleagues from Proofpoint and Trend Micro, revealed a link to the AdGholas campaign, which had previously used the Angler and Neutrino exploit kits.

In this presentation, we will go over the highlights of our research findings, providing a technical analysis of the Stegano exploit, including details on the stealthy steganography and self-concealment techniques used in the complex attacks. We will also look into the background of this campaign and discuss possible new attack vectors.