SlideShare una empresa de Scribd logo

Operation Buhtrap - AVAR 2015

ESET
ESET

This presentation from ESET researchers Jean-Ian Boutin, Anton Cherepanov and Jan Matusik explains the background of Operation Buhtrap.

Tecnología
1 de 58
Operation Buhtrap Jean-Ian Boutin, Anton Cherepanov, Jan Matušík AVAR – 2015
Outline • What? • How? • Campaigns • Targets • Tool • Evasion
Context: Operation Buthrap you say?
Operation Buhtrap – the basics • Financially motivated group targeting banks and businesses in Russia • Active since at least April 2014 • Uses spearphishing, exploit kits to run campaigns • Uses different people to code malware, exploit, test • Uses tools on sale in underground forums
Why are you talking about that? • More and more, groups are targeting commercial entities • They use techniques we used to see in espionage campaigns • We have seen several big attacks on businesses in the past, we believe we will see more, and operation Buhtrap is a good case study
The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
Stealthy • Checks for system language, applications installed, URLs visited to decide which package to download • Also checks for security software to modify which application version to install
Targets • Looking at • Decoy documents • URLs and application installed • Domains used • Businesses and more specifically accounting departments seemed to be the target of this group
Certificates • As we will see later on, downloaded packages contained a lot of files • Many of which were signed by valid certificates
Group • While we progress in our research it became clear that this was a group of organized people • Malware coder • Exploit coder • Testers • As will become apparent, they also had pretty good ties with cybercriminals selling tools and services in underground forums
This seemed like a suitable research • Group of people launching spearphishing attacks against Russian businesses • Using as much stealth as possible • Code signing certificate usage • Using modular code and 3rd party tools
Campaigns
Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
Tools – Overall Installation process • Through spam, operators are ultimately trying to have full control of the victim computer
Targets – Detection statistics Russia 88% Ukraine 10% Other 2%
Targets • Businesses, most probably accounting departments. Why this assumption? • Decoy documents, applications and URLs check and finally domains • Malicious domains used by cybercriminals: • store.kontur-expres.com  "SKB Kontur has been simplifying business accounting in Russia since 1988“ • help.b-kontur.org • forum.buhonline.info  buhonline.ru: forum content directed towards accountant • topic.buhgalter-info.com • balans2w.balans2.com
Infection Vector • Spearphishing with business oriented decoy documents
Infection Vector • Spearphishing with business oriented decoy documents
Side Story - Microsoft Word Intruder? • It is a kit, sold in underground forums that allow to build RTF documents exploiting several CVE • Shows the connections of this group: they got it 1 year before public disclosure
Side Story - Microsoft Word Intruder • Uses four exploits • CVE-2010-3333 • CVE-2012-0158 • CVE-2013-3906 • CVE-2014-1761 • Two modes of operation: INTERNAL and EXTERNAL • No decoy, malware payload must show one if needed • Several modifications, we see the kit evolving through the buhtrap campaign as well
Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
Tools – Usage of Decoy Second Stage • If those tests fail, it downloads a decoy package instead of the real second stage implant • Remember this picture?
Tools – Usage of Decoy Second Stage • In this case, the NSIS first stage implant downloads a fake 7z self- extracting executable
Tools – Usage of Decoy Second Stage • If we look at the installation script in the downloaded second stage, we see that they are using a malicious way to install the decoy package
Tools – Local Privilege Exploitation • They have been using several different exploits • First campaign was CVE-2013-3660 and Carberp trick in source code • Then in subsequent campaigns, we saw CVE-2014-4113, CVE-2015-2546 and CVE-2015-2387 (part of the Hacking Team leak) • Always had the x86 and x64 versions
Tools – Overall View of the Second stage Download • When the checks are satisfied, downloads the second stage malicious payload used to spy on their targets
Tools – System Preparation • xtm.exe - System preparation
Tools – mimikatz.exe • Tool used by pentesters (and others!) to access an account • Modified binary to issue following commands: privilege::debug and sekurlsa::logonPasswords to recover logon passwords
Tools – xtm.exe • 1c_export: tries to add a user to system • This package was no longer seen in later campaigns (NOT necessary for the initial compromise) • We have seen them later on they dropping it through the backdoor
Tools - Backdoor • lmpack.exe - Backdoor
Tools – lmpack.exe • Silent installation of litemanager, a remote administrator • Supposedly legit but, why silent installer? Detected as a PUA (potentially unsafe application)
Tools – Main Buhtrap module • pn_pack.exe – Spying Module
Tools – pn_pack.exe • Log all keystrokes and copy clipboard content • Enumerate smart cards present on the system • Handle C&C communications
Tools – pn_pack.exe • Uses dll-sideloading and decrypt main module on the fly • Uses well known application to hide • Yandex punto • The Guide • Teleport Pro
Tools – pn_pack.exe • RC4 for communications, but also to encrypt strings. NW is XOR with preceding byte and then RC4 encrypted • Two commands: download and execute module, download code and start new thread in it • only module present in later installment. Use existing functionalities to install all the remaining tools
New infection vector: Niteris EK
Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
Targets • Still (Russian) businesses • The dropper still contains the same script that checks for URLs, applications, debug app, etc
Infection Vector • They are no longer using MWI for this campaign • Spearphishing • Exploit Kit • Executable Attachments
Infection Vector – Executable attachments • Passport scan
Infection Vector – Niteris EK • Appeared in 2014 • Low prevalence, few malware distributed through it (ursnif, corkow) • Flash exploit – CVE-2014-0569
Tools – Evolved First Stage Downloaders • Distributed as Microsoft KB files • One dropper was very different, not NSIS, heavy usage of RC4 • LOTS of detection for security products • Sandbox (Sandboxie, Norman) • Virtual Machines (VMWare, VirtualBox, QEMU) • Python/Perl • Wine • User interaction • Downloads second stage if checks are satisfied
Tools – USB stealer • One component that was signed with certificate was a USB stealer • Copies file from drives A: and B: or USB drive to local folder • Skips .pdf, .doc and .mp3
The return of the MWI kit
Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Blog post released 4/9/2015 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Flash Player bundle 10/1/2015
Targets • They shifted their focus • Businesses • Banks
Infection Vector – Microsoft Word Intruder via spam • MWI again! • Possibly due to big rewrite • The overall infection workflow changed
Infection vector – Strategic Web Compromise • Late October, we saw that Ammyy.com was distributing Buhtrap
Infection vector – Strategic Web Compromise • Other malware were distributed through ammyy.com • Lurk downloader • Corebot • Ranbyus • Netwire RAT
Evasion
Evasion – bypassing AntiVirus • Tries to prevent antivirus updates • Tries to put their malware in exclusion list • Different packages depending on which internet security product is installed
Evasion – Anti-Forensics • mbrkiller.exe : NSIS installer that destroys MBR. Possibly used to wipe the computer after they are done with it • damagewindow.exe: shows a pop up screen saying there was a HDD failure and user should reboot system
Questions ? @jiboutin Thank you

Recomendados

2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
Kali presentation
Kali presentationKali presentation
Kali presentationZain Ul abadin
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 

Recomendados

2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
Kali presentation
Kali presentationKali presentation
Kali presentationZain Ul abadin
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber SecuritySatria Ady Pradana
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Jelmer de Reus
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014TGodfrey
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCanSecWest
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red TeamSatria Ady Pradana
 
(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linuxjulius77
 
Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]abdou Bahassou
 
Pa or die
Pa or diePa or die
Pa or dieSetia Juli Irzal Ismail
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP FRSecure
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 

Más contenido relacionado

La actualidad más candente

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Jelmer de Reus
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014TGodfrey
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCanSecWest
 
(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linuxjulius77
 
Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]abdou Bahassou
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali LinuxJason Murray
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP FRSecure
 

La actualidad más candente (20)

Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)Linux/Unix Night - (PEN) Testing Toolkits (English)
Linux/Unix Night - (PEN) Testing Toolkits (English)
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014Kali Linux - Falconer - ISS 2014
Kali Linux - Falconer - ISS 2014
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
(03 2013) guide to kali linux
(03 2013) guide to kali linux(03 2013) guide to kali linux
(03 2013) guide to kali linux
 
Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]Kali linux and some features [view in Full screen mode]
Kali linux and some features [view in Full screen mode]
 
Pa or die
Pa or diePa or die
Pa or die
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih Dekat
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 

Similar a Operation Buhtrap - AVAR 2015

Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityLumension
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
Attackers process
Attackers processAttackers process
Attackers processbegmohsin
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkWallarm
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 
VMI based malware detection in virtual environment
VMI based malware detection in virtual environmentVMI based malware detection in virtual environment
VMI based malware detection in virtual environmentAyush Gargya
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesSam Bowne
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...dmgerman
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 

Similar a Operation Buhtrap - AVAR 2015 (20)

Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
Attackers process
Attackers processAttackers process
Attackers process
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talk
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Metasploit
MetasploitMetasploit
Metasploit
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive security
 
VMI based malware detection in virtual environment
VMI based malware detection in virtual environmentVMI based malware detection in virtual environment
VMI based malware detection in virtual environment
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...The adoption of FOSS workfows in commercial software development: the case of...
The adoption of FOSS workfows in commercial software development: the case of...
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 

Más de ESET

ESET Cybersecurity students
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity studentsESET
 
ESET Cybersecurity training
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity trainingESET
 
How to implement a robust information security management system?
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?ESET
 
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...ESET
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
 
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...ESET
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
Shopping Online
Shopping OnlineShopping Online
Shopping OnlineESET
 
Banking Online
Banking OnlineBanking Online
Banking OnlineESET
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?ESET
 
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? ESET
 
Unpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresUnpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresESET
 
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET
 
ESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET
 
ESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET
 
#DoMore with ESET
#DoMore with ESET#DoMore with ESET
#DoMore with ESETESET
 
Learn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsLearn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsESET
 
Trends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet PrivacyTrends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet PrivacyESET
 
ESET Technology From
ESET Technology FromESET Technology From
ESET Technology FromESET
 

Más de ESET (20)

ESET Cybersecurity students
ESET Cybersecurity studentsESET Cybersecurity students
ESET Cybersecurity students
 
ESET Cybersecurity training
ESET Cybersecurity trainingESET Cybersecurity training
ESET Cybersecurity training
 
How to implement a robust information security management system?
How to implement a robust information security management system?How to implement a robust information security management system?
How to implement a robust information security management system?
 
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
#AntimalwareDay: The ESET Celebration of the Origins of Computer Defense in N...
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
AVAR Sydney 2014: Lemming Aid and Kool Aid: Helping the Community to Help Its...
 
ESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection RegulationESET Quick Guide to the EU General Data Protection Regulation
ESET Quick Guide to the EU General Data Protection Regulation
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Shopping Online
Shopping OnlineShopping Online
Shopping Online
 
Banking Online
Banking OnlineBanking Online
Banking Online
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?
 
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct? Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
 
Unpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasuresUnpack your troubles*: .NET packer tricks and countermeasures
Unpack your troubles*: .NET packer tricks and countermeasures
 
ESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business ProductsESET: #DoMore With Our Comprehensive Range of Business Products
ESET: #DoMore With Our Comprehensive Range of Business Products
 
ESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to EnterprisesESET: Delivering Benefits to Enterprises
ESET: Delivering Benefits to Enterprises
 
ESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large BusinessesESET: Delivering Benefits to Medium and Large Businesses
ESET: Delivering Benefits to Medium and Large Businesses
 
#DoMore with ESET
#DoMore with ESET#DoMore with ESET
#DoMore with ESET
 
Learn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platformsLearn more about ESET and our soulutions for mobile platforms
Learn more about ESET and our soulutions for mobile platforms
 
Trends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet PrivacyTrends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet Privacy
 
ESET Technology From
ESET Technology FromESET Technology From
ESET Technology From
 

Último

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Último (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Operation Buhtrap - AVAR 2015

  • 1. Operation Buhtrap Jean-Ian Boutin, Anton Cherepanov, Jan Matušík AVAR – 2015
  • 2. Outline • What? • How? • Campaigns • Targets • Tool • Evasion
  • 4. Operation Buhtrap – the basics • Financially motivated group targeting banks and businesses in Russia • Active since at least April 2014 • Uses spearphishing, exploit kits to run campaigns • Uses different people to code malware, exploit, test • Uses tools on sale in underground forums
  • 5. Why are you talking about that? • More and more, groups are targeting commercial entities • They use techniques we used to see in espionage campaigns • We have seen several big attacks on businesses in the past, we believe we will see more, and operation Buhtrap is a good case study
  • 6. The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
  • 7. The beginnings • We analyzed this, NSIS packed, first stage, which had interesting checks
  • 8. Stealthy • Checks for system language, applications installed, URLs visited to decide which package to download • Also checks for security software to modify which application version to install
  • 9. Targets • Looking at • Decoy documents • URLs and application installed • Domains used • Businesses and more specifically accounting departments seemed to be the target of this group
  • 10. Certificates • As we will see later on, downloaded packages contained a lot of files • Many of which were signed by valid certificates
  • 11. Group • While we progress in our research it became clear that this was a group of organized people • Malware coder • Exploit coder • Testers • As will become apparent, they also had pretty good ties with cybercriminals selling tools and services in underground forums
  • 12. This seemed like a suitable research • Group of people launching spearphishing attacks against Russian businesses • Using as much stealth as possible • Code signing certificate usage • Using modular code and 3rd party tools
  • 14. Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
  • 15. Tools – Overall Installation process • Through spam, operators are ultimately trying to have full control of the victim computer
  • 16. Targets – Detection statistics Russia 88% Ukraine 10% Other 2%
  • 17. Targets • Businesses, most probably accounting departments. Why this assumption? • Decoy documents, applications and URLs check and finally domains • Malicious domains used by cybercriminals: • store.kontur-expres.com  "SKB Kontur has been simplifying business accounting in Russia since 1988“ • help.b-kontur.org • forum.buhonline.info  buhonline.ru: forum content directed towards accountant • topic.buhgalter-info.com • balans2w.balans2.com
  • 18. Infection Vector • Spearphishing with business oriented decoy documents
  • 19. Infection Vector • Spearphishing with business oriented decoy documents
  • 20. Side Story - Microsoft Word Intruder? • It is a kit, sold in underground forums that allow to build RTF documents exploiting several CVE • Shows the connections of this group: they got it 1 year before public disclosure
  • 21. Side Story - Microsoft Word Intruder • Uses four exploits • CVE-2010-3333 • CVE-2012-0158 • CVE-2013-3906 • CVE-2014-1761 • Two modes of operation: INTERNAL and EXTERNAL • No decoy, malware payload must show one if needed • Several modifications, we see the kit evolving through the buhtrap campaign as well
  • 22. Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
  • 23. Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
  • 24. Tools – first stage • The first stage implant makes tons of checks to make sure the system is valuable and not a researcher’s system
  • 25. Tools – Usage of Decoy Second Stage • If those tests fail, it downloads a decoy package instead of the real second stage implant • Remember this picture?
  • 26. Tools – Usage of Decoy Second Stage • In this case, the NSIS first stage implant downloads a fake 7z self- extracting executable
  • 27. Tools – Usage of Decoy Second Stage • If we look at the installation script in the downloaded second stage, we see that they are using a malicious way to install the decoy package
  • 28. Tools – Local Privilege Exploitation • They have been using several different exploits • First campaign was CVE-2013-3660 and Carberp trick in source code • Then in subsequent campaigns, we saw CVE-2014-4113, CVE-2015-2546 and CVE-2015-2387 (part of the Hacking Team leak) • Always had the x86 and x64 versions
  • 29. Tools – Overall View of the Second stage Download • When the checks are satisfied, downloads the second stage malicious payload used to spy on their targets
  • 30. Tools – System Preparation • xtm.exe - System preparation
  • 31. Tools – mimikatz.exe • Tool used by pentesters (and others!) to access an account • Modified binary to issue following commands: privilege::debug and sekurlsa::logonPasswords to recover logon passwords
  • 32. Tools – xtm.exe • 1c_export: tries to add a user to system • This package was no longer seen in later campaigns (NOT necessary for the initial compromise) • We have seen them later on they dropping it through the backdoor
  • 33. Tools - Backdoor • lmpack.exe - Backdoor
  • 34. Tools – lmpack.exe • Silent installation of litemanager, a remote administrator • Supposedly legit but, why silent installer? Detected as a PUA (potentially unsafe application)
  • 35.
  • 36. Tools – Main Buhtrap module • pn_pack.exe – Spying Module
  • 37. Tools – pn_pack.exe • Log all keystrokes and copy clipboard content • Enumerate smart cards present on the system • Handle C&C communications
  • 38. Tools – pn_pack.exe • Uses dll-sideloading and decrypt main module on the fly • Uses well known application to hide • Yandex punto • The Guide • Teleport Pro
  • 39. Tools – pn_pack.exe • RC4 for communications, but also to encrypt strings. NW is XOR with preceding byte and then RC4 encrypted • Two commands: download and execute module, download code and start new thread in it • only module present in later installment. Use existing functionalities to install all the remaining tools
  • 40. New infection vector: Niteris EK
  • 41. Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Blog post released 4/9/2015 Flash Player bundle 10/1/2015
  • 42. Targets • Still (Russian) businesses • The dropper still contains the same script that checks for URLs, applications, debug app, etc
  • 43. Infection Vector • They are no longer using MWI for this campaign • Spearphishing • Exploit Kit • Executable Attachments
  • 44. Infection Vector – Executable attachments • Passport scan
  • 45. Infection Vector – Niteris EK • Appeared in 2014 • Low prevalence, few malware distributed through it (ursnif, corkow) • Flash exploit – CVE-2014-0569
  • 46. Tools – Evolved First Stage Downloaders • Distributed as Microsoft KB files • One dropper was very different, not NSIS, heavy usage of RC4 • LOTS of detection for security products • Sandbox (Sandboxie, Norman) • Virtual Machines (VMWare, VirtualBox, QEMU) • Python/Perl • Wine • User interaction • Downloads second stage if checks are satisfied
  • 47. Tools – USB stealer • One component that was signed with certificate was a USB stealer • Copies file from drives A: and B: or USB drive to local folder • Skips .pdf, .doc and .mp3
  • 48. The return of the MWI kit
  • 49. Timeline 2014 2015Q2 Q3 Q4 Q1 2015 Q2 Q3 Q4 Start of the first campaign (first known activity) 4/1/2014 Blog post released 4/9/2015 Start of the second campaign 4/10/2015 Passport Scan 8/1/2015 Return of the MWI 10/1/2015 Flash Player bundle 10/1/2015
  • 50. Targets • They shifted their focus • Businesses • Banks
  • 51. Infection Vector – Microsoft Word Intruder via spam • MWI again! • Possibly due to big rewrite • The overall infection workflow changed
  • 52. Infection vector – Strategic Web Compromise • Late October, we saw that Ammyy.com was distributing Buhtrap
  • 53. Infection vector – Strategic Web Compromise • Other malware were distributed through ammyy.com • Lurk downloader • Corebot • Ranbyus • Netwire RAT
  • 55. Evasion – bypassing AntiVirus • Tries to prevent antivirus updates • Tries to put their malware in exclusion list • Different packages depending on which internet security product is installed
  • 56. Evasion – Anti-Forensics • mbrkiller.exe : NSIS installer that destroys MBR. Possibly used to wipe the computer after they are done with it • damagewindow.exe: shows a pop up screen saying there was a HDD failure and user should reboot system
  • 57.