EMOTET IS DEAD, LONG LIVE EMOTET
Victor Acin
March 2020
TABLE OF CONTENTS
1. Myself
2. Emotet
  1. The malware
  2. The infrastructure
  3. Kill chain
  4. Spam analysis
3. Acting as a Loader
4. Conclusions
EMOTET_ROOTEDCON 2020
1. MYSELF
Victor Acin
Threat Analyst at Blueliv
• Background in ethical hacking
• Currently RE Team Lead
EMOTET – THE MALWARE
2. EMOTET
Appeared ~2012-2013
Feodo family
Wasn't considered a significant threat until later
Notable for:
• Using a configuration file with targeted banks
• Injecting DLLs into processes for monitoring
• Distributed via spam messages
2.1 THE MALWARE
Since its origins, Emotet has come a long way:
• Switch from banking Trojan to spammer/loader
• Developed into a modular Trojan
One of the most prolific malware families of all time
US Government estimates up to $1 million in remediation costs per incident
2.1 THE MALWARE
Notable features:
• Multiple modules available
• Use of Heaven's Gate
• Multiple persistence mechanisms
• Encrypted communications
  • protobuf
• VM detection
• Hash-based import resolution
2.1 THE MALWARE
Modules:
• NirSoft tools, harvesting module
  • Steal information from browsers, email clients
  • Extract information to be reused in spam campaigns
• Spam module
• Port forwarding
• Network spreading module
  • Includes WIFI, network resources
2.1 THE MALWARE
Hash-based import resolution
• Good for stealthiness
• Peculiar algorithm choice
  • sdbm: non-cryptographic hash
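An analyst-side helper for the hash-based import resolution described above, added here and not from the talk: it implements the textbook 32-bit sdbm and builds a reverse table from known export names so the hashes found in a sample can be annotated. The export list, the optional XOR key parameter and the plain-ASCII hashing are assumptions; the slides only state that the algorithm is sdbm, so a given sample may use a variant that must be confirmed in the disassembly.

```python
"""sdbm hash helper for annotating hash-based import resolution.

Added example, not from the talk. Textbook sdbm:
    hash = c + (hash << 6) + (hash << 16) - hash   (i.e. hash * 65599 + c)
truncated to 32 bits. Case folding or an XOR key are common per-sample
variants; the xor_key parameter below is an assumption for that case.
"""
from typing import Dict, Iterable, List, Tuple


def sdbm32(name: str) -> int:
    """Textbook sdbm over the ASCII bytes of `name`, truncated to 32 bits."""
    h = 0
    for byte in name.encode("ascii"):
        h = (byte + (h << 6) + (h << 16) - h) & 0xFFFFFFFF
    return h


# Hypothetical export list an analyst would dump from the DLLs of interest
# (for example with pefile); a short constructed subset is enough here.
KNOWN_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["CreateProcessW", "VirtualAlloc", "GetProcAddress", "LoadLibraryW"],
    "advapi32.dll": ["CreateServiceW", "RegSetValueExW"],
}


def build_lookup(exports: Dict[str, List[str]] = KNOWN_EXPORTS,
                 xor_key: int = 0) -> Dict[int, List[Tuple[str, str]]]:
    """Map sdbm(name) ^ xor_key -> [(dll, name)].

    Collisions are kept as a list instead of silently overwritten, so a
    resolver output with two candidates is visible to the analyst.
    """
    table: Dict[int, List[Tuple[str, str]]] = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(sdbm32(name) ^ xor_key, []).append((dll, name))
    return table


def resolve(hashes: Iterable[int],
            lookup: Dict[int, List[Tuple[str, str]]]) -> Dict[int, List[Tuple[str, str]]]:
    """Annotate hashes pulled from a sample; unknown values stay marked unresolved."""
    return {h: lookup.get(h, [("?", "unresolved")]) for h in hashes}


if __name__ == "__main__":
    table = build_lookup()
    # Constructed input: two hashes the table knows, one it does not.
    for h, hits in resolve([sdbm32("VirtualAlloc"), sdbm32("CreateServiceW"), 0xDEADBEEF], table).items():
        print(f"{h:#010x} -> {hits}")
```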
2.1 THE MALWARE
Persistence mechanisms
• Create a new service
• Registry Run key as fallback
2.1 THE MALWARE
Use of Heaven's Gate technique
• Used to perform x64 syscalls from a x32 process
• Used to inject into a x64 process from x32
• Needed by Emotet for email harvesting
• Disrupts analysis
  • Most debuggers don't have support
EMOTET – KILL CHAIN
2.2 KILL CHAIN
Everything starts with an email and an attachment... (or sometimes a link)
2.2 KILL CHAIN
• Typically the document contains a VBA macro which will spawn a PowerShell process and execute the payload
2.2 KILL CHAIN
Some of the macros will instead use wscript to execute a JavaScript payload, with a similar purpose.
• Some organizations have disabled PowerShell execution
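Detection logic for the macro stage described on the last two slides, added here and not from the talk: it flags an Office application spawning PowerShell, or wscript/cscript running a JavaScript file, over a batch of constructed process-creation events. The Sysmon-style field names and the sample events are assumptions, not a product schema.

```python
"""Detection for the macro stage of the Emotet kill chain described above.

Added example, not from the talk. It models the two launch paths the slides
describe (PowerShell by default; wscript + JavaScript where PowerShell is
disabled) as a parent/child process rule. Events are constructed in a
simplified Sysmon-like shape; the field names are an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str          # basename of the new process image
    parent_image: str   # basename of the parent process image
    cmdline: str


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a rule name when the parent/child pair matches the macro stage, else None."""
    parent = ev.parent_image.lower()
    child = ev.image.lower()
    if parent not in OFFICE_PARENTS:
        return None          # e.g. an admin starting PowerShell from explorer is out of scope
    if child in POWERSHELL:
        return "office->powershell"
    if child in SCRIPT_HOSTS:
        # The wscript variant runs a JavaScript payload; other script-host children are a weaker hit
        return "office->wscript(js)" if ".js" in ev.cmdline.lower() else "office->wscript"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch of process-creation events and collect (pid, rule) hits."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev.pid, rule))
    return hits


# Constructed sample batch: a document being opened, the two malicious launch
# paths, an admin shell and a benign Office helper child.
EVENTS = [
    ProcEvent(4100, "WINWORD.EXE", "explorer.exe", '"WINWORD.EXE" invoice.doc'),
    ProcEvent(4102, "powershell.exe", "WINWORD.EXE", "powershell -w hidden -enc <constructed>"),
    ProcEvent(4107, "wscript.exe", "WINWORD.EXE", r"wscript.exe C:\Users\Public\invoice.js"),
    ProcEvent(4110, "powershell.exe", "explorer.exe", "powershell"),
    ProcEvent(4115, "splwow64.exe", "EXCEL.EXE", "splwow64.exe 12288"),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

The same parent/child relationship is what the Microsoft Defender attack surface reduction rule "Block all Office applications from creating child processes" enforces preventively, so the detection doubles as a check that the rule is actually in effect.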
2.2 KILL CHAIN
The payload will contact a (typically) compromised server, and it will download the actual Emotet binary.
2.2 KILL CHAIN
The binary contains a list of hardcoded IPs and the necessary encryption keys to communicate with the C2.
1. After being executed, it will call home
  1. If not using the most recent Emotet version, the server will provide an updated sample
  2. If using the most recent version, it will return the modules
2.2 KILL CHAIN
The modules are executed using different techniques depending on the module…
…but we will not get into that in this talk.
Depending on the campaign, Emotet will then deploy the next payload: Trickbot, Dridex, Pandabanker, etc.
EMOTET – THE INFRASTRUCTURE
2.3 THE INFRASTRUCTURE
Emotet infrastructure has mainly three components:
• Compromised servers
  • Drop the first stage
• Regular C2 servers
• Module-specific C2 servers
2.3 THE INFRASTRUCTURE
Encrypted communications (C2 servers)

EMOTET DATA PACKET (RESPONSE)
RSA_SIGNATURE(MESSAGE)
AES_ENCRYPT(MESSAGE)
SHA1(MESSAGE)
PROTOBUF_ENCODE(ACTUAL DATA)

EMOTET DATA PACKET (REQUEST)
BASE64(PAYLOAD)
RSA_ENCRYPT(AES KEY)
AES_ENCRYPT(MESSAGE)
SHA1(MESSAGE)
PROTOBUF_ENCODE(ACTUAL DATA)

Protobuf:
• Protocol Buffers by Google
• Data serializer
Emotet uses a modified version. If you want to play around with this...
https://d00rt.github.io/emotet_network_protocol/
2.3 THE INFRASTRUCTURE
The request itself has changed a lot over time:
• Changes in response code
• Changes in request type POST->GET
• Different path generation
  • Based on serial number of infected bot
  • Based on keyword list
• Data embedded in POST data, cookie...
2.3 THE INFRASTRUCTURE
The infrastructure is also constantly changing:
• Compromised servers
• RSA keys used
• C2 available
And apparently, subdivided in different infrastructures
2.3 THE INFRASTRUCTURE
Trend Micro identified two different infrastructures in Nov 2018:
• Different RSA keys
• Different C2 combinations
• Grouped by compilation time (EPOCH)
https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
2.3 THE INFRASTRUCTURE
Even before then, the research group Cryptolaemus was already sharing Emotet IOCs
• Different infrastructures
• Divided by Epoch
• At least a month before the blogpost
2.3 THE INFRASTRUCTURE
With time, identifying the Epochs has become more difficult:
• Three infrastructures instead of two
• Identified based on:
  • C2 relationship
  • RSA key (unique per Epoch)
  • Document dropper creation time
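A small clustering routine for the Epoch identification criteria just listed, added here and not from the talk or from Cryptolaemus' tooling: samples are linked when they share an RSA key fingerprint or a hardcoded C2, the connected components are the candidate Epochs, and the dropper creation time is used to describe each group. All sample labels, key fingerprints and IP:port values are constructed placeholders.

```python
"""Grouping Emotet samples into infrastructures (Epochs) from the indicators the slides list.

Added example, not from the talk. Each constructed record holds the RSA key
fingerprint and the hardcoded C2 list extracted from one sample. Samples are
linked by a shared RSA key or a shared C2; connected components are the
candidate Epochs. Dropper creation time only describes a group, it never
merges one. Hashes, fingerprints and IPs are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass
class Sample:
    sha256: str             # constructed label standing in for the sample hash
    rsa_fingerprint: str    # constructed fingerprint of the embedded RSA public key
    c2: Set[str]            # constructed ip:port entries from the hardcoded list
    dropper_time: datetime  # creation time of the document dropper


class UnionFind:
    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, i: int) -> int:
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_epochs(samples: List[Sample]) -> List[List[str]]:
    """Connected components over samples linked by a shared RSA key or a shared C2."""
    uf = UnionFind(len(samples))
    by_key: Dict[str, List[int]] = defaultdict(list)
    by_c2: Dict[str, List[int]] = defaultdict(list)
    for i, s in enumerate(samples):
        by_key[s.rsa_fingerprint].append(i)
        for c in s.c2:
            by_c2[c].append(i)
    for idxs in list(by_key.values()) + list(by_c2.values()):
        for j in idxs[1:]:
            uf.union(idxs[0], j)
    groups: Dict[int, List[str]] = defaultdict(list)
    for i, s in enumerate(samples):
        groups[uf.find(i)].append(s.sha256)
    # Largest group first, then by first label, so the output is deterministic
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def describe(samples: List[Sample], group: List[str]) -> dict:
    """Summarise one Epoch candidate: keys seen, distinct C2s, and dropper time span."""
    members = [s for s in samples if s.sha256 in group]
    keys = sorted({s.rsa_fingerprint for s in members})
    c2s = set().union(*(s.c2 for s in members))
    times = [s.dropper_time for s in members]
    return {"rsa_keys": keys, "c2_count": len(c2s),
            "first_seen": min(times), "last_seen": max(times)}


def bridging_c2(samples: List[Sample]) -> Dict[str, List[str]]:
    """C2s seen under more than one RSA key. Review these before trusting a merge:
    a compromised host reused across Epochs would wrongly join two groups."""
    keys_per_c2: Dict[str, Set[str]] = defaultdict(set)
    for s in samples:
        for c in s.c2:
            keys_per_c2[c].add(s.rsa_fingerprint)
    return {c: sorted(k) for c, k in keys_per_c2.items() if len(k) > 1}


# Constructed corpus: A/B share key K1; C rotated to K2 but overlaps B's C2;
# D/E share K3 with disjoint C2s; F stands alone.
SAMPLES = [
    Sample("sample-A", "K1", {"198.51.100.10:8080", "198.51.100.11:443"}, datetime(2020, 1, 6, 9, 0)),
    Sample("sample-B", "K1", {"198.51.100.11:443", "203.0.113.5:80"}, datetime(2020, 1, 13, 10, 30)),
    Sample("sample-C", "K2", {"203.0.113.5:80", "203.0.113.9:7080"}, datetime(2020, 2, 3, 8, 15)),
    Sample("sample-D", "K3", {"192.0.2.20:443"}, datetime(2020, 1, 7, 11, 0)),
    Sample("sample-E", "K3", {"192.0.2.21:8080"}, datetime(2020, 1, 20, 12, 0)),
    Sample("sample-F", "K4", {"192.0.2.99:443"}, datetime(2020, 2, 10, 14, 0)),
]

if __name__ == "__main__":
    for g in cluster_epochs(SAMPLES):
        print(g, describe(SAMPLES, g))
    print("bridging C2:", bridging_c2(SAMPLES))
```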
2.3 THE INFRASTRUCTURE
Let's try to draw something as well!
2.3 THE INFRASTRUCTURE
[Infrastructure graph: >=8 RSA nodes; 2 RSA nodes; 1 RSA node is white]
First rule of TI:
• No one has visibility over absolutely everything
• We're missing data too
Tracking Emotet is not that easy
• Many factors to take into account
• Server responses may vary by country, time of day
• Protocol changes affect emulator effectiveness
EMOTET – SPAM
2.4 SPAM
The success of Emotet is driven by:
• Quality of spam sent
• Sheer volume of spam the botnet is capable of producing
2.4 SPAM
Spam quality:
• Even when using "generic" spam messages, these are tailored for the targeted countries
2.4 SPAM
Spam quality:
• Replying to existing emails
2.4 SPAM
Volume:
• Distributed samples
• Emails sent
2.4 SPAM
Spam by topic (based on subject):

Topic       Subject
Name        Name of the victim
No subject  No subject
Response    Reply-related subject
Finance     Invoices, budgeting
Info        Information-related subject
Spam        Literal spam subject
Work        Job offers, workplace
2.4 SPAM
Spam by language (top 9)

Language    Emails
English     772435
Italian     298895
German      281624
Spanish     214543
Korean       86879
Portuguese   66133
Japanese     63563
Romanian     39538
Catalan      38289
2.4 SPAM
Spam by recipient domain (top 9)

Domain            Count
gmail.com         124442
hotmail.com        72160
libero.it          54088
NPS.K12.NJ.US      48091
liconsa.gob.mx     46686
dyauto.kr          37668
yahoo.com          35803
emirates.net.ae    17076
comcast.net        16878
2.4 SPAM
Spam by recipient domain

Domain                    #Email
marriottluxurybrands.com   16691
powerlinksworld.com        16389
yahoo.es                   15492
daimler.com                12320
indeedemail.com            12168
arsial.it                  12051
amarasanctuary.com         11559
2.4 SPAM
The Emotet gang has also taken advantage of other events or public figures such as:
• Climate-change related emails mentioning Greta Thunberg
• Coronavirus
Image source: Proofpoint
2.4 SPAM
Renting/side-gig with sextortion emails:
• Claiming to have videos of someone "satisfying" themselves
• Threatening to send them to all contacts
• The recipient gets infected with Emotet anyway...
ACTING AS A LOADER
3. ACTING AS A LOADER
Emotet's main objective is to act as a loader.
It has been seen distributing many different types of malware, but some of the most relevant today are:
• Dridex
• Trickbot
• Pandabanker
3. ACTING AS A LOADER
Many of these also combine themselves with ransomware, creating a devastating combination for many companies
• Triple threat: Emotet + Trickbot + Ryuk
Image credit: Cybereason
3. ACTING AS A LOADER
There have been some reported incidents:
• Berlin High Court (Kammergericht)
• Frankfurt (preemptive shutdown)
• Prosegur
• Cadena Ser
But many happen under the radar
3. ACTING AS A LOADER
New trends in ransomware:
• Maze
• Doppelpaymer
• Nemty
CONCLUSIONS
4. CONCLUSIONS
Emotet will keep growing its assets:
• Ramping up distribution
• Better spam campaigns
New trends in ransomware:
• More groups will join the leak-threat
4. CONCLUSIONS
Next steps:
• Contacting Cryptolaemus about the data discrepancy
• Keep investigating the Emotet gang
Educate users on this threat:
• Spam techniques used
• Infection vectors
Learn about their TTPs
https://community.blueliv.com

Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin

  • 1. EMOTET IS DEAD, LONG LIVE EMOTET. Victor Acin, March 2020
  • 2. TABLE OF CONTENTS (slide footer: EMOTET_ROOTEDCON 2020)
      1. Myself
      2. Emotet: 1. The malware; 2. The infrastructure; 3. Kill chain; 4. Spam analysis
      3. Acting as a loader
      4. Conclusions
  • 3. 1. MYSELF
      Victor Acin, Threat Analyst at Blueliv
      • Background in ethical hacking
      • Currently RE Team Lead
  • 5. 2. EMOTET
      Appeared ~2012-2013, Feodo family. Wasn't considered a significant threat until later.
      Notable for:
      • Using a configuration file with targeted banks
      • Injecting DLLs into processes for monitoring
      • Distributed via spam messages
  • 6. 2.1 THE MALWARE
      Since its origins, Emotet has come a long way:
      • Switched from banking Trojan to spammer/loader
      • Developed into a modular Trojan
      One of the most prolific malware families of all time. The US Government estimates up to $1 million in remediation costs per incident.
  • 7. 2.1 THE MALWARE
      Notable features:
      • Multiple modules available
      • Use of Heaven's Gate
      • Multiple persistence mechanisms
      • Encrypted communications
      • protobuf
      • VM detection
      • Hash-based import resolution
  • 8. 2.1 THE MALWARE
      Modules:
      • NirSoft tools, harvesting module
      • Steal information from browsers and email clients
      • Extract information to be reused in spam campaigns
      • Spam module
      • Port forwarding
      • Network spreading module
      • Includes Wi-Fi and network resources
  • 11. 2.1 THE MALWARE
      Hash-based import resolution
      • Good for stealthiness
      • Peculiar algorithm choice: sdbm, a non-cryptographic hash
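Because the hash is not cryptographic and the algorithm is public, the analyst's answer to hash-based import resolution is a lookup table: hash every export name of the DLLs the sample loads and map the values found in the binary back to names. The script below is an added example written for this page, not code from the talk or from Emotet. It assumes the textbook sdbm definition (h = c + (h << 6) + (h << 16) - h, kept to 32 bits); any per-sample variation (different constants, case folding, an XOR key) is not stated on the slides and would have to be confirmed in the disassembly before the table is trusted. The export list and the scanned blob are constructed for the demo.

```python
"""Analyst-side resolver for sdbm API-name hashes (added example).

Assumes the textbook sdbm string hash; Emotet-specific tweaks, if any,
are an open question on the slides and must be checked against a sample.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def sdbm(name: str) -> int:
    """Textbook sdbm hash of an ASCII export name, truncated to 32 bits."""
    h = 0
    for byte in name.encode("ascii"):
        h = (byte + (h << 6) + (h << 16) - h) & MASK32
    return h


def build_hash_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name. sdbm is not collision-resistant, so refuse to
    build a table in which two different names share a value."""
    table: Dict[int, str] = {}
    for name in api_names:
        h = sdbm(name)
        if h in table and table[h] != name:
            raise ValueError(f"sdbm collision: {table[h]!r} and {name!r} -> {h:#010x}")
        table[h] = name
    return table


def resolve(value: int, table: Dict[int, str]) -> Optional[str]:
    """Name behind a hash pulled from the sample, or None if unknown."""
    return table.get(value & MASK32)


def find_api_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Scan a byte blob (e.g. a sample's .data section) for 32-bit little-endian
    values that match a known hash, trying every byte offset."""
    hits: List[Tuple[int, str]] = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        name = table.get(val)
        if name is not None:
            hits.append((off, name))
    return hits


# Constructed export list for the demo. For a real sample you would feed in the
# full export tables of the DLLs it loads (kernel32.dll, ntdll.dll, advapi32.dll,
# ...), e.g. dumped with pefile.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "WriteProcessMemory", "CreateServiceA", "RegSetValueExA",
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed blob: 4 bytes of padding, the hash of LoadLibraryA, 4 bytes of 0xff.
    blob = b"\x00" * 4 + struct.pack("<I", sdbm("LoadLibraryA")) + b"\xff" * 4
    print(find_api_hashes(blob, table))  # [(4, 'LoadLibraryA')]
```

Building the table from full export lists rather than a hand-picked set is what makes this useful: the collision check then tells you up front whether a hash found in the sample is ambiguous, and the byte-offset scan locates the hash tables inside the binary without first having to find the resolver routine.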
  • 13. 2.1 THE MALWARE
      Persistence mechanisms
      • Create a new service
      • Registry Run key as fallback
  • 14-15. 2.1 THE MALWARE
      Use of the Heaven's Gate technique
      • Used to perform x64 syscalls from an x32 process, and to inject into an x64 process from x32
      • Needed by Emotet for email harvesting
      • Disrupts analysis
      • Most debuggers don't have support for it
  • 17. 2.2 KILL CHAIN
      Everything starts with an email and an attachment... (or sometimes a link)
  • 18. 2.2 KILL CHAIN
      • Typically the document contains a VBA macro which spawns PowerShell to execute the payload
  • 20. 2.2 KILL CHAIN
      Some of the macros use wscript to execute a JavaScript payload instead, with a similar purpose.
      • Some organizations have disabled PowerShell execution
  • 21. 2.2 KILL CHAIN
      The payload contacts a (typically) compromised server and downloads the actual Emotet binary.
  • 23. 2.2 KILL CHAIN
      The binary contains a list of hardcoded IPs and the encryption keys needed to communicate with the C2.
      1. After being executed, it calls home:
         1. If the bot is not running the most recent Emotet, the server provides an updated sample
         2. If it is running the most recent version, the server returns the modules
  • 24. 2.2 KILL CHAIN
      The modules are executed using different techniques depending on the module... but we will not get into that in this talk.
      Depending on the campaign, Emotet then deploys the next payload: Trickbot, Dridex, Pandabanker, etc.
  • 26. 2.3 THE INFRASTRUCTURE
      Emotet infrastructure has mainly three components:
      • Compromised servers (drop the first stage)
      • Regular C2 servers
      • Module-specific C2 servers
  • 27. 2.3 THE INFRASTRUCTURE
      Encrypted communications (C2 servers)
      • Emotet data packet (request): BASE64(PAYLOAD), RSA_ENCRYPT(AES KEY), AES_ENCRYPT(MESSAGE), SHA1(MESSAGE), PROTOBUF_ENCODE(ACTUAL DATA)
      • Emotet data packet (response): RSA_SIGNATURE(MESSAGE), AES_ENCRYPT(MESSAGE), SHA1(MESSAGE), PROTOBUF_ENCODE(ACTUAL DATA)
  • 28. 2.3 THE INFRASTRUCTURE
      Protobuf:
      • Protocol Buffers by Google
      • Data serializer
      Emotet uses a modified version. If you want to play around with this: https://d00rt.github.io/emotet_network_protocol/
  • 29. 2.3 THE INFRASTRUCTURE
      The request itself has changed a lot over time:
      • Changes in response code
      • Changes in request type (POST -> GET)
      • Different path generation
        • Based on the serial number of the infected bot
        • Based on a keyword list
      • Data embedded in POST data, cookie...
  • 32. 2.3 THE INFRASTRUCTURE
      The infrastructure is also constantly changing:
      • Compromised servers
      • RSA keys used
      • C2s available
      And apparently it is subdivided into different infrastructures.
  • 33. 2.3 THE INFRASTRUCTURE
      Trend Micro identified two different infrastructures in Nov 2018:
      • Different RSA keys
      • Different C2 combinations
      • Grouped by compilation time (Epoch)
      https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
  • 34. 2.3 THE INFRASTRUCTURE
      Even before then, the research group Cryptolaemus was already sharing Emotet IOCs:
      • Different infrastructures
      • Divided by Epoch
      • At least a month before the blog post
  • 35. 2.3 THE INFRASTRUCTURE
      With time, identifying the Epochs has become more difficult:
      • Three infrastructures instead of two
      • Identified based on:
        • C2 relationships
        • RSA key (unique per Epoch)
        • Document dropper creation time
  • 36. 2.3 THE INFRASTRUCTURE
      Let's try to draw something as well!
  • 39. 2.3 THE INFRASTRUCTURE
      (Graph legend) >=8 RSA nodes; 2 RSA nodes; 1 RSA node is white
  • 42. 2.3 THE INFRASTRUCTURE
      First rule of TI:
      • No one has visibility over absolutely everything
      • We're missing data too
      Tracking Emotet is not that easy:
      • Many factors to take into account
      • Server responses may vary by country and time of day
      • Protocol changes affect emulator effectiveness
  • 44. 2.4 SPAM
      The success of Emotet is driven by:
      • Quality of the spam sent
      • Sheer volume of spam the botnet is capable of producing
  • 45. 2.4 SPAM
      Spam quality:
      • Even when using "generic" spam messages, these are tailored for the targeted countries
  • 48. 2.4 SPAM
      Spam quality:
      • Replying to existing emails
  • 50. 2.4 SPAM
      Volume:
      • Distributed samples
      • Emails sent
  • 52. 2.4 SPAM
      Spam by topic (based on subject):
      Topic       | Subject
      ------------|----------------------------
      Name        | Name of the victim
      No subject  | No subject
      Response    | Reply-related subject
      Finance     | Invoices, budgeting
      Info        | Information-related subject
      Spam        | Literal spam subject
      Work        | Job offers, workplace
  • 53. 2.4 SPAM
      Spam by language (top 9):
      Language   | Emails
      -----------|-------
      English    | 772435
      Italian    | 298895
      German     | 281624
      Spanish    | 214543
      Korean     |  86879
      Portuguese |  66133
      Japanese   |  63563
      Romanian   |  39538
      Catalan    |  38289
  • 54. 2.4 SPAM
      Spam by recipient domain (top 9):
      Domain          | Count
      ----------------|-------
      gmail.com       | 124442
      hotmail.com     |  72160
      libero.it       |  54088
      NPS.K12.NJ.US   |  48091
      liconsa.gob.mx  |  46686
      dyauto.kr       |  37668
      yahoo.com       |  35803
      emirates.net.ae |  17076
      comcast.net     |  16878
  • 56. 2.4 SPAM
      Spam by recipient domain (continued):
      Domain                   | Emails
      -------------------------|-------
      marriottluxurybrands.com | 16691
      powerlinksworld.com      | 16389
      yahoo.es                 | 15492
      daimler.com              | 12320
      indeedemail.com          | 12168
      arsial.it                | 12051
      amarasanctuary.com       | 11559
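The topic, language and recipient-domain tables on slides 52-56 are the kind of breakdown you get by running a small classifier over a captured spam corpus. The script below is an added example written for this page, not the talk's own tooling: it classifies subjects into the seven topics of slide 52, counts recipient domains, and produces the same "top N" tables. The e-mails are constructed, and the keyword rules are this example's reading of the topic table (a real corpus would need tuning, and language detection, which the slides report but this example does not implement).

```python
"""Spam-corpus breakdown by subject topic and recipient domain (added example).

Constructed e-mails and hand-written rules; not the talk's analysis code.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Email(NamedTuple):
    subject: str
    recipient: str
    victim_name: str  # name harvested for this recipient; drives the "Name" topic


# First matching rule wins. "No subject" and "Name" are checked before these.
TOPIC_RULES = [
    ("Response", re.compile(r"^\s*(re|aw|fw|fwd|wg)\s*:", re.I)),
    ("Finance",  re.compile(r"\b(invoice|invoices|rechnung|factura|fattura|budget|payment)\b", re.I)),
    ("Work",     re.compile(r"\b(job|offer|vacancy|position|workplace)\b", re.I)),
    ("Info",     re.compile(r"\b(info|information|informaci[oó]n)\b", re.I)),
    ("Spam",     re.compile(r"\bspam\b", re.I)),
]


def classify_subject(subject: str, victim_name: str = "") -> str:
    """Topic label from slide 52 for one subject line."""
    s = subject.strip()
    if not s:
        return "No subject"
    if victim_name and s.lower() == victim_name.strip().lower():
        return "Name"
    for topic, rx in TOPIC_RULES:
        if rx.search(s):
            return topic
    return "Other"


def topic_counts(emails: List[Email]) -> Dict[str, int]:
    return dict(Counter(classify_subject(e.subject, e.victim_name) for e in emails))


def recipient_domain_counts(emails: List[Email]) -> Dict[str, int]:
    return dict(Counter(e.recipient.rsplit("@", 1)[-1].lower() for e in emails))


def top(counts: Dict[str, int], n: int = 9) -> List[Tuple[str, int]]:
    """Top-n rows by count (ties broken alphabetically), as in the 'top 9' tables."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed corpus: one or two hits per topic across three recipient domains.
SAMPLE_EMAILS = [
    Email("Invoice 20391", "alice@example.com", "Alice Doe"),
    Email("RE: meeting notes", "bob@example.org", "Bob Roe"),
    Email("", "carol@example.com", "Carol Poe"),
    Email("Carol Poe", "carol@example.com", "Carol Poe"),
    Email("Job offer", "dan@example.net", "Dan Moe"),
    Email("Information", "erin@example.com", "Erin Foe"),
    Email("Spam", "frank@example.org", "Frank Zoe"),
    Email("Rechnung 7781", "gina@example.org", "Gina Joe"),
]

if __name__ == "__main__":
    for topic, n in top(topic_counts(SAMPLE_EMAILS)):
        print(f"{topic:12s} {n}")
    for domain, n in top(recipient_domain_counts(SAMPLE_EMAILS)):
        print(f"{domain:12s} {n}")
```

Checking "Response" before the keyword rules matters: a reply-chain hijack (slide 48) that quotes an invoice subject is still a reply, and that is the behaviour the talk singles out as the quality driver, so it should not be folded into "Finance".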
  • 57. 2.4 SPAM
      The Emotet gang has also taken advantage of other events or public figures, such as:
      • Climate-change related emails mentioning Greta Thunberg
      • Coronavirus
      Image source: Proofpoint
  • 58. 2.4 SPAM
      Renting/side-gig with sextortion emails:
      • Claiming to have videos of someone "satisfying" themselves
      • Threatening to send them to all contacts
      • The recipient gets infected with Emotet anyway...
  • 59-60. 3. ACTING AS A LOADER
  • 61. 3. ACTING AS A LOADER
      Emotet's main objective is to act as a loader. It has been seen distributing many different types of malware, but some of the most relevant today are:
      • Dridex
      • Trickbot
      • Pandabanker
  • 62. 3. ACTING AS A LOADER
      Many of these also combine themselves with ransomware, creating a devastating combination for many companies.
      • Triple threat: Emotet + Trickbot + Ryuk
      Image credit: Cybereason
  • 63. 4. ACTING AS A LOADER
      There have been some reported incidents:
      • Berlin High Court (Kammergericht)
      • Frankfurt (preemptive shutdown)
      • Prosegur
      • Cadena Ser
      But many happen under the radar.
  • 64. 4. ACTING AS A LOADER
      New trends in ransomware:
      • Maze
      • Doppelpaymer
      • Nemty
  • 66. 5. CONCLUSIONS
      Emotet will keep growing its assets:
      • Ramping up distribution
      • Better spam campaigns
      New trends in ransomware:
      • More groups will join the leak threat
  • 67. 5. CONCLUSIONS
      Next steps:
      • Contacting Cryptolaemus about the data discrepancy
      • Keep investigating the Emotet gang
      Educate users on this threat:
      • Spam techniques used
      • Infection vectors
      Learn about their TTPs

Editor's Notes

  1. [1] https://www.us-cert.gov/ncas/alerts/TA18-201A
  2. [2] http://www.alex-ionescu.com/
  3. https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware