The mother of supply chain attacks: APT vs Internet Service Providers

di Emanuele De Lucia

The telecommunications sector is a vital component to the operational success of nearly every existing connected entity.

Due to the critical role, organizations operating in this vertical face a multitude of cyber threats stemming from targeted intrusion, criminal, and hacktivist adversaries. This talk provides a summary of malicious cyber activity and how threat actors moves against them.

The predominant threat to this sector over the past year originates from targeted intrusion are suspected of seeking information that could support espionage operations, infrastructure access and access to customer data.

Targeted intrusion adversaries that have targeted or are suspected of targeting this sector have included those operating in support of China, Iran, Russia, Vietnam, and the Democratic People’s Republic of Korea (DPRK).

The talk examines the current threats, the levels of risk and the related methodologies (infection vectors, exfiltration methods, code obfuscation, persistence) that allow APT actors to remain undetected for long time within the victim networks.

2020: A Phishing Odyssey

di Mariano Graziano

Phishing is still an open problem and a severe threat for many organizations. In many cases, attackers do not need 0days and advanced techniques but it is enough to send a link pretending to be a familiar service to the victim. In this talk we will discuss about phishing from several perspectives.

We first see how to hunt for phishing sites and phishing kits. Second, we will see how we can efficiently detect and prevent these cases with Yara rules. Finally, we will introduce a raising trend for phishing: phishing documents. Specifically, we will see how to detect and hunt these cases and how they are related with traditional phishing and malware campaigns.

The Secure Kernel and Virtual Secure Mode

di Andrea Allievi

This talk will explore the internal architecture of the Secure Kernel and VSM, especially from an attacker point of view, and will concentrate in particular on the following:

  • Understanding why the Secure Kernel is important, enabled by default from 19H1 and why is a big advantage from a defensive perspective.
  • Introduce the main services provided by VSM and the Secure Kernel.
  • Introduce some internals of the Hypervisor, Secure Kernel and the link between them and the Root OS

Assisted Threat Tracking Via Automatically Generated YARA Rules

di Jason Zhang & Stefano Ortolani

Growing cybersecurity threats and ever-evolving complexity pose great challenges to malware detection, classification, and threat hunting. One well-known phenomenon witnessed by malware analysts is a seemingly endless stream of artifacts related to the sample used in an initial attack. For example, Winnti has evolved into an advanced and sophisticated toolkit since its first attack as a RAT nearly a decade ago. Emotet, which started as a banking Trojan in 2014, has now evolved into one of the most dangerous botnets with payload delivery services for other threat actors. Tracking the evolution of malware in an efficient manner is therefore of paramount importance for the security industry.

Traditional approaches to track the evolution of malware require intensive manual reverse engineering work to analyse individual samples, which is ineffective and not scalable. In recent years, automated processes capable of dealing with large-scale data have been highly demanded and adopted by the security community.

In this study, we present a practical approach to track malware evolution over time based on detonating malicious artifacts through dynamic analysis, and generating YARA rules automatically. More specifically, a statistical model periodically learned with data generated from executing labeled training samples inside Windows OS-based sandbox environments is used to automatically identify malicious code segments from a test dataset collected over a given period of time. Subsequently the identified code segments from the dynamic analysis are assembled to build the YARA rules which are then applied to payloads (most likely packed) to track known and new variants of the malware. We validate the feasibility of this approach by analyzing the code evolution of Emotet as seen from the samples collected in the wild in late 2019 by the community-driven task force known as Cryptolaemus.

Ursnif: attack on Italian bank accounts

di Federico Girotto & Michele Zuin

The talk we are proposing will explore the technical details of the various campaigns of the malware known as Ursnif / Gozi that have hit Italian users in recent years.
We will analyze the following topics in detail:

  • Diffusion method: malspam, follow-up malware, etc.
  • Chain of infection and the obfuscation techniques of the various types of dropper used for the distribution of the Trojan Banker Ursnif.
  • Persistence and technical analysis of the functionalities of the Trojan Banker Ursnif with a detail on the various types of credential stolen (home banking credential, passwords, etc.).
  • Evolution over time of the versions of Malware and the related groups that seems associated with the campaigns that have specifically affected Italian users.

The Journey of Malware Families Evade Sandbox

di Venkatachalabathy S.R.

In recent years, malware threat landscape grown exponential and employed various evasion technique to bypass behavioral analysis and detection. The dominant category of evasion falls on sandbox evasion technique as defenders use sandboxes as part of the ecosystem to replicate the malicious files in an automated and controlled virtualized environment and gather the behaviour information within a short span of time. Malware authors are aware of the sandbox technologies, they employed malware with sandbox evasion techniques and mimic malware files to behave as benign files inside sandbox environment and show the malicious payload only in physical machine (ie., non-virtualized environment). As malware authors develop more new evasion techniques to hide from sandbox radar, consequence of it, defenders make various improvement to their sandbox technology to identify the sandbox evasion and defeat it. The improvement cycle done by defenders to protect against malwares and attackers to thwart from sandbox detection is never ending story which resembles Cat and Mouse game.

In this paper I will explain the improvements done by malware authors towards new sandbox evasion and reuse of old sandbox evasion techniques in recent ransomwares, Banking Trojans, Advanced Persistent Threats and how malware authors use Windows API's, office features and functionalities of virtualized environment to achieve sandbox evasion and defeat detection. I will also include countermeasures to bypass sandbox evasion as a defender.

Some of the latest evasion technique seen in malware families in recent years will be covered in the paper includes as below:

  • How windows WMI query misused by malware authors to gather the system information’s?
  • How Thermal zone temperature used to evade from sandbox?
  • How country check evades sandbox detection?
  • How file-less technique employed by malware authors to evade from traditional sandbox product (focus mainly on file, registry and network activities)?
  • Many more.

Suspected Cross platform attack that hit Windows and Android users in South Asia.

di Niranjan Jayanand

This research paper would cover long running multiple attack campaigns targeting South Asian officials mainly working in Government, Oil, Media, Maritime, defense contractors, universities (particularly those with military research ties), legal organizations. The main motivation behind these waves of attacks is Espionage aligned with commercial and South China Sea issues for Intellectual property theft and military espionage.

A common trait that was identified was use of a file name “8.t” for shellcode when the vulnerable RTF file was executed in a vulnerable environment before dropping different Remote Administrative Tools.

In one campaign, a PlugX was dropped connecting to a Command and control IP which helped us identify Infostealer Android malwares hitting South Asian victims. This made us believe that the campaign was hitting Cross platform to target wider victims.