Profile

Carel Bitter

Lead of Sigint Team at Spamhaus

Carel leads the Sigint Team, dealing with automated detections. He researches the infrastructure and tooling used by cybercrime threat actors, with a focus on using metadata and DNS. He is also co-chair of the Names and Numbers committee at M3AAWG.

All Sessions

Day 1
May 9, 2024
4:15 pm

360 degrees of malspam - What happens before, during and after a malspam campaign

9 May
Time:  4:15 pm - 4:45 pm
Location: 

We follow the full lifecycle of various campaigns run by a threat actor that uses reasonably sophisticated malware spam to distribute droppers such as IcedID, DarkGate and T34. Starting from the malspam, we show how NetFlow can be used to find the provisioning and administrative infrastructure, then use this to determine the scope of each campaign and predict future infrastructure. From the mails we look at payloads, exploits and dropped malware, eventually leading us to the C2 infrastructure.

This presentation is another example of the power of collaboration, marrying the distinct data sets of Spamhaus and Team Cymru to provide a more complete picture of this threat actor’s activities. In addition to identifying “how” this threat actor operates, we also show ways in which each campaign could be mitigated at various points in its lifecycle, and provide general TTPs which can be extrapolated and used to identify other similar malevolent acts.