Profile

Josh Hopkins

Lead of Team Cymru S2 research team

Now leading the S2 Threat Research Team, Josh has been a threat researcher with Team Cymru since 2017, specialising in the tracking of infrastructure for a diverse target set that includes both nation state and criminal threat actors. Josh has an extensive background in law enforcement and national security investigations.

All Sessions

Day 1
May 9, 2024
4:15 pm

360 degrees of malspam - What happens before, during and after a malspam campaign

9 May
Time:  4:15 pm - 4:45 pm

We follow the full lifecycle of various campaigns run by a threat actor that uses reasonably sophisticated malware spam to distribute various droppers such as IcedID, Darkgate and T34. Starting from the malspam, we show how Netflow can be used to find the provisioning and administrative infrastructure, then use this to determine the scope of each campaign and predict future infrastructure. From the mails we look at payloads, exploits and dropped malware, eventually leading us to the C2 infrastructure.

This presentation is another example of the power of collaboration, marrying the distinct data sets of Spamhaus and Team Cymru together to provide a more complete picture of this threat actor’s activities. In addition to identifying “how” this threat actor operates, we also provide ways in which each campaign could be mitigated at various points in its lifecycle, and provide general TTPs which can be extrapolated and used to identify other similar malevolent acts.