Day 0
May 8, 2024
1:45 pm

Registration Desk Opens

8 May
Time:  1:45 pm - 12:00 am
2:15 pm

Workshop: You Too Can Scan For Malicious Infrastructure

8 May
Time:  2:15 pm - 4:45 pm
Location:  VirusTotal / Google Offices
Speaker:  Justin Grosfelt

Command and Control (C2) detections play a crucial role in identifying malicious infrastructure within an environment. Whether dealing with financially motivated or nation state actors, targeting C2 infrastructure enables the potential blocking of malicious infrastructure as attackers bring it online.

As a threat analyst, it's easy to feel overwhelmed when identifying malicious infrastructure using tools like ZGrab2 or by searching databases like Censys and Shodan. In this workshop, we will explore simple and enjoyable methods for detecting and tracking malicious infrastructure. We'll utilize an open-source tool, NoWhere2Hide, to streamline the process from start to finish, facilitating the identification of malicious infrastructure and validation of your own C2s.

NoWhere2Hide assists threat researchers in identifying malicious infrastructure, creating C2 signatures, and continuously tracking and validating C2s. It encourages unique methods for identifying malicious infrastructure without scanning the entire internet and provides a format and framework for sharing C2 signatures within our community.

Throughout this workshop, we'll cover various methods and tools for internet scanning and demonstrate how NoWhere2Hide simplifies this process. Additionally, we'll explore general hunting and pivoting through data points, showing how these methods can serve as seeds for NoWhere2Hide scanning.

Finally, we'll put it all to the test with guided real-life exercises, demonstrating how to utilize NoWhere2Hide to uncover malicious infrastructure.
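As an added example for this listing (it is not NoWhere2Hide code, and NoWhere2Hide has its own signature format), here is a minimal C2 signature check of the kind the workshop describes, run over constructed records in the general shape of ZGrab2's HTTP module output. The signature format, the hypothetical C2 response body, and the IP addresses are all invented for illustration; a real signature would be seeded from a response captured from a confirmed C2.

```python
"""Match a C2 signature against ZGrab2-style HTTP scan records.

Added example for this listing, not NoWhere2Hide code: the signature format
is invented here for illustration and the scan records are constructed.
"""
import hashlib
import re

# Hypothetical body served by the tracked C2 (an assumption for the example).
KNOWN_C2_BODY = "Not found"

# Constructed records in the general shape of ZGrab2 "http" module JSON:
# {"ip": ..., "data": {"http": {"status": ..., "result": {"response": {...}}}}}
# Known headers appear lowercased with underscores and list-valued.
SCAN_RESULTS = [
    {   # benign nginx host
        "ip": "192.0.2.10",
        "data": {"http": {"status": "success", "result": {"response": {
            "status_code": 404,
            "headers": {"server": ["nginx/1.24.0"], "content_type": ["text/html"]},
            "body": "<html><head><title>404 Not Found</title></head></html>",
        }}}},
    },
    {   # host whose response matches the hypothetical C2 fingerprint
        "ip": "203.0.113.5",
        "data": {"http": {"status": "success", "result": {"response": {
            "status_code": 404,
            "headers": {"server": ["Apache"],
                        "content_type": ["text/plain; charset=utf-8"],
                        "content_length": ["9"]},
            "body": KNOWN_C2_BODY,
        }}}},
    },
    {   # connection failed: ZGrab2 records an error status and no response
        "ip": "198.51.100.7",
        "data": {"http": {"status": "connection-timeout",
                          "error": "dial tcp: i/o timeout"}},
    },
]


def body_sha256(body: str) -> str:
    """Hash a response body so a known C2 page can be fingerprinted exactly."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


# Invented signature format: every listed condition must hold for a match.
SIGNATURE = {
    "name": "hypothetical-c2-http",
    "status_code": 404,
    "headers": {"server": r"^Apache$", "content_type": r"^text/plain"},
    "body_sha256": body_sha256(KNOWN_C2_BODY),
}


def http_response(record: dict):
    """Return the HTTP response dict, or None if the scan did not succeed."""
    http = record.get("data", {}).get("http", {})
    if http.get("status") != "success":
        return None
    return http.get("result", {}).get("response")


def matches(signature: dict, record: dict) -> bool:
    """True when the record satisfies every condition in the signature."""
    resp = http_response(record)
    if resp is None:
        return False
    if "status_code" in signature and resp.get("status_code") != signature["status_code"]:
        return False
    headers = resp.get("headers", {})
    for name, pattern in signature.get("headers", {}).items():
        # A header is list-valued; any value matching the regex is enough.
        if not any(re.search(pattern, v) for v in headers.get(name, [])):
            return False
    if "body_sha256" in signature and body_sha256(resp.get("body", "")) != signature["body_sha256"]:
        return False
    return True


def hunt(signature: dict, records: list) -> list:
    """IPs whose scan record satisfies the signature, in scan order."""
    return [r["ip"] for r in records if matches(signature, r)]


if __name__ == "__main__":
    for ip in hunt(SIGNATURE, SCAN_RESULTS):
        print(f"{SIGNATURE['name']}: {ip}")
```

Failed scans are skipped rather than treated as non-matches of a specific field, so a timed-out host can be re-queued instead of being silently cleared; that distinction matters when the same signature is re-run on a schedule to confirm a C2 is still up.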

2:15 pm

Workshop: Unveiling Sophisticated Threat Actors: Advanced Techniques for Detecting New Malicious Infrastructure

8 May
Time:  2:15 pm - 4:45 pm
Location:  VirusTotal / Google Offices
Speaker:  Zach Edwards

As threat actors evolve, so must our detection methods. In this workshop, we will delve into advanced tactics, techniques, and procedures (TTPs) used by adversaries to conceal malicious infrastructure. You will learn how to leverage passive DNS (PADNS) data, WHOIS domain registration data, SSL certificate data, content hash data (JS and HTML), favicon hash searches, header hash values, HTML title searches, and more to create effective strategies for tracking malicious infrastructure.

We will explore how IP and ASN diversity and entropy patterns can be used to identify fresh fast-flux infrastructure. Additionally, we will demonstrate how advanced regex searches on domain names can uncover infrastructure used for brand-name spoofing and by threat actors like Scattered Spider, enabling the detection of their newest phishing domains.

Adversaries using domain generation algorithms often make mistakes by reusing specific hosts/ASN ranges or having consistent processes in their deployments. We will show you how to identify these patterns and mistakes to effectively track threat actors such as Scattered Spider, SocGholish, and others, along with specific C2 infrastructure and global threats.

Through real-world examples and hands-on exercises, you will gain practical skills to enhance your threat detection capabilities and stay ahead of evolving adversaries.
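Two of the pivots listed above lend themselves to a short worked example. The following code is added here and is not the speaker's material: it computes per-domain IP and ASN diversity plus ASN entropy from constructed passive DNS rows (a real run would pull these from a pDNS provider and an IP-to-ASN source) and flags fast-flux candidates, and it matches domain labels against an assumed set of SSO/helpdesk-themed keywords of the kind seen in Scattered Spider-style phishing domains. The thresholds, keyword list, brand name and sample rows are all assumptions for the example.

```python
"""Fast-flux scoring from passive DNS, and brand-spoof domain matching.

Added example for this workshop listing, not the speaker's material. The
passive DNS rows, ASNs, thresholds and keyword list are constructed/assumed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed passive DNS observations: (domain, first_seen, ip, asn).
PDNS = [
    ("flux-example.test",   "2024-04-01T00:00Z", "198.51.100.11", 64501),
    ("flux-example.test",   "2024-04-01T00:10Z", "203.0.113.22",  64502),
    ("flux-example.test",   "2024-04-01T00:20Z", "192.0.2.33",    64503),
    ("flux-example.test",   "2024-04-01T00:30Z", "198.51.100.44", 64504),
    ("static-example.test", "2024-04-01T00:00Z", "192.0.2.9",     64500),
    ("static-example.test", "2024-04-02T00:00Z", "192.0.2.9",     64500),
    ("cdn-example.test",    "2024-04-01T00:00Z", "192.0.2.100",   64500),
    ("cdn-example.test",    "2024-04-01T00:05Z", "192.0.2.101",   64500),
    ("cdn-example.test",    "2024-04-01T00:10Z", "192.0.2.102",   64500),
]


def shannon_entropy(counts) -> float:
    """Entropy in bits of a histogram given as an iterable of counts."""
    total = sum(counts)
    return 0.0 - sum(c / total * math.log2(c / total) for c in counts if c)


def flux_profile(rows):
    """Per domain: distinct IPs, distinct ASNs, and ASN entropy (bits)."""
    ips = defaultdict(set)
    asns = defaultdict(Counter)
    for domain, _first_seen, ip, asn in rows:
        ips[domain].add(ip)
        asns[domain][asn] += 1
    return {
        d: {"ips": len(ips[d]), "asns": len(asns[d]),
            "asn_entropy": round(shannon_entropy(asns[d].values()), 3)}
        for d in ips
    }


def fast_flux_candidates(rows, min_ips=3, min_asn_entropy=1.5):
    """Domains whose resolutions spread over many IPs AND many ASNs.

    Many IPs inside one ASN (a CDN or round-robin pool) is not flagged; the
    ASN entropy requirement is what separates flux from ordinary load balancing.
    Thresholds are assumptions; tune them against your own pDNS baseline.
    """
    prof = flux_profile(rows)
    return sorted(d for d, p in prof.items()
                  if p["ips"] >= min_ips and p["asn_entropy"] >= min_asn_entropy)


# Assumed lure keywords for brand-spoof domains such as <brand>-sso or
# helpdesk-<brand>. Extend from your own phishing telemetry.
KEYWORDS = r"(?:sso|okta|vpn|helpdesk|servicedesk|login)"


def brand_spoof_matcher(brand: str):
    """Return a predicate that flags domains with a label joining brand and keyword.

    Matching is per label, so the brand's own subdomains (sso.brand.com) are
    not flagged; only a single label such as brand-sso or okta-brand is.
    """
    b = re.escape(brand.lower())
    label_re = re.compile(rf"^(?:{b}-?{KEYWORDS}|{KEYWORDS}-?{b})$")

    def is_spoof(domain: str) -> bool:
        return any(label_re.match(label)
                   for label in domain.lower().rstrip(".").split("."))
    return is_spoof


def spoofed_domains(brand: str, domains) -> list:
    is_spoof = brand_spoof_matcher(brand)
    return [d for d in domains if is_spoof(d)]


if __name__ == "__main__":
    for d, p in flux_profile(PDNS).items():
        print(f"{d}: {p}")
    print("fast-flux candidates:", fast_flux_candidates(PDNS))
    print(spoofed_domains("examplecorp",
                          ["examplecorp-sso.com", "sso.examplecorp.com",
                           "portal.examplecorp-okta.net", "examplecorp.com"]))
```

The regex deliberately does not try to catch typosquats of the brand itself (character swaps, homoglyphs); that is a separate edit-distance or confusable-character check and is left out here.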

6:30 pm

Registration Opens at Hotel Pez Espada

8 May
Time:  6:30 pm - 6:57 pm
7:00 pm

Welcome Reception & Fireside Chat

8 May
Time:  7:00 pm - 10:30 pm
Day 1
May 9, 2024
9:15 am

PIVOTcon Opening

9 May
Time:  9:15 am - 6:57 pm
9:30 am

Microsoft Signed my Malware

9 May
Time:  9:30 am - 10:00 am

During an Incident Response investigation, Mandiant discovered a malicious driver used to terminate select processes on Windows systems. In this case, the driver was used in an attempt to terminate the Endpoint Detection and Response (EDR) agent on the endpoint. Mandiant tracks the malicious driver and its loader as POORTRY and STONESTOP respectively. Soon after the initial discovery, Mandiant observed a POORTRY driver sample signed with a Microsoft Windows Hardware Compatibility Authenticode signature.

Careful analysis of the driver's Authenticode metadata led to a larger investigation into malicious drivers signed via the Windows Hardware Compatibility Program. The investigation found a wider issue:

  • The malicious drivers are signed directly by Microsoft, and identifying the original software vendor requires inspecting the signature with code.
  • Several distinct malware families, associated with distinct threat actors, have been signed through this process.
  • Mandiant identified at least nine unique organization names associated with attestation-signed malware.

Mandiant will discuss the abuse of signed malware, hunting methodologies to detect and escalate these samples, and the impact these findings had.

While a portion of this content was released publicly in the Mandiant blog post "I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware", the main discussion points were not released; the talk will cover how the hunting methodology was used.
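The "inspecting the signature with code" point above can be shown with the standard library alone. The following script is an added example, not Mandiant's tooling: it pulls the PKCS#7 blob out of a PE file's security directory and lists every X.501 name attribute (OID and string) it finds anywhere in that blob, so certificate subjects and issuers, and any name carried inside signed attributes or a nested signature, all appear in the output. It deliberately does not assume which field holds the submitting organization; the analyst reads that off the listing. The PE offsets are the documented header layout; only the first WIN_CERTIFICATE entry is read, and the file name in the usage line is an assumption.

```python
"""List every X.501 name attribute inside a PE file's Authenticode signature.

Added example for this talk listing; it is not Mandiant's tooling. Standard
library only. Usage: python authenticode_names.py driver.sys
"""
import struct
import sys

# X.501 attribute types worth labelling; anything else is printed as its OID.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}
# DER string tags and how to decode them (UTF8, Printable, IA5, BMP, T61).
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii",
               0x1E: "utf-16-be", 0x14: "latin-1"}


def der_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length at pos; return (tag, header_len, value_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length at %d" % pos)
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def decode_oid(content: bytes) -> str:
    """Dotted-decimal form of a DER OBJECT IDENTIFIER's content bytes."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def der_children(buf: bytes, pos: int, end: int):
    """Yield (tag, content_start, content_end) for each TLV in buf[pos:end]."""
    while pos < end:
        tag, hlen, vlen = der_tlv(buf, pos)
        yield tag, pos + hlen, pos + hlen + vlen
        pos += hlen + vlen


def x501_names(buf: bytes, pos: int = 0, end=None) -> list:
    """Recursively collect (oid, text) from every SEQUENCE{OID, string} node.

    AttributeTypeAndValue has exactly that shape; any other constructed node
    (SEQUENCE, SET, [n] EXPLICIT wrappers, nested SignedData) is descended.
    """
    end = len(buf) if end is None else end
    found = []
    for tag, cstart, cend in der_children(buf, pos, end):
        if tag == 0x30:
            kids = list(der_children(buf, cstart, cend))
            if len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] in STRING_TAGS:
                oid = decode_oid(buf[kids[0][1]:kids[0][2]])
                text = buf[kids[1][1]:kids[1][2]].decode(STRING_TAGS[kids[1][0]], "replace")
                found.append((oid, text))
                continue
        if tag & 0x20:  # constructed: recurse
            found.extend(x501_names(buf, cstart, cend))
    return found


def authenticode_blob(pe: bytes) -> bytes:
    """PKCS#7 SignedData from the PE security directory (empty if unsigned)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                                         # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)              # PE32+ / PE32
    sec_off, sec_len = struct.unpack_from("<II", pe, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec_off == 0 or sec_len == 0:
        return b""
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if cert_type != 0x0002:                                   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type 0x%04x" % cert_type)
    return pe[sec_off + 8:sec_off + length]


def signature_names(pe: bytes) -> list:
    """(label, value) pairs for every name attribute in the file's signature."""
    return [(OID_NAMES.get(oid, oid), text) for oid, text in x501_names(authenticode_blob(pe))]


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        for label, text in signature_names(f.read()):
            print(f"{label}={text}")
```

On a WHCP-signed binary the output shows the Microsoft Windows Hardware Compatibility Publisher chain together with every other name present in the blob; comparing that listing against the vendor you expected is the check the talk describes. The SEQUENCE{OID, string} heuristic can also pick up non-name pairs of the same shape, which is why an unlabelled OID is printed as-is rather than hidden.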

10:05 am

Redacted topic

9 May
Time:  10:05 am - 10:35 am
Speaker:  Mr. Redacted

redacted

10:40 am

Like Their Malware? You'll Love Their Phish

9 May
Time:  10:40 am - 11:10 am
Speaker:  Greg Lesnewich

In the threat research and intelligence space, practitioners are familiar with pivoting across files, network traffic, and infrastructure to track their actors and discover new variants of evil. Many of those same principles can be used even further upstream, in the initial access phase, where actors very often leave behind fingerprints and patterns to enable clustering. This talk will explore how tracking these artifacts in email campaigns enables high fidelity detection of state-aligned actors, and will provide a behind-the-scenes look at how some of the best known threat actors leave behind a plethora of goodies for those who know where to look. This presentation will include the leakage of operator location, evidence of poorly-configured automation, common toolmarks left in email bodies or headers, and distinct threat actor naming conventions, and will present previously unpublished phishing and malware campaigns. Examples of examined actors will include TA421 (APT29), TA422 (APT28), TA427 (Kimsuky), TA453 (Charming Kitten) and multiple unnamed activity sets.

11:10 am

Coffee Break

9 May
Time:  11:10 am - 11:30 am
11:30 am

Follow the Moonshine: Unravelling Poison Carp's Trail to a Chinese Mercenary's Arsenal

9 May
Time:  11:30 am - 12:00 pm
Speaker:  Ashley Shen

As more attention is given to mercenary groups that offer exploits and surveillance capabilities to government clients, disclosures about organisations like NSO Group and Intellexa have exposed the comprehensive ecosystem that fuels government espionage through commercial surveillance tools. These insights highlight the spread of advanced spyware and provide crucial information to avoid inaccuracies in constructing actor profiles. However, apart from the pivotal iSoon leak, information about the Chinese mercenary companies remains scarce.

In this presentation, I will share my research on Poison Carp (aka Evil Eye), a Chinese espionage group disclosed by Citizen Lab and Lookout that used both Android and iOS exploits with implants to target Tibetan and Uyghur groups in a large-scale surveillance campaign. By tracking their malware and C2 infrastructure in the latest campaign, we were able to identify a significant tool that allows us to understand the exploitation approach and gain more insight into the attacker's operational workflow. Besides new tools, we also uncovered a Chinese mercenary group that likely sold tools to, or operated for, Poison Carp. We were also able to identify their arsenal and perform technical analysis on their tools.

This presentation will not only unveil our latest discoveries about the mercenary company but also share our strategic approach to pivoting and analysis. Additionally, I'll delve into the intriguing journey this research took me on, and disclose some of the rabbit holes with unresolved mysteries.

12:05 pm

KEYNOTE

9 May
Time:  12:05 pm - 12:45 pm
Speaker:  Visi Stark
12:45 pm

Lunch Break

9 May
Time:  12:45 pm - 2:00 pm
2:00 pm

A Pivot to Pika: The Saga of TA577, A Notorious Qbot Distributor

9 May
Time:  2:00 pm - 2:30 pm

Among all the major cybercriminal threat actors currently operating today, one stands out for its creativity, sophistication, and frustration to defenders: TA577. In our talk, we will discuss the history of this unique actor, tips for tracking and creating detections to defend against them, how law enforcement activity impacted its malware distribution, and why it’s one of the most difficult actors to defend against currently in operation.

TA577 was one of two prominent distributors of the Qbot botnet. In fact, the success and spread of Qbot was due in large part to the efforts of TA577. This actor demonstrates the ability to rapidly develop and iterate attack chains, and frequently paves the way for other threat actors to follow its novel techniques. With a combination of campaign volume, evasion techniques, unwavering persistence, and the turnaround to ransomware, TA577 remains one of the biggest threats in the ecrime landscape.

But what happened when global law enforcement disrupted Qbot in August 2023, which was this group’s most useful means of conducting large-scale cybercrime? It pivoted.

Proofpoint observed TA577 return in the fall of 2023 to deliver DarkGate – an unusual payload that took the ecrime landscape by storm in September and October – before eventually appearing to settle on Pikabot. Pikabot’s main objective is to download additional payloads, though it also has information gathering capabilities. TA577 may not write its own malware, but the malware it uses is sure to have significant impacts.

2:35 pm

Discussion Panel #1

9 May
Time:  2:35 pm - 3:20 pm
3:20 pm

Coffee Break

9 May
Time:  3:20 pm - 3:40 pm
3:40 pm

Don't Fall Asleep On This: Tracking a Global Espionage Campaign

9 May
Time:  3:40 pm - 4:10 pm
Speaker:  Rufus Brown

The targeting of edge devices without EDR remains a common vector for particular threat actors. The targeting of these devices, alongside the deployment of sophisticated malware, zero-days, router botnets, and novel techniques, remains a significant challenge for defenders. Since 2021, a sophisticated Chinese state-sponsored threat actor has conducted a global campaign targeting vulnerable edge devices and embedding themselves deep into target networks. Analysis of this campaign revealed a well-resourced actor who remains active today.

In this talk, we will take a set of known infrastructure attributed to this actor and walk through the analytical methodologies and pivots used to expand our knowledge and visibility over time. We will introduce faults in the tooling and methodologies used along the way and attempt to identify meaningful solutions. Attendees should walk away from this talk with a deeper understanding of the analytical methodologies and pivots used, tracking the actor or similar clusters, and the importance of maintaining visibility.

4:15 pm

360 degrees of malspam - What happens before, during and after a malspam campaign

9 May
Time:  4:15 pm - 4:45 pm

We follow the full lifecycle of various campaigns run by a threat actor that uses reasonably sophisticated malware spam to distribute various droppers like IcedID, Darkgate and T34. Starting from the malspam we show how Netflow can be used to find the provisioning and administrative infrastructure, use this to figure out the scope of each campaign and predict future infrastructure. From the mails we look at payloads, exploits and dropped malware, eventually leading us to the C2 infrastructure.

This presentation is another example of the power of collaboration, marrying the distinct data sets of Spamhaus and Team Cymru together to provide a more complete picture of this threat actor’s activities. In addition to identifying “how” this threat actor operates, we also provide ways in which each campaign could be mitigated at various points in its lifecycle, and provide general TTPs which can be extrapolated and used to identify other similar malevolent acts.

7:00 pm

Very Social Dinner

9 May
Time:  7:00 pm - 10:00 pm
Day 2
May 10, 2024
9:15 am

Threat Hunting unveils Operation Crimson Palace

10 May
Time:  9:15 am - 9:45 am

Operation Crimson Palace is a months-long intrusion by Chinese state-sponsored adversaries targeting a southeast Asian organization. The campaign includes clusters of activities that align with TTPs used by APT15 (Backdoor Diplomacy), Earth Longzhi (APT41 Subgroup), and one additional unattributed operator. Sophos’ time-of-day analysis of threat actor activity lines up with working hours in China and illustrates the clusters working at different times in an orchestrated manner.

Sophos was able to observe in detail the actions of the adversary over several months and specifically track their actions when they were blocked by software controls. They exhibited precision to limit exposure of their custom tooling and rotated tactics to continue their actions on objectives. Some of these interesting observations include:

  • Use of a niche EDR evasion tactic that relies on timing, volume, and a good understanding of Windows internals to bypass kernel hooks.
  • Reversion back to credential dumping and abuse of valid credentials when their tools were prevented from running.
  • Use of multiple tools to achieve the objectives, indicating a well-funded operation with a deep toolbox.
  • The threat actor took special care to routinely delete their tools and scripts after use, and would return and redeploy a functionally similar tool with a slight variation each time.

During this presentation, we will provide context on how we conducted our analysis, as well as additional technical insight into the more novel malware used by the attackers, which has been previewed on social media.

9:50 am

Understanding the ORBs: PRC Actors, Obfuscation Networks, and the Coming IOC Extinction

10 May
Time:  9:50 am - 10:20 am
Speaker:  Michael Raggi

In this landscape of extinction, precision is next to Godliness - Samuel Beckett

Since 2020, Chinese espionage operations have fundamentally changed. Gone are the days of actor-registered infrastructure and command and control reuse. A new practice of "Operational Relay Box" (ORB) networks has risen to obfuscate CNE network traffic via a Tor-like network of registered VPS space and compromised end-of-life home routers.

This presentation will:

  • Demonstrate the ways ORBs have made blocking network IOCs extinct.
  • Provide a four-quadrant signature and detection approach (Censys, YARA, Netflow, active scanning) that will allow defenders and threat hunters to pivot through these complex networks.
  • Define a scalable universal anatomy for talking about ORB networks and map signature types to these components.
  • Utilize an active PLA- and MSS-leveraged ORB network to provide real-world examples of what these ORB networks look like.
  • And finally, shift the world view of network defenders from IOC blocking to detecting ephemeral infrastructure networks leveraged by multiple malicious APT actors.

10:25 am

Redacted

10 May
Time:  10:25 am - 10:55 am
Speaker:  Sir Redacted

redacted

10:55 am

Coffee Break

10 May
Time:  10:55 am - 11:15 am
11:15 am

CoTravel Analysis

10 May
Time:  11:15 am - 11:45 am
Speaker:  Charles Price

In an era where threat actors constantly evolve their techniques to evade detection, the intelligence community faces significant challenges in tracking their digital footprints. Technologies like onion routing have long been exploited by adversaries to conceal the origin and content of malicious traffic. Recently, Microsoft has identified a shift in behaviour, with threat actors eschewing traditional Tor/VPS-based obfuscation methods in favour of bespoke networks built from compromised SOHO routers.

This new landscape presents an array of analytical hurdles:

  • Differentiating actor traffic from benign usage.
  • Associating specific actors with the networks they utilize.
  • Unravelling the construction and operation of these clandestine networks.

In response to these challenges, Microsoft threat researcher Charles Price unveils "CoTravel," an innovative threat intel tracking process. CoTravel examines actor identifiers and IP egress events over time, distinguishing patterns that reveal the shared infrastructure among seemingly disparate indicators. During the presentation, he will cover technical nuances of CoTravel, its integration into Microsoft's actor tracking effort, and the broader implications for threat intelligence research.

11:50 am

Discussion Panel #2

10 May
Time:  11:50 am - 12:35 pm
12:35 pm

Lunch Break

10 May
Time:  12:35 pm - 1:45 pm
1:45 pm

Hospitals, Airports, and Telcos — Modern Approach to Attributing Hacktivism Attacks

10 May
Time:  1:45 pm - 2:15 pm
Speaker:  Itay Cohen

On December 12th, 2023, millions of Ukrainians trying to connect to Kyivstar's mobile and internet services were met with silence. The outage, it turned out, was no accident, but a carefully planned attack that had been brewing for months. One day later, a message saying "We take full responsibility for the cyber attack on Kyivstar" appeared on social media accounts belonging to a group calling itself 'Solntsepek'.

“We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine” the message continued. The Ukrainian users found themselves an audience of another hacking stunt in the ongoing war that started with the Russian invasion of Ukraine. Almost one month later, the pro-Ukraine hacker group “BlackJack” claimed to have breached the Russian internet provider M9com as revenge for the Kyivstar attack.

These attacks demonstrate a rising trend where groups, ostensibly state-sponsored yet posing as hacktivists, execute cyber and influence operations. This approach provides plausible deniability and an appearance of legitimacy, avoiding the direct implications of government involvement. These actors, often using various group names, leverage grassroots facades for anonymity and to minimize international backlash.

But what if the inflation in the trend is its weakest point? This is where yet another trendy topic comes in handy— Machine Learning (And yes, AI as well). We analyzed thousands of public messages from Hacktivist groups in Europe and the Middle East and combined classic Cyber threat-intelligence practices with modern ML models to learn about their motives over time and more importantly — tie some of these groups together and improve the way we do attribution when it comes to Hacktivism.

2:20 pm

White Dev 162: Invitation to discussion

10 May
Time:  2:20 pm - 2:50 pm

As it often does, it started with an email: “Invitation to discussion”. Several email lures, fake login portals, SSL certificates and typosquat domains later, what started as a credential phishing campaign targeting think tanks in the United States and United Kingdom became an information operation (IO) targeting Ukraine.

This presentation unpicks White Dev 162, an emerging threat actor still under investigation that the PwC Threat Intelligence Team started tracking in the summer of 2023. Since then, we have observed White Dev 162 conducting what appears to be both likely espionage and IOs. Is this a state-sponsored threat actor conducting espionage with the intent of using information in cyber-dependent IOs? Is it a new threat actor at all; or a spinoff, or even a campaign, of an existing one? And, to what degree do White Dev 162’s operations align with Russian interests?

With White Dev 162, we retrace the process of identifying new activity, building out a new cluster of threat activity, and ending up with open questions.

2:50 pm

Coffee Break

10 May
Time:  2:50 pm - 3:10 pm
3:10 pm

Full Circle: Revisiting SideCopy from the Network Infrastructure Perspective

10 May
Time:  3:10 pm - 3:40 pm
Speaker:  Seth Lacy

While we are all focused on hunting the cutting-edge techniques deployed by top-tier adversaries, many “second-tier” adversaries continue grinding away in the shadows with more limited attention from the larger security community. While not always as sophisticated in their operations, many of these adversaries remain highly motivated – compensating for their lack of sophistication with clever and often resourceful approaches to their operations.

This talk focuses on one such adversary, SideCopy, and how a serendipitous re-encounter with a curious, previously unattributed malware sample serves as a reminder that these adversaries are also worth checking up on from time to time. This talk will discuss the current state of SideCopy’s network infrastructure derived through the lens of NetFlow analysis, techniques for pivoting through NetFlow data and combining it with other data sources to develop a more comprehensive picture of multiple tiers of adversary infrastructure, and the increasing relevance of data science techniques for triaging and visualizing these large data sets.

Attendees should walk away from this presentation with a solid grasp of the current state of SideCopy network infrastructure, a better understanding of NetFlow as a telemetry source, analytical approaches to extract unique insights out of NetFlow which may not be available from other sources, and a framework for how to think about adversary operations beyond the first tier of victim-facing infrastructure.

3:45 pm

There’s more “Un” To This Story | The Details We Did Not Share

10 May
Time:  3:45 pm - 4:15 pm

In this talk, we reveal previously undisclosed details about several North Korean APT activities we have unearthed over the past months. Our objective is to enrich the accumulated intelligence on the North Korean cyber threat landscape within the community and contribute to a deeper understanding of the evolving tactics used by its constituent groups.

This presentation begins by revealing deceptive lateral movement tactics observed during our investigation into an intrusion at NPO Mashinostroyeniya, a Russian missile engineering firm. We then explore ScarCruft's testing grounds — a collection of malware recovered during the planning and testing phases of the group's development cycle, likely intended for future campaigns. We disclose here our insights into ScarCruft's infrastructure, malware implementation processes, and experimentation with staging and evasive techniques. In concluding the technical discussion, we share curious relationships to cryptocurrency scams, highlighting North Korea's evolving interest in the cryptocurrency industry.

During times of major shifts in the North Korean foreign policy, the future trajectory of the country's cyber activities is uncertain. We conclude our presentation by speculating on potential changes in North Korea's cyber strategies and their implications for threat intelligence collection and effective defense.

7:00 pm

Closing Gala Dinner & After Party

10 May
Time:  7:00 pm - 12:00 am

Copyright © 2024 Threat Research Association All Rights Reserved.