It has been a while since I posted my last wrap-up. With the COVID break, many conferences have been canceled or postponed. But Botconf, one of my favorites, has been scheduled for a long time in my (busy) planning. This edition is located in Strasbourg. I arrived yesterday afternoon to attend a workshop about YARA rules. Today was the first conference day. After a quick introduction by Eric Freysinnet and some information about this edition: That’s already the 10th edition with 400 attendees from multiple continents, and I attended all of them! Patrick Penninckw from the Council of Europe (one of the sponsors), Head of Information Society Department, passed a quick message: Today, everything is digitalized and we need to protect this. There are also more and more links with human rights and the rule of law. Let’s have a quick look at the different talks scheduled today.
The first slot was “Perfect Smoke and Mirrors of Enemy: Following Lazarus group by tracking DeathNote campaign” by Seongsu Park. Who’s Lazarus? They have been a well-known threat actor since 2014, looking for financial profit, espionage, data theft. Seongsu reviewed the different techniques they used to compromise their victims and how it involved with years. If the first TTPs were pretty simple, they increased the complexity. More focus was given to DeathNote.
The next talk was “RAT as a Ransomware – An Hybrid Approach” by Nirmal Singh, Avinash Kumar and Niraj Schivtarkar. After an introduction to RATs (“Remote Access Tools”) and some popular ones like Remcos, they explained how some RATs have the capabilities to deploy ransomware on their victims’ computers.
Then, Larry Cashdollar and Allen West presented “A Dissection of the KmsdBot“. This bot has been written in Go. A good point is the fact that C2 communications are in clear text. This is much more convenient to reverse engineer the protocol used between bots and the C2 server. Larry explained how they reversed the botnet and how they wrote a fake bot being able to interact with the C2 to learn even more details.
After a good lunch (the food is always a blast at Botconf!), Mr Paul Vixie, himself, came on stage as the keynote speaker and presented “Security Implications of QUIC”. QUIC is a protocol developed initially at Google. The goal was to solve a key problem with existing protocols like HTTPS: end-to-end encryption. QUIC relies on UDP and all data sent or received is not seen by the kernel. This means that most solutions like EDR will become “blind” and useless. There is no more connect() or accept() system calls. At the oppostive, TCP is implemented in the kernel,and QUIC is implemented in user land. Paul reviewed many facts about this need to more privacy but that will make our life, as defenders, more difficult. DoH (“DNS over HTTPS”) is another good example. Most of our classic security devices or controls will be impacted (firewalls, load-balancers). Reverse engineering of malware will also be impacted. Where to put breakpoints to learn how the malware talk to its C2 server is classic API calls are not used?
The next slot was assigned to Alec Guertin and Lukas Siewierski: “You OTA Know: Combating Malicious Android System Updaters”. OTA means “Over The Air” and is related to updates. Android devices have a feature to get updates before being sold to user or at other times. They demonstrated how this technique can be (ab)used by attackers to deploy malware on device even before they are delivered to their owners.
After the afternoon coffee break, we had two less technical talks but interesting ones: «Digital Threats Against Civil Society in the Rest of the World» by Martijn Grooten and “India’s Answer to the Botnet and Malware Ecosystems” by Pratiksha Ashok. Both focussed on the protection of regular users on the Internet and how communication can be organized to share useful information. Here is the site developed by the Indian government: https://www.csk.gov.in/alerts.html.
I expected a lot from the next talk: “Syslogk Linux Kernel Rootkit – Executing Bots via Magic Packets” by David Alvarez Pérez. This is a crazy idea: just by sending “magic packets” to the compromised host, the attacker is able to take action. David reviewed the different components of the rootkit, how it works, what are the system calls hooked by the malware and the capabilities. Because NetFilter functions are hooked, magic packets will not be intercepted by the local firewall in place. Really cool! Note that the rootkit has multiple components: one running in kernel mode, and one running (not all the time) in userland. It can also emulate another layer 7 protocols (SMTP, HTTP, …) and act as a proxy to forward magic packets to another host.
The next talk covered “RTM Locker” and was presented by Max “Libra” Kersten, a regular speaker at Botconf. Max explained in detail the ransomware features and how it performs encryption of the victim’s file. He reversed the malware and showed all features based on pieces of code. Awesome job!
Finally, the day ended with “The Fodchat Botnet We Watched” by Lingming Tu. Interesting research about this botnet, especially because the research was performed by Netlab 360. The botnet looked a regular one but the fact that it was analyzed from a Chinese point of view was interesting, despite the fact that the speaker was difficult to understand.
The day ended with some pizza and local “flammekueche” (a specialty from the region of Alsace). See you tomorrow for day 2!