You're Not George Clooney, and This Isn't Ocean's Eleven

Presented at DEF CON 31 (2023), Aug. 11, 2023, noon (45 minutes)

One common thread runs through a recent wave of (initially, successful) targeted malware attacks I've investigated: The attackers communicated with their targets, personally, using social engineering in real-time, in order to lay the groundwork for the rest of the attack to succeed. Throughout the course of several post-breach investigations, it became apparent that -- for a certain kind of target and a particular class of attacker -- engaging the victim in direct conversation was far more effective at assuring the target infected their computer than crafting a believable-looking "malspam" email that would "fool" the target into clicking a link or opening a file. The attackers did not need to be charismatic for the technique to succeed. In fact, so long as the attacker "got into character" and treated the interaction as a normal, everyday event (from their perspective), the targets went along for the ride, and in many cases, self-infected with malware that was capable of snooping through their most sensitive files. In this session, we'll discuss both the social engineering and technical aspects of the attacks, and why this combination of tactics is particularly dangerous and hard to defend against. REFERENCES: Brandt, Andrew. “Tax Firms Targeted by Precision Malware Attacks.” Sophos X-Ops Blog, Sophos News, 13 Apr. 2023, news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/ @x86matthew. “EmbedExeLnk - Embedding an EXE inside a LNK with Automatic Execution.” www.x86matthew.com, 22 Apr. 2022, www.x86matthew.com/view_post?id=embed_exe_lnk

Presenters:

• Andrew Brandt / Spike - Principal Researcher at Sophos X-Ops   as Andrew "Spike" Brandt
  Andrew Brandt is a former investigative reporter turned network forensics investigator and malware analyst, who serves as a Principal Researcher for Sophos X-Ops. Brandt has worked in information security since 2006 and, prior to working in the industry, covered it extensively as the security editor for PC World for nearly a decade. He has applied his knowledge about the behavior of malicious software and threat actors to profile identifiable characteristics of undesirable or criminal activity, specializing in attackers who target the finance, energy, and government sectors. His analysis techniques seek to determine general principles that can help analysts and defenders rapidly and comprehensively identify the root cause of infection and data loss, putting real-time network data analysis at the front line of prevention.

Links:

• https://forum.defcon.org/node/245759

Similar Presentations:

• VB2019 / Discretion in APT: recent APT attack on crypto exchange employees
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab
• DEF CON 31 (2023) / The Art of Compromising C2 Servers: A Web Application Vulnerabilities Perspective