Chasing the Adder... A Tale from the APT world

Presented at NolaCon 2018, May 18, 2018, 10 a.m. (Unknown duration)

In August 2017, a targeted attack was attempted against a well-established corporation. The attack was carried out using innovative exploitation methods and unknown, heavily packed malware. The first stage of the attack exploited websites, but once the attacker had established a beachhead he dropped his arsenal and began a complex and innovative tactic: importing and executing his tools together with a Sandboxie DLL. The DLL was used to bypass signature checks and defuse security controls such as the antivirus, the Host Intrusion Prevention System and the Windows security controls. The adoption of this undocumented technique allowed the attacker to implant his heavily packed malware and start harvesting data from the company. This is our story. It starts with a strange webpage loaded by a user and follows the entire investigation and remediation process, in which a team of specialists was hired to fight an unknown attacker who had already gained the upper hand over several segments of the corporate network. The presentation will show the initial exploitation method, the tools the attacker subsequently used to move laterally into core networks, and the technique the adversary adopted to implant his malware on the core systems.

Presenters:

  • Stefano Maccaglia
    Malware Analyst, part of the RSA IR team. I have worked on several IR investigations worldwide. I was an active hacker in the eighties and nineties, participating in early hacker and underground communities. Before joining RSA I worked for top IT companies worldwide, such as Digital, HP, Cisco and Accenture. I am also a security researcher, with papers and presentations delivered at several conferences such as RSA Conference, Infosecurity, Isaca, etc.
