From EK to DEK: An Analysis of Modern Document Exploit Kits

Presented at BSidesLV 2019, Aug. 7, 2019, 11 a.m. (55 minutes)

Exploit Kits haven't disappeared, they've simply moved to Microsoft Office. Traditional Exploit Kits (EKs) have the ability to fingerprint and compromise web browser environments, but with the advent of sandboxing and advanced security measures, there has been a shift toward using the Microsoft Office environment as a primary attack surface. Document Exploit Kits (DEKs) leverage DCOM, ActiveX controls, and logic bugs to compromise machines by packing multiple exploits into a single file.

This talk will provide an in-depth overview of the vulnerabilities and exploitation techniques used by the ThreadKit and VenomKit documents to spread well known malware families, and how they are being used in targeted attacks.

Presenters:

• Joshua Reynolds
  Joshua Reynolds is a Senior Security Researcher with CrowdStrike, where he performs malware reverse engineering and intelligence analysis. Joshua has presented at BSides Calgary, BSides Edmonton and RSAC focusing on Ransomware, malicious document analysis and cryptojacking malware. He is also the co-author of the SAIT Polytechnic Information Systems Security diploma malware analysis course.

Similar Presentations:

• VB2019 / Finding drive-by rookies using an automated active observation platform
• VB2016 / Inside Exploit Kits
• Hackfest 2016 / Exploit Kits: The Biggest Threat You Know Nothing About