Modern reconnaissance phase on APT - protection layer

Presented at VB2017, Oct. 4, 2017, 2 p.m. (30 minutes)

The *Talos* researchers are no strangers to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect valuable 0-day exploit or malware frameworks. During this presentation, rather than concentrating on a specific malware actor, we will use various different cases to illustrate how the reconnaissance phase is becoming more important and more complex. The talk will focus mainly on the usage of malicious documents (*Microsoft Office* and *Hangul Word Processor*) and watering hole attacks designed to establish whether a target is the intended one. We will mention campaigns against political and/or military organizations targeting the USA, Europe and Asia. The techniques and the obfuscation put in place by these actors will be described in detail. We will explain how macros are used and how to desobfuscate them; how JavaScript and PowerShell are becoming unmissable languages, and how to analyse them using a standard debugger such as *WinDbg* or *x64dbg*; how APT actors include Flash objects in documents to bypass protection and perform reconnaissance on the target; and finally, we will see how the Python language is used by malware to execute code on *MacOS*. In some cases, the reconnaissance is performed directly by a first-stage malware (PE32) and not directly by the infection vector; we will see an example of the approach that was used to target South Korean public sectors at the end of December. At the end of the presentation, we will describe different mitigation techniques in applications (for example in *Microsoft Office* and *Hangul Word Processor)* and in the *Microsoft Windows* OS to help attendees protect their users against the threats described during the talk.

Presenters:

• Warren Mercer - Cisco Talos
  Warren Mercer Warren Mercer joined Talos coming from a network security background, having previously worked for other vendors and the financial sector. Focusing on security research and threat intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career, ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier in work helps! @SecurityBeard
• Paul Rascagnères - Cisco Talos   as Paul Rascagneres
  Paul Rascagneres Paul is a security researcher within Talos, Cisco's threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for seven years, mainly focusing on malware analysis, malware hunting and more specially on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors. @r00tbsd

Links:

• https://www.virusbulletin.com/conference/vb2017/abstracts/modern-reconnaissance-phase-apt-protection-layer
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2017//uploads/pdf/magazine/2017/VB2017-Rascagneres-Mercer.pdf
• https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-modern-reconnaissance-phase-apt-protection-layer/

Similar Presentations:

• NorthSec 2017 / Modern Reconnaissance Phase by APT - Protection Layer
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab
• VB2019 / Curious tale of 8.t used by multiple campaigns against South Asia