The Hitchhiker's Guide to the North Korean malware galaxy

Presented at VB2018, Oct. 4, 2018, 2 p.m. (30 minutes)

The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy and 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with any certainty? And what connects the DDoS and disk-wiping attacks of 4 July 2009 with WannaCry, one of the largest cyber attacks in history?

From the Mydoom variant Brambul to the more recent FallChill, WannaCry and the targeting of cryptocurrency exchanges, there is a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor. Attackers tend to leave fingerprints on their work without realizing it, and those fingerprints let researchers connect the dots between operations. North Korean actors have left many such clues in their wake throughout the evolution of their malware arsenal. In this session, attendees will see never-before-seen code analysis illustrating key similarities between samples attributed to North Korea, shared networking infrastructure, and other revealing data hidden within the binaries. These puzzle pieces will be assembled to illustrate the connections between the many attacks attributed to North Korea and to categorize the tools used by specific teams of its cyber army.
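The abstract rests on one technique: finding the same code in binaries that were deployed years apart, while ignoring code that every binary contains. The following Python script is an added illustration of that idea and is not code from the talk, from Intezer, or from any real sample. It works on hand-written, synthetic "disassembly" (constructed here purely for the example), reduces each function to its mnemonic sequence, hashes it, drops runtime/library routines and trivially short functions, scores sample pairs by the fraction of the smaller sample's functions they share, and clusters samples that exceed a threshold. The sample names, the function strings, the `MIN_INSNS` cutoff and the 0.5 threshold are all assumptions made for the demonstration.

```python
import hashlib
from itertools import combinations

# Synthetic "disassembly": one string per function, instructions separated by ';'.
# Constructed for this illustration only; not code from any real sample, no real IOCs.
LIBRARY_FUNCS = {
    # Compiler runtime code present in almost every binary: a match here is not a clue.
    "crt_memcpy": "push ebp;mov ebp,esp;mov ecx,[ebp+16];mov esi,[ebp+12];"
                  "mov edi,[ebp+8];rep movsb;pop ebp;ret",
}
ENCODER = ("push ebp;mov ebp,esp;mov eax,[ebp+8];xor eax,0x5a;rol eax,3;"
           "xor eax,0xc3;ror eax,5;pop ebp;ret")
BEACON = ("push ebp;mov ebp,esp;sub esp,0x20;push 0;push 80;lea eax,[ebp-0x20];"
          "push eax;call socket;mov [ebp-4],eax;push eax;call connect;"
          "test eax,eax;jnz 0x40;leave;ret")
WIPER = ("push ebp;mov ebp,esp;push esi;mov esi,[ebp+8];mov ecx,0x200;xor eax,eax;"
         "mov edi,[ebp+12];rep stosd;push 0;push esi;call WriteFile;pop esi;pop ebp;ret")
FLOOD = ("push ebp;mov ebp,esp;mov ecx,[ebp+8];push ecx;call sendto;inc [ebp-4];"
         "cmp [ebp-4],0x1000;jl 0x10;pop ebp;ret")
OTHER1 = "push ebp;mov ebp,esp;mov eax,[ebp+8];imul eax,0x3;add eax,0x7;pop ebp;ret"
OTHER2 = ("push ebp;mov ebp,esp;call GetTickCount;mov [ebp-4],eax;call rand;"
          "add eax,[ebp-4];pop ebp;ret")
STUB = "xor eax,eax;ret"  # too short to carry any attribution signal

# Hypothetical sample set: three tools that reuse pieces of each other, one unrelated.
SAMPLES = {
    "wormA":      [ENCODER, BEACON, FLOOD, LIBRARY_FUNCS["crt_memcpy"], STUB],
    "ratB":       [ENCODER, BEACON, LIBRARY_FUNCS["crt_memcpy"]],
    "wiperC":     [BEACON, WIPER, LIBRARY_FUNCS["crt_memcpy"], STUB],
    "unrelatedD": [OTHER1, OTHER2, LIBRARY_FUNCS["crt_memcpy"], STUB],
}
MIN_INSNS = 5  # assumed cutoff: shorter functions match by accident far too often


def normalize(func):
    """Reduce a function to its mnemonic sequence; operands (registers, immediates,
    addresses) are dropped so rebasing or register re-allocation does not break a match."""
    return tuple(insn.strip().split()[0] for insn in func.split(";") if insn.strip())


def fingerprint(func):
    """Stable hash of the normalized mnemonic sequence."""
    return hashlib.sha256(" ".join(normalize(func)).encode()).hexdigest()[:16]


LIBRARY_HASHES = {fingerprint(f) for f in LIBRARY_FUNCS.values()}


def sample_genes(funcs, library=LIBRARY_HASHES, min_insns=MIN_INSNS):
    """Fingerprints that can carry attribution signal: library code and short
    functions are excluded because unrelated binaries share them as well."""
    return {fingerprint(f) for f in funcs
            if len(normalize(f)) >= min_insns and fingerprint(f) not in library}


def shared_code(genes_a, genes_b):
    """(number of shared fingerprints, overlap coefficient). The overlap coefficient
    |A&B| / min(|A|,|B|) is used instead of Jaccard so that a small tool fully
    contained in a larger toolkit still scores as related."""
    shared = genes_a & genes_b
    denom = min(len(genes_a), len(genes_b))
    return len(shared), (len(shared) / denom if denom else 0.0)


def cluster(samples, threshold=0.5):
    """Union-find over sample pairs whose overlap reaches the threshold.
    Returns the clusters as sorted lists of sample names."""
    genes = {name: sample_genes(funcs) for name, funcs in samples.items()}
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if shared_code(genes[a], genes[b])[1] >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    genes = {n: sample_genes(f) for n, f in SAMPLES.items()}
    for a, b in combinations(SAMPLES, 2):
        n, score = shared_code(genes[a], genes[b])
        print(f"{a:>10} <-> {b:<10} shared={n} overlap={score:.2f}")
    print("clusters:", cluster(SAMPLES))
```

The two filters are where real-world work is won or lost: without the library exclusion, every sample "shares" the CRT routine with every other, and with operands retained, a rebuilt or relocated binary stops matching itself. Mnemonic-only hashing is deliberately crude; production tooling uses more robust function representations, but the filtering and clustering logic is the same.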


Presenters:

  • Itai Tevet - Intezer Labs
    Itai Tevet combines in-depth technical expertise with leadership experience in mitigating state-level cyber threats. He previously served as head of IDF CERT, the Israel Defense Forces' cyber incident response team, where he led an elite group of cybersecurity professionals in digital forensics, malware analysis, incident response and reverse engineering. @itaitevet
  • Jay Rosenberg - Intezer Labs
    Jay Rosenberg, senior security researcher at Intezer Labs, leads the research behind Intezer's code reuse detection technology. He has been programming and reverse engineering since the age of 12. He has spoken at conferences around the world, identified new threats, and published threat intelligence research on some of the largest cyber attacks. @JayTezer
