The wolf in sheep's clothing - undressed

Presented at VB2018, Oct. 4, 2018, 9:30 a.m. (30 minutes)

Despite the breach of both Hacking Team and FinFisher, the government malware industry remains a shady market. Due to the amount of secrecy involved, it becomes increasingly more complicated to follow the technologies utilized by these companies and their modus operandi. The lack of transparency can be beneficial when one works with government-related operations. However, it can also be of benefit to any profit-driven actor, who will notice the potential for easy income in such conditions of the market. During our daily monitoring, we have managed to find a fake 'Google Chrome Update' landing page, which we believe is used by a company in its spyware campaigns. The page was designed for infection of *Windows*, *iOS* and *Android* devices. Soon, we were surprised to find a publicly open control panel server. This open C&C has given us the opportunity to collect a variety of precious data: details about the malware, photos and audio recordings from the testing phones, victims' data, and a storage of database backups of the control server. After analysis of the findings, we have figured out that this company appears to be reselling commercial spyware as government espionage spyware. Despite the surprisingly poor quality of the products, we have seen the company do business with serious companies of the legal malware market and even with a government-related institution. While oblivious to the state of its operational security, the company relies simply on making a good impression on potential customers. We propose to present to you some of the work and the achievements of a peculiar German company that 'develops advanced big data systems, cybersecurity & AI, and data extraction solutions for the government and homeland security sectors'.

Presenters:

• Aleksejs Kuprins - CSIS
  Aleksejs Kuprins Aleksejs Kuprins is a computer security researcher, living in Denmark and employed by CSIS. He initially started out as a software developer in Latvia and moved to Denmark for education, now specializing in Android malware reversing and threat analysis. Aleksejs dedicates his free time to the quadcopter building hobby, sports and malware hunting.
• Benoît Ancel - CSIS
  Benoît Ancel Benoît Ancel is a malware analyst who has worked for six years in France and now with CSIS in Denmark. His research interests include malware hunting, reversing and botnet tracking. He spends his free time monitoring honeypots and providing IOCs. @benkow_

Links:

• https://www.virusbulletin.com/conference/vb2018/abstracts/wolf-sheeps-clothing-undressed
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf

Similar Presentations:

• Black Hat USA 2019 / The Discovery of a Government Malware and an Unexpected Spy Scandal
• 31C3 (2014) / The Invisible Committee Returns with "Fuck Off Google": Cybernetics, Anti-Terrorism, and the ongoing case against the Tarnac 10
• DEF CON 21 (2013) / The Growing Irrelevance of US Government Cybersecurity Intelligence Information