Global Speaking Events
I am an experienced conference speaker, delivering complex technical content in an easy-to-comprehend way. I love to tell a compelling story about the research I've done. Check out where I've been and where to find me next!
Upcoming Conferences
Unmasking 'Evil Twin' Apps: The Next Frontier in Mobile Ad Fraud
DMEXCO - Cologne, Germany - September 18-19, 2024
Cybercriminals are advancing, posing new threats to digital marketing through sophisticated fraud operations. HUMAN Security, Inc. has uncovered the Konfety campaign, a mobile ad fraud operation that uses a novel 'evil twin' method. Over 250 Google Play apps have malicious counterparts that drive up to 10 billion fraudulent bid requests daily by mimicking legitimate traffic. This session will delve into how Konfety exploits an ad SDK to evade detection and generate massive fraudulent ad traffic. We'll explore the implications for digital marketers and ad tech platforms, highlighting HUMAN’s strategies for detecting and mitigating such threats. Attendees will gain key insights...
Past Conferences
Guerilla Reversing: SMALI steps towards Android reversing
REcon - Montreal, Canada - June 28-30, 2024
As consumers move to using their phones as their primary device, the financial opportunity for threat actors to deploy mobile malware becomes more appealing. People store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high-level threat landscape, down to the nitty-gritty of the implementation of mobile malware TTPs, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This workshop will take people from zero to hero in order to give them a more thorough understanding of the Android malware landscape through...
An Uninvited House Guest: How PROXYLIB Overstayed its Welcome on Android Devices
Insomni'hack - Lausanne, Switzerland - April 25, 2024
Cybercriminal threat actors sell access to residential proxy networks to other threat actors who are looking to hide malicious behavior behind residential IPs, including credential stuffing attacks, password spraying or large-scale ad fraud. In May 2023, we identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB after the common library in each of the apps. Researchers at IAS identified this malicious behavior in a single free VPN application — Oko VPN — on Google’s Play Store, and projected that the operators earned $2...
One SMALI Step for Man, One Giant Leap for Researchers
FIRST TC - Amsterdam, Netherlands - March 5, 2024
With more and more people using their phones as their primary device, mobile malware's prevalence skyrocketed. People nowadays store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high-level threat landscape down to the nitty-gritty of every specific actor, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This is what this workshop wants to deliver: taking people from zero to hero in order to give them a more thorough understanding of the Android malware landscape.
Started from the Bottom, Now We’re Here: The Evolution of ESXi Ransomware
SEC-T - Stockholm, Sweden - September 13, 2023
Ransomware targeting Linux/ESXi has existed since 2015, but since then has gained popularity and become more sophisticated; what was once a niche tool was later adopted by groups focused on “Big Game Hunting” and later became a key piece of ransomware threat actors’ toolkits. Ransomware targeting ESXi has become substantially more popular, and is now used by high-profile groups such as ALPHV, BlackBasta, Royal and LockBit. The shift towards ESXi stems from the virtualization of entire organizations’ infrastructure, with minimal defensive capabilities available. As a result, this provides more incentive for a threat actor looking to extort the organization into...
Till There Was Unix: Defending ESXi Against Ransomware Attacks
FIRST Conference - Montreal, Canada - June 9, 2023
Over the past 18 months, ransomware targeting ESXi has become substantially more popular, with several high-profile groups such as ALPHV, BlackBasta, Hive, and LockBit developing their own lockers. The shift towards ESXi stems from the virtualization of entire organizations' infrastructure, with minimal defensive capabilities available. As a result, this provides more incentive for a threat actor looking to extort the organization into paying the ransom. Our talk will provide a technical discussion and overview of the specific TTPs ransomware operators employ to target ESXi systems prior to dropping ransomware. We will also discuss techniques we can use to detect and defend...
Maturing Threat Hunting Capabilities Leveraging Threat Intelligence
HammerCon - Laurel, Maryland - May 18, 2023
Abstract coming soon!
Harder, Better, Faster, Locker: Ransomware Groups Flex On Defenders
FIRST Technical Colloquium - Amsterdam, Netherlands - April 18, 2023
Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also...
Turn and Face the Strange: Ch-Ch-Changes In Ransomware Techniques
Insomni'hack - Lausanne, Switzerland - March 23, 2023
Everyone makes mistakes - including threat actors who deploy ransomware. Sometimes, “technical innovation” on the locker goes sideways and makes it easier to track or reverse engineer, or a false flag operation doesn’t quite pin enough blame on the intended party. We will highlight some interesting examples of ransomware techniques, such as PLAY’s usage of ROP, LockBit’s acquisition of BlackMatter code, ALPHV’s Morph obfuscation tool, and the myriad of threat actors who use custom-designed crypto or hard-coded, cryptographically insecure keys, and the opportunities they presented for us as defenders to signature and detect their malicious behavior. We will present technical...
Turn and Face the Strange: Ch-Ch-Changes in Ransomware Techniques
Disobey - Helsinki, Finland - February 18, 2023
Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also...
Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew
GreHack - Grenoble, France - November 18, 2022
Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...
Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew
GRRcon - Michigan, United States - October 13, 2022
Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...
Pop, Log, And Drop It: Credential Access to Ransomware
Recorded Future Predict - Virginia, United States - October 5, 2022
Ransomware remains a looming threat to organizations in nearly every industry, and we see the specific groups themselves frequently evolve their tools, disband, rebrand and reemerge. Outside of all this change, what remains consistent is the need for ransomware threat actors to gain initial access to organizations in order to conduct these attacks, and largely, the key methods in which they do so. Infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces are key sources of initial access for these actors. Other attack vectors,...
It’s Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK
FIRST Conference - Dublin, Ireland - June 28, 2022
Many organizations ask: 'Where do I start, and where do I go next?' when prioritizing behavior-based detections. We often hear 'use threat intelligence!', but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then...
Malware Wars: DarkSide Strikes Back as BlackMatter
REcon - Montreal, Canada - June 4, 2022
Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...
Malware Wars: DarkSide Strikes Back as BlackMatter
BSides Charm City - Maryland, United States - April 28, 2022
Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...
Malware Wars: DarkSide Strikes Back as BlackMatter
FIRST Technical Colloquium - Amsterdam, Netherlands - April 13, 2022
Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...
It’s Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK
ATT&CKCON 3.0 - Virginia, United States - March 29, 2022
Many organizations ask: 'Where do I start, and where do I go next?' when prioritizing behavior-based detections. We often hear 'use threat intelligence!', but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then...
Detecting Cobalt Strike Across the Enterprise
Recorded Future Predict - Virtual - October 13, 2021
Cobalt Strike is a commercial post-exploitation tool designed to aid penetration testers and red team operators in conducting authorized intrusions. Despite its original goal, since its release in 2012, Cobalt Strike has gained widespread popularity among state-sponsored threat actors and financially motivated threat actors. Using adversarial emulation to recreate scenarios of the tool’s use, Insikt Group analyzed Cobalt Strike to identify detection opportunities from the earliest stages of its use across the enterprise. Come hear from the team behind the research in a panel discussion on taking a multifaceted approach to combat the use of Cobalt Strike by threat actors...
Egregor Awakens: Taking a Tour Of A Threat Actor’s New Digs
BSides Dublin 2021 - Virtual
Egregor ransomware made its debut in September 2020 and has since been used against several organizations across many industries while also employing anti-analysis techniques that complicate reverse engineering and in some cases, make it impossible. With connections to the threat actors behind Maze and Qakbot at the infrastructure, technical and contextual levels, Egregor presents a fascinating case study of how a ransomware threat actor morphs their operations. This talk will cover what we know about the threat actors behind Egregor, including a technical deep dive on the ransomware and discussion of TTP overlaps with other related ransomware threat actors. We...
Egregor Awakens: Taking a Tour Of A Threat Actor’s New Digs
BSides Tampa 2021 - Virtual
Egregor ransomware made its debut in September 2020 and has since been used against several organizations across many industries while also employing anti-analysis techniques that complicate reverse engineering and in some cases, make it impossible. With connections to the threat actors behind Maze and Qakbot at the infrastructure, technical and contextual levels, Egregor presents a fascinating case study of how a ransomware threat actor morphs their operations. This talk will cover what we know about the threat actors behind Egregor, including a technical deep dive on the ransomware and discussion of TTP overlaps with other related ransomware threat actors. We...
Dump Me If You Can: Malware Hide and Seek with Obfuscation
BSides Kobenhavn - Virtual - September 18, 2020
When a new piece of malware is discovered, some of the first questions an incident responder asks are: What does it do? What command and control infrastructure is involved? What is the impact on my organization? How can I detect it using commonly used tools? With the rise in the use of code obfuscation by malware authors, answering these questions becomes significantly more complicated: taking apart sophisticated malware that employs obfuscation is often more time- and resource-intensive and can require a more skilled analyst. In this talk, we will provide current, real-world examples of malware employing obfuscation techniques and...