Hackfest 2020

Peek-a-Boo: A Game with Threat Actors&Researchers
2020-11-20, 11:25–12:15, Hackfest - Sponsor room (and workshops)
Language: English

Threat actors have always played the game of emotions. Fear is the emotion they are using right now to lure users into clicking on an email or to manipulate them into installing an application. In the last four months, cyber criminals have used fear as their main weapon to compromise users, delivering malware with pandemic-related themes. The dropped malware is deadlier and stealthier and is hybrid in nature. Advanced investigation techniques are needed: memory forensics for the threats raiding energy/power sectors, and entropy-based detection for new-age trojan exfiltration. The talk discusses how we use traditional methods to identify these threats, how we cracked the stealthy nature of some Emotet epochs, and how we added a pinch of new-age forensics tricks to make some big reveals.

Here is how the talk will progress:

  1. Pandemic Threat Landscape

  2. New stealthy methods: hiding macros inside hidden Excel sheets and inside form elements in VBA

  3. How popular tools failed to detect these threats?

  4. Azerbaijan targets and energy sectors hit: upgraded RAT trojans

  5. Agent Tesla evasion and how it has defeated sandboxes.

  6. Rise of false positives from Sodinokibi ransomware spraying legitimate domains in its config files.

  7. Using entropy to detect image-based exfiltration by malware.

  8. How to convict the domains and IPs extracted from malware config files and C2 communication using Cisco Umbrella, and crack the malware infrastructure.


Are you releasing a tool? – no

Shyam Sundar Ramaswami is a Lead Threat Researcher with Cisco Umbrella. Shyam is a two-time TEDx speaker, GREM-certified malware analyst, Cisco Security Ninja black belt and a teacher of cyber security. Shyam has delivered talks at several conferences such as Black Hat (Las Vegas), Qubit Forensics (Serbia), Nullcon 2020 (Goa) and Cisco Live (Barcelona), and at several universities and IEEE forums in India. Shyam has also taught the “Advanced malware attacks and defenses” class in Stanford University’s cyber security program and runs a mentoring program called “Being Robin”, where he mentors students all over the globe on cyber security. Shyam’s interviews have been published on leading websites such as ZDNet and CISO MAG.