Breaking the Ransomware Tool Set – When a Threat Actor Opsec Failure Became a Threat Intel Goldmine
2023-10-15 , WestIn - Munich

During a recent incident response engagement, I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. When analyzing the malware to unpack it, a suspicious string was found in memory: an IP address together with a list.txt. The list contained not only a complete inventory of what the threat actor had, but also a link to the full repository of all their tools, almost 5 GB / over 100 files and scripts of content covering every part of an intrusion, from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research on all the aspects of this tooling.


This presentation goes through many of the tools that have been reverse engineered and provides advice on how to detect and mitigate the effects of this threat actor. Further, it reveals techniques used to turn off anti-virus and clear out logs, including keys used for locking down computers, and much more.

To conclude, I will investigate the threat intelligence part of the intrusion, showing how threat actors copy and stockpile techniques from each other, and finish off by showing how malware analysis in combination with threat intelligence made it possible to find an undetected spare backdoor that had been deployed in the environment.

In this talk I will also share several indicators of compromise as well as tools, tactics, and procedures from an active and aggressive ransomware operator that can serve as inspiration for how malware analysis and threat intelligence can be operationalized to stop an intrusion.


Keywords:

Malware Analysis, Threat Intelligence, Incident Response

See also: Slides

Nicklas is a Threat Research Analyst, a role that involves a great deal of reverse engineering and looking into all things malware. Nicklas is also a subject matter expert in industrial control systems and anything related to their security. He started his career programming PLCs, SCADA systems, and almost anything else possible within the industry. Before joining Truesec, Nicklas worked at the Swedish National CERT in the Swedish Civil Contingencies Agency.