Decrypting IIS Backdoor Traffic
2025-10-23, Europe

This talk presents a method to decrypt the HTTP(S) C2 channel of an IIS backdoor developed by an APT group reportedly linked to the People's Republic of China.

Encrypted C2 traffic can hide attacker activity in plain sight. This talk shows a practical method to decrypt the HTTPS communication of an IIS backdoor, revealing how the malware operates and how defenders can analyze it.

Didier Stevens (SANS ISC Senior Handler) is a Senior Analyst working at NVISO. Didier has developed and published more than 100 open-source tools, mostly for malware analysis, several of which are popular in the security community. You can find his open-source security tools on his IT-security blog: https://blog.DidierStevens.com