Tag: conference paper
-
VB2019 paper: Finding drive-by rookies using an automated active observation platform
Exploit kits made a bit of a comeback in 2019, something we have also seen in our test lab. Detecting these kits isn’t trivial though, given the various anti-analysis measures built into them, from geo-restricting to specific countries or regions, to the detection of client-side sandboxes. In a last-minute paper presented at VB2019 in…
-
VB2019 paper: Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation state adversary
PKPLUG is the name used by Palo Alto Networks’ Unit 42 team for a China-based threat actor engaged in cyber espionage. The actor uses both off-the-shelf and custom-made malware and some of its infrastructure overlaps with other threat groups. The group’s activities were detailed in a VB2019 paper by Unit 42’s Alex Hinchliffe,…
-
VB2019 paper: Static analysis methods for detection of Microsoft Office exploits
Though the typical malware attack in 2020 arrives by email and is executed via the enabling of Office macros, some attacks exploit (patched) vulnerabilities in Office that allow for the execution of malicious code when someone merely opens the file. In a paper presented at VB2019 in London, McAfee researcher Chintan Shah presented methods for…
-
VB2019 presentation: Attor: spy platform with curious GSM fingerprinting
Attor is a newly discovered cyber-espionage platform, use of which dates back to at least 2014 and which focuses on diplomatic missions and governmental institutions. The modular malware searches specifically for TrueCrypt-protected hard drives and the processes of specific VPN applications, suggesting a special interest in security-focused users. The most notable plug-in is one…
-
VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games
With more than 2.5 billion gamers around the world, the video gaming industry has overtaken all other entertainment categories in size and revenue. But in tandem with the boom in video gaming has arisen a growing illegal economy: that of video game cheats and hacks. Gaming communities are riddled with messages complaining about the increasing…
-
VB2019 paper: Rich headers: leveraging the mysterious artifact of the PE format
When analysing malware, especially if it’s new and rare, researchers look for every possible clue that could give them details on the context and perhaps help them find similar samples. One such clue could be what has been called ‘rich headers’, an undocumented chunk of data inside PE files. In a paper presented at VB2019…
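To make the artifact concrete, the following is an added Python example written for this listing; it is not code from the VB2019 paper or from the page. It builds a synthetic PE prefix (a DOS header and stub followed by a Rich header with made-up tool entries), decodes the header by locating the `Rich` marker and XOR-decoding backwards to the `DanS` marker, and then recomputes the XOR key using the checksum algorithm that reverse-engineering writeups have documented for the Rich header (a sum of rotated DOS-header bytes, skipping `e_lfanew`, plus rotated entry identifiers). The sample bytes, entry values and helper names (`parse_rich_header`, `verify_rich_header`, `describe`) are all constructed here for illustration.

```python
import struct

DANS = 0x536E6144          # "DanS" as a little-endian DWORD
RICH = b"Rich"

def _rol32(v, n):
    """32-bit rotate left."""
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(dos_part, entries):
    """Rich header XOR key, as documented by the community: start with the
    offset of DanS, add rol(byte, offset) for each byte before DanS except
    e_lfanew (0x3C..0x3F), then add rol(comp_id, count) for each entry."""
    cs = len(dos_part)
    for i, b in enumerate(dos_part):
        if 0x3C <= i < 0x40:
            continue
        cs = (cs + _rol32(b, i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cs = (cs + _rol32(comp_id, count)) & 0xFFFFFFFF
    return cs

def build_rich_header(dos_part, entries):
    """Assemble DanS, three zero padding DWORDs and the entries, XOR each
    DWORD with the key, then append the clear-text 'Rich' marker and key."""
    key = rich_checksum(dos_part, entries)
    words = [DANS, 0, 0, 0]
    for comp_id, count in entries:
        words += [comp_id, count]
    blob = b"".join(struct.pack("<I", w ^ key) for w in words)
    return blob + RICH + struct.pack("<I", key)

def parse_rich_header(data):
    """Return (key, [(comp_id, count), ...], dans_offset), or None."""
    end = data.find(RICH)
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    # Walk backwards one DWORD at a time, decoding until DanS appears.
    pos = end - 4
    words = []
    while pos >= 0:
        w = struct.unpack_from("<I", data, pos)[0] ^ key
        if w == DANS:
            break
        words.append(w)
        pos -= 4
    else:
        return None                      # no DanS: not a Rich header
    words.reverse()
    body = words[3:]                     # drop the three padding DWORDs
    if len(body) % 2:
        return None
    entries = [(body[i], body[i + 1]) for i in range(0, len(body), 2)]
    return key, entries, pos

def verify_rich_header(data):
    """True when the stored key matches the recomputed checksum. A mismatch
    means the DOS stub or the entries were edited, or the header was
    transplanted from another binary, which is itself a useful signal."""
    parsed = parse_rich_header(data)
    if parsed is None:
        return False
    key, entries, dans_off = parsed
    return rich_checksum(data[:dans_off], entries) == key

def describe(entries):
    """Split each comp_id into the product id (high word) and build (low word)."""
    return [{"prod_id": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in entries]

# Constructed sample, not a real binary: an MZ header with e_lfanew set,
# a short stub string, then a Rich header with three synthetic entries.
_dos = bytearray(0x80)
_dos[:2] = b"MZ"
struct.pack_into("<I", _dos, 0x3C, 0x100)       # e_lfanew (excluded from checksum)
_dos[0x40:0x49] = b"This prog"
DOS_PART = bytes(_dos)
SAMPLE_ENTRIES = [((0x0104 << 16) | 0x6166, 9),
                  ((0x0101 << 16) | 0x5E92, 3),
                  ((0x0109 << 16) | 0x6166, 1)]
SAMPLE = DOS_PART + build_rich_header(DOS_PART, SAMPLE_ENTRIES)
TAMPERED = SAMPLE[:0x41] + b"X" + SAMPLE[0x42:]   # one stub byte changed

if __name__ == "__main__":
    key, entries, off = parse_rich_header(SAMPLE)
    print(f"key=0x{key:08x} DanS at 0x{off:x}", describe(entries))
    print("intact:", verify_rich_header(SAMPLE), "tampered:", verify_rich_header(TAMPERED))
```

On a real file the same walk applies, with `dans_off` normally landing at 0x80 right after the standard DOS stub; product ids and builds then map to compiler and linker versions via tables maintained by the community, and a key that fails verification is worth flagging before the entries are used for clustering.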
-
VB2019 paper: Medical IoT for diabetes and cybercrime
It is estimated that between 8% and 9% of the population worldwide suffers from some form of diabetes. People with type 1 diabetes typically have to measure their blood glucose levels several times a day and adjust their treatment according to the results. Traditionally, this has been done by means of the person pricking their…
-
VB2019 paper: Spoofing in the reeds with Rietspoof
The Rietspoof malware was first discovered by Avast researchers in August 2018 and publicly disclosed in a blog post in February 2019. The multi-stage malware utilises different file types throughout its infection chain including in one stage a CAB file. Full details of the malware, including later discoveries, were revealed in a VB2019 paper by…
-
VB2019 paper: King of the hill: nation-state counterintelligence for victim deconfliction
Past Virus Bulletin conference papers (co-)written by Juan Andrés Guerrero-Saade, such as those on fourth-party collection or false flags, have become legendary and continue to be cited across the industry. At VB2019 in London, ‘JAGS’ was back. Now Research Tsar at Chronicle, he looked at an interesting use case for threat intelligence: nation-state…
-
VB2019 presentation: Targeted attacks through ISPs
In 2019 we saw an increase in the number of targeted malware infections spread via ISPs and service providers. Some notable cases included the installation of digital certificates in the target’s browser, which would help the attackers to distinguish and decrypt traffic, and the spread of malware via HTTP 307 redirects by the StrongPity group.…