Botconf 2018 – Day 1 Wrap Up
During the whole day researchers presented their research and, although I barely know reverse engineering compared to them, I noticed a couple of recurring themes.
If you follow the news you will have noticed that the ransomware craze is over and the new thing to do is cryptocoin mining on your victim's machine.
I must say I have never really looked into the whole cryptominer issue, but there was one talk today that gave a good foundation on how it works. Combining that knowledge with another talk about an incident response scenario, where the threat actor made a mistake that blew up his own mining operation, really gave me a better insight into why it is so successful. It basically comes down to:
- you need some vulnerable server and exploit it
- install your kit and kick out any other cryptominers already running on it
It reminded me of similar behavior I saw in a couple of other malware campaigns in the past.
Whereas most of the talks on malware are usually about a specific sample or malware family, one talk was different in the sense that it approached the subject through the 'career' of a specific botnet herder and programmer.
It was interesting because you see the evolution and basically a mental game of Go between the researchers (who helped with the takedown of the botnets) and the botnet herder. In the end it took the botnet herder 20 minutes to redeploy after a takedown. A disaster recovery capability most organizations would like to have, I guess. We could speak of malicious devops, or maldevops.
Bad Operational Security
Another recurring theme I noticed today is that a certain number of threat actors have bad operational security. It is possible that they have the idea they are untouchable, or they basically have no idea how to protect themselves. This is reflected in behavior as well as in code, and in the end a researcher seemed to have picked up on it. On the other hand, I am aware of the survivor bias: you will not come and speak on stage if your research was a failure.