Report for the Botconf 2022 conference
Date : May 07, 2022
Botconf is a conference created in 2013 to fight botnets, but it also covers every topic related to the fight against malware and cyber-attacks (from cyber-criminals as well as from nation states). It takes place in France (in a different city each year), but it is an English-speaking conference that brings together all the major companies in the field. This year's speakers were from (in order of appearance): ProDaft, Group-IB, ESET (3 times), Trend Micro, Flashpoint, NTT (Japan), BlueLiv, Avast, Alibaba Cloud, Imperva, CheckPoint Research, Kaspersky, CrowdStrike, Human, Akamai, Intel471 and ThreatRay.
300 people were present in Nantes from 27 to 29 April. The agenda, presentation materials and video recordings of the sessions are available on the conference website.
Global overview
Many presentations this year were dedicated to the study of "Loader" malware, and the following loaders were covered in detail: Qbot, PrivateLoader, SmokeLoader, SilentNight (Zloader) and Cyax-sharp. Loaders are malware that infect thousands of computers (forming a botnet of infected systems) and then sell other criminals the service of installing malware on those computers. The other pieces of malware presented during a talk were: Formbook (an InfoStealer), Sysrc (a miner), Winnti (a RAT) and the RTM botnet.
Note: the name "Loader" is also used for the stage of an infection in which the malware's payload is installed, but that is not the meaning used here.
InfoStealers were often mentioned during the presentations: these are pieces of malware specialised in data theft (typically login and password theft). The most mentioned InfoStealers were: Vidar, Raccoon, AZORult, Taurus, Redline and Formbook.
Other presentations were devoted to attacker groups: TA410 (and its subgroups JollyFrog, FlowingFrog and LookingFrog), Gambling Puppet and Sandyblacktail, as well as a review of all the groups that have used the ProxyShell attack against Exchange (see ESET's presentation titled "ProxyChaos").
In the rest of this review, we describe 3 other presentations that we found particularly interesting.
Fingerprinting Bot Shops: Venues, Stealers, Sellers (Flashpoint)
In 2018, a new type of marketplace for cyber-criminals emerged on the Internet: the Bot Shops (also called Log Shops). Rather than simply selling stolen credentials (login and password pairs), a Bot Shop sells the complete set of "Logs" stolen from a computer: the credentials and the cookies, but also the technical characteristics of the machine (screen resolution, CPU, RAM). This set of information allows the buyer to mimic the victim's computer, to bypass some anti-fraud protections (bot detection tools) and, in some cases, even to bypass MFA authentication (CERT-FR has just published the note CERTFR-2022-CTI-005 on this subject).
Bot Shops have been particularly active since 2021. The best known are Genesis, Russian Market, 2Easy and Amigos; second-tier players include DarkLog, TopCCWorld, MouseInBox and RossLog.
Note: This article from BankInfoSecurity.com further explains the principle of Bot Shops.
Detecting Emerging Malware On Cloud Before VirusTotal Can See It (Alibaba Cloud)
This presentation starts from the observation that multiple variants of the same malware exist and that, very often, a service like VirusTotal does not know about these variants even when it has already analysed samples of the malware. To fill this gap, Alibaba Cloud has built a database of fuzzy hashes for the binaries they encounter. Unlike a cryptographic hash, a fuzzy hash (e.g. "ssdeep") is constructed so that two similar binaries have close fuzzy hashes. If some binaries in the database are known by VirusTotal to be malicious, then binaries with a close fuzzy hash are probably malicious too.
The database built by Alibaba Cloud contains around 100 million fuzzy hashes and increases the detection rate beyond what a solution like VirusTotal alone provides.
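To make the similarity-lookup idea concrete, here is an added, self-contained example (not code from the Alibaba Cloud presentation or from the ssdeep project): a simplified context-triggered piecewise hash in the spirit of ssdeep, an edit-distance similarity score, and a lookup that returns the closest known sample above a threshold. The sample "binaries", the database contents, the verdict flag and the 0.6 threshold are all constructed assumptions for the demonstration; a real ssdeep signature and its comparison function differ in detail.

```python
import hashlib
import random
from typing import Dict, Optional, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _piece_char(piece: bytearray) -> str:
    """Reduce one piece of the input to a single base64 character."""
    digest = hashlib.blake2b(bytes(piece), digest_size=1).digest()[0]
    return ALPHABET[digest % 64]


def fuzzy_hash(data: bytes, block_size: int = 16, window: int = 7) -> str:
    """Simplified context-triggered piecewise hash (ssdeep-style, constructed here).

    A checksum over the last `window` bytes decides where a piece ends (when it
    hits a fixed residue modulo block_size), so piece boundaries depend only on
    local content and re-synchronise after an insertion or deletion. Each piece
    becomes one character, so a patched variant keeps most of the original's
    signature instead of getting an entirely different hash.
    """
    signature = []
    piece = bytearray()
    for i, byte in enumerate(data):
        piece.append(byte)
        rolling = sum(data[max(0, i - window + 1):i + 1])
        if rolling % block_size == block_size - 1:
            signature.append(_piece_char(piece))
            piece.clear()
    if piece:
        signature.append(_piece_char(piece))
    return "".join(signature)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each inserted, dropped or changed piece costs 1."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def similarity(sig_a: str, sig_b: str) -> float:
    """1.0 for identical signatures, close to 0.0 for unrelated ones."""
    longest = max(len(sig_a), len(sig_b), 1)
    return 1.0 - levenshtein(sig_a, sig_b) / longest


def best_match(database: Dict[str, Tuple[str, bool]], sig: str,
               threshold: float = 0.6) -> Optional[Tuple[str, bool, float]]:
    """Closest database entry (name, is_malicious, score) at or above threshold.

    The database maps a sample name to (fuzzy hash, verdict); in the scheme the
    talk describes, the verdict comes from a scanner such as VirusTotal for the
    samples it already knows, and the score transfers it to unknown variants.
    """
    best = None
    for name, (known_sig, malicious) in database.items():
        score = similarity(sig, known_sig)
        if score >= threshold and (best is None or score > best[2]):
            best = (name, malicious, score)
    return best


def constructed_samples() -> Tuple[bytes, bytes, bytes]:
    """Constructed stand-ins for binaries: an original, a patched variant of it
    (40 bytes rewritten, 30 bytes inserted) and an unrelated file."""
    rng = random.Random(2022)
    original = bytes(rng.getrandbits(8) for _ in range(2000))
    patch = bytes(rng.getrandbits(8) for _ in range(40))
    extra = bytes(rng.getrandbits(8) for _ in range(30))
    variant = original[:800] + patch + original[840:1500] + extra + original[1500:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(2000))
    return original, variant, unrelated


def demo() -> dict:
    """Only the original is 'known malicious'; the variant is matched to it,
    the unrelated file is not."""
    original, variant, unrelated = constructed_samples()
    database = {"known_malware": (fuzzy_hash(original), True)}
    return {
        "variant": best_match(database, fuzzy_hash(variant)),
        "unrelated": best_match(database, fuzzy_hash(unrelated)),
    }


if __name__ == "__main__":
    print(demo())
```

The important property is in fuzzy_hash: because piece boundaries are chosen by local content rather than fixed offsets, an insertion only disturbs the pieces around it, which is what lets a single database entry cover a whole family of repacked or patched variants. The threshold is the operational knob: too low and benign files sharing a packer or runtime stub get flagged, too high and variants are missed.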
Jumping The Air-Gap: 15 Years Of Nation-State Efforts (ESET)
ESET presented a historical survey of malware designed to exfiltrate data from an isolated system (one not connected to the corporate network). It identified 17 such pieces of malware, the oldest of which (named USB-Stealer) dates back to 2005. Despite all the air-gap exfiltration methods already documented in research, the only one actually found in real attacks is exfiltration via USB keys.
There are two problems to solve to implement such a USB attack:
- How to infect the internal system with a USB key? This aspect is quite classical and relies, for example, on the use of a vulnerability (cf. CVE-2010-2568 for Stuxnet) or on replacing the genuine documents on the key with booby-trapped ones.
- How to hide the data to be exfiltrated on the USB key (without the user seeing them) so that they reach the external system? One technique that has been observed is to create anomalies in the file system of the USB key to make certain files or directories invisible.
During the question and answer session for this presentation, one of the attendees proposed a system to detect data exfiltration attempts via USB keys. The principle is to analyse the USB key on a control station (running Linux), both before and after it has been plugged into the air-gapped system, in order to detect and report hidden files to the operator.
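The before/after comparison suggested by that attendee can be sketched in a few dozen lines. The following is an added example written for this report, not a tool shown at the conference: it snapshots the directory tree of the mounted key (dot-files and empty directories included, with a SHA-256 of every file), diffs the snapshot taken before the key leaves the control station against the one taken when it returns, and flags added or modified entries, with a separate list of entries whose names look hidden. The scenario in demo() (file names, contents, the ".Trash-1000" directory and the control character in a file name) is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, str]  # (kind, size in bytes, sha256 of content or "")


def _sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, Entry]:
    """Record every entry under the mount point, dot-files and empty directories
    included, as a relative POSIX path -> (kind, size, sha256)."""
    entries: Dict[str, Entry] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir != ".":
            entries[rel_dir] = ("dir", 0, "")
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = name if rel_dir == "." else rel_dir + "/" + name
            entries[rel] = ("file", os.path.getsize(full), _sha256_file(full))
    return entries


def looks_hidden(path: str) -> bool:
    """Names a user would not normally notice in a file manager: dot-prefixed
    components or components containing non-printable characters."""
    return any(part.startswith(".") or not part.isprintable()
               for part in path.split("/"))


def diff_snapshots(before: Dict[str, Entry],
                   after: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Compare the key as it left the control station with the key as it came
    back; anything added or modified is a candidate exfiltration to report."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    hidden = sorted(p for p in added + modified if looks_hidden(p))
    return {"added": added, "removed": removed, "modified": modified, "hidden": hidden}


def needs_review(report: Dict[str, List[str]]) -> bool:
    """The operator must look at the key before it leaves the controlled area."""
    return bool(report["added"] or report["modified"])


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a key carrying two documents goes to the air-gapped
    station and comes back with one document altered and a hidden file added."""
    with tempfile.TemporaryDirectory() as key:
        os.makedirs(os.path.join(key, "docs"))
        with open(os.path.join(key, "docs", "report.docx"), "wb") as f:
            f.write(b"original report")
        with open(os.path.join(key, "readme.txt"), "wb") as f:
            f.write(b"hello")
        before = snapshot(key)                      # taken before the key leaves

        # Constructed changes made on the air-gapped side.
        with open(os.path.join(key, "docs", "report.docx"), "wb") as f:
            f.write(b"original report plus staged data")
        os.makedirs(os.path.join(key, ".Trash-1000"))
        with open(os.path.join(key, ".Trash-1000", "\x01data.bin"), "wb") as f:
            f.write(b"staged data")
        after = snapshot(key)                       # taken when the key returns
    return diff_snapshots(before, after)


if __name__ == "__main__":
    report = demo()
    print(report)
    print("review needed:", needs_review(report))
```

Two caveats follow from the talk itself. First, the diff only sees what the kernel's file-system driver exposes: the file-system anomalies mentioned in the presentation are precisely designed to hide entries from a normal directory listing, so a production control station should additionally compare the raw image of the key (or at least its allocated-block count against the sum of visible file sizes) before and after the trip. Second, a key that comes back byte-identical except for a modified document is still a finding, which is why modified entries, and not only added ones, trigger a review.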
Conclusion
This Botconf 2022 conference was one of the first face-to-face security conferences after 2 years of COVID, and participants were plentiful. Attendance was similar to that of the Bordeaux conference in late 2019, and everyone was obviously happy to be back for this 2022 edition. Two presentations had nevertheless been pre-recorded, since the speakers were unable to travel due to pandemic restrictions. The next edition of Botconf has been announced: it will take place in Strasbourg in April 2023.
For more information
Here are the other reports that have been published about the Botconf 2022