Virus Bulletin Conference 2022 — Day 1

For each talk/paper I attended, I try to highlight the main takeaways and my personal comments. So, this is not a summary of the paper, but rather what I personally found interesting in it.

At the end of the conference, I will nominate the best paper. For glory only, as it’s only my opinion.

UNCOVERING A BROAD CRIMINAL ECOSYSTEM POWERED BY ONE OF THE LARGEST BOTNETS, GLUPTEBA by Luca Nagy

  • The IP addresses of backup C2s are recorded in a blockchain.
  • Perfect example of an apparently merely borderline business which actually originates from clearly malicious activities: the malicious actors sell proxying services, advertisement and access to Google Ad accounts (borderline activity). The issue is that the proxies are infected machines enrolled against their owners’ will, the Google Ad accounts are stolen from victims, etc.
  • Google identified the actors: Voltron. The attribution looks clear. I would have thought they would be quickly arrested. No: so far, Google has only managed to disrupt their service and file lawsuits. Not surprising that I find it difficult to stop Android/BianLian authors then.

PRILEX: THE PRICEY PRICKLE CREDIT CARD COMPLEX by Fabio Assolini and Fabio Marenghi

  • Prilex is not massively distributed but targeted, and is delivered by social engineering, typically by a fake technician installing the malware. It’s a bit surprising the gang isn’t caught.
  • According to this research, the malware was, at least initially, built from privileged information on ATM networks. I’d guess an ex-employee or an unhappy employee of the companies writing the software. Again, it’s surprising this doesn’t help to catch the author.

THE THREAT IS STRONGER THAN THE EXECUTION: REALITIES OF HACKTIVISM IN THE 2020S by Blake Djavaherian

  • According to this research, hacktivists are mostly disorganized, not highly skilled and often unable to carry out their threats.
  • My personal instinct was that this was wrong, at least for the skill and execution part.
  • I listened to the talk and wasn’t convinced, so I read the paper. It’s a very interesting paper to read, but IMHO it offers plenty of evidence of the opposite! In a later talk at VB, we even heard about hacktivist groups in Iran who obviously showed skills and intent. So, while I find the research paper extremely interesting, surprisingly, I disagree with its conclusion.

YOU OTA KNOW: COMBATING MALICIOUS ANDROID SYSTEM UPDATERS by Łukasz Siewierski & Alec Guertin

  • This is about malicious OTA [system] apps which are installed by default on some Android devices.
  • For a given device/model, they try to conceal the malicious intent by sometimes installing the legitimate, non-infected OTA app and other times the infected one. When it’s the legitimate version, it is sometimes upgraded later to the malicious one.
  • Several anti-debugging/anti-emulation checks, including detection of the Xposed framework.

Article Link: Virus Bulletin Conference 2022 — Day 1 | by @cryptax | Sep, 2022 | Medium