Botconf 2017

In a World where oil is scarce and people click mail attachments they really shouldn’t, One Man sets out on an epic journey for glory, conquest, and other people’s money. So begins the amazing tale of the “Oil bot” campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian hutzpah. The talk will follow the entire course of Check Point’s investigation into this affair – from the few emails that didn’t add up, through the campaign’s not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredulous details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?

And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: In this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to them; it is you who is angrily calling your bulk provider, asking where all your money went.

Stantinko is a botnet that we estimate infects around half a million machines mainly located in the Russian Federation and Ukraine. In addition to its prevalence, Stantinko stands out because of its use of advanced anti-analysis techniques, the heavy usage of encryption to hide malicious code and the use of anti-virus evasion tricks that allowed them to stay under the radar for the past five years. While its main purpose is to commit advertisement fraud, Stantinko also installs a backdoor allowing them to run arbitrary code on the victim’s machine.

The Stantinko malware family dates back to at least 2012. We noticed a significant change in the group’s toolset that occured at the beginning of 2015, which made it way more difficult to track them and to gather all the pieces necessary to conduct a complete analysis of this notably undocumented threat.

When we began our analysis, we were not sure at what kind of malware we were looking at. It took us some time to understand Stantinko’s purpose because of its fileless modular architecture. After reverse-engineering its network protocol, we were able to collect the modules that contain the actual malicious code and were able to slowly draw the big picture. We found out that its malicous activities include advertising fraud, Facebook fraud and brute-forcing administrator credentials of Joomla and WordPress Content Management Systems. At this point, it became clear to us that we were looking at a crimeware botnet.

This presentation will cover the findings from our six-month hunt after this large-scale stealthy botnet.

Due to it’s flexibility and capacity for embedding other objects, the rich text format (RTF) is a preferred file type used by both precision and quantity focused threat actors. This presentation will discuss the state of threats making use of the file format and provide a brief overview of how the file format is constructed. The presentation will also explain results of exploratory experiments conducted to achieve a deep comprehension of the file format’s structure. Best practices for building protections in organizations will be discussed. Techniques developed while hunting for specific features across large sample sets will be shared.

The 27th of June 2017, a new wormable malware variant has surfaced. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation will be divided in two parts:

the first part will describe Nyetya: how it works, the integrated exploits, Doublepulsar modifications, the “encryption” of the infected systems… This part will be focused on the analysis of the malware (reverse engineering)
the second part will describe the incident response performed by Cisco Advanced Services Incident Response in Ukraine focused on M.E.Doc software. This part will contains the techniques used by the attackers to massively compromised M.E.Doc users. A timeline will be exposed and detailed

Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques have decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe.


Enter Necurs, the biggest player in the spam game today. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. Widely considered to be the largest spam botnet on the planet, Necurs is responsible for a large percentage of the overall spam volumes seen around the globe every day. For being such a major threat, very little information has been published regarding its makeup and how it’s being operated by cybercriminals.


This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible including both malware distribution and other non-malware based campaigns, including stock based pump-and-dump. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.

Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume and potentially low signal to noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first.

This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid.