Modern Reconnaissance Phase by APT – Protection Layer

The Talos researchers are no strangers to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. During the presentation, we will not speak about a specific malware actor; instead, we will use several different cases to illustrate how the reconnaissance phase is becoming more important and more complex.
This talk will mainly focus on the use of malicious documents (Microsoft Office and Hangul Word Processor) and watering hole attacks designed to establish whether the target is the intended one. We will mention campaigns against political or military organizations targeting the USA, Europe and Asia.

The techniques and the obfuscation put in place by these actors will be described in detail. We will explain how macros are used and how to deobfuscate them; how JavaScript and PowerShell are becoming unmissable languages and how to analyse them with standard debuggers such as WinDBG or x64dbg; how APT actors include Flash objects in documents to bypass protection and perform reconnaissance on the target; and finally, how the Python language is used by malware to execute code on macOS. In some cases, the reconnaissance is performed directly by a first-stage malware (PE32) rather than by the infection vector itself; we will see an example of this approach that targeted South Korean public sectors at the end of December.
At the end of the presentation, we will show different mitigations in applications (for example in Microsoft Office and Hangul Word Processor) and in the Microsoft Windows operating system to help attendees protect their constituents against the threats described during the talk.

Paul Rascagneres

Paul is a security researcher within Talos, Cisco's threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and, more specifically, on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.