Virus Bulletin Conference 2022 — Day 1
For each talk/paper I attended, I try to highlight the main takeaways and my personal comments. So, this is not a summary of the paper, but rather my personal interest to it.
At the end of the conference, I will nominate the best paper. For glory only, as it’s only my opinion 😃
Update Sept 30, 2022. Somehow, I managed to forget to mention the NSO talk. Let’s add this. + adding a picture for OTA talk.
Update Oct 4, 2022. Links for Day 2, Day 3 and Best Paper.
EXPLOIT ARCHAEOLOGY: A FORENSIC HISTORY OF IN-THE-WILD NSO GROUP EXPLOITS Donncha O’Cearbhaill and Bill Marczak
- I hadn’t realized there were so many remote 0-click attacks on iOS.
- The only reason this hasn’t evolved in numerous malware against the platform is that their life is short (a few days). NSO Group manages to use those 0-click attacks during this short time frame.
- Google Project Zero discovered several vulnerabilities in iMessage in 2019. They disclosed their findings to Apple. It looks like this actually pulled the rug out under NSO Group, who wasn’t able to use several of its exploits after Project Zero’s vulnerabilities were fixed. Lovely 😃
UNCOVERING A BROAD CRIMINAL ECOSYSTEM POWERED BY ONE OF THE LARGEST BOTNETS, GLUPTEBA by Luca Nagy
- The IP addresses of backup C2s are recorded in a blockchain.
- Perfect example of apparently merely borderline business, which actually originates from clear malicious activities: the malicious actors sell proxying services, advertisement and access to Google Ad accounts (borderline activity). The issue is that proxies are infected machines enrolled against their will, Google Ad accounts are stolen from victims etc.
- Google identified the actors: Voltron. The attribution looks clear. I would have thought they would be quickly arrested. No, so far, Google has only managed to disrupt their service and issue lawsuits. Not surprising I find it difficult to stop Android/BianLian authors then 😉.
PRILEX: THE PRICEY PRICKLE CREDIT CARD COMPLEX by Fabio Assolini and Fabio Marenghi
- Prilex is not massively distributed but targeted, and distributed by social engineering, typically by a fake technician installing the malware. It’s a bit surprising the gang isn’t caught.
- According to this research, the malware was at least initially built from privileged information on ATM networks. I’d guess an ex- or unhappy employee of compagnies writing the software. Same, surprising this doesn’t help to catch the author.
THE THREAT IS STRONGER THAN THE EXECUTION: REALITIES OF HACKTIVISM IN THE 2020S by Blake Djavaherian
- According to this research, hacktivists are mostly disorganized, not highly skilled and often unable to carry out their threats.
- My personal instinct was that this was wrong. At least for the skill and execution part.
- I listened to the talk and wasn’t convinced. So, I read the paper. It’s a very interesting paper to read, but IMHO it offers many proofs of the opposite! In a later talk at VB, we even heard about hacktivist groups in Iran who obviously showed skills and intent. So, while I find the research paper extremely interesting, surprisingly, I disagree with the conclusion.
YOU OTA KNOW: COMBATING MALICIOUS ANDROID SYSTEM UPDATERS by Łukasz Siewierski & Alec Guertin
- This is about malicious OTA [system] apps which are installed by default on some Android devices.
- For a given device/model, they try to conceal the malicious intent by sometimes installing the legitimate non-infected OTA, and other times, the infected one. When it’s the legitimate version, sometimes, it is upgraded later to the malicious one.
- Several anti-debugging/anti-emulation checks, including detection of the Xposed framework.