Incident Analysis Case Study Focusing on .NET Malware

SANS Digital Forensics and Incident Response
This year, we observed an attack in Taiwan that used DLL sideloading malware. The intrusion may have started around 2021 and continued until we began monitoring and making discoveries. The DLL was named "TSVIPSvr.dll", was loaded by the SessionEnv service, and was ultimately intended for Cobalt Strike C&C communication. We dealt with this attack by working effectively with our monitoring team, endpoint forensics team, and malware analysis team. In this presentation, we will walk through the series of attack techniques and countermeasures, focusing on malware analysis methods and analysis results. The malware was written in .NET, was obfuscated, and contained anti-analysis techniques. It also attempted to evade detection by reading a separate Cobalt Strike-encrypted file, decrypting it, and injecting the result into a newly executed process. We will explain the problems we encountered during this analysis, how we solved them, and how the malware works. Through this presentation, you will learn about the necessity and usefulness of teamwork, key points in analyzing .NET malware, and the techniques malware uses to evade security controls.

SANS DFIR Summit 2023

Speaker: Hirokazu Murakami, Senior Researcher, CyCraft
