SANS Cyber Threat Intelligence Summit 2023Breaking the Ransomware Tool Set: When a Threat Actor Opsec FailureBecame a Threat Intelligence Gold Mine
Nicklas Keijser
During a recent incident response engagement I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. During the malware analysis a suspicious string was found in the memory, . The list contained a not only a complete inventory that the threat actor had, but also a link to the full repository of all their tools, almost 5 GB / over 100 files and scripts of content covering every part for an intrusion -from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research on all the aspects of this tooling. This presentation goes through many of the tools that have been reverse engineered and provides advice on how to detect and mitigate the effect from this threat actor.
Further, it reveals techniques used to turn off anti-virus and clear out logs, including keys used for locking down computers and much more. To conclude I will look into the threat intelligence part of the intrusion, showing how threat actors copy and stockpile techniques from each other and finish off showing how malware analysis in combination with threat intelligence made it possible to find an undetected spare back door that was deployed in the environment. In this talk I will also share several indicators of compromise as well as tools, tactics, and procedures from an active and aggressive ransomware operator that can serve as inspiration for how malware analysis and threat intelligence can be operationalized to stop an intrusion.
View upcoming Summits:
Download the presentation slides (SANS account required) at
Музыка
Фильмы
ТВ Шоу
Категории видео
