Botconf 2023 – Day 3 Wrap Up

From Words to Intelligence: Leveraging the Cyber Operation Constraint Principle, Natural Language Understanding, and Association Rules for Cyber Threat Analysis

Ronan Mouchoux and François Moerman from XRATOR

An experiment was conducted to centralize the knowledge about threats that is scattered across the internet. Pattern matching is used rather than AI in order to avoid false positives. The input is 26 sources, from which a collection of more than 17000 analysis articles was built. A preprocessing step strips every element of a page that brings no value to the analysis (footers, etc.). A list of 500 aliases of group names was built beforehand. A few cases (APT28, SANDWORM, EQUATION) illustrate "past" TTPs matched with "consequence" TTPs. 75% of the pairs found this way are unique to a single actor. The goal of this work is to understand an attacker's habits in order to respond to incidents and support threat hunting; it does not perform attribution.

Boss, our data is in Russia – a case-based study of employee criminal liability for cyberattacks

Olivier Beaudet-Labrecque • Luca Brunoni • Renaud Zbinden (Co-author), from the Institut de lutte contre la cybercriminalité économique / Hautes Études de Gestion

The presentation builds its case study around a student nicknamed "Einstein". He installs a pirated copy of Photoshop, infected with TrickBot, on his university computer. This situation is the basis for an evaluation of negligence and/or intent, which determines the legal consequences for the student. The study also draws a comparison with the American system.

Asylum Ambuscade: Crimeware or cyberespionage?

Matthieu Faou from ESET

Matthieu Faou first recalls that ESET has not worked with Russia since the beginning of the invasion of Ukraine: it stopped selling in Russia, donates to Ukrainian associations, etc. Russian groups act in three categories: destruction, espionage and cybercrime. The group Asylum Ambuscade has documented activity since 2020. It targeted Canadian banks and, in 2022, the Ukrainian Ministry of Foreign Affairs with the same tools. These tools are simple but effective; the languages used are regularly changed to evade detection. The entry points are also classic: mail with attachments, CVE-2022-30190 (Follina). One hypothesis about the group's goals is that the cybercrime may finance the espionage activity.

When a botnet cries: detecting botnets infection chains

Erwan Chevalier (Twitter: https://twitter.com/r1chev) and Guillaume Couchard (Twitter: https://twitter.com/Wellan129), from Sekoia

Sekoia collects various logs from its clients. These events are normalized and then run through Sigma rules, an anomaly detection engine and a CTI database in order to detect infections. Every rule is evaluated on a radar chart with many criteria: rarity of the target, maintenance difficulty, specificity, false positive rate, handling. In a second stage, the Sigma detections are correlated with each other along the timeline of events: an executable launched manually from the content of an archive that was received as an attachment and then extracted triggers several rules, and their cumulative alert level rises. The production pipeline is a cycle of YARA, FAME[1], sandbox and C2 detection.
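The timeline correlation described above, as an added example that is not Sekoia's code: hypothetical Sigma-style rules fire on single events, and a chain walker links attachment, extraction and manual launch on one host through the shared artifact, summing their alert levels. Event fields, rule names, levels and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Sekoia telemetry), already normalized into one
# schema: ws-17 shows the full chain, ws-42 only an unrelated manual launch.
EVENTS = [
    {"ts": "2023-04-12T09:00:05", "host": "ws-17", "type": "mail_attachment", "file": "invoice.zip"},
    {"ts": "2023-04-12T09:01:10", "host": "ws-17", "type": "archive_extract", "archive": "invoice.zip", "file": "invoice.exe"},
    {"ts": "2023-04-12T09:01:42", "host": "ws-17", "type": "process_start", "image": "invoice.exe", "parent": "explorer.exe"},
    {"ts": "2023-04-12T09:30:00", "host": "ws-42", "type": "process_start", "image": "setup.exe", "parent": "explorer.exe"},
]

# Hypothetical single-event rules in the spirit of Sigma: (name, predicate, alert level).
RULES = [
    ("mail_archive_attachment", lambda e: e["type"] == "mail_attachment" and e["file"].endswith(".zip"), 1),
    ("archive_drops_executable", lambda e: e["type"] == "archive_extract" and e["file"].endswith(".exe"), 2),
    ("user_launched_executable", lambda e: e["type"] == "process_start" and e["parent"] == "explorer.exe", 1),
]

# Infection chain: (rule, field that must equal the previous artifact, field carried forward).
CHAIN = [("mail_archive_attachment", None, "file"),
         ("archive_drops_executable", "archive", "file"),
         ("user_launched_executable", "image", None)]

def match_rules(events):
    """Evaluate every rule on every event, in timeline order; one hit per firing."""
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, pred, level in RULES:
            if pred(e):
                hits.append({"rule": name, "level": level, "event": e,
                             "ts": datetime.fromisoformat(e["ts"])})
    return hits

def correlate(events, window_s=600):
    """Walk CHAIN per host along the timeline; return {host: summed level} for completed chains."""
    hits, alerts, window = match_rules(events), {}, timedelta(seconds=window_s)
    for start in (h for h in hits if h["rule"] == CHAIN[0][0]):
        host, level, cursor = start["event"]["host"], start["level"], start["ts"]
        artifact = start["event"][CHAIN[0][2]]
        for rule, in_key, out_key in CHAIN[1:]:
            nxt = next((h for h in hits if h["rule"] == rule and h["event"]["host"] == host
                        and cursor <= h["ts"] <= start["ts"] + window
                        and h["event"].get(in_key) == artifact), None)
            if nxt is None:
                break  # chain broken: the single-event alerts keep their own level
            level, cursor = level + nxt["level"], nxt["ts"]
            artifact = nxt["event"].get(out_key, artifact)
        else:
            alerts[host] = max(level, alerts.get(host, 0))
    return alerts
```

The lone launch on ws-42 fires a level-1 rule but never becomes a correlated alert, while ws-17 reaches level 4 because all three steps share the attachment and the dropped executable.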


The Plague of Advanced Bad Bots : Deconstructing the Malicious Bot Problem

Yohann Sillam from Imperva

Human internet traffic represents barely half of all exchanges; the remainder is partly legitimate bots (e.g. search engines), but almost 25% of the traffic corresponds to malicious activity: login attempts with username/password combinations, account creation (e.g. AYCD[2]), click automation, etc. The field of automation is growing, and Reddit joins the movement by creating a discussion channel about the development of scraping[3] methods.

References