Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Disclaimer
The Content, Demonstration, Source Code and Programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely the trainer's and have nothing to do with the company or the organization in which the trainer is currently working. In no circumstances is the Trainer or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.

Acknowledgement
- Special thanks to the Null community for their extended support and co-operation.
- Special thanks to ThoughtWorks for the beautiful venue.
- Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.

Advanced Malware Analysis Training
This presentation is part of our Advanced Malware Analysis Training program. Currently it is delivered only during our local meets, free of cost. For complete details of this course, visit our Security Training page.

Who am I
- Monnappa (m0nna)
- Member of SecurityXploded
- Info Security, Cisco
- Reverse Engineering, Malware Analysis, Memory Forensics
- LinkedIn:

Contents
- Overview of advanced threats
- HeartBeat APT campaign
- Part 1A – Demo (Decrypting the communications of the HeartBeat RAT)
- Part 1B – Demo (Reverse engineering the HeartBeat RAT)
- References

Overview of advanced threats
- Sophisticated
- Stealthy
- Multistaged
- Targeted
- Uses zero-day exploits
- Designed for long-term manipulation

HeartBeat APT Campaign
- Targeted attack exposed by a Trend Micro document
- Targeted organizations related to the South Korean government (political parties, media outfits, the South Korean military)
- The "HeartBeat RAT" was used to gain access to the targets' networks
- In this session, we will:
  - Part 1a) Decrypt the communications of the HeartBeat RAT
  - Part 1b) Reverse engineer the HeartBeat RAT

HeartBeat RAT Network Traffic
The screenshot below shows the HeartBeat RAT traffic on port 80 and the connection to a malicious domain.

Encrypted communications of the HeartBeat RAT
The part shown in red is the header; the part shown in green is the encrypted traffic.

Decryption Script (heart_decrypt.py)
The screenshot below shows the script usage.

Decrypted Communication
The screenshot below shows the decrypted C2 check-in. The part marked in red is the hostname of the infected machine.

Decrypted Communication (contd...)

Malware Decrypts Strings
The screenshots below show the malware decrypting the C2 domain.

Malware Decrypts Strings (contd...)
The screenshots below show the malware decrypting the campaign password "qawsed".

Malware Decrypts Strings (contd...)
The screenshots below show the malware decrypting the campaign code "jpg-jf-0925".

Malware Resolves C2 Domain
The screenshots below show the malware resolving the C2 domain and the corresponding network traffic.

Malware Connects to C2 Domain
The screenshots below show the malware establishing a connection to the C2 domain.

Malware Collects System Information
The screenshots below show the malware collecting system information.

Malware Collects Hostname Information
The screenshots below show the malware collecting the hostname information.

Malware uses XOR encryption
The malware uses the XOR algorithm with a single-byte key (0x2) to encrypt the collected data before sending it.

Malware uses XOR encryption (contd...)
The screenshot below shows the encrypted data.

Malware Sends the Encrypted Data
The malware sends the encrypted data to the C2.

Malware Sends the Encrypted Data (contd...)
The packet capture shows the encrypted traffic.
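The XOR step on the last slides, and the decryption of the captured check-in on the earlier "Decrypted Communication" slides, as an added Python example that is not the presentation's heart_decrypt.py: the check-in body, its field layout and the hostname WIN-ANALYST01 are constructed for illustration, and only the single-byte key 0x2 comes from the slides. It also shows how an analyst who knows the infected machine's hostname can recover the key from the capture without knowing it in advance.

```python
from typing import Optional

# Key stated on the slides: the RAT XORs the collected data with 0x2.
HEARTBEAT_XOR_KEY = 0x02

# Constructed sample check-in (NOT the RAT's real wire format): a hostname
# and a few collected fields, the kind of data the slides show being sent.
SAMPLE_PLAINTEXT = b"HOST=WIN-ANALYST01;OS=WINNT;USER=analyst"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse, so the
    same call both encrypts (as the RAT does) and decrypts (as an analyst does)."""
    return bytes(b ^ key for b in data)


# What the capture would carry after the RAT's XOR step (derived from the sample).
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, HEARTBEAT_XOR_KEY)


def decrypt_checkin(ciphertext: bytes, key: int = HEARTBEAT_XOR_KEY) -> str:
    """Recover the C2 check-in text from the body that follows the header."""
    return xor_bytes(ciphertext, key).decode("ascii", errors="replace")


def recover_single_byte_key(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext key recovery: the check-in carries the infected host's
    name, so an analyst who knows that hostname can slide it across the
    ciphertext and look for one key consistent with every byte of the window."""
    if not crib:
        return None
    for offset in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[offset:offset + len(crib)]
        key = window[0] ^ crib[0]
        if all(c ^ key == p for c, p in zip(window, crib)):
            return key
    return None


if __name__ == "__main__":
    # Key 0x2 only flips one low bit, so the "encrypted" body still looks
    # mostly like printable ASCII on the wire; a pcap cannot be triaged by eye.
    print("on the wire  :", SAMPLE_CIPHERTEXT)
    print("decrypted    :", decrypt_checkin(SAMPLE_CIPHERTEXT))
    print("key from crib:", hex(recover_single_byte_key(SAMPLE_CIPHERTEXT, b"WIN-ANALYST01")))
```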

References
Complete Reference Guide for Advanced Malware Analysis Training [Include links for all the Demos & Tools]

Thank You !