Watch SophosLabs experts present their research on Hacking Team, PDF malware and APTs

You might not have had a chance to make it to Budapest, Hungary for the Hacktivity 2015 conference to see live presentations by some of our crack team of SophosLabs researchers.

Well, now we have videos from the event, so you can see three of our researchers give their talks, almost as if you were there! Their presentations cover some interesting topics.

Attila Marosi gives us an introduction to the Hacking Team malware exposed in 2015, when the Italian surveillance-software vendor was itself breached. Jason Zhang investigates new techniques used in recent PDF malware campaigns. And Gábor Szappanos analyzes and compares different malware authors on the advanced persistent threat (APT) scene.

Attila Marosi – Hacking Team Malware

The huge amount of data stolen from Hacking Team gave us a look inside the work of a company that develops malware and exploits for government-level clients.

Attila’s presentation is broken into three parts. The first part is a quick introduction to Hacking Team’s exploit delivery network, how the malware was delivered to the targets, and how the infected devices were controlled through the proxy chain.

The second part is a detailed analysis of the exploits Hacking Team used to infect Android devices, including the installation (infection) process, and how they were used to elevate privileges on those devices.

The third part examines a collection of interesting techniques Hacking Team used to keep the malware as silent and undetectable as possible.

Jason Zhang – Making the Invisible Visible: Case Studies in PDF Malware

Jason’s talk investigates recent PDF malware campaigns and the new techniques adversaries are using to deliver malware via web downloads, email attachments and other infection vectors, in both targeted and non-targeted attacks.

Attackers using PDF can evade detection with polymorphic techniques that hide the malicious code. Jason’s research explores some new techniques malware writers use to bypass detection:

  • A simple but effective URL aliasing technique to download malware.
  • Using PDF to deliver specific topic-related content for search engine poisoning.
  • Encapsulating PDF malware inside a PDF file to evade detection.
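The last technique in that list (a PDF carried inside another PDF) is the kind of thing a static scanner can be taught to look for. What follows is an added example, not code from Jason’s talk or from SophosLabs: a small heuristic scanner that counts %PDF- headers in the raw file and inside inflated /FlateDecode streams, and flags a handful of dictionary keys (/EmbeddedFile, /JavaScript, /OpenAction, /Launch) that are rare in benign documents. The two sample documents are constructed in the block itself; the stream-extraction regex, the key list and the one-level-deep inflation are all choices made for this example, not a description of how the talk’s detection works.

```python
"""Heuristic scanner for PDFs that carry another PDF inside them.

Added example, not code from the talk or from SophosLabs. It checks for a
second %PDF- header (a PDF encapsulated in a PDF) and for a few dictionary
keys that rarely appear in benign documents. Sample PDFs are constructed
in-line below.
"""
import re
import zlib

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
# Stream objects whose /Length is a direct integer. Indirect lengths such as
# "/Length 5 0 R" and nested dictionaries are skipped by this simple regex.
STREAM_RE = re.compile(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n", re.S)
RISKY_KEYS = (b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def decoded_streams(data):
    """Yield (was_compressed, bytes) for each stream located via its /Length."""
    for m in STREAM_RE.finditer(data):
        start = m.end()
        body = data[start:start + int(m.group(1))]
        try:
            yield True, zlib.decompress(body)   # /FlateDecode content
        except zlib.error:
            yield False, body                   # stored as-is or another filter


def scan_pdf(data):
    """Return header count, nested-PDF verdict and risky keys for raw PDF bytes."""
    # The raw file already covers uncompressed streams, so only inflated streams
    # are added as extra views; otherwise plain streams would be counted twice.
    views = [data] + [s for compressed, s in decoded_streams(data) if compressed]
    headers = sum(len(PDF_HEADER.findall(v)) for v in views)
    keys = sorted({k.decode() for v in views for k in RISKY_KEYS if k in v})
    return {"pdf_headers": headers, "nested_pdf": headers > 1, "risky_keys": keys}


def minimal_pdf(extra_objects=b""):
    """Build a tiny constructed PDF (not a real-world sample) plus extra objects."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + extra_objects +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def nesting_pdf(inner):
    """Wrap `inner` as a FlateDecode'd /EmbeddedFile stream inside a new outer PDF."""
    payload = zlib.compress(inner)
    obj = (b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
           + str(len(payload)).encode() + b" >>\nstream\n" + payload
           + b"\nendstream\nendobj\n")
    return minimal_pdf(obj)


INNER_PDF = minimal_pdf()              # benign-looking: one header, no risky keys
OUTER_PDF = nesting_pdf(INNER_PDF)     # carries INNER_PDF compressed inside

if __name__ == "__main__":
    for name, doc in (("inner", INNER_PDF), ("outer", OUTER_PDF)):
        print(name, scan_pdf(doc))
```

Two caveats a practitioner should keep in mind: the scanner trusts the declared /Length, and a malicious file can lie about it, which is exactly the kind of parser disagreement attackers exploit; and it only inflates one level, so a PDF nested two deep would still register as nested (the second header is visible after one inflation) but its own embedded content would not be inspected.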

Gábor Szappanos – Comparing the Incomparables

Gábor analyzes some APT malware families, and shows us how we can compare the different malware authors on the basis of their skill level.

His presentation details the exploitation of CVE-2014-1761 (the Microsoft Word RTF memory-corruption vulnerability patched in MS14-017), surveys the different malware families that used it, and discusses how deeply each group modified the exploit.

The comparative analysis allowed Gábor to draw a relationship chart between the different malware families, showing strong correlation with previously known intelligence, and adding a couple of new relations.

As Gábor says, this research allows us to understand the strengths and weaknesses of our adversaries.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts.
