Guilherme Venere (@gvenere on Twitter)
When financially motivated threat actors begin a new campaign, their aim is to maximize gains while reducing the chances of being detected. That goal means they will use whatever delivery mechanism is trending at the time and will change behavior once the security industry becomes more efficient at detecting them. This rapid cycle sometimes causes them to leave important metadata in their IOCs, which can be used to identify and track these actors over time. In this talk we will take a look at how threat actors moved away from macro-enabled documents to Windows shortcut (LNK) files inside Zip/ISO files, then to OneNote when MS implemented the Mark-of-the-Web (MoTW) feature for these formats. We will also look at the current delivery mechanisms and how metadata can still be used to detect and track them.
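The metadata the abstract refers to is a concrete, parseable thing in LNK files: the TrackerDataBlock that Windows appends to a shortcut records the NetBIOS name of the machine the shortcut was built on, the volume GUID, and a version-1 object GUID that embeds the MAC address of that machine's NIC and a creation timestamp. The following parser is an added example written for this page, not code from the talk or from Cisco Talos; it follows the MS-SHLLINK on-disk layout, and the sample shortcut it parses is constructed inline (hostname, MAC and GUIDs are invented values), so it runs offline.

```python
"""Extract TrackerDataBlock metadata (NetBIOS machine name, volume/object GUIDs,
and the MAC address plus timestamp embedded in the version-1 object GUID) from a
Windows shell link (.lnk). The layout follows MS-SHLLINK; the sample file built at
the bottom is constructed test data, not a capture from any campaign."""
import datetime
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIG = 0xA0000003          # ExtraData BlockSignature of the TrackerDataBlock
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# LinkFlags bits that announce a StringData entry, in on-disk order
STRING_FLAGS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                ("arguments", 0x20), ("icon_location", 0x40))
GREGORIAN_EPOCH = datetime.datetime(1582, 10, 15, tzinfo=datetime.timezone.utc)


def _mac_from_uuid(u: uuid.UUID):
    """Version-1 GUIDs carry the generating NIC's MAC address in the node field."""
    if u.version != 1:
        return None
    return ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))


def _time_from_uuid(u: uuid.UUID):
    """Version-1 GUIDs carry a 100 ns timestamp counted from 1582-10-15."""
    if u.version != 1:
        return None
    return (GREGORIAN_EPOCH + datetime.timedelta(microseconds=u.time // 10)).isoformat()


def _parse_tracker(body: bytes) -> dict:
    # body = Length(4) Version(4) MachineID(16) Droid(32) DroidBirth(32)
    machine_id = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
    vol, obj = uuid.UUID(bytes_le=body[24:40]), uuid.UUID(bytes_le=body[40:56])
    birth_vol, birth_obj = uuid.UUID(bytes_le=body[56:72]), uuid.UUID(bytes_le=body[72:88])
    return {
        "machine_id": machine_id,
        "volume_id": str(vol), "object_id": str(obj),
        "mac": _mac_from_uuid(obj), "object_created": _time_from_uuid(obj),
        "birth_volume_id": str(birth_vol), "birth_object_id": str(birth_obj),
        "birth_mac": _mac_from_uuid(birth_obj),
    }


def parse_lnk(data: bytes) -> dict:
    """Walk header -> IDList -> LinkInfo -> StringData -> ExtraData blocks."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for key, bit in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    tracker = None
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 8:                             # TerminalBlock (size < 4) ends ExtraData
            break
        if sig == TRACKER_SIG and size >= 0x60:
            tracker = _parse_tracker(data[pos + 8:pos + size])
        pos += size
    return {"flags": flags, "strings": strings, "tracker": tracker}


def tracking_key(parsed: dict):
    """Fields worth pivoting on across samples to cluster shortcuts built on one host."""
    t = parsed["tracker"]
    return (t["machine_id"], t["mac"], t["volume_id"]) if t else None


def _v1_guid(ts: datetime.datetime, node: int, clock_seq: int = 0x0C1) -> uuid.UUID:
    """Build a deterministic version-1 GUID (constructed test data)."""
    d = ts - GREGORIAN_EPOCH
    t = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF,
                             0x1000 | ((t >> 48) & 0x0FFF),
                             0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node))


def build_sample_lnk() -> bytes:
    """Constructed .lnk: header + Unicode NAME_STRING + TrackerDataBlock + TerminalBlock."""
    flags = 0x04 | IS_UNICODE                    # HasName, IsUnicode
    header = struct.pack("<I16sIIQQQIIIHH4s4s", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, b"\0" * 4, b"\0" * 4)
    name = "Invoice".encode("utf-16-le")
    name_string = struct.pack("<H", len(name) // 2) + name
    vol = uuid.UUID("3f0b8c51-9a1e-4c2d-8e7a-5b6c7d8e9f01")   # invented volume GUID (v4)
    obj = _v1_guid(datetime.datetime(2023, 6, 1, tzinfo=datetime.timezone.utc),
                   node=0x000C29A1B2C3)                           # invented MAC of the builder host
    droid = vol.bytes_le + obj.bytes_le
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIG, 0x58, 0,
                          b"DESKTOP-A1B2C3D") + droid + droid    # DroidBirth == Droid
    return header + name_string + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print(key, value)
    print("pivot key:", tracking_key(parsed))
```

The `tracking_key` tuple is the part a hunter actually uses: when the same NetBIOS name, MAC and volume GUID show up in shortcuts delivered across several lures, those samples were built on one machine, which is the kind of operator-level metadata the talk describes surviving across changes in delivery format. Treat the values as weak signals rather than proof: the block is optional, is absent when the link target lives on a volume without distributed link tracking, and can be edited by anyone who controls the file.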
Guilherme Venere has been a threat researcher with Cisco Talos since 2022. Over the past 15 years he has worked in the antivirus industry, analyzing and detecting almost every kind of malware that was created. Now he spends his days hunting for new malware, analyzing threats as they emerge and continue to evolve, and trying to understand how to better detect them.
---
BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching.
bsidespdx.org