Last-minute paper: Spora: the saga continues a.k.a. how to ruin your research in a week

Thursday 5 October 11:00 - 11:30, Red room

Jakub Kroustek (Avast)
Előd Kironský (ESET)

At the CARO conference this year, we gave an in-depth technical talk about what was, at the time, a brand new ransomware strain called Spora. Back then, we disassembled (decompiled of course) every single byte of Spora, which gave us a complete overview of all its parts and the techniques it used. This allowed us to cover pretty much every aspect of the ransomware in our talk. We discussed its infection vector, its worm-like spreading feature, the packers used. We reconstructed the changelog of every major code modification since its discovery in January 2017, providing a detailed description of the encryption scheme that was able to encrypt even when the infected system was offline. We also discussed some of the implementation failures and tricks that could be used to make a system immune to Spora.

Less than a week after our talk, a new wave of Spora samples appeared. We were shocked when we figured out that the authors behind Spora had changed almost everything we had previously discussed at CARO. They had basically stripped down the executable's code to a few kilobytes, removing all the parts that previously could be used to make a system immune to Spora. Furthermore, they removed most of the issues we had found and they even started using a new delivery method where the executable was embedded in a piece of JavaScript, which was used to execute it. Their focus seems once again to be to target victims in Russia (ransom notes and payment pages are in Russian), leaving users from the rest of the world only as accidental victims. We feel that at CARO, only half of the story was told. We would therefore like to tell the other half of the story at VB. More specifically, we would like to sum-up all the recent changes, depict the new unique delivery mechanism, and visualize shifts in its spread targeting.

Jakub Kroustek

Jakub Kroustek leads the Threat Intelligence team at Avast. Prior to that he led the AVG Threat Intelligence team – for seven years combined. He and his team, which is based in Brno, Czech Republic, are focused on hunting new malware strains, dissecting them, and preparing malware detection methods. Furthermore, they are active in developing tools for malware analysis (e.g. Retargetable Decompiler https://retdec.com/), malware clustering, and providing free decryption tools to victims of ransomware attacks.

Jakub is a reverse engineer with more than 15 years of experience in digging in machine code. For the last several years, his expertise has been in ransomware and botnets, but he likes to mess with all the other malware types as well.

Jakub also likes to share his findings via any available channel, such as the company blog (https://blog.avast.com/author/jakub-kroustek, https://now.avg.com/author/jakub-kroustek/), conference talks (CARO, RAID, etc.), and social media.

Jakub has a Ph.D. in machine-code analysis from Brno University of Technology.

@JakubKroustek

Előd Kironský

Előd Kironský joined ESET in September 2017 as Head of Core Technology Development. His responsibilites include leading the development of detection technologies along with designing new features and improving the detection, performance and reliability of ESET products.

Previously, Előd had been with AVG Technologies and Avast for more than 11 years, where he was responsible for behavioural detection and led the development of the Identity Protection and Behaviour Shield modules. During this time, he developed a passion for malware analysis and threat intelligence.

Előd has a university degree in computer science.

Watch video

2017 PÉTER SZŐR AWARD