Wednesday 3 October 11:30 - 12:00, Green room
Filip Kafka (ESET)
Hacking Team first came under the spotlight of the security industry following its damaging data breach in July 2015. The leaked data revealed several 0-day exploits being used and sold to governments, and confirmed suspicions that Hacking Team had been doing business with oppressive regimes. But what happened to Hacking Team after one of the most famous hacks of recent years?
Hacking Team’s flagship product, the Remote Control System (RCS), was detected in the wild at the beginning of 2018 in 14 different countries, including some of those that had contributed to previous criticism of the company’s practices. We will present the evidence that convinced us that the new, post-hack Hacking Team samples can be traced back to a single group – not just any group, but Hacking Team’s developers themselves.
Furthermore, we intend to share previously undisclosed insights into Hacking Team’s post-leak operations, including the targeting of diplomats in Africa, to uncover the digital certificates used to sign the malware, and to share details of the distribution vectors used to target the victims. We will compare the functionality of the post-leak samples with that in the leaked source code. To help other security researchers, we’ll provide tips on how to efficiently extract details from these newer VMProtect-packed RCS samples. Finally, we will show how Hacking Team sets up companies and purchases certificates for them.
Filip Kafka is a malware analyst at ESET's Malware Analysis Laboratory. His main responsibilities include detailed malware analyses and training new reverse engineers in the ESET Virus Lab, but his professional interests, as well as his latest research, focus on APTs. His experience as a speaker includes speaking at the Virus Bulletin conference, the AVAR conference, CARO Workshop, NorthSec conference, and at several events aimed at raising awareness of malware and computer security, presented for local universities. He also teaches a reverse engineering course at the Slovak University of Technology and the Comenius University and runs workshops on reverse engineering and malware research held in London, Brno, Bratislava.
Juan Andrés Guerrero-Saade (Chronicle)
Rowland Yu (Sophos)
Axelle Apvrille (Fortinet)