Friday 4 October 14:00 - 14:30, Red room
Alex Hinchliffe (Unit 42, Palo Alto Networks)
Discoveries of two malware families – HenBox for Android; and recently Farseer for Windows – with significant, mostly infrastructure-based overlaps with previously seen malware, such as 9002, PlugX, PIVY and FHAPPI, has led us towards what appears to be an undocumented nation-state group, or groups, in China whom we refer to as PKPLUG. The malware families, infrastructure, and campaign delivery used by PKPLUG highlights broad targeting of multiple sectors and victims in and around the South East Asia region and beyond. This research will detail some of the PKPLUG campaigns, describing the tooling used and, with MITRE's ATT&CK framework and other models that underpin Unit 42's Adversary Playbooks, highlight PKPLUG's behaviour with some overlapping TTPs.
Alex Hinchliffe is a threat intelligence analyst with Unit 42 at Palo Alto Networks. Based in EMEA, his main responsibilities include research into security threats and the groups behind them – their motivations, tactics, and resources – curating and enriching data to share threat intelligence with the community and wider public. He started his career as an intern at the then Dr Solomon's Anti-Virus Company in the United Kingdom. Almost two decades later, his research has largely focused on Windows and Android malware. He regularly speaks on these and related topics. While previously working for McAfee Labs Alex co-created the industry's first cloud-based anti-malware reputation system, Artemis, using DNS to decrease time to protection without signatures to help fight the huge growth in malicious threats.
Paul Chichester (National Cyber Security Centre, UK)
Bobby Filar (Endgame)
Daniel Kapellmann Zafra (FireEye)