Emerging trends in malware downloaders

Wednesday 30 September 14:30 - 15:00, Red room

Dr. Nirmal Singh (Zscaler)
Deepen Desai (Zscaler)
Avinash Kumar (Zscaler)



To compromise a system, malicious actors need to avoid being detected at the entry point. Malware infections continue to grow, and so do the attack vectors used to deliver them. Most malware attacks start with a downloader that opens the door for the attack by downloading and installing the malicious modules and payloads. Downloaders are often observed in non-persistent form and delete themselves after installing the malicious payload on the victim's machine. This paper describes the latest trends in downloaders used in malware delivery, leveraging multiple attack vectors to spread advanced malware. The research focuses specifically on malware samples targeting enterprise users.

Through this research, we observed that attackers are targeting users with clever social engineering tricks, while in some cases exploits have also been used to download and install malicious payloads onto victims' machines. A common theme in many of these campaigns is that a downloader payload is served first, and it performs several checks before delivering the target payload to the compromised machine. To illustrate the trend, we performed a large-scale analysis of a data set of tens of thousands of malicious downloader samples collected in the Zscaler cloud from early 2019 to early 2020. We then organized the samples into a taxonomy based on file format, scripting language and behavioural techniques. The analysis focuses on the downloader payloads used by multiple threat actors in different attack campaigns over the past year.

We will look at the recent tactics, techniques, and procedures (TTPs) associated with these malicious downloaders in the wild. We will also showcase details of recent attack campaigns leveraging popular file-hosting services (e.g. Google Drive, Dropbox and AWS) to download malicious modules and payloads.
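Abuse of file-hosting services for second-stage delivery is most easily spotted in egress proxy logs, where a successful fetch of an executable or script from such a domain stands out even when the host itself is reputable. The following is an added example and is not code from the paper or from Zscaler: it scans constructed proxy log lines (the log layout, field order, domain list and sample entries are all assumptions for illustration) and reports fetches that combine a file-hosting host with a payload-like content type, a payload-like extension, or a direct-download link.

```python
"""Flag proxy-log entries in which an executable or script payload was fetched
from a public file-hosting service.

Added example, not Zscaler or VB code. The log format, the field names, the
domain list and the sample lines below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed list of file-hosting hosts a downloader might abuse (assumption).
FILE_HOSTING = {
    "drive.google.com", "docs.google.com",
    "www.dropbox.com", "dl.dropboxusercontent.com",
    "s3.amazonaws.com",
}

# Content types that typically carry a Windows second-stage binary.
PAYLOAD_TYPES = {
    "application/x-msdownload", "application/x-dosexec",
    "application/x-msdos-program", "application/octet-stream",
}

# Extensions common for downloader second stages (binaries and scripts).
PAYLOAD_EXT = re.compile(r"\.(exe|dll|scr|msi|ps1|vbs|js|jse|hta|bat)$", re.I)

# Constructed log layout (assumption):
#   <timestamp> <client-ip> <method> <url> <status> <content-type> <bytes>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\d+)$")

# Constructed sample log: two abuse cases, one benign doc view, one benign
# S3 image, one executable from a non-hosting site (out of scope here).
SAMPLE_LOG = """\
2020-02-10T09:14:02Z 10.0.0.21 GET https://drive.google.com/uc?export=download&id=1AbC 200 application/x-msdownload 412096
2020-02-10T09:14:05Z 10.0.0.21 GET https://docs.google.com/document/d/xyz/edit 200 text/html 58211
2020-02-10T09:15:11Z 10.0.0.33 GET https://dl.dropboxusercontent.com/s/q1w2/update.ps1?dl=1 200 text/plain 3120
2020-02-10T09:16:40Z 10.0.0.40 GET https://s3.amazonaws.com/acme-assets/logo.png 200 image/png 20481
2020-02-10T09:17:03Z 10.0.0.45 GET https://example.com/tool.exe 200 application/octet-stream 900000
"""


def is_file_hosting(host):
    """True if host is, or is a subdomain of, a listed file-hosting domain."""
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING)


def classify(line):
    """Return a hit record for a suspicious fetch, or None for benign/unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, status, ctype, size = m.groups()
    if status != "200":            # only completed transfers matter here
        return None
    u = urlparse(url)
    host = u.hostname or ""
    if not is_file_hosting(host):
        return None

    reasons = []
    if ctype.lower() in PAYLOAD_TYPES:
        reasons.append("payload-content-type")
    if PAYLOAD_EXT.search(u.path):
        reasons.append("payload-extension")
    if not reasons:                # a plain document view/share is not a hit
        return None
    # Direct-download query strings turn a share link into a raw fetch;
    # recorded as a supporting signal, never sufficient on its own.
    q = u.query or ""
    if "export=download" in q or re.search(r"(^|&)dl=1(&|$)", q):
        reasons.append("direct-download-link")
    return {"client": client, "host": host, "path": u.path,
            "bytes": int(size), "reasons": reasons}


def scan(log_text):
    """Run classify() over every line and return the list of hits in order."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} fetched {hit['host']}{hit['path']} "
              f"({hit['bytes']} bytes): {', '.join(hit['reasons'])}")
```

Run on the constructed sample, the scanner reports the Google Drive fetch (executable content type over a direct-download link) and the Dropbox fetch (a .ps1 served as text/plain with dl=1), and ignores the document view and the S3 image. The executable from example.com is deliberately not a hit, since the logic scoped here is file-hosting abuse; a real deployment would pair it with a separate rule for executable downloads from any untrusted host.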

This research will cover:

  • Case studies of obfuscation techniques used in malicious downloaders written in different file formats.
  • In-depth research on shellcode used as the downloader and decryption stage for several pieces of advanced malware.
  • Lessons on the techniques downloaders use to evade detection.
  • Exploitation techniques used by threat actors specifically in combination with downloaders.
  • Challenges in detecting and attributing malicious versus legitimate downloaders.


Nirmal Singh

Nirmal Singh is Senior Manager for the security research team at Zscaler ThreatLabZ in Chandigarh, India. Nirmal has a Ph.D. in computer science and has been working in the threat research and analysis field for the past 10 years. He oversees malware research, detection and innovation at Zscaler. Prior to Zscaler, he worked at Norman as manager of the threat response team.


Deepen Desai

Deepen Desai is responsible for running the security research operations at Zscaler ThreatLabZ. Deepen has been actively involved in the field of threat research and analysis for the past 15 years and has strong affiliations with various security working groups. He is passionate about finding and reverse engineering new malware payloads to neutralize the threat with effective countermeasures. Prior to joining Zscaler, he was a senior threat research manager at Dell SonicWALL. Deepen holds a Master of Science in computer engineering from San Jose State University.


Avinash Kumar

Avinash Kumar works at Zscaler ThreatLabZ as a senior security researcher. He has worked in the threat research field for more than nine years. He previously worked at Norman and Genpact as a senior malware analyst. His research areas include malware downloaders used by advanced malware botnets and the daily analysis of ongoing campaigns. Avinash holds a Master's degree in computer applications from Punjab Technical University. Apart from malware research, he loves to play cricket and table tennis.


