1 of 15

Contact

About Us

Service

Home

CRYPTO EAGLE FORENSICS

THE ANATOMY OF A MALWARE CAMPAIGN: FROM INFECTION TO EXFILTRATION

WHO AM I?

This is Manivannan Arumugam from Tamil Nadu, India. I have been working as a Cyber Forensics Investigator for over 8 years and hold a Computer Hacking Forensics Investigator certification from EC-Council. I collaborate with the Tamil Nadu Government cyber cells to solve numerous cyber-related cases.

AGENDA

    • UNDERSTANDING MALWARE
    • INITIAL INFECTION
    • PROPAGATION AND PERSISTENCE
    • PAYLOAD DELIVERY
    • COMMAND AND CONTROL (C2)
    • DATA EXFILTRATION
    • DEFENSE AND MITIGATION STRATEGIES

UNDERSTANDING MALWARE

Malware, or malicious software, is any software intentionally designed to cause damage to a computer, server, client, or network. There are several types of malware:

Viruses, Worms, Trojans, Ransomware, Spyware, Adware and Rootkits

MOTIVATIONS BEHIND MALWARE

1) Financial Gain
2) Espionage
3) Sabotage
4) Political Motivations

MALWARE CREATION

Attackers use programming languages like Python and C/C++ along with development kits such as Metasploit and Cobalt Strike to create their malware. These tools provide the necessary frameworks and exploits to craft sophisticated malware.

For example, the Mirai botnet used simple scripts written in the Go language to compromise IoT devices, turning them into bots for a massive DDoS attack.

INITIAL INFECTION

1) Phishing Emails
2) Malicious Downloads
3) Exploit Kits
4) USB Drives
5) Social Engineering

INITIAL INFECTION

Case Studies

“Consider the WannaCry ransomware attack. It spread primarily through phishing emails containing malicious attachments. Once a user opened the attachment, the ransomware encrypted their files and demanded a ransom.”

PROPAGATION MECHANISMS

After initial infection, malware seeks to spread and persist.

1) Network Worms

Malware that spreads itself across networks by exploiting vulnerabilities. The Conficker worm infected millions of machines by exploiting a Windows vulnerability.

2) File Infector Viruses

Attaches itself to executable files and spreads when the file is executed. The CIH virus, also known as Chernobyl, is an example.

3) Spear Phishing

Targeted phishing attacks aimed at specific individuals or organizations. The 2013 Target breach started with a spear-phishing email to an HVAC contractor.

PERSISTENCE TECHNIQUES

Malware uses various techniques to maintain persistence on a system.

1) Registry Modifications

Altering the system registry to ensure the malware runs on startup. For instance, the ZeuS Trojan modifies registry keys to achieve persistence.

2) Scheduled Tasks

Creating tasks that run the malware at specified times. APT29, linked to Russian intelligence, used scheduled tasks for persistence.

3) Rootkits

Concealing the malware’s presence and maintaining control. The Sony BMG rootkit scandal involved software that hid on users’ computers to prevent piracy.
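The registry and scheduled-task techniques above are the ones a responder checks first, because both leave an inspectable record on the host. The script below is an added example for this deck, not material from the original slides: it triages a constructed export of autostart Run-key values and scheduled-task actions and flags the entries that look like user-level malware persistence. The record layout, the field names and the heuristics (binary in a user-writable directory, launch through a script host, encoded PowerShell command line) are this example's own assumptions.

```python
"""Triage of autostart artifacts (Run-key values and scheduled-task actions).

Added example, not from the slide deck. The records below are constructed
samples; the field names and the heuristics are this example's own choices.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Artifact:
    source: str   # "run_key" or "sched_task" (constructed labels)
    name: str     # registry value name or task path
    command: str  # command line executed at logon or on schedule


@dataclass
class Finding:
    artifact: Artifact
    reasons: list = field(default_factory=list)


# Directories a standard user can write to without admin rights. Installers
# normally place autostart binaries under Program Files or Windows instead.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Script hosts and proxy executables commonly used to start a payload without
# dropping a conspicuous new .exe of their own.
SCRIPT_HOSTS = re.compile(
    r"(^|\\)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b",
    re.IGNORECASE)

# PowerShell's encoded-command switch and the abbreviations it accepts.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def assess(artifact: Artifact) -> Finding:
    """Attach a reason for every heuristic the command line trips."""
    finding = Finding(artifact)
    cmd = artifact.command
    if USER_WRITABLE.search(cmd):
        finding.reasons.append("runs from a user-writable directory")
    if SCRIPT_HOSTS.search(cmd):
        finding.reasons.append("launched through a script host or proxy executable")
    if ENCODED_FLAG.search(cmd):
        finding.reasons.append("uses an encoded PowerShell command line")
    return finding


def triage(artifacts):
    """Return only artifacts with at least one reason, most suspicious first."""
    findings = [assess(a) for a in artifacts]
    findings = [f for f in findings if f.reasons]
    return sorted(findings, key=lambda f: len(f.reasons), reverse=True)


# Constructed sample export; user names, paths and task names are invented.
SAMPLE_ARTIFACTS = [
    Artifact("run_key", "SecurityHealth",
             r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    Artifact("run_key", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Artifact("run_key", "WinUpdate",
             r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    Artifact("sched_task", r"\Adobe Acrobat Update Task",
             r'"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'),
    # The base64 placeholder decodes to "AAAA"; it stands in for a real payload.
    Artifact("sched_task", r"\Maintenance\Cleanup",
             "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_ARTIFACTS):
        print(f"[{f.artifact.source}] {f.artifact.name}: {'; '.join(f.reasons)}")
```

The OneDrive entry shows the limit of a path heuristic on its own: a legitimate per-user installer also lives under AppData, so a single reason should be resolved against the file's Authenticode signer, its hash reputation, or a baseline export from a known-good image before anyone acts on it; an entry that trips several heuristics at once, like the constructed Cleanup task, is the one to look at first.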

PAYLOAD DELIVERY

Once malware is on a system, it delivers its payload.

1) Data Theft

Exfiltrating sensitive information such as login credentials or personal data. The Equifax breach involved malware that stole personal information of millions of people.

2) Ransomware Encryption

Encrypting files and demanding ransom for decryption. CryptoLocker is an early example of ransomware that encrypted user files.

3) Botnets

Compromising machines to be used for malicious purposes, like DDoS attacks. Mirai Botnet, which targeted IoT devices, is a notable example.

4) Keyloggers

Recording keystrokes to capture sensitive information. The SpyEye malware toolkit included keylogging capabilities.

COMMAND AND CONTROL

Malware needs to communicate with its operators. This is done through Command and Control (C2) infrastructure.

1) Server

2) DNS

3) Fast Flux

COMMUNICATION METHODS

    • HTTP/HTTPS: Using web traffic to communicate, making it harder to detect. The Dridex banking Trojan used HTTP for C2 communication.

    • IRC: Internet Relay Chat used for C2 communication. The GTbot family used IRC to receive commands.

    • Peer-to-Peer: Decentralized control without a central server. The GameOver Zeus botnet employed a peer-to-peer network.

    • Social Media: Using platforms like Twitter or Facebook to send commands. The Stegano exploit kit hid malicious code in advertising banners.
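HTTP/HTTPS C2 blends in precisely because it looks like web traffic, so the usable signal is timing rather than content: an implant polls its server on a timer, while a person browses in bursts. The script below is an added example for this deck, not material from the original slides. It reads a constructed, simplified proxy log (timestamp, client, method, URL, status), groups requests by client and destination host, and flags pairs whose inter-request gaps are nearly constant. The log format, the sample hosts and the thresholds are this example's own assumptions.

```python
"""Detect fixed-interval HTTP/HTTPS beaconing in proxy logs.

Added example, not from the slide deck. The log format below is a constructed
simplification (timestamp, client, method, URL, status) and the thresholds are
this example's own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlparse

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Return (timestamp, client, destination host) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    host = urlparse(m["url"]).hostname
    if host is None:
        return None
    return ts, m["src"], host


def find_beacons(lines, min_requests=6, max_cv=0.10):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.

    The coefficient of variation (stdev / mean of the gaps) is close to zero for
    a timer-driven implant and large for human browsing.
    """
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, host = rec
            series[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "requests": len(stamps),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return hits


# Constructed proxy log: one client polls cdn-metrics.example.net roughly every
# 60 s while also browsing www.example.com at irregular intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:00:05Z 10.0.0.5 GET http://www.example.com/ 200
2024-05-01T10:00:09Z 10.0.0.5 GET http://www.example.com/css/site.css 200
2024-05-01T10:00:40Z 10.0.0.5 GET http://www.example.com/news 200
2024-05-01T10:01:01Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:02:00Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:02:59Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:03:12Z 10.0.0.5 GET http://www.example.com/news/42 200
2024-05-01T10:03:15Z 10.0.0.5 GET http://www.example.com/img/a.png 200
2024-05-01T10:04:01Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:05:00Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:06:00Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:07:01Z 10.0.0.5 GET http://cdn-metrics.example.net/ping 200
2024-05-01T10:09:50Z 10.0.0.5 GET http://www.example.com/about 200
2024-05-01T10:15:00Z 10.0.0.5 GET http://www.example.com/ 200
2024-05-01T10:15:30Z 10.0.0.7 GET http://www.example.org/ 200
2024-05-01T10:16:00Z 10.0.0.7 GET http://www.example.org/a 200
2024-05-01T10:16:30Z 10.0.0.7 GET http://www.example.org/b 200
this line is not a proxy record
""".splitlines()


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Two caveats matter in practice. Implants often add random jitter to the sleep interval, which raises the coefficient of variation, so the threshold is usually relaxed or the analysis is repeated over a longer window where the mean still stands out; and on HTTPS the proxy may only see the destination IP or the SNI name, so the grouping key should be whatever identifier the log actually carries. The 10.0.0.7 client in the sample is perfectly regular but makes only three requests, which is why the minimum-request floor exists.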

DATA EXFILTRATION

Once data is stolen, it needs to be exfiltrated:

    • Direct Download: Transferring data directly from the victim to the attacker. The TJX data breach involved direct download of credit card information.

    • Email: Sending stolen data via email. The Operation Aurora attack involved exfiltrating intellectual property via email.

    • DNS Tunneling: Encoding data in DNS queries to bypass firewalls. The Feederbot malware used DNS tunneling for data exfiltration.

    • Cloud Services: Uploading stolen data to cloud storage services. Attackers have used services like Dropbox and Google Drive for this purpose.
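DNS tunneling, whether used for the C2 channel named on the Command and Control slide or for the exfiltration described here, has to push its payload through the only field it controls: the query name. That leaves a pattern a resolver log can expose: many long, high-entropy subdomains under one zone, frequently with bulky record types such as TXT. The script below is an added example for this deck, not material from the original slides. It scores each query in a constructed resolver log and reports the zones that collect enough flagged queries. The log format, the sample names and the thresholds are this example's own assumptions, and the zone split assumes a two-label registrable domain, which is wrong for public suffixes such as co.uk.

```python
"""Spot DNS-tunnel style query patterns in resolver logs.

Added example, not from the slide deck. The log format (timestamp, client,
query type, name) is a constructed simplification, and the zone split assumes a
two-label registrable domain, which is wrong for suffixes such as co.uk.
"""
import math
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; hex payloads approach 4.0, base32 5.0."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain part, two-label zone)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_reasons(subdomain, qtype, max_len=40, max_entropy=3.5):
    """Per-query indicators: long or high-entropy labels, bulky record types."""
    reasons = []
    if len(subdomain) >= max_len:
        reasons.append("long subdomain")
    if shannon_entropy(subdomain.replace(".", "")) >= max_entropy:
        reasons.append("high-entropy labels")
    # Record type alone is not suspicious; it only strengthens an existing hit.
    if qtype in ("TXT", "NULL") and reasons:
        reasons.append(f"{qtype} record carries a large response")
    return reasons


def detect_tunnels(lines, min_flagged=3):
    """Aggregate per zone and report zones with enough flagged queries."""
    zones = defaultdict(lambda: {"queries": 0, "flagged": 0, "subdomains": set()})
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        sub, zone = split_name(m["qname"])
        stats = zones[zone]
        stats["queries"] += 1
        stats["subdomains"].add(sub)
        if query_reasons(sub, m["qtype"]):
            stats["flagged"] += 1
    return [
        {"zone": z, "queries": s["queries"], "flagged": s["flagged"],
         "unique_subdomains": len(s["subdomains"])}
        for z, s in zones.items() if s["flagged"] >= min_flagged
    ]


# Constructed resolver log. The three 16-character labels are each a
# permutation of the hex digits, so their entropy is exactly 4.0 bits/char.
A, B, C = "3f9a0c7e1b5d2846", "d41e0b6a9f3c7582", "8c2f7a05e39d1b64"
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 query[A] www.example.com",
    "2024-05-01T10:00:01Z 10.0.0.5 query[A] mail.example.com",
    f"2024-05-01T10:00:02Z 10.0.0.5 query[TXT] {A}.{B}.{C}.example.net",
    "2024-05-01T10:00:03Z 10.0.0.5 query[A] cdn1.static.example.com",
    f"2024-05-01T10:00:04Z 10.0.0.5 query[TXT] {B}.{C}.{A}.example.net",
    f"2024-05-01T10:00:05Z 10.0.0.5 query[TXT] {C}.{A}.{B}.example.net",
    "2024-05-01T10:00:06Z 10.0.0.5 query[AAAA] www.example.com",
    f"2024-05-01T10:00:07Z 10.0.0.5 query[TXT] {A}.{C}.{B}.example.net",
    f"2024-05-01T10:00:08Z 10.0.0.5 query[TXT] {B}.{A}.{C}.example.net",
    "not a resolver record",
]


if __name__ == "__main__":
    for hit in detect_tunnels(SAMPLE_LOG):
        print(hit)
```

The per-zone aggregate is the important part: a single long, random-looking name is normal (CDN cache keys, anti-spam lookups, certificate transparency probes all produce them), whereas a steady stream of unique ones under the same zone is the footprint of an encoder chunking a file. The thresholds are deliberately simple so the output can be reviewed; a production detection would add a public-suffix list for the zone split, a per-client rate, and an allowlist for services that legitimately behave this way.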

THANK YOU