MOVING LIKE A SPOOK THROUGH WALLS OR BEING JUST A SHADOW FOR APT DETECTORS presented at FIRST 2017

by Fabio Assolini, Dmitry Bestuzhev

Summary: Since 2006, Fabio has been a voluntary member of the security community Linha Defensiva (Defensive Line), a non-government organization. In addition, he is a member of the Alliance of Security Analysis Professionals (ASAP), a network of NGOs, professionals and individuals dedicated to providing security-related support to end users. Fabio has more than five years of experience as a malware analyst and holds a university degree in Computer Science.
It all began in the fall of 2016, or perhaps a bit earlier… We were working on the analysis of the latest developments of a known APT threat actor when we suddenly discovered that the network traffic we had thought was just noise was actually the exfiltration method used to bypass traditional anti-APT solutions and the analysis of security researchers. The threat actor had carefully prepared the whole theater of operations, making sure to get past well-known security best practices such as inspection of inbound files, domains and network traffic, file whitelisting, and finally APT detection based on outbound DNS requests. In our presentation, we will share additional details about this threat actor, which we named “move-through-walls”, and its operational techniques, which cause false-positive detections for some security vendors.
Strong points:
- Fooling traditional anti-APT solutions
- Bypassing security products by abusing legitimate services you want to use
- Proxification and C2 obfuscation
- Incident response countermeasures