A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


OSX/Pirrit - Reverse engineering mac OSX malware and the legal department of the company who makes it - Amit Serper, Niv Yona, Yuval Chuddy Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

OSX/Pirrit - Reverse engineering mac OSX malware and the legal department of the company who makes it
Amit Serper, Niv Yona, Yuval Chuddy
Derbycon 2018

Back in 2016 I discovered a new OSX strain of the Pirrit adware/malware which up until then only targeted windows machines. I completely reverse engineered the malware, which runs with root privileges, hijacks all the HTTP traffic on the infected machine, and employs several other nefarious tricks. Due to some stunning opsec mistakes (which I will cover) I found the malware’s authors downright to their full names and the company that they work for. Fast forward almost two years later, OSX/Pirrit was back with a vengeance, employing new techniques and learning their lessons from everything I wrote about in my previous reports. Nevertheless, after lots of binary reverse engineering, going through thousands of lines of JavaScript, bash, and AppleScript code - I managed to reveal just how sinister the new version of OSX/pirrit is which is virtually impossible to remove without deep OSX knowledge. Due to more opsec mistakes by the authors I managed to tie this new wave of infections back to On top of that, TargetingEdge, the company who makes this adware/malware, bombarded us with cease and desist letters, threatening my employer and myself personally - trying to keep us from publishing our report. In my talk I will highlight all of the methods that were used by the authors of the malware to abuse systems, I will guide the attendees through the process of reverse engineering such malware and share with everyone the amazing and hilarious story behind this whole incident. There will be IDA screenshots, there will be stunning opsec mistakes by the authors and there will lolz galore.Join me for a session about reverse engineering, browser hooking tricks on OSX and interesting tales about my time with our corporate attorney battling these legal threats. This talk is meant for beginners and experienced audiences alike as I intend to walk through all the phases of my research. Attendees will walk out this talk knowing a lot about the security and the process of malware analysis on macs along with how to handle situations where the malware authors are sending their attorneys on you.

Amit Serper, Head of security research, Cybereason Nocturnus group:Amit leads the security research at Cybereason's Nocturnus global security practice. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. Whenever he is not taking apart malware and exploring the dark and undocumented corners of operating systems at the office, you could find him in his lab at home reverse engineering routers and other IoT devices and finding horrible bugs on them. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for the Israeli government, specifically in embedded system security. Niv Yona, Threat hunting and research lead, EMEA at Cybereason Nocturnus group - Niv began his career as a team leader of the security operations center in the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. At Cybereason, Niv focuses on threat research that directly enhances product detections and the Nocturnus hunting playbook. Yuval Chuddy, Threat hunter and Security researcher at Cybereason Nocturnus group Yuval began his career as a security researcher in the cyber security department of the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. At Cybereason, Yuval focuses on investigating targeted and complex attacks and conducts threat hunting in customer environments.

@0xAmit

Back to Derbycon 2018 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast