Publications

Public Papers, Publications and Talks #

Kobalos – A complex Linux threat to high performance computing infrastructure - (2021-02) #

  • A white paper about a unique multiplatform malware

Operation NightScout: Supply‑chain attack targets online gaming in Asia - (2021-02) #

  • A supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia

Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia - (2020-12) #

  • A supply-chain attack on the website of a government certification authority in Southeast Asia.

Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks - (2020-05) #


Linux.Rekoobe Operating Undetected - (2020-01) #

  • Rekoobe is a minimalistic trojan with a complex C&C authentication protocol. It originally targeted SPARC and Intel x86/x86-64 systems back in 2015 and reemerged in early 2020.

ELF Crafting: Uncovering Advanced Anti-analysis Techniques for the Linux Platform (r2con2019) #

A presentation covering the intricacies of the ELF file format and how threat actors can abuse it to make their malware harder for researchers to analyze.


ChinaZ updates toolset - (2019-12) #

  • Analysis of new samples from ChinaZ, a Chinese-speaking cybercrime group behind the Elknot and BillGates botnets, among others.

ACBackdoor - The story of a multiplatform trojan - (2019-10) #

  • Analysis of a Linux trojan whose authors attempted to port it to Windows.

How we disrupted 15 active ransomware campaigns targeting Linux file-storage servers - (2019-07) #

  • How the operation of a ransomware family targeting Linux-based file storage systems (NAS servers) was temporarily denied service by abusing a bug in the malware's own logic.

Watching the Watchbog, new Cython sample and Linux Exploits - (2019-07) #

  • Analysis of a new version of Linux.WatchBog written in Cython, suspected of having compromised more than 4,500 Linux machines, highlighting how effective Cython can be for obfuscation purposes.

HiddenWasp - Linux implant targeting Linux systems - (2019-05) #

  • Analysis of a Linux implant with ties to Winnti malware, used by Chinese state-nexus actors.

War in the cloud: East Asian cybercrime actors compete for persistence - (2019-05) #

  • Pacha Group, a Chinese-speaking group targeting cloud-based infrastructure, was disrupting the foothold of other cryptomining groups, namely Rocke Group/Iron Group, which was also known to target cloud environments at the time.

Analysis of Pacha Group unconventional toolset - (2019-02) #

  • Pacha Group, a suspected Chinese-speaking ecrime group, showcased Linux malware that was unconventional at the time and had no ties to other known threat actors.

Muhstik reloaded - New Linux variants target phpMyAdmin servers - (2018-11) #

  • This was my first public malware analysis report, nothing too special really. It stays here for historical purposes.

ELF 101 Series: #


Glibc Heap Analysis with Radare2 (r2con2016) #

A talk documenting the internals of the Linux heap layout produced by the glibc malloc dynamic memory allocator, along with how to analyze it using radare2.