Amaury-Jacques Garçon

CTI analyst



Amaury-Jacques Garçon is a cybersecurity engineer working as a technical Threat Intelligence analyst, currently at Sekoia.io, where he focuses on the investigation of state-sponsored threats. With professional experience in open-source investigation, he has previously worked for the French Ministry of Armed Forces.


Discussion: Malware Q&A

This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.


Q&A Panel for the Malware block

Talk: One certificate to rule them all: the story of a Chinese-nexus botnet

Talks will be streamed on YouTube and Twitch for free.


Let's dive into the domain of edge devices and botnets through our discovery of a vast cluster of ~70,000 compromised hosts. This story stemmed from a simple error: the reuse of a single self-signed certificate across multiple hosts. In this talk, we will demonstrate how this small SecOps oversight allowed us to unveil a whole network of Operational Relay Boxes and a multi-layered attack infrastructure involving the GobRAT malware and a previously undocumented backdoor, which we named Bulbature. A unique attribute of this infrastructure is that a majority of the C2 servers expose open directories. Altogether, over 5,000 files of varied types have been analysed, enabling us to effectively place ourselves in the operators’ shoes. This infrastructure reaches corners around the globe and hints at ties to China.