BSidesLV 2019 - From EK to DEK: An Analysis of Modern Document Exploit Kits

Exploit Kits haven’t disappeared; they’ve simply moved to Microsoft Office. Traditional Exploit Kits (EKs) have the ability to fingerprint and compromise web browser environments, but with the advent of sandboxing and advanced security measures, there has been a shift toward using the Microsoft Office environment as a primary attack surface. Document Exploit Kits (DEKs) leverage DCOM, ActiveX controls, and logic bugs to compromise machines by packing multiple exploits into a single file.

This talk will provide an in-depth overview of the vulnerabilities and exploitation techniques used by the ThreadKit and VenomKit documents to spread well-known malware families, and how they are being used in targeted attacks.

BSides Edmonton 2018 - Mo’ Monero Mo’ Problems: An Analysis of Cryptomining Malware

As cryptocurrency popularity continues to grow and alt-coins continue to proliferate, malware authors are increasingly using Cryptomining as a means of generating income. This talk will provide an in-depth overview of methods being used to distribute and infect systems with Cryptomining malware. Strategies for collecting intelligence and combating malicious mining activities will also be discussed.

BSides Calgary 2017 - Attack of the Document Clones

Microsoft Office documents sent by email remain an excellent infection vector. Despite security awareness training and Microsoft’s best efforts, users still open malicious documents and enable the macros within. Ross Gibb and Josh Reynolds’ presentation will examine in-the-wild malicious documents sent to a variety of targets over time, and will introduce techniques to programmatically group and cluster malicious documents. In addition to improving detection, these techniques can also be used to track the actors creating and disseminating document clones.