2024-09-12 –, Main hall
Since the end of 2022, we have identified multiple espionage-related intrusions targeting governmental entities in the Middle East, Africa and Asia. According to our findings, the main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, geopolitical events, military activities, and ministries of foreign affairs.
The threat actor behind the attacks used a very rare set of tactics, techniques, and procedures (TTPs), which sets it apart from other known threat actors. Some of these TTPs had never been reported in the wild before, such as a novel and evasive in-memory webshell implant and a custom-built family of backdoors. Other rare techniques that we observed included a novel Exchange email exfiltration technique that the attackers used only on a few selected targets, and a credential stealing technique that has rarely been seen in the wild.
In our presentation, we will explore the TTPs employed by the sophisticated threat actor throughout each phase of the attack life cycle and share some exclusive information that has not been published yet about the attackers’ playbook. After understanding how this threat actor operates, what exactly they were looking for, and how to hunt them down, we will delve into the attribution process and establish the connection to the Chinese Nexus through different facets.
Lior Rochberger is a senior threat researcher at Palo Alto Networks, focusing on threat hunting and malware research. Lior has a decade of experience, where she mostly focused on OSINT, incident response, threat hunting and malware analysis.
Tom Fakterman is a Senior Threat Researcher at Palo Alto Networks. Day to day, Tom focuses on threat hunting, malware research, and threat intelligence. Tom has a decade of experience, where he mostly focused on incident response and malware analysis.