talks
Some of my talks
IoT Malware and Rookit Detections Using Electromagnetic Insights- Unveiling the Unseen
The Botnet & Malware Ecosystems Fighting Conference (Botconf) Nice 2024
by Duy-Phuc Pham, Damien Marion, Annelie Heuser
The Internet of Things (IoT) is a network of interconnected devices, becoming increasingly complicated and suffering from inadequate security measures. Cybercriminals, especially those who specialise in malware and rootkits, recently target them because they often use outdated technology without taking security risks into account.
In this session, we will discuss two challenges: rootkit detection and malware classification in the help of leveraging electromagnetic (EM) side channels. EM allows us to operate outside of the “box” (literary device), with no resource requirement on the target device. Our approach focuses on the ARM and MIPS architectures of Raspberry Pi and Creator CI20 real-world devices. The solution employs multiple data preprocessing methods, allowing analysts to select a variety of machine learning and deep learning models based on their specific requirements. Both approaches resulted in high accuracy (upto 100%) for multiple malware classification and real-time detection scenarios.
See more: https://www.botconf.eu/wp-content/uploads/formidable/2/BOTCONF2024-Pham-Marion.pdf
The Wolf in Sheep's Clothing - How Cybercriminals Leverage OneNote for Stealthy Malware Delivery
code.talks (ehem. Developer Conference) Hamburg 2023
by Duy-Phuc Pham
Microsoft OneNote has surprisingly emerged as a new vector for delivering sophisticated malware. In this presentation, I will discuss how the infamous Qakbot malware operation has evolved to exploit OneNote documents for covert distribution and evasion.
Multiple malware campaigns that use specially crafted OneNote files to distribute malware payloads will be investigated in depth. I will reveal the key technical details behind recent campaigns that use specially crafted OneNote files to bypass defenses, such as encryption, obfuscation, and process injection techniques. We will investigate the infection chain and unpacking techniques used to covertly deliver the Qakbot payload.
I will demonstrate through case studies how the threat actors behind Qakbot continue to innovate their social engineering and technical tactics. I’ll also discuss how other sophisticated malware operations, such as IcedID, ASyncRAT, etc., have adopted similar OneNote techniques.
This presentation will equip developers and security engineers with the knowledge necessary to detect and defend against this fresh breed of highly evasive malware attacks. I will outline specific recommendations for detecting OneNote malware based on behavioral analytics and industry standards. By showcasing OneNote’s emerging role in sophisticated cybercrime operations, we can close this new attack vector and protect our users, customers, and organizations.
Obfuscation Revealed - Leveraging Electromagnetic Emanations for IoT Malware Classification
Hardwear.io USA 2022, 6th - 10th June 2022 Santa Clara, CA
DAMIEN MARION, DUY-PHUC PHAM & ANNELIE HEUSER
Research about IoT malware and tools developed for automated IoT malware classification are limited. IoT and embedded technologies use numerous customized firmware and hardware, without taking into consideration security issues, which make them an attractive attack surface for cybercriminals, especially malware authors. Various types of state-of-the-art malware on Microsoft Windows took decades from the first known malicious software to happen in the wild, now start emerging on IoT devices in a shorter time.
We present a novel, robust and promissing approach of leveraging electromagnetic emanations to identify the kinds of malware that are targeting the Raspberry Pi device. Using our approach, malware analysts can obtain accurate information about the type and identity of IoT malware, even with obfuscation techniques that can prevent static and symbolic binary analysis. We recorded traces of more than 100K measurements from IoT devices infected with various malware samples and realistic benign activity. Our method allows deployment independent of available resources with no overhead. Moreover, our approach has the advantage that malware authors are less likely to detect and bypass. In our experiments, we were able to predict three common types of malware vs. benign activities with 99.82% accuracy.
Mac-A-Mal An Automated Platform for Mac Malware Hunting
Blackhat Asia 2018
As Mac systems grow in popularity, so does macOS malware - whilst macOS malware analysis is still lagging behind - particularly when we deal with malicious behaviors in the user space. To amend this shortcoming, we have come up with macOS analyzer for malware – Mac-A-Mal: a system for behavioral monitoring of components at kernel level which allows analysts to automatically investigate malware on macOS, broadly extending what is available today with Cuckoo sandbox. Full Abstract & Presentation Materials
When Electromagnetic Signals Reveal Obfuscated Malware-Deep and Machine Learning Use cases
SemSecuElec, DGA-MI. October 22, 2021
The Internet of Things (IoT) is constituted of devices that are expo-nentially growing in number and in complexity. They use plentiful customized firmware and hardware, ignoring potential security issues, which make them a perfect victim for cybercriminals, especially malware authors. We described a new usage of side channel information to identify threats that are targeting the device. Using our approach, a malware analyst is able to accuracy know about malware type and identity, even in the presence of obfuscation techniques which may avoid static or symbolic binary analysis. We captured 100,000 leakage traces from an IoT device infected by a miscellaneous and representative in-the-wild malware samples and realistic benign activity. Our technique does not need to modify the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors. In our experiments, we were able to classify three generic malware types (and one benign class) with an accuracy of 99.82%. Even more, we show that our solution permits to classify altered malware samples with unseen obfuscation techniques during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts. Video
Obfuscation defeated - Leveraging electromagnetic signals for malware classification with Deep learning
GDR Hands-on Machine Learning for Security, Sep 2021.
Electromagnetic Side-Channel Analysis for Obfuscated Malware classification
Israeli Conference on Hardware and Side-Channel Attacks (ICHSA) 2021
Malware classification using EM leakages
Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), Oct. 2021