Some of my talks

The Wolf in Sheep's Clothing - How Cybercriminals Leverage OneNote for Stealthy Malware Delivery

code.talks (formerly Developer Conference) Hamburg 2023

by Duy-Phuc Pham

Microsoft OneNote has surprisingly emerged as a new vector for delivering sophisticated malware. In this presentation, I will discuss how the infamous Qakbot malware operation has evolved to exploit OneNote documents for covert distribution and evasion.

I will examine in depth multiple malware campaigns that use specially crafted OneNote files to distribute malware payloads, and reveal the key technical details these campaigns rely on to bypass defenses, such as encryption, obfuscation, and process injection techniques. We will investigate the infection chain and unpacking techniques used to covertly deliver the Qakbot payload.

I will demonstrate through case studies how the threat actors behind Qakbot continue to innovate their social engineering and technical tactics. I’ll also discuss how other sophisticated malware operations, such as IcedID, AsyncRAT, etc., have adopted similar OneNote techniques.

This presentation will equip developers and security engineers with the knowledge necessary to detect and defend against this fresh breed of highly evasive malware attacks. I will outline specific recommendations for detecting OneNote malware based on behavioral analytics and industry standards. By showcasing OneNote’s emerging role in sophisticated cybercrime operations, we can close this new attack vector and protect our users, customers, and organizations.

Obfuscation Revealed - Leveraging Electromagnetic Emanations for IoT Malware Classification

USA 2022, 6th - 10th June 2022 Santa Clara, CA


Research on IoT malware and tools for automated IoT malware classification is limited. IoT and embedded technologies use numerous customized firmware and hardware without taking security issues into consideration, which makes them an attractive attack surface for cybercriminals, especially malware authors. Various types of state-of-the-art malware that took decades to appear in the wild on Microsoft Windows, counting from the first known malicious software, are now emerging on IoT devices in a shorter time.

We present a novel, robust and promising approach of leveraging electromagnetic emanations to identify the kinds of malware that are targeting the Raspberry Pi device. Using our approach, malware analysts can obtain accurate information about the type and identity of IoT malware, even with obfuscation techniques that can prevent static and symbolic binary analysis. We recorded traces of more than 100K measurements from IoT devices infected with various malware samples and realistic benign activity. Our method allows deployment independent of available resources with no overhead. Moreover, our approach has the advantage that malware authors are less likely to detect and bypass it. In our experiments, we were able to predict three common types of malware vs. benign activities with 99.82% accuracy.

Mac-A-Mal: An Automated Platform for Mac Malware Hunting

Blackhat Asia 2018

As Mac systems grow in popularity, so does macOS malware, whilst macOS malware analysis is still lagging behind, particularly when we deal with malicious behaviors in the user space. To amend this shortcoming, we have come up with a macOS analyzer for malware, Mac-A-Mal: a system for behavioral monitoring of components at kernel level which allows analysts to automatically investigate malware on macOS, broadly extending what is available today with Cuckoo sandbox.

When Electromagnetic Signals Reveal Obfuscated Malware - Deep and Machine Learning Use cases

SemSecuElec, DGA-MI. October 22, 2021

The Internet of Things (IoT) is made up of devices that are growing exponentially in number and in complexity. They use plentiful customized firmware and hardware, ignoring potential security issues, which makes them a perfect victim for cybercriminals, especially malware authors. We describe a new usage of side-channel information to identify threats that are targeting the device. Using our approach, a malware analyst is able to accurately determine malware type and identity, even in the presence of obfuscation techniques which may prevent static or symbolic binary analysis. We captured 100,000 leakage traces from an IoT device infected by miscellaneous and representative in-the-wild malware samples and realistic benign activity. Our technique does not need to modify the target device. Thus, it can be deployed independently of the resources available, without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by malware authors. In our experiments, we were able to classify three generic malware types (and one benign class) with an accuracy of 99.82%. Furthermore, we show that our solution makes it possible to classify altered malware samples whose obfuscation techniques were unseen during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts.

Electromagnetic Side-Channel Analysis for Obfuscated Malware classification

Israeli Conference on Hardware and Side-Channel Attacks (ICHSA) 2021

macOS malware analyzer

Trend Micro global internal meeting (09/2017)

Malware classification using EM leakages

Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), Oct. 2021