This year was Botconf’s 12th edition, located in Angers, where I gave a four-hour workshop diving into Ghidra. Some of the talks were rated as TLP:GREEN or higher, which decreases the details I can include in the blog, as well as the information on the given talks. The listed talks are covered in chronological order, with intermittent information on other activities during the conference days.

Upon arriving in the afternoon on Monday the 19th, I met up with Bea and Suw, who I met at other conferences, such as Botconf 2024, Botconf 2023, and Summercamp 2024. After exchanging some Dutch cookies for Canadian cookies, we went to grab a Neapolitan pizza. Meeting up with old friends is one of the great joys of conferences!
On Tuesday, my workshop started at 1330 at the Grande École D’ingénieurs Généralistes. The lunch prior to the workshops was organised by Botconf, making it a great place to meet others. I met two more familiar faces: Kyle Cucci and Randy Pargman. They are both working for Proofpoint and gave a workshop titled Defeating Malware Evasion: Techniques and Countermeasures. Kyle also wrote a book about this topic, named Evasive Malware.
With the expertise from both Kyle and Randy, I would’ve signed up for this workshop if my schedule had allowed! Aside from catching up with friends old and new, the lunch’s location and great weather further added to the experience. The third floor’s ‘peninsula’ provided a great view over the city of Angers.

The attendees in my workshop were enthusiastic, driven, and completed more of the given exercises than I had estimated. Not to worry, I always provide more work than can be done in the allotted time, so you won’t twiddle your thumbs. Overall, the workshop went really well and smoothly, which I’m happy with. Hearing this from the attendees and seeing them complete the exercises based on the workshop’s theory is a great feeling.

The speaker dinner was on the roof of a theater, with an even better view than the lunch. The food raised the bar for any future Botconf dinner.

During the dinner, I sat next to Tristan Pourcelot, which is a nice segue to the first talk I will mention here: 10 Years of Large-Scale Malware Comparison: Going Deeper With Machoke. Tristan dives, together with Stéfan Le Berre, into code comparison between binaries using Machoc and their newly developed Machoke. The latter is not open-source, but available as-a-service instead. Their talk dives into the difficulties when scaling code comparison from a few thousand binaries to millions of binaries.
Next, Fabian Marquardt gave a TLP:AMBER rated talk (with listed co-speaker Andreas Petker) about No Endgame in sight – Pivoting from previous dropper malwares to current Latrodectus campaigns. This talk dove into the pivot points they used to pivot from old(er) malware indicators to new(er) indicators. Their persistent work on this subject shows that with technical skills and creativity, you can follow tracks even when they seem to turn cold.
Bea and Suw presented the TLP:AMBER rated Unpacking WIZARD SPIDER’s Crypters: Attribution Challenges in a Tangled Web of Adversaries talk. Their excellent in-depth analysis and pivots on the analysed crypters provided a deep dive into multiple threat actors. It also showed how their attribution process works, and how the groups are tracked over time.
Aside from giving a workshop, Kyle also gave a talk titled Elephant in the Sandbox: An Analysis of DBatLoader’s Unique Evasion Techniques. Throughout the talk, he gave examples of the evasive techniques DBatLoader uses, together with excellent memes.
The last mentioned talk, as I cannot go into every single talk, is by Souhail Hammou who talked about Infiltrating Proxy Botnets to Uncover Spam Campaigns. Given its TLP:AMBER rating, I will not disclose the details, but this talk provided insight into the tracking of spam campaigns, and how to act based on the obtained results.
The great presentations by all the presenters, and the many wonderful attendees who visited, would not be possible without the excellent Botconf organisation team. With approximately 15 people they once again organised a great conference for nearly 400 people!
Hopefully until next year in Reims!
To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on BlueSky @maxkersten.nl.