Unveiling shadows: key tactics for tracking cyber threat actors, attribution, and infrastructure analysis
Hossein Jazi, Senior Threat Intelligence Specialist (@h2jazi)
• APT researcher
• Malware reverse engineer
• Threat Hunter
• Cyber crime investigator
© Fortinet Inc. All Rights Reserved.
APT Tracking
High Level Detail
File-based Tracking
Static Indicators – Strings
DACLS RAT
• Static Indicators:
  • Extracted from static analysis of a toolset or malware used by threat actors.
• Key use:
  • Identifying and tracking malware variants associated with specific threat actors.
• Specific Strings: Unique strings within the malware can serve as indicators to detect and link new variants to known threats.
• DACLS RAT:
  • Certificate name and private key
  • “c_2910.cls” and “k_3872.cls”
File-based Tracking
Static Indicators – Imports/Exports
IMPORTS/EXPORTS
• Examining import/export names in malware to uncover new malware families linked to the same threat actor.
• Imphashing for Malware Tracking:
  • Generates a hash from the Import Address Table (IAT) of an executable file.
  • …
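A minimal re-implementation of the imphash computation sketched above, added here as an example (not Fortinet's or any PE library's code): it works over a constructed import table instead of parsing a real PE, and the sample binaries and the ordinal handling are assumptions.

```python
# Added example (not from the slide deck): re-implements the imphash idea
# over a constructed import table. Sample data and ordinal handling are
# assumptions; a real tool would parse the PE import directory first.
import hashlib

# Extensions that the common imphash convention strips from the DLL name.
_STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalize_imports(import_table):
    """Turn an import table into canonical 'dll.func' strings.

    import_table: list of (dll_name, [func_or_ordinal, ...]) pairs in the
    order they appear in the import directory. Ordinals (ints) become
    'ordN'; a real tool would first map well-known ordinals to names.
    """
    out = []
    for dll, funcs in import_table:
        lib = dll.lower()
        parts = lib.rsplit(".", 1)
        if len(parts) == 2 and parts[1] in _STRIPPED_EXTS:
            lib = parts[0]
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            out.append(f"{lib}.{name}")
    return out


def imphash(import_table):
    """MD5 over the comma-joined canonical imports (order matters)."""
    joined = ",".join(normalize_imports(import_table))
    return hashlib.md5(joined.encode()).hexdigest()


def same_import_layout(a, b):
    """True when two import tables collapse to the same imphash."""
    return imphash(a) == imphash(b)


# Constructed samples (not real malware data): A and B differ only in
# casing and extension spelling, so they hash the same; C reorders the
# import directory, so it does not.
SAMPLE_A = [("KERNEL32.DLL", ["CreateFileW", "WriteFile"]),
            ("WS2_32.dll", [23, "connect"])]
SAMPLE_B = [("kernel32.dll", ["createfilew", "writefile"]),
            ("ws2_32", [23, "CONNECT"])]
SAMPLE_C = [("ws2_32.dll", [23, "connect"]),
            ("kernel32.dll", ["CreateFileW", "WriteFile"])]

if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(table))
```

Because the hash depends on import order as well as names, a rebuild with the same source and linker settings tends to keep its imphash while a recompiled or repacked variant usually does not, which is why it pivots well between related samples but not across toolchains.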