<— Back

Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints

13:05 – 13:35(SGT) Thursday 3 December, 2020

0-Days that are exploited in the wild always gain a lot of attention, and rightly so. But while the malware authors usually get all the credit, the exploit writers, those who work hard to find a vulnerability and develop their top-notch exploit, often remain out of the spotlight.

In the past months, our Vulnerability and Malware research teams joined efforts to focus on the exploits inside the malware and specifically, on the exploit writers themselves. Starting from a single Incident Response case, we built a profile of one of the most active exploit developers for Windows. Up until now, we managed to track down more than 10(!) of their Windows Kernel (LPE) Exploits, many of which were zero-days at the time of development.

 Just like programmers leave their fingerprints in their code, so do exploit developers. This allowed us to apply the same techniques we use to track and attribute malware authors and APT groups to draw a digital composite sketch of the exploit writer.

Join us as we follow our developers’ footsteps and watch their learning curve – starting from selling their 1-Day exploits to criminal groups to eventually selling 0-Days to nation-state APTs. We will also explain our process of converting exploit artifacts into more samples, identifying the author’s template, and shortly go over the distribution and business model of the attacker. The talk will demonstrate how exploits can be used to track their authors and give a technical peek into the world of in-the-wild exploits.

Key Points

• A prominent example of attribution through exploits
• Exploit writer attribution
• Detection of the clients – the malware that paid for these exploits
• The exploit developer we followed is dominant in the market
• Their customers including APT groups as well as popular crimeware (mainly across Asia)
• Exploits are more common than thought or heard of before