<— Back

Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints

13:05 – 13:35(SGT) Thursday 3 December, 2020

0-Days that are exploited in the wild always gain a lot of attention, and rightly so. But while the malware authors usually get all the credit, the exploit writers, those who work hard to find a vulnerability and develop their top-notch exploit, often remain out of the spotlight.

In the past months, our Vulnerability and Malware research teams joined efforts to focus on the exploits inside the malware and specifically, on the exploit writers themselves. Starting from a single Incident Response case, we built a profile of one of the most active exploit developers for Windows. Up until now, we managed to track down more than 10(!) of their Windows Kernel (LPE) Exploits, many of which were zero-days at the time of development.

 Just like programmers leave their fingerprints in their code, so do exploit developers. This allowed us to apply the same techniques we use to track and attribute malware authors and APT groups to draw a digital composite sketch of the exploit writer.

Join us as we follow our developers’ footsteps and watch their learning curve – starting from selling their 1-Day exploits to criminal groups to eventually selling 0-Days to nation-state APTs. We will also explain our process of converting exploit artifacts into more samples, identifying the author’s template, and shortly go over the distribution and business model of the attacker. The talk will demonstrate how exploits can be used to track their authors and give a technical peek into the world of in-the-wild exploits.

Key Points

  • A prominent example of attribution through exploits
  • Exploit writer attribution
  • Detection of the clients – the malware that paid for these exploits
  • The exploit developer we followed is dominant in the market
  • Their customers including APT groups as well as popular crimeware (mainly across Asia)
  • Exploits are more common than thought or heard of before

Itay Cohen

Check Point

Itay Cohen (aka Megabeets) is a Security Researcher and a Reverse Engineer in the Malware and Vulnerability Research Group at Check Point Research. Itay has vast experience in malware reverse engineering and other security-related topics. He is the author of https://megabeets.net, a security blog focused on making advanced security topics accessible for free.

Itay is a core developer of the open-source reverse engineering framework radare2 and the maintainer of Cutter, radare2’s official GUI. In his free time, he loves to participate in CTF competitions and to contribute to open-source projects.

Eyal Itkin

Check Point

Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research Group at Check Point Research. Eyal has an extensive background in security research, that includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreter languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking RDP or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

Sponsors and Supporting Organizations

Diamond Sponsors

Platinum Sponsor

Networking Lounge Sponsor

Supporting Organization

Associate Sponsors