April was a busy month, in which I gave three talks on three topics. The first two were at Botconf: one on the RTM Locker, and one titled A student’s guide to free and open-source enterprise-level malware analysis tooling. My talk at the final edition of Hack In The Box Amsterdam, titled Feeding Gophers to Ghidra, dove into Golang malware analysis with Ghidra.
This year’s edition of Botconf was in Strasbourg, known for hosting the European Parliament, and for hosting Botconf 2023! My submitted talk about the Read The Manual Locker gang, for which I also wrote a blog for Trellix, covered the group’s rules, as well as an in-depth analysis of the locker’s technical details. The blog got picked up by numerous news outlets, such as The Hacker News, InfoSecurity Magazine, and the French LeMagIT. The recording of the talk is available on YouTube. It was a pleasure meeting Valéry Rieß-Marchive in person, as we had been in contact for a while, but had never got around to meeting physically.
My second talk was based on an invite from the organisation, where I shed light on resources that are available to researchers who are on a budget, for any reason. I recommend that those who are looking to set up their home lab, be it for their own learning experience or for a start-up, watch the talk in full. Aside from ideas on how to get started, several caveats are discussed as well.
Aside from giving my talks, I met up with the fine folks from Threatray, where I learned about Tió de Nadal, a Catalan Christmas tradition where a log is hit with sticks, after which those participating (usually kids) get presents and/or candy. Additionally, I met Marc Elias, an old colleague of mine. Even though we had collaborated before on a Trellix blog about PlugX, we had never met in real life.
Dominika gave a talk about writing efficient Yara rules, which is surely worth a watch for those who work with Yara, even if only occasionally. It had been a year since I last met Dominika, and we had a lot to catch up on, even though we had been in contact throughout the year. She’s also written about her experience of this edition of Botconf.
A colleague of Dominika, David Álvarez Pérez, gave a talk dubbed Syslogk Linux Kernel Rootkit – Executing Bots via “Magic Packets”. This deep technical dive showed how the Linux malware ecosystem is evolving, and what kind of behaviour one can expect from current rootkits on said operating system. David is also the author of Ghidra Software Reverse Engineering for Beginners. Note that I am not affiliated with Amazon or David, but I would like to share this resource since both David and I are Ghidra enjoyers.
Suweera’s talk covered Bumblebee’s changes over time. While I hadn’t looked into Bumblebee myself, the talk clarified the major development points, and allowed anyone who followed along to understand what the malware did, and how it evolved.
To help the Botconf organisation, I offered to take pictures of all speakers while they were on stage. In my opinion, such pictures always come in handy, be it as a profile picture, within a future “About me” slide, or to share with friends and family. The organisation was happy with my proposal, and approval was obtained from each speaker prior to taking any picture. The images were shared with the photographed speakers afterwards. I’d like to thank those who sent me feedback afterwards; it was a fun thing to do!
The conference was, once again, organised exceptionally well. The speaker dinner on the evening of the workshop day had superb food, matching the local cuisine. The event itself, the quality of the talks, and the record speed at which the recordings were processed, are just a few of the positive things I’d like to mention.
Hope to see you next year in Nice!
The 2023 edition of Hack In The Box (HITB) Amsterdam was the final edition in this location, or as the organisation named it: “the last gracht hack”. Gracht is Dutch for a canal within a city, referencing Amsterdam’s iconic city canals. The change of scenery for future editions is a bummer for me, given that the location within The Netherlands made it easily reachable without much travel.
My talk about analysing Golang binaries with Ghidra, titled Feeding Gophers to Ghidra, covered some Golang internals, as well as fundamental information regarding Ghidra scripting.
The event was well organised, having three tracks (two paid ones and one community track), all of which were filled with talks during the event’s two-day duration. During the event, I met Bramwell again, who spoke about syscalls in shellcode. I had originally met him at BlackHat MEA 2022, after which we met again at BlackHat Europe 2022.
Casey (whom I had met at atHack 2021 and BlackHat MEA 2022), Bramwell, and I went to a Thai place in Amsterdam for dinner one evening. We exchanged ideas and brainstormed on a variety of topics, and I can safely say we all had a great time.
Given the conference’s location, the chance of meeting up with friends from university was high. I met a friend and the wife of another friend, both of whom I hadn’t seen in a long time. Lastly, I met Khaled, whom I had also met at atHack and BlackHat MEA 2022. We had a great time catching up and exchanging ideas for new research topics.
All in all, I’m happy to have been part of the final edition of HITB AMS, and will look back at it with fond memories.
To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.