从BYOVD到0-day揭露网络招聘骗局中的高级漏洞利用

#BHASIA @BlackHatEventsFrom BYOVD to a 0-day:Unveiling Advanced Exploits inCyber Recruiting ScamsSpeakers: Luigino Camastra, Igor MorgensternContributor: Jan Vojtesek# BHASIA @BlackHatEventsAgenda•Introduction to prior research•Attack chain analysis•Initial ISO image•Loaders•RAT•0-day and vulnerability analysis•Rootkit analysis# BHASIA @BlackHatEventsPrior research# BHASIA @BlackHatEventsAttack chain analysis•The attack is initiated by presenting a fabricated job offer•Contacting via LinkedIn, WhatsApp, email or other platforms# BHASIA @BlackHatEventsAttack chain analysisRollFling Loader•Shellcode executed in memory•Discovered a new loader we called RollFling and NLS file•Malicious DLL established as a service•Kickstart execution chain•Loading next stage•obtaining XOR key by calling GetSystemFirmwareTable API•XOR decryption of file with .nls extension•RollSling loader is encrypted in NLS file•Loading decrypted RollSling into memory# BHASIA @BlackHatEventsAttack chain analysis•Rol