Monnappa K.A

Paper Title

Hunting and Decrypting Ghost communications using Memory Forensics

Abstract

The number of advanced attacks(APT)is undoubtedly on the rise targeting government, military, corporate, educational, and civil society networks today.These advanced and sophisticated attacks focus on individual organizations in an effort to extract valuable information. Sometimes, these advanced attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals. The APT actors (attackers) use advanced malwares to infect the target systems. This presentation talks about one such malware used by the APT actors called Ghost RAT. The presentation showcases the sandbox analysis, encrypted traffic pattern and decrypting the communications of Ghost RAT from packet capture. Presentation also demonstrates both manual and automated method of detecting and decrypting the communications of Ghost RAT using memory forensics.

Speaker Bio

Monnappa K.A is based out of Bangalore, India. He works with Cisco Systems as Information Security Investigator focusing on threat intelligence and investigation of advanced cyber attacks. He is core member of security research community "SecurityXploded".His fields of interest include malware analysis,reverse engineering, memory forensics and threat intelligence.He is an active speaker in the Bangalore security community and Null meetings and has presented on various topics which include "Memory Forensics", "Advanced Malware Analysis", "Rootkit Analysis", and "Sandbox Analysis". He has authored various articles related to "Malware Analysis" and "Memory Forensics" in the Hakin9 and eForensics magazines.