Tradecraft Tuesday - HDRoot Bootkit
This Week's Episode

On this week's episode, we're reviewing how attackers covertly loaded a malicious payload into Windows using a Master Boot Record (MBR)-based bootkit commonly called "HDRoot". We'll show how their dropper writes the bootkit to the hard drive and how it hands execution from pre-operating-system boot code to backdoored service executables running inside Windows. We'll also discuss the role of stolen certificates in the attack, how the dropper masqueraded as a legitimate Microsoft executable, the use of a packer to complicate reverse engineering, and some techniques that made digital forensic analysis easier. Finally, we'll share techniques that can be used to detect and remediate this threat.
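The episode promises detection techniques without spelling them out here, so the following is an added example (not Huntress's tooling and not the method discussed on the show) of the most basic check a practitioner would run against an MBR bootkit: read sector 0 of the disk, parse its boot code, disk signature and partition table, and compare the boot code against a known-good baseline hash. The sample sectors, the placeholder boot code, the baseline hash and the device path `\\.\PhysicalDrive0` are all constructed for this example; a real baseline must be taken from a trusted image of the same machine.

```python
"""Generic MBR integrity check (added example, not the episode's own code)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: executable boot code
DISK_SIG_OFFSET = 440         # bytes 440..443: Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) lba_start(4) num_sectors(4)
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "num_sectors": num_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    for idx, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {idx}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["num_sectors"] == 0:
            findings.append(f"partition {idx}: non-empty entry with zero length")
    return findings


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw Windows disk device (needs administrator rights)."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def _build_sector(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code plus one active NTFS partition."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    disk_sig = b"\x11\x22\x33\x44"   # constructed disk signature
    reserved = b"\x00\x00"
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF",
                       2048, 1_000_000)
    empty = b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + disk_sig + reserved + ntfs + empty + BOOT_SIGNATURE


# Placeholder boot code (a jmp-to-self plus NOP padding), not real Windows code.
CLEAN_BOOT_CODE = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)
# Simulated bootkit install: the first bytes are overwritten to redirect execution.
TAMPERED_BOOT_CODE = b"\xE9\x00\x01" + b"\xCC" * 5 + CLEAN_BOOT_CODE[8:]

CLEAN_MBR = _build_sector(CLEAN_BOOT_CODE)
TAMPERED_MBR = _build_sector(TAMPERED_BOOT_CODE)
# In practice the baseline comes from a known-good image, not from the live disk.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]


if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

Two caveats apply to this kind of check. First, it only covers sector 0: boot code that chains to other sectors, or a payload staged elsewhere on disk, is not inspected, so the hash comparison is a trigger for deeper analysis rather than a verdict. Second, a kernel-mode component that filters raw disk reads can hand a clean sector back to `read_physical_mbr`, so confirm any result from an offline image or a boot from trusted media.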
Chris Bisnett

Chris Bisnett is a veteran information security researcher with more than a decade of experience in offensive and defensive cyber operations. While serving with the NSA Red Team, he attacked government networks and systems to identify and remedy vulnerabilities. He is also a recognized Black Hat conference trainer and has taught his "Fuzzing For Vulnerabilities" course at several events around the world. Prior to founding Huntress Labs, Mr. Bisnett co-founded LegalConfirm, LLC, where he led product design and development until the company was acquired in 2014.

Kyle Hanslovan

For the past 10 years, Kyle Hanslovan has supported defensive and offensive cyber operations in the U.S. Intelligence Community and is currently the CEO of Huntress Labs. He previously co-founded the defense consulting firm StrategicIO and actively participates in the ethical hacking community as a Black Hat conference trainer, STEM mentor, and Def Con CTF champion. Additionally, he serves in the Maryland Air National Guard as a Cyber Warfare Operator. With his strong background in technical leadership, software development, and malware analysis, Mr. Hanslovan seeks to significantly raise the bar for malicious actors to successfully conduct cyber attacks.