REcon 2016 – A Quick Recap

Some of us had the pleasure to visit this year’s REcon in Montreal, Canada. Unfortunately, work caught us just when we arrived back in Germany, so I haven’t had time to sit down and write down a few words so far. However, we think that what we’ve experienced at REcon is worth writing about.

The overall quality of the speakers and talks was very nice. What really amazed me was the artwork of REcon:


It was printed on stickers and t-shirts, both of which were really awesome. Compared to other conferences, these were really outstanding 🙂 I hope to see more such good work in future years. I would also love to have some of these printed on posters, so maybe the organizers could print some and give them to participants.

The two parties on the first and second day were also quite nice: the first day with Atari Teenage Riot, and the second day in a cool location. Both were very well organized and entertaining.

I’ve had the pleasure of participating in Saumil Shah’s The ARM Exploit Laboratory workshop, which was great fun. The workshop was well prepared and executed, and I’ve learned a lot. We received tons of material and a nice exploit development environment based on two ARM VMs, which are quite handy for future development. I can recommend it to everyone, especially since four days of training is a lot better than just one or two days of training, in my opinion.

Frank wrote some words about a talk which we all enjoyed:

“Visiting The Bear Den” was an interesting talk about a two-year-long investigation into an attacker group they called the Sednit group. The talk mainly walked through an attack lifecycle they investigated, which started, as usual, with a phishing mail. The group used a whole set of malware for their attacks, which came into play one after the other. It involved, in the first stage, an exploit kit for targeted attacks, which is a VBScript framework and is finally responsible for downloading the next stage via PowerShell. The second stage is a dropper which comes with anti-analysis, privilege escalation and persistence functionality. As soon as the payload is established, it tries to contact the C&C server for reporting and further commands. This stage is also responsible for downloading a backdoor (SEDRECO), which is capable of loading external plugins and spying on the current computer. There was, however, also another backdoor written in C++ they encountered, named XAGENT. The fun part about that one was: access to the source code 😉 They found the source code for the Linux version of XAGENT, which contained the Windows commands as comments, some Russian and English comments and struct ASCII art. The communication to the C&C server worked via email with 2 different mail accounts: one for sending and one for receiving. The group also used a tool called XTUNNEL, which enabled them to access further machines within the victims’ network (pivoting). Last but not least, there was also a bootkit, which was planted by a Delphi binary (must have been fun to reverse ;) ). There were many more details in this talk, so if you have become interested, have a look at this.

Have a nice week.


