Level: Technical
Abstract:
Malware development is a process of continuous refinement. In this session, we analyze the evolution of VIPERTUNNEL, a Python-based backdoor used by the UNC2165 (EvilCorp) activity cluster for stealthy persistence and network pivoting.
The core of this talk focuses on the “evolutionary leap” in the malware’s code logic and defensive posture. We will walk through three distinct stages of its development:
- The Public Phase: Early variants that relied on well-documented, open-source obfuscators (like `pyobfuscate`), which are easily defeated by standard tools.
- The Prototype: The emergence of a custom-built loader that, while still exhibiting “noisy” cleartext strings and linear execution, signaled a shift toward a private, proprietary framework.
- The Production Variant: The current “gold standard” used in DragonForce engagements. This version is a multi-layered beast featuring ChaCha20 encryption, BLAKE3 integrity checks, and control-flow flattening to force analysts into a grueling, non-linear reversing process.
We will also explore the “Shared DNA” between VIPERTUNNEL and other tools like the ShadowCoil credential stealer. By analyzing a privately maintained, multi-stage packer common to both, we uncovered unexpected Linux-specific anti-debugging checks buried within Windows-targeted payloads—a clear indicator of modular, cross-platform ambitions by the developers.
Bio:
Evgen Blohm is an experienced DFIR expert who has been involved in responding to a large number of cyber incidents. He is based in Hamburg, Germany and is currently working for InfoGuard AG, where he is also supporting customers with compromise assessments and dark web monitoring.