NorthSec 2024

Alexandre Côté

Alexandre has been a malware researcher at ESET since 2021. Working with the Montreal team, he focuses on tracking APT groups and their toolsets.

He has previously presented about APTs and attribution at Botconf, Sleuthcon, Hackfest, and BSidesMTL. He is also involved in mentoring students getting started in infosec.
His interests include operating systems fundamentals, writing shell scripts to automate tasks that don't always need to be automated, and brewing beer.


Sessions

05-16
14:30
30min
Reverse-Engineering Nim Malware: Or a brief tale of analyzing the compiler for a language I had never used
Alexandre Côté

Nim has become the language of choice for a number of libraries and tools used by red-teamers and pentesters. Much like with Mimikatz and Cobalt Strike before, malicious actors have started putting some of the same tooling to their nefarious purposes. One such example is Mustang Panda, a China-aligned APT that started using Nim to create custom loaders for their Korplug backdoor. For attackers, using a less common language also has benefits when it comes to evading defenses and hindering analysts’ work; we have seen the same thing with the growth of malware written in Go and Rust.
In this presentation, we will go over some of the specific challenges associated with analyzing Nim malware. We will then present tips and tools to help mitigate these difficulties. This will include the presentation of Nimfilt, our analysis script for IDA Pro that we will release shortly before the conference.
Finally, we will demonstrate the use of Nimfilt and other publicly available tools on real malware samples.

Malware
Ville-Marie
05-16
15:15
30min
Malware Q&A
Alexandre Côté, Marc-Etienne M.Léveillé, Alexis Dorais-Joncas, Sergei Frankoff, Greg Lesnewich, Pierre-Marc Bureau

Q&A Discussion for the malware block.

Malware
Ville-Marie