Windows threats and COM interfaces

The Component Object Model (COM) is one of the fundamental technologies in the Windows operating system, facilitating interprocess communication and dynamic object creation across different programming languages.

While COM is widely used for legitimate software development, its capabilities have also been abused by threat actors, ranging from APT groups to cybercriminals, to carry out malicious activities.

This presentation is the result of research into the resurgence of threat actors using COM interfaces for lateral movement, command and control (C2) communications, data exfiltration, persistence, code execution and other TTPs.

Attendees will learn the fundamental concepts of the model as well as the tools available for understanding and analysing COM classes and interfaces. We will explain the best approach to researching which COM interfaces can be used for offensive operations, and provide tips on reversing malicious COM-based binaries in IDA Pro, both manually and with the help of a COM analysis plugin.

We will document notable examples from cybercriminal malware as well as from code deployed by APTs.

Vanja Svajcer – Cisco

Vanja Svajcer works as a Threat Researcher at Cisco Talos. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He has presented his work at conferences such as AVAR, Virus Bulletin, RSA, CARO, FSec, BSides, BalCCon and others.