COMMSEC: The Trails of WINDSHIFT APT

PRESENTATION SLIDES (PDF)

WINDSHIFT APT is an obscure cyber espionage actor, discovered recently targeting individuals working at a government. This actor has a dedicated and advanced spear phishing infrastructure, able to serve spear phishing emails and SMS to track individuals continuously during the reconnaissance phase, and deceiving targets during the credentials harvesting phases through the impersonation of global and local platform providers.

What makes WINDSHIFT APT different from the rest of APT actors is their sole focus on specific individuals for espionage and surveillance purposes and their very hard to attribute Modus Operandi (MO) that we will present during this talk. WINDSHIFT APT rarely engage targets with malware, Dark Matter LLC uncovered very few targeted attacks from this actor and was able to uncover and analyze macOS malwares used. Finally, WINDSHIFT APT have unique macOS infection tricks abusing macOS native functionalities to automatically spread malware to targets.

This presentation will go through the reconnaissance, credentials harvesting, malware spreading, disappearing and escape phases this advanced actor is following and will give all details about the new macOS malware uncovered dubbed WINDTAIL and WINDTAPE.

COMMSEC
Location: BALLROOM 2 Date: August 30, 2018 Time: 3:00 pm - 4:00 pm Taha Karim