Marc Rivero Lopez
Marc is a distinguished intelligence expert and an accomplished professional in reverse engineering, a combination that gives him an exceptionally versatile and valuable profile. His career is characterized by deep academic training and extensive practical experience in the field of intelligence, which has enabled him to capture and maintain the interest of audiences at numerous conferences both nationally and internationally.
In his crucial role within CERT/CSIRT teams at leading financial institutions, Marc has distinguished himself as the Head of Research. His solid background in intelligence has been a key asset in this context, proving to be an invaluable resource in identifying, analyzing, and solving complex security challenges.
His reputation as an expert in the field has made him a sought-after reference for his extensive knowledge, particularly in critical areas such as fraud, cybercrime, and targeted attacks. His leadership has been fundamental in the development of numerous research initiatives, which have significantly contributed to the advancement of knowledge in these areas.
In addition to his professional success, Marc stands out as a passionate and committed educator. He currently serves as the coordinator of the Master's program in Computer Security at La Salle Barcelona, where his innovative approach and exceptional skills continue to have a positive impact on the training of the next generation of professionals in the fields of intelligence and security.
Sessions
In the proposed talk, the speakers will comprehensively analyze the relevant operations of the APT group MuddyWater, which emerged on the cybersecurity scene in 2017. This group, with an initial focus on government targets in Iraq and Saudi Arabia, has extended its operations to other countries in the Middle East, as well as Europe and the United States. Throughout 2018, a significant increase in spear-phishing documents targeting government, military, telecommunications, and educational entities was identified in Jordan, Turkey, Azerbaijan, and Pakistan. Victims have also been detected in Mali, Austria, Russia, Iran, and Bahrain; a notable case is the 2017 attack on the National Cyber Security Center of Saudi Arabia to steal credentials and data.
The authorship of MuddyWater's operations remains unknown, although its attacks appear to be geopolitically motivated, targeting high-profile personnel and organizations. The code used in their latest attacks includes features that appear designed to distract and disorient researchers, such as the use of Chinese characters and names such as Leo, PooPak, Vendetta, and Turk in the malware.
MuddyWater is responsible for many attacks and constantly develops new methods and techniques to improve them. This includes active developers improving their toolset to minimize exposure to security products and services. The recent attacks indicate a growing interest in Africa, although its main targets remain Iraq and Saudi Arabia.
In the presentation, the operations carried out by MuddyWater in 2022 and 2023 will be analyzed from the perspective of two different disciplines, offensive security and intelligence analysis, highlighting and analyzing the private tools used by the group, such as NIHAY, a C#-based tool to download and run payloads; LISFONSERVICE, a C#-based RAT; and POWERSTATS, a PowerShell-based first-stage backdoor, among others. In addition to private tools, the group uses tooling also used by red teams, such as the Koadic C3 COM Command & Control framework, Meterpreter, Mimikatz, PowerShell-based scripts, LaZagne, Slaver.py, Cr.exe and Mmap.py (called "MapTools" by MuddyWater).
Through this talk, the speakers will provide a comprehensive view of MuddyWater's techniques, strategies and objectives from the combined perspective of offensive security and intelligence analysis. The goal is to provide a deep understanding of how this APT group operates and how a combined approach can be used to understand its TTPs.