Paul Rascagneres

InkySquid: The Missing Arsenal

InkySquid (aka Group123, APT37) is an infamous threat actor linked to North Korea that has been active for at least 10 years. This actor is known to use social engineering in order to breach targets and exploit n-day vulnerabilities in Hangul Word Processor (HWP), as well as browser-based technologies. One of the most documented intrusion sets used by this actor is RoKRAT, a Windows RAT using cloud providers as C2 servers. In this presentation, attendees will learn about an undocumented macOS port of RoKRAT. Paul will describe the internal mechanisms and different espionage features of the malware, as well as built-in attempts to bypass macOS security features and embedded exploit code based on n-day exploits.

Paul Rascagneres is a principal threat researcher at Volexity. He performs investigations to identify new threats, and he has presented his findings in several publications and at international security conferences. He has been involved in security research for 10 years, mainly focusing on malware analysis, malware hunting, and more specifically on advanced persistent threat (APT) campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.