Current Man-in-the-Browser (MITB) trojans like Trickbot or Dridex are largely similar to first-generation bots like Zeus or Zbot. They all include a list of targets and corresponding webinjects, and still offer essentially the same features, such as keylogging, form-data harvesting and remote control (RAT) capabilities. Today, we are seeing a number of client-side defense proposals being rushed through the standardization process, such as CSP, Subresource Integrity and HPKP. In part, these standards are a response to the permissiveness of the browser toward injection attacks. We argue that it is important to understand how effective these standards can be against MITB attacks specifically, and to anticipate how attackers will evolve MITB trojans in an attempt to defeat those defenses. In this talk, based on our work, we fast-forward to a not-so-distant future of MITB attacks by demoing a homegrown MITB trojan that: 1) is resistant to a number of current defenses by tampering with headers and by exploiting JavaScript code polymorphism; 2) holds capabilities that range from credential and data leakage to website hijacking. We'll also cover approaches to defeat these next-gen trojans by employing similar code-attacking techniques and demoing how to detect and react to these trojans.
ABOUT THE SPEAKER:
Pedro Fortuna is CTO and Co-Founder of Jscrambler, where he leads the technical vision for the product suite and contributes his cybersecurity knowledge to R&D. Pedro holds a degree in Computing Engineering and an MSc in Computer Networks and Services, and has more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences, and also contributes to web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware, and Software Engineering. He is the author of several patents in application security.
Paulo Silva is an IT security practitioner with 15+ years of experience as a Web Developer and a freedom enthusiast: Free Open Source Software (FOSS), World Wide Web (WWW) and Cross Country (XC). With a bachelor's degree in Computer Sciences and a Master's course in Innovation and Technological Entrepreneurship, over the last three years he has focused on researching DOM-based attacks such as Man-in-the-Browser (MitB) and on how to bring Runtime Application Self-Protection (RASP) to the client side. When not researching or breaking stuff, you'll probably find him riding his mountain bike all over the world.