Antonio Villani
As Co-Founder of RETooling, Antonio Villani dedicates his full attention to developing red-team artifacts, including the adversary emulation library. His current work builds upon a career primarily spent on the blue-team side, where he specialized in reversing sophisticated implants and delivering crucial insights to cyber-defense and threat intelligence teams. Antonio now leverages this deep understanding to meticulously analyze complex implants, dissecting TTPs for high-quality reimplementation. He also actively contributes to the cybersecurity community by instructing on advanced malware development (MalOpSec classes) at top security conferences. His academic background includes a PhD focused on malware research and digital forensics.
Sessions
Go beyond static artifacts and canned simulations. This workshop introduces a next-level threat actor emulation, immersing you in a live fire dissection experience against implants inspired by Advanced Persistent Threat (APT) TTPs. You'll execute these multi-stage implants within your analysis VM and watch them interact live with our custom, controlled C2 infrastructure – a rarity in typical analysis. Decrypt actual network traffic, reverse dynamically delivered payloads, and unravel the entire kill chain as it happens. Prepare for a hands-on CTF challenge analyzing a uniquely realistic, sophisticated, and interactive threat.
One of the most challenging aspects of adversary emulation is replicating the custom implants used by threat actors. To accurately assess security measures, emulated implants must not only mimic functionalities and quirks but also reproduce the obfuscation techniques of the original malware. This talk presents our re-implementation of APT41’s Scatterbrain obfuscator, including instruction dispatchers that disrupt control flow and import protection mechanisms leveraging Linear Congruential Generator (LCG)-based encryption.
To validate our approach, we tested our sample against Mandiant’s deobfuscation tool for the original Scatterbrain. The results demonstrated that our re-implementation could be correctly deobfuscated, confirming its accuracy. However, we took this a step further—by slightly modifying the obfuscation, we successfully broke the deobfuscator’s heuristics, creating a variant that required new tools to analyze while still maintaining strong structural similarity to the original.