Once you POPTOP, you can’t stop. Putting the pieces together on a new and sophisticated APT malware


An obfuscation technique used by the loader component of the REDSALT malware family led to the discovery of a new loader sample in a public malware repository last year. The loader, later named POPTOP, can decrypt and load an encrypted payload, something not seen in the wild at that time.

A month later, at an Asian telecom organization, the Mandiant Managed Defense team found a live POPTOP sample while investigating a threat hunting lead: a suspicious AppCompat cache entry on a host. The team also obtained the encrypted payload that the malware loads and executes. Because the samples were suspected APT malware, they were immediately submitted to Mandiant's malware analysis team for expedited analysis. The resulting malware analysis reports guided the Managed Defense team in thoroughly analyzing the collected compromise data, including decrypting the captured network traffic. The decrypted traffic revealed an attacker actively interacting with the POPTOP backdoor component on a compromised host: running reconnaissance commands, staging stolen data, and cleaning up tracks. The team then created network signatures and requested EDR (endpoint detection and response) and IPS (intrusion prevention system) signatures for POPTOP. A few months later the attacker returned and targeted the same organization again. This time the attacker was more aggressive and compromised five hosts, but no attacker interaction was observed because all POPTOP traffic was blocked by the organization's IPS, thanks to the signatures created from the previous compromise.
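The hunting lead mentioned above, a suspicious AppCompat cache (Shimcache) entry, is the kind of artifact a hunter can triage at scale. The following is an added example, not code from the talk, from Mandiant, or from the POPTOP analysis: a parser for the Windows 10 AppCompatCache registry value (the "10ts" entry layout) followed by a small triage filter that flags entries a hunter would pull for follow-up. The cache blob, host, and file paths are all constructed inline and hypothetical; on a real system the blob is the `AppCompatCache` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`, read from the registry or from an offline SYSTEM hive.

```python
"""Windows 10 AppCompatCache (Shimcache) parser with a hunting triage filter.

Added example, not code from the talk or from Mandiant. The sample cache
below is constructed in this file so the script runs offline.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

WIN10_SIGNATURE = b"10ts"
HEADER_SIZE = 0x34          # Windows 10 1607+ header size; earlier Win10 builds use 0x30
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_win10_shimcache(blob):
    """Parse a Windows 10 AppCompatCache value into {path, last_modified} dicts.

    Per entry: "10ts" | 4 unknown bytes | u32 entry size | u16 path length |
    UTF-16LE path | FILETIME (the file's last-modified time, not an execution
    time) | u32 data size | data. The entry size counts everything after the
    size field, so it is also the stride to the next "10ts" signature.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unexpected AppCompatCache header size 0x{header_size:x}")
    entries, offset = [], header_size
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == WIN10_SIGNATURE:
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = offset + 12
        path_len = struct.unpack_from("<H", blob, body)[0]
        path = blob[body + 2:body + 2 + path_len].decode("utf-16-le")
        filetime = struct.unpack_from("<Q", blob, body + 2 + path_len)[0]
        entries.append({"path": path, "last_modified": filetime_to_datetime(filetime)})
        offset = body + entry_size
    return entries


# Triage heuristics: user-writable or staging directories, well-known system
# binary names living outside System32/SysWOW64, and "document.pdf.exe" lures.
SUSPICIOUS_DIRS = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\Local\\Temp|ProgramData|Windows\\Temp|Users\\Public)\\", re.I)
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "smss.exe"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.exe$", re.I)


def hunt(entries):
    """Return [(path, [reasons])] for entries worth a closer look."""
    hits = []
    for entry in entries:
        path = entry["path"]
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        reasons = []
        if SUSPICIOUS_DIRS.search(path):
            reasons.append("binary in user-writable or staging directory")
        if name in SYSTEM_BINARIES and not lower.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
            reasons.append("system binary name outside System32")
        if DOUBLE_EXT.search(name):
            reasons.append("double extension")
        if reasons:
            hits.append((path, reasons))
    return hits


def _build_entry(path, last_modified, data=b""):
    """Serialize one Win10 cache entry (used only to construct the sample blob)."""
    p = path.encode("utf-16-le")
    body = (struct.pack("<H", len(p)) + p
            + struct.pack("<Q", datetime_to_filetime(last_modified))
            + struct.pack("<I", len(data)) + data)
    return WIN10_SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


# Constructed sample cache from a hypothetical host; paths and timestamp are made up.
SAMPLE_TIME = datetime(2019, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Acme\acme.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
    r"C:\ProgramData\svchost.exe",
    r"C:\Windows\Temp\report.pdf.exe",
]
SAMPLE_BLOB = (struct.pack("<I", HEADER_SIZE) + b"\x00" * (HEADER_SIZE - 4)
               + b"".join(_build_entry(p, SAMPLE_TIME, b"\x01\x00") for p in SAMPLE_PATHS))

if __name__ == "__main__":
    for path, reasons in hunt(parse_win10_shimcache(SAMPLE_BLOB)):
        print(path, "->", "; ".join(reasons))
```

Two caveats a hunter should keep in mind: on Windows 10 a Shimcache entry records that the file was seen by the shim infrastructure and carries the file's last-modified time, not proof or a time of execution, so a hit is a lead to corroborate against Amcache, Prefetch, and EDR telemetry rather than a finding on its own; and the filter above is deliberately simple, so in practice the hit list is compared against a known-good baseline of the fleet before anyone pulls a disk image.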

A few months after that, an Asian government agency was hit by POPTOP. In this engagement the team identified what looked like a watering hole attack as the initial infection vector used to compromise targets. This finding supplied the final piece of the POPTOP puzzle, since no traces of the initial infection vector had been found in the previous attacks.

In this talk, the audience will learn about the importance of the threat hunting goal: to make the undetectable detectable. It will also cover the importance of teamwork and collaboration between the incident response, malware analysis, and signature development teams in processing threat intelligence, which led to protection against advanced persistent threats.

Speakers Information

Billy James Velasco

Billy James (Beejay) Velasco is a seasoned cybersecurity practitioner with more than 14 years of experience in incident response, threat hunting, malware analysis, digital forensics, penetration testing, and security auditing. He is a Senior Principal Security Analyst on the Mandiant Managed Defense - Advanced Analysis team, where his expertise is focused on threat hunting, incident response, and the development of new hunting techniques. He and his team have responded to the latest and greatest compromises perpetrated by advanced threat actors at hundreds of subscribed Managed Defense customers globally. Beejay has presented at security conferences and events, including GovernmentWare (GovWare), Cyber Defense Live in Singapore, Australia and the Philippines, the Null Singapore (Open Security Community) Meetup, and the FireEye/Mandiant FLARECON conference. He currently holds the Certified Information Systems Security Professional (CISSP), GIAC Certified Forensic Analyst (GCFA), EC-Council Certified Hacking Forensic Investigator (C|HFI), Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Systems Administrator (MCSA) certifications. Prior to Mandiant, Beejay held various lead and senior security analyst roles at Emerson Electric, Tyche Consulting, and the Bank of the Philippine Islands.
