From EK to DEK: An Analysis of Modern Document Exploit Kits

BSidesLV 2019

Presented by: Joshua Reynolds
Date: Wednesday August 07, 2019
Time: 11:00 - 11:55
Location: Breaking Ground

Exploit Kits haven’t disappeared, they’ve simply moved to Microsoft Office. Traditional Exploit Kits (EKs) have the ability to fingerprint and compromise web browser environments, but with the advent of sandboxing and advanced security measures, there has been a shift toward using the Microsoft Office environment as a primary attack surface. Document Exploit Kits (DEKs) leverage DCOM, ActiveX controls, and logic bugs to compromise machines by packing multiple exploits into a single file.

This talk will provide an in-depth overview of the vulnerabilities and exploitation techniques used by the ThreadKit and VenomKit documents to spread well known malware families, and how they are being used in targeted attacks.

Joshua Reynolds

Joshua Reynolds is a Senior Security Researcher with CrowdStrike, where he performs malware reverse engineering and intelligence analysis. Joshua has presented at BSides Calgary, BSides Edmonton and RSAC focusing on Ransomware, malicious document analysis and cryptojacking malware. He is also the co-author of the SAIT Polytechnic Information Systems Security diploma malware analysis course.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats