This presentation introduces the underestimated threat of application-level rootkit attacks on managed code environments, which enable an attacker to change the language runtime implementation and hide malicious code inside its core. It covers generic methods of malware development (rootkits, backdoors, logic manipulation, etc.) for application VMs such as Java, .NET, Dalvik and other managed code platforms by changing their internal behavior.
The presentation includes attack scenarios and demos of information logging, reverse shells, backdoors, encryption key fixation and other nasty things. It also introduces the new version of "ReFrameworker" (previously known as .NET-Sploit), a generic language modification tool that can be used to implement the application-level rootkit concept.
More information on Managed Code Rootkits (MCR) can be found here: https://appsec-labs.com/Managed_Code_Rootkits





