Boris Larin & Alexey Kulaev

TyphoonCon 2020 Speaker

Boris Larin and Alexey Kulaev | Senior Researchers at Kaspersky
Location: Courtyard by Marriott Seoul Namdaemun, Seoul, Korea
Title: Technical analysis of “Operation WizardOpium” zero-day exploits
Date: June 18th, 2020


Boris Larin (@oct0xor) is a Senior Security Researcher in the Global Research and Analysis Team at Kaspersky.
In his current role, Boris is responsible for finding zero-days exploited in the wild. Boris is very passionate about reverse engineering and has been practicing it for the last decade, performing vulnerability research on different CPU architectures and systems. Recently he became the first researcher to take part in the private Sony PlayStation bug bounty program. Boris also specializes in the discovery of supply chain attacks, and he originally discovered the ASUS “Operation ShadowHammer” attack and a few others. His latest write-ups about zero-day exploits and the inner workings of commonly exploited software can be found on Securelist.com.

Past speaking experience: Rootcon, Virus Bulletin, AVAR, CanSecWest, SAS, BlueHat, TyphoonCon, ISC by Qihoo 360, Code Blue, CCC, OffensiveCon

Alexey Kulaev (@flat_z) is a Senior Malware Analyst in the Exploits and Network Threats Detection Team at Kaspersky. In his current role, Alexey is responsible for the development of exploit detection technologies. In his free time he likes to examine the attack surface of video game consoles (such as the PS4 or Xbox One) by developing web browser exploits for them. Besides that, he is publicly known as one of the most active developers in the PS4 console hacking scene.


At the end of 2019 we caught a new, unknown exploit that was distributed via a watering-hole-style injection on a Korean-language news portal. After removing multiple layers of obfuscation, it became clear that we had found a zero-day exploiting an unpatched vulnerability in one of the recent versions of Google Chrome. The final payload of this attack had no definitive links to any known threat actors, and we named it “Operation WizardOpium”. In this presentation we would like to focus on the analysis of the exploits and vulnerabilities used in “Operation WizardOpium”, as our further research revealed the use of multiple unpatched vulnerabilities.

In this presentation, we will share the following:
1. Technical details on how the exploits were delivered to victims
2. An in-depth analysis of obfuscations used to protect exploits and how we bypassed them
3. An in-depth analysis of vulnerabilities used by attackers and their exploitation