Japan Security Analyst Conference 2019 -Part 2-
Following the JSAC2019 Part 1, this article provides an overview of the latter half of the conference. We have also uploaded the photos from the conference on Flickr.
“Sextortion Spam Demanding Cryptocurrency”
by Chiaki Onuma (Kaspersky)
Presentation material (Japanese)
Sextortion spam is a campaign distributing spam emails in which adversaries aim to extort money (e.g. bitcoin) by threatening recipients with the exposure of sexual content. Ms. Onuma shared the outcome of her analysis of these spam emails, which have been increasingly seen in Japan since 2018.
She demonstrated that adversaries are taking advantage of this attack method because they do not need to prepare highly sophisticated malware to gain profit from victims. Sextortion spam emails have been widely observed since July 2018, and the technique is becoming even more sophisticated. For example, in addition to the English versions, the emails are now being sent in Japanese, and some emails contain credentials stolen from existing web services. In other examples, the email sender address is spoofed to be identical to the recipient’s own address, so that it appears as if the recipient’s email account had been compromised.
She investigated the bitcoin addresses specified in the spam emails and, surprisingly, revealed that about 265K USD had already been deposited to those addresses (at the exchange rate at the time of the analysis).
As a means to detect sextortion spam emails, she suggested using the adversary’s bitcoin address as a signature. According to her experiment, about 70% of the malicious emails in the samples she had were detected this way.
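The two detection tells described above, the wallet address used as a signature and the From address spoofed to match the recipient, as an added example that is not part of Ms. Onuma's material: it extracts legacy Base58Check bitcoin addresses from an email body, verifies their checksum to suppress regex false positives, and matches them against a watchlist. The watchlist entry and the sample email are constructed here (the wallet is derived from a dummy hash), and bech32 addresses are left out of scope.

```python
import hashlib, re
from email import message_from_string
from email.utils import parseaddr

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy 1.../3... shape

def b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)      # ValueError on a non-alphabet character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + raw

def sha256d4(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(payload):
    return b58encode(payload + sha256d4(payload))

def is_valid_legacy_address(text):
    """Accept only strings whose Base58Check checksum verifies: cuts regex false positives."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    return len(raw) == 25 and raw[21:] == sha256d4(raw[:21])

def analyse(raw_email, watchlist):
    """Wallet-address signature match plus the From == To spoofing tell."""
    msg = message_from_string(raw_email)
    wallets = {a for a in ADDR_RE.findall(msg.get_payload()) if is_valid_legacy_address(a)}
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return {"wallets": sorted(wallets),
            "watchlist_hit": bool(wallets & watchlist),
            "self_spoofed": bool(sender) and sender == rcpt}

# Constructed sample: the wallet is derived from a dummy 20-byte hash, not a real indicator.
ATTACKER_WALLET = b58check_encode(b"\x00" + bytes(range(1, 21)))
SAMPLE_EMAIL = ("From: victim@example.com\nTo: victim@example.com\nSubject: account\n\n"
                f"Send 0.1 BTC to {ATTACKER_WALLET} within 48 hours.\n")
```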
“Analysis of Attack Technique Using ANEL by APT10”
by Kiyotaka Tamada (SecureWorks Japan)
Presentation material (Japanese)
Mr. Tamada shared the analysis outcome of the malware “ANEL”, which seems to be used by the attacker group APT10.
He explained that ANEL is only seen in targeted attacks against Japanese entities, delivered as an email attachment. These emails are sent from a specific free email service with a message body about international affairs, and the attachment password is sent in a separate email.
According to his analysis, ANEL has been updated constantly. In older versions, ANEL was downloaded and executed via “Koadic”, a JavaScript-based open source RAT. The newer versions, however, introduced changes such as code obfuscation and a different data encryption algorithm. He added further details on its other features such as its anti-analysis function, unpacking and communication decryption. He also demonstrated how to unpack ANEL using a Python script he wrote.
At the end of the session, a participant asked how to analyse obfuscated code, and Mr. Tamada answered that he usually compares the code with that of an older version, since the de-obfuscation plugin of IDA Pro (an analysis tool) may not work well with some malware. When asked about tips for identifying ANEL-infected hosts during an investigation, he suggested that paying close attention to network communication would be key, since ANEL generates HTTP communication.
“Attack against Publicly Accessible Servers Forcing Cryptocurrency Mining”
by Naoaki Nishibe (LAC)
Presentation material (Japanese)
Mr. Nishibe began his presentation by explaining attacks that leverage a third party’s resources for cryptocurrency mining. While many cases are reported where client resources are leveraged using JavaScript miners and malicious/fake applications, server resources are also targeted. For example, publicly accessible servers with an unpatched Apache Struts 2 vulnerability were leveraged, which resulted in arbitrary code being executed by an attacker for cryptocurrency mining. His presentation focused on such attack cases involving public servers.
In earlier financially motivated cyber attacks, for example, adversaries had to compromise a database server to steal personal information and then sell it to a third party in order to gain profit. Cryptocurrency mining, on the other hand, can directly generate profit as long as computing resources are available. It is also convenient for adversaries since the personally identifiable information associated with each wallet address is almost untraceable, so it offers high anonymity. Attacks leveraging vulnerabilities in publicly accessible servers to conduct cryptocurrency mining have been increasing since April 2017, and the number of adversaries and the variety of leveraged vulnerabilities and attack methods have been expanding since then.
Mr. Nishibe described two types of attacks targeting servers, the “mining proxy” type and the “direct participation” type, each of which has advantages and disadvantages. In the “mining proxy” type, mining results from the affected servers are sent to a mining pool via a proxy. Although the attackers themselves need to prepare a proxy server, this ensures anonymity. In the “direct participation” type, on the other hand, affected servers send the mining results directly to a mining pool. This saves the attackers the trouble of preparing infrastructure; however, their accounts could be banned by the mining pool since the wallet address is traceable.
He monitored the income of an attacker’s wallet address, and observed an increase following the disclosure of PoC code for a vulnerability affecting public servers. He suggests that monitoring the income of an attacker’s account could be one way to measure the impact of a certain vulnerability.
“Understanding Command and Control - An Anatomy of xxmm Communication -”
by You Nakatsuru (SecureWorks Japan)
Presentation material (Japanese)
Presentation material (English)
Mr. Nakatsuru described the Command & Control structure of “xxmm”, a remote access tool used in attacks against Japanese entities. xxmm is reportedly used by the attack groups “Tick” and “Bronze Butler”.
He introduced the C&C server behaviour observed in the latest attacks in the hope of helping incident responders and red teams conducting APT-themed exercises.
First, an xxmm client and a C&C server exchange their RSA public keys. Communication between the two is conducted over HTTP. The client executes functions based on the commands sent from the server, and the results are returned to the server. The client encrypts the payload with a one-time RC4 key, and the key itself is encrypted with the server’s public key and inserted into the payload. The C&C server first decrypts the RC4 key using its private key, and then uses that key to decrypt the payload. Mr. Nakatsuru provided a detailed technical explanation of the encryption algorithm, HTTP parameters, payload structure and remote control commands.
Based on his analysis of xxmm’s behaviour, he implemented a simple program that imitates the C&C server’s functions, and successfully demonstrated that this program could control the xxmm client.
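The key-wrapping flow described above (one-time RC4 key per message, wrapped with the server's RSA public key, recovered on the server side with the private key), as an added example that is not Mr. Nakatsuru's emulator and not xxmm's real format: the client-to-server direction only, with a toy-sized RSA key pair and an assumed payload layout of a 2-byte length, the wrapped key, then the RC4-encrypted payload. This is the decryption an analyst holding the emulated server's private key performs on a captured client message.

```python
import os
import struct

# Toy RSA parameters (small primes, no padding): illustration only, assumed.
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # server's private exponent

def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rsa_wrap_key(key, n, e):
    """Textbook RSA over 4-byte chunks (each < n); 5-byte ciphertext per chunk."""
    return b"".join(pow(int.from_bytes(key[i:i + 4], "big"), e, n).to_bytes(5, "big")
                    for i in range(0, len(key), 4))

def rsa_unwrap_key(blob, n, d):
    return b"".join(pow(int.from_bytes(blob[i:i + 5], "big"), d, n).to_bytes(4, "big")
                    for i in range(0, len(blob), 5))

def client_pack(payload, server_n, server_e):
    """Client side: fresh RC4 key per message, wrapped with the server's public key.
    Layout (assumed, not xxmm's real format): [2-byte len][wrapped key][RC4 payload]."""
    k = os.urandom(16)
    wrapped = rsa_wrap_key(k, server_n, server_e)
    return struct.pack(">H", len(wrapped)) + wrapped + rc4(k, payload)

def server_unpack(blob, server_n, server_d):
    """Server / analyst side: recover the RC4 key with the private key, then the payload."""
    (klen,) = struct.unpack(">H", blob[:2])
    k = rsa_unwrap_key(blob[2:2 + klen], server_n, server_d)
    return rc4(k, blob[2 + klen:])

def roundtrip(payload):
    return server_unpack(client_pack(payload, N, E), N, D)
```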
In closing
Among the presentation proposals submitted for the JSAC2019 CFP, there were 11 from local analysts and 7 from overseas. Although it is a local event, we were amazed by the enthusiasm of the foreign researchers, whose proposals accounted for more than one third of all submissions. For future events, we look forward to even more active participation from both local and overseas communities.
In the closing remarks, Mr. Kazumasa Utashiro, Executive Board of JPCERT/CC, encouraged security analysts by saying that they are, in a way, “creative hackers” who can make efforts to prevent cyber attacks. We also hope to develop JSAC as a community to share the outcomes of the ‘creativity’ of the analysts.
Thank you for reading and see you at JSAC 2020.
(Translated by Yukako Uchida)