Japan Security Analyst Conference 2020 -Part 2-

Following the JSAC 2020 Part 1 article, we continue with a summary of the second half of the JSAC 2020 programme.

Battle Against Ursnif Malspam Campaign targeting Japan

By Ken Sajo (JPCERT/CC), Yasuhiro Takeda (Mizuho Financial Group)

Slides

They both work in a special interest group that collects and analyses email samples distributed in malspam campaigns. Among the many cases targeting Japan, they presented their observations on the Ursnif campaign.

Ursnif is a banking trojan that steals online banking credentials. Mr. Takeda analysed Ursnif campaigns targeting Japan between 2016 and 2019 and concluded that there are two separate attack groups with different characteristics and targets. Based on the evidence, he assumes that each group is further divided into smaller teams that take on different roles over the course of an attack (e.g. sending emails, creating attachments, developing/exploiting malware and purchasing domains).

Based on the analysis results, the special interest group took an active defence approach: they shared IoCs on Twitter, analysed the domain generation algorithm implemented in the malware, and sinkholed the generated domains in advance in the hope of raising the attacker's cost of conducting malicious activities. Mr. Sajo illustrated the effectiveness of the approach by pointing out that these activities actually made one of the attack groups targeting Japan inactive.

At the end of the presentation, they suggested that the following measures are effective against malspam:

  • Apply IoCs in email security products to monitor/block suspicious emails
  • Apply IoCs on the proxy to monitor/block suspicious communication
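As an added illustration of the two measures above and of the sinkholing approach described earlier (example code written for this summary, not the special interest group's own tooling), the Python script below pre-computes the domains a date-seeded DGA will generate over the coming week, merges them with a shared IoC list, and checks Squid-style proxy log lines against the result. The DGA, the IoC domains and the log lines are all constructed placeholders; the toy DGA is not Ursnif's actual algorithm.

```python
import hashlib
from datetime import date, timedelta

# --- hypothetical DGA (NOT Ursnif's real algorithm): a date-seeded hash turned into a label ---
TLDS = ("com", "net", "org")


def toy_dga(day: date, count: int = 3) -> list:
    """Return the `count` domains this toy DGA would produce for `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_dga(start: date, days: int) -> set:
    """Domains the DGA will use over the next `days` days: the set a defender can register or sinkhole ahead of time."""
    out = set()
    for offset in range(days):
        out.update(toy_dga(start + timedelta(days=offset)))
    return out


# --- shared IoCs (constructed placeholders, not real indicators) ---
SHARED_IOCS = {"malspam-c2.example", "dropzone.example"}


def host_from_url(url: str) -> str:
    """Extract the lowercase host from a URL or from a CONNECT target such as host:443."""
    if "://" in url:
        url = url.split("://", 1)[1]
    netloc = url.split("/", 1)[0].rsplit("@", 1)[-1]
    return netloc.split(":", 1)[0].lower()


def match_proxy_log(lines, blocklist) -> list:
    """Squid native access.log: fields[2] = client IP, fields[6] = URL.
    A line is a hit when the host or any of its parent domains is on the blocklist."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        host = host_from_url(fields[6])
        parts = host.split(".")
        for i in range(len(parts) - 1):          # never match the bare TLD
            candidate = ".".join(parts[i:])
            if candidate in blocklist:
                hits.append((fields[2], host, candidate))
                break
    return hits


def sample_log(day: date) -> list:
    """Constructed proxy log lines: one benign, one hitting a shared IoC, one hitting a DGA domain."""
    dga_host = toy_dga(day)[0]
    return [
        "1579228800.123 100 10.0.0.5 TCP_MISS/200 512 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
        "1579228801.456 250 10.0.0.7 TCP_MISS/200 2048 GET http://cdn.malspam-c2.example/update.bin - HIER_DIRECT/203.0.113.9 application/octet-stream",
        f"1579228802.789 80 10.0.0.9 TCP_TUNNEL/200 0 CONNECT {dga_host}:443 - HIER_DIRECT/198.51.100.4 -",
    ]


def run(day: date = date(2020, 1, 17)) -> list:
    """Build the blocklist (shared IoCs + next 7 days of DGA domains) and scan the sample log."""
    blocklist = SHARED_IOCS | precompute_dga(day, 7)
    return match_proxy_log(sample_log(day), blocklist)


if __name__ == "__main__":
    for client, host, indicator in run():
        print(f"{client} -> {host} (matched {indicator})")
```

Matching walks up the parent domains of each host, so an indicator such as malspam-c2.example also catches cdn.malspam-c2.example; the same blocklist can be applied to URL checks on the email gateway.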
Ken Sajo (JPCERT/CC)
Yasuhiro Takeda (Mizuho Financial Group)

Developing an Efficient Mac Forensic Tool

By Takaya Kawasaki (Recruit Technologies)

Slides (Japanese only)

Mr. Kawasaki introduced 3 GUI tools (MACOSFILE TRIAGE TOOL, APFS IMAGE MOUNTER, MAC_RIPPER) that his team has developed to make forensic investigation of macOS simpler and more effective.

With demonstrations, he described the tools as follows:

MACOSFILE TRIAGE TOOL
Obtains artifacts as files, preserving the original directory structure
APFS IMAGE MOUNTER
Mounts E01 images acquired with other products, including APFS containers, on macOS
MAC_RIPPER
Parses artifacts and log information from evidence collected with MACOSFILE TRIAGE TOOL and other tools

He pointed out the lack of entry-level tools for macOS forensics, such as Kanireg for Windows. His team therefore developed these tools to be easy to use and compatible with other existing tools. They are all GUI tools and support the functions of mac_apt, which is often used in forensics.

He also presented tips for macOS forensics in each attack phase, such as “Initial Access”, “Execution” and “Persistence” in MITRE ATT&CK, and demonstrated how these TTPs can be confirmed with the three tools above.

As for future plans, his team is considering adding functions to the tools to support fraud and crime investigation and to create a timeline of events.

The tools presented will be available on GitHub shortly.

GitHub Recruit-CSIRT
https://github.com/Recruit-CSIRT

Takaya Kawasaki (Recruit Technologies)

The Implementation and Usage of Artifact Collection Tool and Simple Malware Analysis Sandbox for macOS

By Minoru Kobayashi (Internet Initiative Japan)

Slides (Japanese only)

Mr. Kobayashi, who also spoke at JSAC 2018, came back to present his 3 CLI tools for macOS (macOS Artifact Collector, Norimaci, bgiparser).

The descriptions of the tools are as follows:

macOS Artifact Collector
Collects artifacts in file or DMG format
Norimaci
Performs simple sandbox analysis
bgiparser
Lists files that are launched upon user login

He first introduced macOS Artifact Collector. Most existing analysis and data collection tools are provided as a comprehensive package of various artifact parsers. Although these tools are useful, he warned that the analysis can be interrupted by bugs in the parsers, which delays the whole analysis process. For this reason, he suggests that artifact collection and analysis should be handled separately. He developed macOS Artifact Collector to focus on artifact collection only. The tool is also capable of collecting extended attributes and artifacts from backups, which some existing tools do not cover. He demonstrated how to use macOS Artifact Collector together with AutoMacTC, an existing artifact analysis tool.

He also pointed out an issue with macOS sandbox analysis tools: they are often left unmaintained and become incompatible with the latest macOS. Taking Noriben, a malware analysis sandbox for Windows, as a reference, he developed Norimaci with a structure that keeps the maintenance cost low.

For bgiparser, he explained that it parses information about the applications executed upon user login, which is stored in backgrounditems.btm on macOS 10.13 High Sierra and later.

These tools are available on GitHub:

macOS Artifact Collector
https://github.com/mnrkbys/macosac

Norimaci
https://github.com/mnrkbys/norimaci

bgiparser
https://github.com/mnrkbys/bgiparser

Minoru Kobayashi (Internet Initiative Japan)

An Overhead View of the Royal Road

By Rintaro Koike (NTT Security (Japan) KK), Shota Nakajima (Cyber Defense Institute)

Slides (Japanese only)

They have spoken at all 3 JSAC events since 2018. This time, they presented their findings on the targeted attack groups that use “Royal Road RTF Weaponizer” (hereafter “Royal Road”) and case studies of their respective attacks.

Once an RTF created by Royal Road is opened, a file named “8.t” is created. After shellcode is executed by exploiting the vulnerability in Microsoft Office Equation Editor, a series of activities follows, such as decoding 8.t, executing malware and DLL side-loading. The activities following the shellcode execution vary by attack group.
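As an added example (not part of the presentation or of the nao-sec tools), the Python below performs the triage check a defender would run on a suspicious RTF: it hex-decodes every \objdata destination, reads the class name from the OLE1 object header, and flags documents that embed an Equation Editor object (ProgID Equation.*). It builds its own constructed sample RTF, so it runs offline. It assumes the \objdata hex is not split up by nested groups, which obfuscated samples may do to hinder parsing; decoding 8.t itself is group-specific and is left to tools such as rr_decoder.

```python
import re
import struct

# \objdata carries the hex bytes of an OLE1 object. This simplified extractor assumes the hex run
# is not interrupted by nested RTF groups (obfuscated real-world files often are; rr_decoder / rtfobj
# handle those cases).
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")
OLE_VERSION = 0x00000501             # OLEVersion field of an OLE1 ObjectHeader (MS-OLEDS)
EQUATION_PREFIXES = ("Equation.",)   # ProgIDs of the Equation Editor, e.g. Equation.3


def extract_objdata(rtf: bytes) -> list:
    """Hex-decode every \\objdata destination found in the RTF, ignoring whitespace and line breaks."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def ole1_class_name(blob: bytes):
    """Read ClassName from an OLE1 ObjectHeader: OLEVersion, FormatID, then a length-prefixed ANSI string."""
    if len(blob) < 12:
        return None
    version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if version != OLE_VERSION or name_len > len(blob) - 12:
        return None
    return blob[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")


def triage_rtf(rtf: bytes) -> dict:
    """Return the embedded object class names and whether any of them is an Equation Editor object."""
    names = [n for n in (ole1_class_name(b) for b in extract_objdata(rtf)) if n]
    flagged = any(n.startswith(EQUATION_PREFIXES) for n in names)
    return {"classes": names, "equation_editor": flagged}


def build_sample_rtf(class_name: bytes) -> bytes:
    """Constructed sample: a minimal RTF embedding an OLE1 header with the given class name and no real payload."""
    name = class_name + b"\0"
    header = struct.pack("<III", OLE_VERSION, 2, len(name)) + name   # FormatID 2 = embedded object
    header += struct.pack("<II", 0, 0)                                # empty TopicName and ItemName
    header += b"constructed-native-data"                              # stands in for the native data
    hexdata = header.hex().encode("ascii")
    # wrap the hex across lines, as RTF writers do, to exercise the whitespace stripping
    wrapped = b"\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + class_name +
            b"}{\\*\\objdata " + wrapped + b"}}}")


if __name__ == "__main__":
    for cls in (b"Equation.3", b"Package"):
        print(cls.decode(), "->", triage_rtf(build_sample_rtf(cls)))
```

The check deliberately reads the class name from the decoded object header rather than trusting the \objclass control word, since the latter is optional and easy to alter; a document that embeds any Equation.* object is worth a closer look regardless of what \objclass claims.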

Based on multiple attribution elements, they listed the attack groups that use Royal Road and showed cases of attacks conducted by each group.

  • Tick
  • Conimes
  • Periscope
  • Trident
  • TA428
  • Tonto
  • Rancor

They also categorised the attack groups into 3 groups based on attack details such as the encoding algorithm for 8.t and the names of the files dropped by the RTF.

Table 1: Attack group category
Group-A
Group-B
Group-C
Conimes Tick Others
Trident
Periscope
TA428
Rancor
Tonto

Besides the groups using Royal Road, other groups that use similar RTF files were also mentioned:

  • Mustang Panda
  • SideWinder
  • Winnti

Finally, they shared the RTF file analysis results (IoCs) and the tools used for the analysis.

IOC
https://nao-sec.org/jsac2020_ioc.html

rr_decoder
https://github.com/nao-sec/rr_decoder

Yara Rules
https://github.com/nao-sec/yara_rules

Shota Nakajima (Cyber Defense Institute) and Rintaro Koike (NTT Security (Japan) KK)

In closing

For JSAC 2020, we received 22 presentation proposals in total for the Call for Presentations (17 in the initial round and 5 in the second round). The breakdown of the presentation topics is shown in Table 2. The most popular theme was malware, while there were only 2 submissions for forensics. (Talks that cover multiple themes are counted in each category.)

Table 2: Breakdown of talk themes submitted
Theme                                         Number of Submissions
Malware                                       12
Forensics                                     2
Incident investigation, case studies, TTPs    5
Threat trends, intelligence                   5

The selection process was not easy. Although we could choose only 8 talks out of all the submissions, many of the other talks also looked attractive. We believe that JSAC has been gaining attention as a venue for analysts to present technical findings. It is our hope that the conference continues to grow with the support of analysts and the cyber security community.

We would like to take this opportunity to thank all the participants and speakers of the event, and those who took the time to read this blog.

Shintaro Tanaka
(Translated by Yukako Uchida)
