JSAC2023 -Day 1-

JPCERT/CC held JSAC2023 on January 25 and 26, 2023. The purpose of this conference is to raise the knowledge and technical level of security analysts in Japan, and we aimed to bring them together in one place where they can share technical knowledge related to incident analysis and response. This year was the sixth time the conference was held, and 12 presentations, 2 workshops, and 7 lightning talks were presented in the 2-day program. Most of the presentation slides are available on JSAC Website. JPCERT/CC Eyes introduces the conference in three parts.

This article reports on Day 1, and a couple more articles will cover the rest of the event.

 Analysis on legit tools abused in human operated ransomware

Speaker: Toru Yamashige, Yoshihiro Nakatani, Keisuke Tanaka (TrendMicro)

Slides (English)

Toru, Yoshihiro, and Keisuke focused on “commercially developed and distributed tools for general operation” (remote management tools, cloud file sharing tools, etc.), which are used in general IT operations and were exploited by recent human-operated ransomware. The presentation introduced actual abuse cases, explained the traces left behind when such tools are abused, and shared effective countermeasures against attacks leveraging such tools.

As examples of actual exploitation, they shared examples of remote management tools such as Atera, Remote Utilities, Ngrok, and AnyDesk, as well as cloud-based file sharing tools such as RCLONE and MEGA TOOLS.

Next, they explained the traces that are left behind when such tools are leveraged in attacks. Each tool has artifacts that can be used to investigate the affected devices, and the source of the connection and other information can be confirmed. The slides also include information on traces left behind by tools other than those described in the presentation.

Finally, they discussed countermeasures against the misuse of "tools that are commercially developed and distributed for general operational purposes.” They said controlling the communication destination is the most effective countermeasure and that controlling and visualizing the execution and installation of applications is also effective.

Catching the Big Phish: Earth Preta Targets Government, Educational, and Research Institutes Around the World

Speaker: Nick Dai, Sunny W Lu, Vickie Su (TrendMicro)

Slides (English)

Nick, Sunny, and Vickie analyzed spear phishing email attacks targeting government, educational and research institutions around the world including Japan, and presented on the infection flow and some TTPs.

The first step of this attack is to infect the target with malware by using spear phishing emails to have them download archived files. Analysis results on the features of the following three types of malware used in this step, as well as the protocols and encryption methods used to communicate with C2, were shared.

  • Trojan.Win32.PUBLOAD
  • Trojan.Win32.TONEINS
  • Backdoor.Win32.TONESHELL

In the information stealing step, the Windows user account control is bypassed for privilege escalation. The methods for it and information about C2 were also shared. Multiple methods have been identified to steal information externally, including the use of legitimate tools and customized malware. In this presentation, information on the following two types of malware were shared.

  • HackTool.Win32.NUPAKAGE
  • HackTool.Win32.ZPAKAGE

The presenters’ analysis revealed that passcodes are required to execute these types of malware, as well as the file format of the compressed files.

Demystifying China’s Supply Chain Attack Targeting Financial Sector

Speaker: Shih-Min 'Minsky' Chan, Chung-Kuan 'Bletchley' Chen (CyCraft Technology)

Slides (English)

Shih-Min and Chung-Kuan presented on the findings of the following two supply chain attacks among the cyber attacks observed targeting financial institutions in Taiwan.

  • Island Hopping Attack
  • Vulnerability in Supplier’s Software

Island Hopping Attack was an incident in which a service provider’s suppliers, subsidiaries, and overseas offices were compromised. The presenters shared a case in which a vendor’s VPN was leveraged to execute malicious files and a case in which a vulnerability in the website service of a software system management interface used by most financial companies in Taiwan was exploited.

Regarding the attacks in which vulnerabilities in supplier software used by many companies were exploited, the presenters shared the following two cases:
In the first case, a credit card management system developed by a supplier was compromised, and credit card information leaked. It was caused by a flaw in the configuration of the testing server, which had been made accessible from the outside. In the second case, a vulnerability in a stock exchange platform developed by a large Taiwanese supplier was exploited in the first breach.

Finally, presenters discussed security issues at financial institutions. They said that there are cases in which EDR is not included in critical endpoints for performance reasons, or suppliers refuse to make changes to their systems even though they are for security improvements. In addition, some financial institutions have their unique supply chains in Taiwan, and the presenters revealed that there have been cases in theywere compromised by different group companies.

JITHook - from .NET JIT Compilation Hooking to Its Packer / Unpacker

Speaker: Shu-Ming Chang (National Yang Ming Chiao Tung University & CyCraft Technology)

Slides (English)

Shu-Ming implemented JITPacker and JITUnpacker using the JITHook. He presented the results of the comparison with the existing unpackers using two samples. JITHook is a technique used in .NET Packer that hooks the JIT compiler’s compile method.

He explained that his implementation of JITPacker saves the CIL of all resources and changes it to 0x87byte. He added a module initializer, hooked the compile method using JITHook, rewrote the address of the Packer compile method, and restored the CIL in the Packer compile method.

JITUnpacker, the solution to JITPacker, uses CLRHosting to hook the compile method into the Unpacker compile method and then launches the packed assembly. The unpacked IL is saved as Unpackinfo by the Unpacker CM and will be rebuilt as an unpacked assembly after the process ends.

To evaluate JITPacker, he also compared the abovementioned unpacker with the existing ones using two samples, and the result was shared in the presentation. He explained that only JITUnpacker among the following unpackers succeeded in unpacking both samples.

  • De4dot
  • .NETReactor
  • Mandiant/JITM
  • JITUnpacker

He said JITPakcer can process assemblies packed using the JITHook theoretically.

The source codes of JITPacker and JITUnpacker explained in this presentation are available at the following URL:

The Rule for Wild Mal-Gopher Families

Speaker: Kazuya Nomura, Sachito Hirao (NTT Security Japan)

Slides (Japanese)
Slides (English)

Kazuya and Sachito focused on the use of gimpfuzzy in real-world operations and analysis to streamline Golang malware analysis. They introduced the YARA modules which enable classification using gimpfuzzy and presented the results of accuracy evaluation using previously analyzed samples, as well as the results and discussion of applying gimpfuzzy to unanalyzed samples obtained from VirusTotal.

The YARA modules they implemented are intended to make it easier to classify samples using gimpfuzzy. The following two modules were implemented:

  • Go module: Analyze PE binaries written in Golang
  • Fuzzy module: Calculate Fuzzy Hash similarity

With the YARA module, samples can be searched based on a set threshold of gimpfuzzy similarity.

The speakers discussed the evaluation of clustering validity and accuracy using samples classified as malware. V-measure was used as the evaluation method, and they explained that classification accuracy was the best when the threshold was between 70 and 80.

Finally, they applied the module to unanalyzed samples obtained from VirusTotal and shared four cases of the results. In one case, they found that detecting and observing slight changes in gimpFuzzy values in a cluster of malicious samples can sometimes make it possible to detect additional malware features as well. They also explained that the samples submitted to VirusTotal are not always malicious files, and that clusters are formed even with samples that can be legitimate files.

Fighting to LODEINFO: Investigation for Continuous Cyberespionage Based on Open Source

Speaker: Ryo Minakawa, Daisuke Saika, Hiroki Kubokawa (N.F.Laboratories)

Slides (Japanese) 
Slides (English)

Ryo and Hiroki presented updates to each version of the LODEINFO malware targeting Japan and Taiwan observed since December 2019. They also presented the insights on TTPs and attackers from their analysis of LODEINFO observed since FY2022.

First, they described LODEINFO from v0.1.2 observed in December 2019 to v.0.5.6 observed in November 2021 regarding changes in data format of communications with C2, features, and execution flow.

They speculated that LODEINFO’s TTPs are rapidly changing and that using information from post-attack IoCs and signatures are not enough to capture the updated threats of the malware. Therefore, they introduced the technique of using open source information to capture the threats. The following services were mentioned as sources of threat information, and they explained how they collect information from each service.

  • Twitter
  • Hybrid Analysis
  • Virustotal

They first searched for TTPs with few changes and hunted from VirusTotal using the YARA rules. As a result, they succeeded in detecting LODEINFO samples up to v0.6.3.

Then, for LODEINFO v0.5.9 to v0.6.5 observed in 2022, they identified changes in C2 server information and features to check targets’ environment. The analysis results of multiple changes in execution flow in v0.6.3 and later were also shared.

In the discussion on the attack group, the speakers noted that the changes in the TTPs show similarities to the APT10 attack cases. By checking the surface information of the decoy files, they analyzed the connection with APT10. They also created a diamond model of LODEINFO and compared it to that of Operation RestyLink campaign, and the results showed similarities in TTPs, etc.

New Research Methods to Predict Attack Trends Using Public Information

Speaker: Yutaka Sejiyama (Macnica)

Slides (Japanese)
Slides (English)

Yutaka analyzed the recent incidents based on public information. He observed Japanese companies’ servers open to public using services such as Shodan, and he shared the results of the investigation into the management status as well as his investigation method. In addition, he discussed changes in attack trends.

His analysis of recent ransomware incidents shows that the number of incidents has increased dramatically since 2021 for both global and Japanese companies. He also found that the number of incidents for global and Japanese companies are linked to each other in each month. The analysis revealed that the days and times of attacks against Japanese companies also changed. Furthermore, he found that the percentage of incidents which started from publicly accessible servers is smaller.

Next, he shared the results of his research on the management status of publicly exposed servers. The number of open RDP ports (3389/tcp), the number and decrease rate of unsupported Windows OS and CentOS, and whether vulnerabilities of multiple network products were addressed were all presented by each region and country. The research revealed that the Asian region, including Japan, has been slow to deal with such situation.

The presenter noted that the use of publicly accessible servers by attackers as a method of initial penetration has increased in recent years and that there has been a change in the number of cases where damage has been publicly disclosed. He also said that continual investigation into the external servers of companies and organizations whose damage has been disclosed may make it possible to identify trends in the servers used as an attack vector for each ransomware.

In Closing

In this article, we introduced the presentations given on the first day of JSAC2023. The next article will cover the presentations and workshops held on the second day.

Kengo Teramoto
(Tanslated by Takumi Nakano)