JSAC2023 -Day 2-
This article reports on JSAC Day 2, following the previous article about Day 1.
How Do We Fight against Evolving Go Language Malware? Practical Techniques to Increase Analytical Skills
Speakers: Tsubasa Kuwabara (FFRI Security Inc.)
Tsubasa presented the current situation and problems of Go language malware, which has been increasing in recent years, and explained basic and advanced analysis techniques.
He explained that Go malware is easy to write because of cross-compilation and can attack multiple platforms. The problems with analysis were the sheer volume of functions, the unique data structures and calling conventions, and the fact that analysis tools sometimes stop working after Go language version upgrades.
Next, the presenter elaborated on the analysis flow, mainly the information stealing process, the automatic start-up configuration and the main process of communicating with C2, and then explained how to improve the efficiency of the analysis by comparing it with existing samples. The file name and line number of the source code can be acquired in the Go language binaries, so it is possible to grasp the details by comparing the differences.
Finally, he described advanced analysis methods for when tools do not work well due to version upgrades. The following points were addressed: how to modify metadata in Go language binaries and the tools that use that data, how to deal with Go language version upgrades, and how to analyse obfuscated samples.
The tools and scripts introduced in this talk are available at the following URL.
First Step to Active Cyber Defence: The Significance of Profiling Attackers
Speakers: Hayato Sasaki (JPCERT/CC)
Hayato gave a presentation on active cyber defence in cyber security, focusing on some specific operations.
First, he summarised the terminology and concepts of active cyber defence and explained the importance of profiling such as attribution and analysis of attack trends of APT groups and other attack groups.
Although the definition of active cyber defence has not yet been settled, he went on to discuss it, using local and foreign case studies and previous research to explain the matters that analysts tracking attack activities may be involved in:
- Summarising the point of argument about terms and concept
- Approach to impose cost on attackers
- Effectiveness and challenges of public attribution
- Effectiveness and challenges of blocking communication
- Effectiveness and challenges of “aggressive” operation
- Method of choosing effective countermeasures for each threat
- Re-recognition and redefinition of the significance of information sharing
Finally, he stressed the importance of analysts' activities in profiling in terms of assessment, retaliation and interference from attackers based on proactive operations.
Localization of Ransomware, New Change or Temporary Phenomenon?
Speakers: CHA Minseok (AhnLab, Inc.)
Minseok spoke about the findings from an analysis of localised ransomware aimed at specific regions.
First, he described recent ransomware trends, noting that some localised ransomware stays inactive in certain regions or bypasses anti-malware solutions commonly used in those regions.
Next, the features of targeted ransomware used in South Korea were described. At first, emails were sent in English or machine-translated Korean, which caused little damage, but later emails written in perfect Korean and attacks targeting specific companies were reported.
Finally, he emphasised that sharing detailed information on attack vectors and ransomware is important, as the introduced ransomware could spread the damage to other countries.
Track Down Stealth Fileless Injection-based Nginx Backdoor in the Attack
Speakers: Peter Syu (Team T5, Inc.)
Peter addressed new Nginx backdoor attacks using fileless injection.
Nginx backdoor features include exploiting memory corruption vulnerabilities, deleting logs and cron injection. He explained that the target Nginx was an HTTP server that could be used for various purposes, such as reverse proxy and load balancer.
Then, some Nginx backdoor functions were demonstrated. It filters specific connections, evades logging (NginxStealth) and communicates with the backdoor (NginxSpy) as fileless injection techniques, and it performs reflective code injection, which allows an attacker to inject a library into a victim from memory. In addition to these features, it modifies configurations to plant malicious modules, etc. in contrast with existing Nginx backdoors.
As for ways of detecting backdoor functions, he suggested using a memory map to detect injection and a tool, which is available at the following URL.
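One way to perform the memory-map check mentioned above on Linux, as an added example that is not code from the talk or from the speaker's tool: it parses `/proc/<pid>/maps` output for an Nginx worker and flags executable regions that are anonymous, writable, memfd-backed or backed by a deleted file. The sample lines and the four heuristics are constructed for illustration.

```python
import re
import sys

# Constructed /proc/<pid>/maps excerpt for an nginx worker (sample data, not from the talk).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a26000 r--p 00000000 08:01 1311 /usr/sbin/nginx
55d0c8a26000-55d0c8b2c000 r-xp 00026000 08:01 1311 /usr/sbin/nginx
55d0c9f41000-55d0c9f83000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c228000 r-xp 00000000 00:01 4102 /memfd:x (deleted)
7f3a1c400000-7f3a1c5bd000 r-xp 00028000 08:01 2210 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c800000-7f3a1c812000 r-xp 00000000 08:01 9931 /tmp/.cache/mod.so (deleted)
7ffd3b7f2000-7ffd3b7f4000 r-xp 00000000 00:00 0 [vdso]
"""

# address range, permissions, offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) [0-9a-f]+ \S+ \d+\s*(.*)$"
)
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}  # executable by design, mapped by the kernel


def suspicious_mappings(maps_text):
    """Return (start, perms, size, path, reasons) for executable regions worth triage."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, path = m.groups()
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        reasons = []
        if "w" in perms:
            reasons.append("writable+executable")
        if path == "":
            reasons.append("anonymous executable")      # code with no file behind it
        elif path.startswith("/memfd:"):
            reasons.append("memfd-backed code")          # loaded from an in-memory file
        elif path.endswith(" (deleted)"):
            reasons.append("backing file deleted")       # file unlinked after mapping
        if reasons:
            size = int(end, 16) - int(start, 16)
            findings.append((start, perms, size, path or "<anonymous>", reasons))
    return findings


if __name__ == "__main__":
    # Pass a PID to inspect a live process; without one, the constructed sample is used.
    text = open(f"/proc/{sys.argv[1]}/maps").read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for start, perms, size, path, reasons in suspicious_mappings(text):
        print(f"{start} {perms} {size:#x} {path}: {', '.join(reasons)}")
```

Nginx with PCRE JIT enabled (`pcre_jit on`) allocates anonymous executable memory legitimately, so hits are leads for triage against a known-good baseline rather than verdicts.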
Invitation to Secret Event: Uncovering campaigns targeting East Asia by Earth Yako
Speakers: Hiroaki Hara, Masaoki Shoji (Trend Micro, Inc.)
Hiroaki and Masaoki discussed the details and attribution of attack campaigns such as Operation RestyLink targeting Japan by an attacker group called Earth Yako.
First, they explained that its attack activities have targeted academic institutions, think tanks and related organisations in Japan and Taiwan since January 2022. Spear-phishing emails were used as an initial penetration method.
They elaborated on the details of the group's attack activities, including MIRRORKEY, a loader that executes DLLs without files; PULINK, which functions as a dropper; and malware such as TRANSBOX and SHELLBOX, which exploit the Dropbox API.
Finally, the speakers indicated that Earth Yako could be attributed to APT10 or APT29, as it used code developed by the attack group APT10 and initial penetration techniques similar to those of APT29. They also highlighted the importance of information sharing, since the malware, attack methods and targets change daily.
On the Eve of Code Signing Transformation
Speakers: Hitomi Kimura (Trend Micro, Inc.)
Hitomi spoke about the problems with code signing and future initiatives, given that a high number of drivers with valid code signatures were exploited in 2022.
First, she introduced scenarios of code-signing exploits, such as BYOVD (Bring Your Own Vulnerable Driver), impersonation by attackers and legitimate certificate issuance.
She mentioned problems with the certificate issuing process itself, such as the difficulty of revoking a certificate when a legitimate module is misused, because the private key has not been compromised, and the fact that an attacker could have certificates issued directly by the CA.
Finally, solutions to the problems of code signing were presented, such as introducing Certificate Transparency (CT) into the process of issuing code signing certificates and making hardware tokens mandatory for issuance.
Memory Forensics with VolWeb
Speakers: Félix Guyard (ForensicXlab)
Félix presented a tool called VolWeb, which facilitates memory forensics in digital forensics.
The advantage of memory forensics was that it allowed profiling attackers and user activity, while the disadvantage was that volatile RAM may lose artifacts.
He then demonstrated how VolWeb, based on Volatility3, could be used as a tool to streamline memory forensics. VolWeb analyses artifacts automatically from Windows memory dumps and displays the results. It enables collaborative work by having an account for each analyst. The results can also be copied and downloaded to help reporting.
Finally, he stated that he would continue to develop VolWeb. If you would like to know more about the tools introduced in this presentation and how to use them, they are available at the following URL.
New Threat Detection and Analysis Method Using Honeypots in Multiple Locations
Speakers: Ryosuke Yoshimura (LAC, Inc.)
Ryosuke presented the findings from analysing log data from over 700 honeypots and how this differs from traditional honeypot analysis.
First, he stated that the advantage of log analysis from numerous honeypots is the ability to observe diverse attacks and post-intrusion behaviour and to respond quickly to new threats.
He showed a case study of monitoring new IPs and traffic, in which an attack by RapperBot, a Mirai variant, was detected based on traffic anomalies.
He stated that he would continue to use many honeypots, as in this case, to quickly detect new threats and disseminate information about them.
The information observed by the honeypots on a daily basis is available at the following URL.
Brief History of MustangPanda and its PlugX Evolution
Speakers: Still Hsu (Team T5, Inc.)
Still presented on the attacker group known as Polaris (aka MustangPanda), which continues to evolve its tactics, techniques and procedures.
First, the characteristics of Polaris were mentioned. It has been active since 2011, targeting Asian countries such as Myanmar, Mongolia, Japan, the Philippines and Singapore. PlugX is likely to be used, and its variants are developed depending on the targets.
During his research, he felt that between 2019 and 2021, there were more samples in Asia, while in 2022 there were more samples in Europe. He also noticed that new payload encoding schemes and obfuscation methods were used.
Finally, he said that there were activities targeting multiple countries and industries with various malware, such as MiniPlug for Europe, PlugDisk and PlugX Fast for Asia, or the development of a malware called NoFive.
Latest Trends and Consideration in APT41-Related InfoOps
Speakers: Misaki Yoshida (Tokyo Kasei University)
Misaki presented the latest trends and her reflections on them, based on research of some 500+ posts on social media, mainly Twitter, in response to recent campaigns claiming that APT41 is a US-sponsored actor rather than China.
She examined posts about APT41 on various social media since October 2022, because a group called Dragonbridge was impersonating Intrusion Truth, a group investigating China-related APTs.
Many of the posts were defamatory of the US and defensive of China. Their usernames and accounts were random alphanumeric characters, and the posts were written in Chinese and English. These facts were consistent with the article published by Mandiant. Beyond Intrusion Truth and users in the US, a new finding for her was APT41-related posts from Korean users and from accounts using Cyrillic characters. APT41-related posts were found not only on Twitter but also on other social media platforms such as Facebook, Instagram and Livejournal.
Finally, she mentioned the possibility that the intention may be to have AI learn about APT41, or that a bot may have been used to produce many APT41-related posts.
Observation of Unauthorised Sign-in to Azure AD and Its Real-time Blocking
Speakers: Shoichi Ando (SB Technology Corp.)
Shoichi discussed source IP addresses that were exploited by unauthorised users and harm caused by a short-time account breach as seen in Azure AD sign-in logs on the Microsoft 365 cloud service, which is currently used in the infrastructure of many organisations.
First, he stated that users needed to protect their accounts and data themselves and be prepared for threats when using Microsoft 365, while threats to the application from the infrastructure are protected by Microsoft.
According to an analysis of IP addresses accessing from decoy accounts, it was revealed that although a block list based on IP addresses would not provide significant protection, blocking the IP addresses of VPN services could prevent 60% of domestic fraudulent accesses (30% in case of including access from foreign countries).
Finally, he explained an example of damage caused by a short-time account breach. If a large number of spam emails are sent, the email sending process cannot be stopped even after account suspension, password changes, session resets or email protocol restrictions.
Digging for Coper: Unseen findings of infamous Android malware
Speaker: Fernando Diaz (Google Inc.)
Fernando presented his analysis on Coper, a banking trojan for Android that targets both banks and cryptocurrency exchanges.
He introduced Coper's features. It can be controlled by a remote C&C server, allows attackers to monitor and control the victim's device using VNC, which can be switched on and off remotely, and extracts key information in combination with a keylogger.
The analysis results also showed that Coper hid push notifications from the target banking application to keep victims from seeing warning messages about fraudulent transactions. Communication with the C2 was carried out via HTTPS, and the transmitted data was compressed using gzip. The actual payload was hidden in an embedded resource and was decrypted using RC4 when the application was launched.
In this article, we introduced the presentations given on the second day of JSAC2023. The next article will cover the workshops held on the same day.
Kyosuke Nakamura (Translated by Masa Toyama)