JSAC2024 -Day 2-

This second blog post features the Main Track talks on the Day 2 of JSAC.

XFiles: Large-Scale Analysis of Malicious MSIX/APPX

Speakers: Kazuya Nomura, Teruki Yoshikawa, Masaya Motoda (NTT Security Japan)

Slides (Japanese)

The speakers discussed Microsoft’s new packaged files, MSIX and APPX, which have been exploited in recent years in attack campaigns. They explained the points to focus on when analyzing the structure, operation mechanisms, and characteristics of the malicious files.

MSIX and APPX are distributable Windows package file formats used for distribution and installation of applications. In recent years, there have been attacks in which MSIX and APPX were exploited, including the Emotet case in 2022, SteelClover, ClearFake, GhostPulse, and other campaigns.

First, they described the file structure of MSIX and APPX, the role and function of each file, how they are created, and the patterns of exploitation. After clarifying the file structure of MSIX and APPX, they explained the results of their analysis of approximately 10,000 samples. They revealed the fact that digital signatures are reused and the characteristics common to malicious MSIX and APPX.

They also demonstrated their own tool for extracting and analyzing characteristics common to malicious MSIX and APPX, which were identified from the analysis results.

Ghost in Your Supply Chain

Speakers: Alian Wang, Chung-Kuan ‘CK’ Chen (CyCraft)

The speakers presented their analysis and discussion of case studies on supply chain attacks targeting the financial industry in Taiwan.

First, they explained that it has become more efficient for attackers to target the supply chain in recent years, and therefore the concept of boundary defenses is becoming outdated. After that, they described the following supply chain attack cases that they have actually responded to:

  • Abusing JIRA Script Runner
  • Malwareless Island Hopping
  • Typing Ghost

In the Abusing JIRA Script Runner case study, they explained that a feature called Jira Script Runner was used in lateral movement, and they discussed the need for measures such as multi-factor authentication to prevent easy exploitation by third parties. In the Malwareless Island Hopping case, they described an attack campaign that used a lot of non-malicious software and shared the importance of network segment management and general user privilege management, noting that many subsidiaries were affected. In the Typing Ghost case, the speakers described how the software update feature was exploited by attackers to execute malware.

Finally, they shared insights and countermeasures gained through supply chain attacks, such as the fact that most supply chain attacks are conducted through the compromise of credentials or exploitation of vulnerabilities, and that privileged security systems and accounts are targeted by attackers.

Dark Side of VSCode ~ How Attacker Abuse VSCode as RAT ~

Speakers: Shuhei Sasada, Hayate Hazuru (ITOCHU Cyber & Intelligence)

Slides (English)

The speakers focused on the Dev tunnels feature of Visual Studio Code and explained how to analyze incidents and hunting methods based on exploited cases.

Visual Studio Code is a code editor provided by Microsoft. Its Dev tunnels connects Visual Studio Code to a remote host via Microsoft’s tunnel server, allowing the local host to edit source code and run applications on the remote host. This feature is primarily used by developers to standardize and streamline their development environment. However, in September 2023, there was a case in which the Dev tunnels was leverated to gain remote access to a compromised device. The speakers shared what they have learned from this case, including how to analyze artifacts when the Dev tunnels is exploited and how to conduct network-based and process-based hunting.

Finally, countermeasures against such exploitation were shared, including how to use the SSH tunnels without using the Dev tunnels and how to use the Dev container, a feature that connects to local containers.

Analysis of Activities and Tools of Phishing Actors Targeting Japan

Speakers: Masaomi Masumoto, Yuichi Tsuboi (NTT Communications)

Slides (English)

Noting the trend of the increasing number of phishing site victims and the current specialized division of labor among phishing actors, the speakers discussed the phishing community targeting Japan and how to analyze and detect the phishing kits being sold.

The speakers explained that the activities of phishing communities are primarily conducted through chat tools such as Telegram, marketplaces for selling phishing content, and phishing forums for sharing information. They also mentioned that phishing actors also divide their activities from tool development to service operation to information sales. Then, based on the analysis of phishing kits obtained from the phishing community, they described in detail the implementation of a function to collect information on the source of access using user agents and request headers, a cloaking function using information at the time of request, and a crawler detection function. In addition, they shared how to utilize “Indicator Of Kit,” an open source detection rule, as a phishing kit detection method.

They concluded by stressing the importance of promoting information sharing, saying that the division of labor among phishing actors has resulted in an increase in the number of phishing reports.

Deception-Based Approach to Phishing Sites

Speakers: Yuji Ino, Masaki Yoshikawa (Recruit)

The speakers discussed the findings and results obtained through the implementation of the “Deception” approach, a type of defensive approach against phishing sites.

While takedowns and user notification are important approaches to phishing sites, their effectiveness depends on the ISP and the user. Therefore, they adopted the “Deception” approach, which sends fake user data to phishing sites, as an approach that does not rely on third parties. They explained the steps of the “Deception” approach, as well as the libraries they used to create the dummy data and how they were improved. They presented the results of the “Deception” approach on specific phishing actors and shared its achievements, including various reactions from attackers and spontaneous site closures.

Finally, they shared the key points of the “Deception” approach learned through their experience, such as the points to keep in mind when sending dummy data and avoiding duplication with the legitimate ID on proxy-type phishing sites.

The Only Reason Why We Should Identify The Thread Actor of Ransomware Incidents

Speaker: Hayato Sasaki (JPCERT/CC)

Slides (English)

Hayato discussed the importance of identifying actors in responding to ransomware incidents.

He shared perspectives on identifying actors based on the commonality of TTPs in a series of campaigns, citing “Robinhood Leaks,” which created ransomware using the “Thanos” builder, and “DEV-0401,” which used the “HUI Loader,” as examples of actual incidents in which actors were identified. He then presented a case study in which the initial response and preventive measures were inadequate due to insufficient actor identification at the time of the incident, resulting in servers left with malware and vulnerabilities. Based on such cases, he explained that actor identification in ransomware damage is important from the following points:

  • To ensure that the initial response is appropriate, prompt, and at low cost
  • To ensure that APT actors are not overlooked
  • To select effective countermeasures for each actor to contain the ransomware threat

Finally, he explained that damages can be reduced by identifying actors and taking appropriate actions against ransomware attacks. In addition, he mentioned that when identifying actors is difficult after a ransomware attack, by consulting with JPCERT/CC, they can work together to share the analysis work and provide knowledge on how to identify the actors.

Spot the Difference: An Analysis of the New LODEINFO Campaign by Earth Kasha

Speaker: Hiroaki Hara, Masaoki Shoji, Yuka Higashi, Vickie Su, Nick Dai (TrendMicro)

Slides (English)

The speakers investigated Earth Kasha’s campaign in 2023 and discussed significantly changed TTPs and new types of malware.

Earth Kasha is an APT group recognized since 2019 as an actor using LODEINFO. The speakers said that Earth Kasha’s 2023 campaign has changed its initial compromise methods and targets from previous campaigns, and described the changed methods of initial compromise, communication to C2 servers, credential theft, and lateral movement. In addition, they revealed that the TTPs used in Earth Kasha’s campaign, as well as the geographic regions and industries targeted, are similar to the actors referred to as Earth Tengshe.

Next, they explained the changes and distinctive features of the loader and new version of LODEINFO, the new backdoor NOOPDOOR (aka HiddenFace), and the loader NOOPLDR (aka FakeXInjector), used by Earth Kasha in their new campaign. After that, based on the results of their diamond model comparison for attribution of the APT group using LODEINFO, they noted the similarity between Earth Tengshe and Earth Kasha’s TTPs, although there is no analysis or malware commonality that the new campaign was conducted by Earth Kasha. They also mentioned campaigns that Earth Tengshe and Earth Kasha are possibly related.

Finally, since Earth Kasha has changed its initial compromise method, the speakers recommended rechecking IT assets that can be attack surfaces as well as hunting using the IoCs discovered in Earth Kasha’s new campaign.

Unmasking HiddenFace: MirrorFace’s most complex backdoor yet

Speaker: Dominik Breitenbacher (ESET)

Slides (English)

The speaker described the function and features of HiddenFace (aka NOOPDOOR), a new backdoor by the APT group MirrorFace (aka Earth Kasha), which is related to APT10.

MirrorFace is a Chinese-affiliated attack group and has characteristics such as targeting Japan and using LODEINFO. He stated that MirrorFace has conducted a campaign using HiddenFace to target academic institutions in Japan since 2023.

The contents of HiddenFace were first described, including the execution flow of HiddenFace, what it executes when launched, and its features. Then, he mentioned the features of HiddenFace, such as its modular system and its capability for both active and passive communication, the specifications and execution method of external modules, the encryption method of communication, and the contents of commands. In addition, he described the data structure and contents of HiddenFace’s structured data.

Finally, he mentioned that HiddenFace uses a complex and distinctive technology among the backdoors attributed to MirrorFace, and pointed out that it is possible to add features tailored to the environment of attack targets and objectives of the campaign.

In closing

This blog post introduced the presentations on JSAC2024 Day 2. In the next post of JPCERT/CC Eyes, we will introduce the workshop held also on Day 2.

Tomoya Kamei(Translated by Takumi Nakano)