JSAC2025 -Day 1-

On January 21 and 22, 2025, JPCERT/CC held its annual technical conference JSAC, which aims to enhance the skills and knowledge of security analysts. The conference brought together experts in the field of cyber security to share technical insights related to incident analysis and response. This was the 8th JSAC, and, as in the previous year, it was held as an in-person-only event. Over the two days there were 18 presentations, 3 workshops, and 2 lightning talks. Presentation slides are available on the JSAC website, although some presentations were not made public. JPCERT/CC Eyes will provide a detailed overview of the conference in three parts, and this post covers the Day 1 Main Track presentations.

The Anatomy of China’s Hacker Ecosystem: Espionage, Black Markets, and Financially Motivated Attacks

Speakers: Steve Su, Aragorn Tseng, Chi-Yu You (Google Mandiant)

Slides (English)

Steve, Aragorn, and Chi-Yu presented the findings of their analysis of a campaign conducted by a Chinese APT group that engages in both sophisticated espionage and financially motivated activity. The speakers first gave an overview of the overall timeline and then detailed three campaigns and the malware used in them, including GRAYRABBIT, BLACKSTUDIO, and CROSSWALK:

  • A campaign where GRAYRABBIT malware was used
  • A campaign triggered by regional tensions and the U.S. presidential election
  • A campaign where BLACKSTUDIO malware was used to target Southeast Asia

The analysis also covered a campaign in which backdoors were distributed through SEO poisoning and another in which commercial malware was spread through phishing sites. The former campaign primarily targeted Chinese-speaking users, mainly via VPN software and chat apps. In the latter, commercial malware such as Zxshell, REMCOS, and Rhadamanthys was spread via phishing sites. These campaigns employed sophisticated techniques, including DNS fast-flux services, proxy services, and even LLMs.

In conclusion, the speakers highlighted that this APT group is efficient, adept at leveraging recent technologies such as LLMs, and skilled in a variety of tactics, ranging from custom advanced backdoors to commercial malware.

Stealth in the Shadows: Dissecting Earth Freybug’s Recent Campaign and Operational Techniques

Speakers: Theo Chen, Leon Chang (TrendMicro)

Slides (English)

Theo and Leon presented their analysis of campaigns conducted by the Chinese APT group Earth Freybug.

According to the speakers, Earth Freybug has been active since at least 2012. In recent years, the group has primarily targeted the chemicals, manufacturing, and transportation industries in the Asia-Pacific region, especially Taiwan and Japan. The group is also considered to have ties to other APT groups such as APT41 and the Winnti Group.

The presenters focused on two campaigns. In the first, the attackers are believed to have exploited misconfigurations in IBM Lotus Domino for initial access. They then deployed a CGI backdoor known as DEATHLOTUS and collected information in the network in preparation for lateral movement, after which they used the CUNNINGPIGEON backdoor; the speakers explained its deployment method and proxy settings in detail. In the second campaign, conducted in June 2024, the speakers investigated organizations already compromised by malware such as CUNNINGPIGEON and WINDJAMMER and observed the attackers deploying the SHADOWGAZE backdoor through vulnerable Exchange servers. They described the distinct deployment methods and functionality of the malware used in this campaign: WINDJAMMER, SHADOWGAZE, and NETSHATTER.

Finally, the speakers shared the post-compromise behavior of the attackers observed during the campaigns. They stressed the importance of network segmentation and the principle of least privilege to limit the damage from lateral movement when defending against sophisticated attackers like Earth Freybug.

IoC LIGHT - Lifecycle of Indicators: Gathering, Handling, and Termination -

Speaker: Yusuke Nakajima (NTT Data Group)

Slides (English)

Yusuke presented the challenges NTTDATA-CERT faced in managing IoCs and the solutions his team developed.

He identified two key challenges in IoC management: the limit on the number of IoCs that can be registered on security devices, and the increase in false positives caused by retaining outdated IoCs. In his team, the limited registration capacity left no room to respond to emerging threats, while the retained old IoCs burdened the SOC team with false positives. To address these issues, his team established a prioritization criterion to reduce the number of IoCs to register, and a separate deletion criterion for outdated IoCs based on an IoC lifecycle model.

The prioritization criterion was built from multiple factors, such as port numbers, the Pyramid of Pain, and a risk score indicating the sophistication of the attacker, and focuses on collecting the IoCs most relevant to the organization's environment. Applying it significantly reduced the number of IoCs collected from one of the threat intelligence services. The deletion criterion, based on the lifecycle model, was created by forming hypotheses and testing them against empirical data. He noted that both criteria are scheduled to be implemented by the end of fiscal year 2024.

Finally, he concluded that the prioritization and deletion criteria have been gradually alleviating his team's IoC management issues.
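As an added illustration of the kind of criteria the talk describes, and not the speaker's or NTTDATA-CERT's actual code or thresholds, the following Python ranks indicators by their Pyramid of Pain level, an attacker risk score and port relevance, retires indicators whose last sighting is older than a per-type retention window, and fills a fixed device capacity with the highest-ranked live indicators. The level weights, retention windows, capacity, port list and sample indicators are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Pyramid of Pain levels, low to high: the higher the level, the costlier it is
# for the adversary to change the indicator, so the longer it stays useful.
PAIN_LEVEL = {"hash": 0, "ip": 1, "domain": 2, "artifact": 3, "tool": 4, "ttp": 5}

# Assumed retention windows (days since last sighting) per indicator type.
# Hypothetical values chosen for this example, not the talk's lifecycle model.
RETENTION_DAYS = {"hash": 365, "ip": 30, "domain": 90, "artifact": 180, "tool": 365, "ttp": 730}


@dataclass
class Indicator:
    value: str
    ioc_type: str               # key of PAIN_LEVEL
    last_seen: datetime         # last sighting reported by the feed
    actor_risk: int             # 1 (commodity) .. 5 (sophisticated actor)
    port: Optional[int] = None  # C2 port for "ip" indicators, when the feed gives one


def priority_score(ioc: Indicator, relevant_ports: Set[int]) -> float:
    """Higher means register first. Assumed weighting: pain level dominates, actor
    risk breaks ties, and an IP on a port the organisation allows outbound is worth
    more than one on a port it already blocks at the perimeter."""
    score = 2.0 * PAIN_LEVEL[ioc.ioc_type] + ioc.actor_risk
    if ioc.ioc_type == "ip" and ioc.port is not None:
        score += 2.0 if ioc.port in relevant_ports else -1.0
    return score


def is_expired(ioc: Indicator, now: datetime) -> bool:
    """Lifecycle termination: retire an indicator once its last sighting is older
    than the retention window for its type."""
    return now - ioc.last_seen > timedelta(days=RETENTION_DAYS[ioc.ioc_type])


def expired_indicators(iocs, now):
    """Indicators to delete from the device to free capacity and cut false positives."""
    return [i for i in iocs if is_expired(i, now)]


def select_for_registration(iocs, capacity, now, relevant_ports, min_score=0.0):
    """Fill the device's registration capacity with the highest-priority live
    indicators, dropping anything below min_score to keep headroom for new threats."""
    live = [i for i in iocs if not is_expired(i, now)]
    ranked = sorted(live, key=lambda i: priority_score(i, relevant_ports), reverse=True)
    return [i for i in ranked if priority_score(i, relevant_ports) >= min_score][:capacity]


# Constructed sample feed (documentation IP ranges and the reserved .example TLD).
NOW = datetime(2025, 1, 21, tzinfo=timezone.utc)
RELEVANT_PORTS = {80, 443, 8443}
SAMPLE_IOCS = [
    Indicator("203.0.113.10", "ip", NOW - timedelta(days=5), actor_risk=4, port=443),
    Indicator("198.51.100.7", "ip", NOW - timedelta(days=60), actor_risk=3, port=8443),
    Indicator("update-check.example", "domain", NOW - timedelta(days=10), actor_risk=5),
    Indicator("d" * 64, "hash", NOW - timedelta(days=400), actor_risk=5),
    Indicator("e" * 64, "hash", NOW - timedelta(days=2), actor_risk=1),
    Indicator("192.0.2.33", "ip", NOW - timedelta(days=1), actor_risk=2, port=4444),
]

if __name__ == "__main__":
    for i in select_for_registration(SAMPLE_IOCS, 3, NOW, RELEVANT_PORTS, min_score=2.0):
        print(f"register {i.ioc_type:7}{i.value}  score={priority_score(i, RELEVANT_PORTS)}")
    for i in expired_indicators(SAMPLE_IOCS, NOW):
        print(f"retire   {i.ioc_type:7}{i.value}")
```

With the sample feed, the domain and the IP on port 443 outrank the IP on port 4444, the low-risk fresh hash falls under the score floor, and the 60-day-old IP and 400-day-old hash are retired. The point of separating the two criteria is that prioritization decides what enters the device while expiry decides what leaves it; running both on every feed refresh keeps the registered set within capacity without accumulating stale entries.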

Evolution of Huapi Malware: Growing Focus on Edge Devices

Speakers: Yi-Chin Chuang, Yu-Tung Chan (TeamT5)

Slides (English)

Yi-Chin and Yu-Tung presented their analysis of campaigns conducted by the Chinese APT group Huapi, also known as BlackTech and PLEAD. The group has been active since 2007 and has primarily targeted governments and the technology and telecommunications sectors in East Asia, including Japan and Taiwan. In its most recent campaigns, Huapi has intensified attacks on edge devices such as routers and security products.

The speakers explained that the common features of recent Huapi campaigns are the refinement of Unix-based malware and the incorporation of compromised edge devices into the C2 infrastructure, and then described the malware and infrastructure used. SSHTD, observed since 2019, targets both Windows and Linux. Notable recent changes include performing name resolution through DNS servers closer to the target (Taiwan), a changed header order and payload encryption method, and the addition of information about the compromised device to the data sent to the C2 server; all of these were implemented as changes to the custom communication protocol. The speakers then covered Mabackdoor and Bifrost, the other malware used in the campaigns. Regarding Huapi's C2 infrastructure, they detailed a case in which Huapi configured compromised edge devices as part of that infrastructure. To keep passive DNS services from recording the domains, the domains were configured to resolve only for a brief period of time.

Finally, the speakers concluded from their analysis that Huapi is continuously improving its backdoors and hacking tools while also building a sophisticated, multi-layered C2 infrastructure, incorporating compromised edge devices, to evade detection.
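The short-lived resolution described above can be checked for in an organization's own recursive resolver logs, independently of any passive DNS service that may have missed the domain. The following Python is an added example, not from the talk or TeamT5: it parses constructed, simplified resolver log lines (the key=value format is an assumption, not a real product's format), computes for each name the window during which it returned answers, and flags names that answered only briefly and then stopped resolving. The window threshold and sample log are also assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed resolver log lines in an assumed key=value format: timestamp,
# queried name, record type, response code, answer ("-" when there is none).
SAMPLE_LOG = """\
2024-11-03T01:00:12Z qname=edge-upd.example rtype=A rcode=NOERROR answer=203.0.113.45
2024-11-03T01:00:30Z qname=www.example.org rtype=A rcode=NOERROR answer=198.51.100.20
2024-11-03T01:04:51Z qname=edge-upd.example rtype=A rcode=NOERROR answer=203.0.113.45
2024-11-03T01:12:08Z qname=edge-upd.example rtype=A rcode=NXDOMAIN answer=-
2024-11-03T02:00:00Z qname=never.example rtype=A rcode=NXDOMAIN answer=-
2024-11-03T03:00:00Z qname=blip.example rtype=A rcode=NOERROR answer=192.0.2.9
2024-11-03T05:30:00Z qname=edge-upd.example rtype=A rcode=NXDOMAIN answer=-
2024-11-03T09:00:30Z qname=www.example.org rtype=A rcode=NOERROR answer=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) qname=(?P<qname>\S+) rtype=(?P<rtype>\S+) "
    r"rcode=(?P<rcode>\S+) answer=(?P<answer>\S+)$"
)


def parse_log(text):
    """Return (timestamp, qname, rcode, answer) tuples; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["qname"].lower().rstrip("."), m["rcode"], m["answer"]))
    return events


def short_lived_domains(events, max_window_seconds=1800):
    """Names that returned answers only within a short window and afterwards stopped
    resolving are candidates for deliberately ephemeral C2 domains. A name seen
    resolving once with no later failure is not flagged: it may simply be new."""
    by_name = defaultdict(list)
    for ts, qname, rcode, answer in events:
        by_name[qname].append((ts, rcode, answer))
    findings = []
    for qname, rows in by_name.items():
        rows.sort()
        ok = [(ts, ans) for ts, rc, ans in rows if rc == "NOERROR"]
        if not ok:
            continue
        first_ok, last_ok = ok[0][0], ok[-1][0]
        failed_after = [ts for ts, rc, _ in rows if rc != "NOERROR" and ts > last_ok]
        window = (last_ok - first_ok).total_seconds()
        if window <= max_window_seconds and failed_after:
            findings.append({
                "qname": qname,
                "window_seconds": window,
                "answers": sorted({ans for _, ans in ok}),
                "first_ok": first_ok.isoformat(),
                "went_dark_at": failed_after[0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in short_lived_domains(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the sample, edge-upd.example answers for under five minutes and then returns NXDOMAIN, so it is reported together with the address it pointed to, which can then be checked against the organization's list of internet-facing edge devices. www.example.org resolves steadily and is left alone.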

Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions

Speakers: Leon Chang, Theo Chen (TrendMicro)

Slides (English)

Leon and Theo presented their analysis of campaigns conducted by the Chinese APT group Earth Estries.

According to the speakers, Earth Estries has been active in espionage since at least 2019, targeting sectors including government agencies and the telecommunications industry across more than 10 countries, including Taiwan and Thailand. Some Earth Estries activity was also confirmed to overlap with that of other APT groups, such as GhostEmperor and FamousSparrow.

The speakers then explained the two campaigns attributed to Earth Estries: Campaign Alpha and Campaign Beta. In Campaign Alpha, the attackers targeted government agencies as well as the chemicals, transportation, and other industries in the Asia-Pacific region. They exploited vulnerabilities in publicly accessible servers to gain access and deployed tools such as DEMODEX and SNAPPYBEE. After explaining the DEMODEX infection chain, the speakers went into the use of SNAPPYBEE, the post-compromise behavior, and the methods used to steal information. In Campaign Beta, the attackers focused on telecommunications companies in the Asia-Pacific region and the United States. They compromised targets through vulnerabilities in publicly accessible servers and through supply chains, and then deployed malware such as DEMODEX and GHOSTSPIDER. The speakers compared GHOSTSPIDER, DEMODEX, and Cobalt Strike, highlighting similarities in their infection flows and communication protocols. Regarding attribution, the speakers argued from the TTPs that Earth Estries most likely conducted both campaigns, while also noting that overlapping WHOIS registrar information and toolsets suggest that Earth Estries and UNC4841 might share C2 infrastructure.

In conclusion, the speakers reviewed the key characteristics of Earth Estries: the group often begins intrusions from edge devices and builds its infrastructure using a variety of techniques to hide its espionage activities.

Follow the Clues: Everyday is lazarus.day

Speaker: Jeonggak Lyu (FSI)

Slides (English)

Jeonggak presented the insights into threat intelligence he gained through lazarus.day, a platform that consolidates intelligence related to North Korean threat actors.

He first discussed the classification of threat actors by motivation, then explained the CTI lifecycle model and the Pyramid of Pain. He pointed out that simple IoCs are relatively easy to detect and generate but are also easily evaded, whereas detection based on TTPs is harder to build yet far more difficult for adversaries to bypass. He also covered the structure of CTI reports, CTI enrichment and pivoting, and useful CTI platforms for each stage of the CTI lifecycle, emphasizing that automation, such as using the APIs provided by tools and threat intelligence services, is crucial to making CTI report formatting and enrichment efficient.

Furthermore, he discussed how lazarus.day has been using threat intelligence and mentioned that an upcoming feature will let lazarus.day visualize the relations between IoCs as a graph. Based on his experience, he emphasized the importance of setting clear objectives, rather than trying to respond to every single cyber attack, for using threat intelligence effectively in an organization. He also highlighted the value of automation and of adopting new technologies such as AI to carry out the CTI lifecycle efficiently.

Finally, he recommended using a CTI maturity model to assess how well an organization is using CTI.

Analysis of Attack Strategies Targeting Centralized Management Solutions

Speakers: Dongwook Kim, Seulgi Lee (KrCERT/CC)

Slides (English)

Dongwook and Seulgi presented traces of activity identified on a rental server used by Andariel, a subgroup of Lazarus, together with the TTPs observed in a campaign targeting South Korean companies.

They first described an incident in which a hospital in the U.S. was compromised by Maui ransomware. The email address listed in the ransom note was later found to have been used to access a rental server in South Korea, which the speakers said triggered this investigation.

They then shared their analysis of Andariel's activity on the rental server. Based on search results and files left behind, they noted an increasing use of Golang for development and found that the group was developing remote access malware and vulnerability scanning code, as well as researching zero-day vulnerabilities. The speakers also shared case studies of TTPs observed at targeted organizations; in one case, the attackers exploited a vulnerability in a third-party solution for initial access and then deployed malware.

Finally, the speakers emphasized the importance of assessing the security of third-party solutions at the implementation stage, since Andariel is skilled at zero-day attacks on centralized management solutions. They added that audits should be conducted regularly after implementation and that information sharing with relevant organizations is essential.

Kimsuky Wanna Be Your Social Network Friend

Speakers: Hankuk Jo, Sangyoon Yoo, Jeonghee Ha (NSHC Security)

Slides (English)

Hankuk, Sangyoon, and Jeonghee delivered a presentation comparing the tactics used in a campaign conducted by the North Korean actor Kimsuky to the story of Little Red Riding Hood.

During the campaign, the attackers targeted individuals connected to the South Korean Navy who had graduated from the Korean Naval Academy, collecting their information from LinkedIn. They then created fake personas based on real people with military backgrounds to build trust with their targets. The attack infrastructure was set up through a VPS/VDS provider that allows contracts without disclosing personal information, with payment made in cryptocurrency.

The speakers also explained how Kimsuky achieved initial access, deployed malware, and conducted post-compromise activity. Initial access was gained through spear-phishing emails carrying a Google Drive link to a ZIP or EGG archive containing malicious JavaScript and a PE file. When the JavaScript was executed, it decrypted the PE file hidden behind a fake PDF header and ran it using PowerShell. After compromising the target, the attackers used legitimate tools to collect information, following Living off the Land tactics, and exfiltrated it disguised as PDF documents.
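The "fake PDF header" trick is something a responder can triage for without executing the JavaScript. The following Python is an added example, not the speakers' or NSHC's code and not derived from the actual sample: it checks whether a file that starts with the PDF magic actually carries PDF structure, whether an unencrypted PE image (an MZ header whose e_lfanew field points at a valid PE signature) is embedded anywhere in it, and, since the campaign's PE was stored encrypted, whether the bytes after the header are high-entropy. The structural marker list, the entropy threshold and the three constructed sample files are assumptions.

```python
import hashlib
import math
import struct

# Structural markers a real PDF carries; a header-only fake normally has none of them.
PDF_STRUCTURE_MARKERS = (b" obj", b"endobj", b"xref", b"startxref", b"%%EOF")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, 4-5 for PDF text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_embedded_pe(data: bytes):
    """Offset of the first MZ header whose e_lfanew field (at +0x3C) points at a
    'PE\\0\\0' signature, or None. Only finds a PE that is stored in the clear."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def triage_pdf(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag a file that claims to be a PDF but either wraps a clear-text PE or
    lacks PDF structure while its body looks encrypted (assumed threshold)."""
    claims_pdf = data.startswith(b"%PDF-")
    missing = [m.decode() for m in PDF_STRUCTURE_MARKERS if m not in data]
    pe_offset = find_embedded_pe(data)
    body = data[data.find(b"\n") + 1:] if claims_pdf else data
    entropy = round(shannon_entropy(body), 2)
    suspicious = bool(claims_pdf and (pe_offset is not None or (missing and entropy >= entropy_threshold)))
    return {
        "claims_pdf": claims_pdf,
        "missing_markers": missing,
        "embedded_pe_offset": pe_offset,
        "body_entropy": entropy,
        "suspicious": suspicious,
    }


def _pe_stub() -> bytes:
    """Minimal constructed MZ header whose e_lfanew points at a PE signature (i386
    machine field); not an executable, just enough structure to be recognised."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18


# Constructed samples. Offsets in the xref are not exact; marker checks do not need them.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
    b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n110\n%%EOF\n"
)
FAKE_PDF_CLEAR_PE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + b"\x00" * 64 + _pe_stub()
# Stand-in for an encrypted payload: deterministic high-entropy bytes, not real malware.
FAKE_PDF_ENCRYPTED = b"%PDF-1.7\n" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("clear_pe", FAKE_PDF_CLEAR_PE), ("encrypted", FAKE_PDF_ENCRYPTED)):
        print(name, triage_pdf(sample))
```

The entropy rule is a triage heuristic rather than a verdict: a truncated legitimate PDF with compressed streams can trip it, so a hit should lead to looking at the accompanying script for the decryption routine rather than to a block on its own. Once the key is recovered from that script, the decrypted body can be fed back through find_embedded_pe to confirm the payload.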

Furthermore, the speakers pointed out that the malware, IP addresses of the C2 servers, and domains used in this campaign overlapped with those from previous Kimsuky campaigns, suggesting a high possibility that this campaign is also attributed to Kimsuky.

Finally, the speakers expressed their hope that the insights shared in this presentation regarding Kimsuky’s sophisticated spear-phishing tactics would help in developing strategies for future threat response.

Behind the scenes of recent DarkPlum operations

Speakers: Amata Anantaprayoon, Rintaro Koike (NTT Security Holdings)

Slides (English)

Amata and Rintaro presented their investigation of campaigns and C2 infrastructure attributed to the North Korean actor DarkPlum, also known as APT43 or Kimsuky. While DarkPlum primarily targets South Korea and the United States, the speakers noted that Japan can also be a target. They also noted that the actor can be divided into four subgroups, including Baby Shark, which mainly targets Japan.

They then discussed three campaigns observed since March 2024 in which DarkPlum targeted Japanese academic institutions and security-related think tanks. The first, observed in March 2024, involved a decoy document with a double extension; opening it triggered the deployment and execution of the RandomQuery downloader and a keylogger via VBScript and PowerShell. The second, observed in April 2024, targeted researchers with malicious MSC files sent via Facebook Messenger and email; the speakers noted that this was possibly the first observed case of MSC files being abused. In the third, observed in May 2024, the attackers possibly distributed malware believed to be KimaLogger through a Japanese-language phishing site.

In addition, the speakers shared how they used OSINT to identify C2 infrastructure, uncovering cryptocurrency transactions targeting South Korea and phishing sites targeting academic institutions. They also suggested that email accounts harvested through the phishing sites might have been used in further attacks.

Finally, they shared their findings from analyzing large-scale network information, providing a detailed explanation of DarkPlum’s attack infrastructure and operations.

In closing

In this article, I introduced the presentations on the first day of JSAC 2025. The next entry will feature the presentations from Day 2.

Tomoya Kamei(Translated by Takumi Nakano)
