List of “Malware”

  • PLEAD Downloader Used by BlackTech Malware
    PLEAD Downloader Used by BlackTech
    In a past article, we introduced TSCookie, malware which seems to be used by BlackTech[1]. It has been revealed that this actor also uses another type of malware “PLEAD”. (“PLEAD” is referred to both as a name of malware including TSCookie and its attack campaign [2]. In this article, we refer to “PLEAD” as a type malware apart from TSCookie.) PLEAD has two kinds – RAT (Remote Access Tool) and...

    Read more

  • Malware “TSCookie” Malware
    Malware “TSCookie”
    Around 17 January 2018, there were some reports on the social media about malicious emails purporting to be from Ministry of Education, Culture, Sports, Science and Technology of Japan [1]. This email contains a URL leading to a malware called “TSCookie”. (Trend Micro calls it “PLEAD” malware [2]. Since PLEAD is also referred to as an attack campaign, we call this malware TSCookie in this article.) TSCookie has been observed...

    Read more

  • Detecting Datper Malware from Proxy Logs Malware
    Detecting Datper Malware from Proxy Logs
    This is Yu Nakamura from Analysis Center. This entry is to explain features of Datper, malware used for targeted attacks against Japanese organisations and how to detect it from the logs. JPCERT/CC has been observing attacks using Datper since around June 2016. Research reports on the adversary are published from LAC [1], SecureWorks [2] and Palo Alto Networks [3]. The adversary had also conducted attacks using Daserf malware in the...

    Read more

  • What the Avalanche Botnet Takedown Revealed: Banking Trojan Infection in Japan Malware
    What the Avalanche Botnet Takedown Revealed: Banking Trojan Infection in Japan
    Internet banking services across the globe have been exposed to the threat by unauthorized money transfers and suffering large-scale losses. In this landscape, an operation led by international law enforcement agencies has been in effect since November 2016 to capture criminal groups conducting unauthorised online banking transfers and dismantle the attack infrastructure (the Avalanche botnet). JPCERT/CC is one of the many supporters of this operation. For more information about the...

    Read more

  • Clustering Malware Variants Using “impfuzzy for Neo4j” Malware
    Clustering Malware Variants Using “impfuzzy for Neo4j”
    In a past article, we introduced “impfuzzy for Neo4j”, a tool to visualise results of malware clustering (developed by JPCERT/CC). In this article, we will show the result of clustering Emdivi using the tool. Emdivi had been seen until around 2015 in targeted attacks against Japanese organisations. For more information about Emdivi, please refer to JPCERT/CC’s report. Clustering Emdivi with impfuzzy for Neo4j Emdivi has two major variants - t17...

    Read more

  • Volatility Plugin for Detecting RedLeaves Malware Malware
    Volatility Plugin for Detecting RedLeaves Malware
    Our previous blog entry introduced details of RedLeaves, a type of malware used for targeted attacks. Since then, we’ve seen reports including those from US-CERT that Management Service Providers (MSPs) have been targeted [1] [2]. In the US-CERT report, some instances have been identified where RedLeaves malware has only been found within memory with no on-disk evidence because of the behavior of self-elimination after the infection. To verify the infection...

    Read more

  • RedLeaves - Malware Based on Open Source RAT Malware
    RedLeaves - Malware Based on Open Source RAT
    Hi again, this is Shusei Tomonaga from the Analysis Center. Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. It is a new type of malware which has been observed since 2016 in attachments to targeted emails. This entry introduces details of RedLeaves and results of our analysis including its relation to PlugX, and a tool which is used as the base...

    Read more

  • Malware Clustering using impfuzzy and Network Analysis - impfuzzy for Neo4j - Malware
    Malware Clustering using impfuzzy and Network Analysis - impfuzzy for Neo4j -
    Hi again, this is Shusei Tomonaga from the Analysis Center. This entry introduces a malware clustering tool “impfuzzy for Neo4j” developed by JPCERT/CC. Overview of impfuzzy for Neo4j impfuzzy for Neo4j is a tool to visualise results of malware clustering using a graph database, Neo4j. A graph database is a database for handling data structure comprised of records (nodes) and relations among the records. Neo4j provides functions to visualise registered...

    Read more

  • Malware Leveraging PowerSploit Malware
    Malware Leveraging PowerSploit
    Hi again, this is Shusei Tomonaga from the Analysis Center. In this article, I’d like to share some of our findings about ChChes (which we introduced in a previous article) that it leverages PowerSploit [1] – an open source tool – for infection. Flow of ChChes Infection The samples that JPCERT/CC confirmed this time infect machines by leveraging shortcut files. The flow of events from a victim opening the shortcut...

    Read more

  • PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code - Malware
    PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code -
    Hi again, this is Shusei Tomonaga from the Analysis Center. PlugX is a type of malware used for targeted attacks. We have introduced its new features in the blog article “Analysis of a Recent PlugX Variant - ‘P2P PlugX‘”. This article will discuss the following two structural changes observed in PlugX since April 2016: the way API is called the format of main module changed from PE to raw binary...

    Read more