List of “朝長 秀誠 (Shusei Tomonaga)”

  • Malware “WellMess” Targeting Linux and Windows Malware
    Malware “WellMess” Targeting Linux and Windows
    Some malware is designed to run on multiple platforms, and most commonly they are written in Java. For example, Adwind malware (introduced in a past article) is written in Java, and it runs on Windows and other OS. Golang is another programming language, and it is used for Mirai controller, which infects Linux systems. This article introduces the behaviour of WellMess malware based on our observation. It is a type...

    Read more

  • PLEAD Downloader Used by BlackTech Malware
    PLEAD Downloader Used by BlackTech
    In a past article, we introduced TSCookie, malware which seems to be used by BlackTech[1]. It has been revealed that this actor also uses another type of malware “PLEAD”. (“PLEAD” is referred to both as a name of malware including TSCookie and its attack campaign [2]. In this article, we refer to “PLEAD” as a type malware apart from TSCookie.) PLEAD has two kinds – RAT (Remote Access Tool) and...

    Read more

  • Malware “TSCookie” Malware
    Malware “TSCookie”
    Around 17 January 2018, there were some reports on the social media about malicious emails purporting to be from Ministry of Education, Culture, Sports, Science and Technology of Japan [1]. This email contains a URL leading to a malware called “TSCookie”. (Trend Micro calls it “PLEAD” malware [2]. Since PLEAD is also referred to as an attack campaign, we call this malware TSCookie in this article.) TSCookie has been observed...

    Read more

  • Investigate Unauthorised Logon Attempts using LogonTracer Forensic
    Investigate Unauthorised Logon Attempts using LogonTracer
    In the recent article, we introduced the concept and the use of "LogonTracer", a tool to support Windows event log analysis. This article presents how unauthorised logon attempts can be identified using this tool. Please refer to the Wiki for LogonTracer installation. Points for Investigation LogonTracer serves as a tool to support the log analysis rather than to detect unauthorised logon itself. For an effective investigation using this tool, we...

    Read more

  • Research Report Released: Detecting Lateral Movement through Tracking Event Logs (Version 2) Forensic
    Research Report Released: Detecting Lateral Movement through Tracking Event Logs (Version 2)
    In June 2017, JPCERT/CC released a report “Detecting Lateral Movement through Tracking Event Logs” on tools and commands that are likely used by attackers in lateral movement, and traces that are left on Windows OS as a result of such tool/command execution. After the release, we received a lot of feedback on the report, and until now we had been working on the revision based on the comments. Today, we...

    Read more

  • Visualise Event Logs to Identify Compromised Accounts - LogonTracer - Forensic
    Visualise Event Logs to Identify Compromised Accounts - LogonTracer -
    Hello again, this is Shusei Tomonaga from the Analysis Center. Event log analysis is a key element in security incident investigation. If a network is managed by Active Directory (hereafter, AD), can be identified by analysing AD event logs. For such investigation, it is quite difficult to conduct detailed analysis in AD event viewer; it is rather common to export the logs to text format or import them into SIEM/log...

    Read more

  • Clustering Malware Variants Using “impfuzzy for Neo4j” Malware
    Clustering Malware Variants Using “impfuzzy for Neo4j”
    In a past article, we introduced “impfuzzy for Neo4j”, a tool to visualise results of malware clustering (developed by JPCERT/CC). In this article, we will show the result of clustering Emdivi using the tool. Emdivi had been seen until around 2015 in targeted attacks against Japanese organisations. For more information about Emdivi, please refer to JPCERT/CC’s report. Clustering Emdivi with impfuzzy for Neo4j Emdivi has two major variants - t17...

    Read more

  • Research Report Released: Detecting Lateral Movement through Tracking Event Logs Forensic
    Research Report Released: Detecting Lateral Movement through Tracking Event Logs
    JPCERT/CC has been seeing a number of APT intrusions where attackers compromise a host with malware then moving laterally inside network in order to steal confidential information. For lateral movement, attackers use tools downloaded on infected hosts and Windows commands. In incident investigation, traces of tool and command executions are examined through logs. For an effective incident investigation, a reference about logs recorded upon tool and command executions would be...

    Read more

  • Volatility Plugin for Detecting RedLeaves Malware Malware
    Volatility Plugin for Detecting RedLeaves Malware
    Our previous blog entry introduced details of RedLeaves, a type of malware used for targeted attacks. Since then, we’ve seen reports including those from US-CERT that Management Service Providers (MSPs) have been targeted [1] [2]. In the US-CERT report, some instances have been identified where RedLeaves malware has only been found within memory with no on-disk evidence because of the behavior of self-elimination after the infection. To verify the infection...

    Read more

  • RedLeaves - Malware Based on Open Source RAT Malware
    RedLeaves - Malware Based on Open Source RAT
    Hi again, this is Shusei Tomonaga from the Analysis Center. Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. It is a new type of malware which has been observed since 2016 in attachments to targeted emails. This entry introduces details of RedLeaves and results of our analysis including its relation to PlugX, and a tool which is used as the base...

    Read more