Title: An Overhead View of the Royal Road
Several targeted attack groups share attack tools and are reported to carry out similar attacks. Tool sharing is also seen in attacks targeting Japanese organizations, for example by Tick, which is believed to use a tool called Royal Road RTF Weaponizer. Royal Road is also used by targeted attack groups suspected of being based in China, such as Goblin Panda and Temp.Trident.
In this presentation, we focus on Royal Road and introduce the tool: its outline, its behavior, and the vulnerability it exploits. Next, we list the targeted attack groups that use Royal Road and show each attack case in detail. We have collected over 100 malicious documents since 2018 and investigated the malware they drop and download. Even among groups using the same Royal Road, we attributed each case based on the target country/organization, the techniques used, the malware executed, and so on.
The targeted countries and organizations are varied, mainly in Asia. Such information has been published by researchers around the world, but it is not widely known that Royal Road is used in Tick attacks targeting Japanese organizations. Attacks using Royal Road were still active in 2019. We share the analysis results of malicious documents and malware based on the cases we observed. Other targeted attack groups may also be related to Royal Road; we introduce their attack cases and show the relationships.
Finally, we show a hunting technique based on the characteristics of RTF files generated by Royal Road and on the techniques preferred by the targeted attack groups that use it. This talk will help researchers who analyze targeted attacks, and CSIRT/SOC members, to understand these attacks and take countermeasures.
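The hunting technique itself depends on traits of Royal Road documents that the talk presents and this abstract does not; what can be shown here is the generic first step a hunter needs for any RTF weaponizer output: pulling the embedded OLE object out of each `\objdata` group so that its class name and payload hash can be searched and clustered. The following is an added example written for this page, not code from the speakers or from nao_sec. It tolerates the whitespace and nested groups that obfuscated documents insert into the hex stream, parses the OLE1 ObjectHeader as documented in MS-OLEDS, and runs against a constructed sample RTF embedded in the block.

```python
"""Extract embedded OLE1 objects from an RTF file for hunting and triage.

Added example (not from the talk, which covers Royal Road's specific traits):
decodes every \\objdata group, tolerating whitespace and nested groups that
obfuscated documents insert into the hex stream, parses the OLE1 ObjectHeader
(MS-OLEDS) and reports the class name, native data size and SHA-256 so each
object can be pivoted on. A constructed sample RTF is included.
"""
import hashlib
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\b")
CONTROL_RE = re.compile(rb"\\([A-Za-z]+-?\d* ?|[^A-Za-z])")  # control word or control symbol
HEX_CHARS = frozenset(b"0123456789abcdefABCDEF")


def _hex_payload(rtf: bytes, pos: int) -> bytes:
    """Collect hex digits from pos until the group containing \\objdata closes."""
    depth = 0
    out = bytearray()
    i = pos
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:  # backslash: a control word/symbol, never object data
            m = CONTROL_RE.match(rtf, i)
            i = m.end() if m else i + 2
            continue
        if c == 0x7B:
            depth += 1
        elif c == 0x7D:
            if depth == 0:
                break  # closing brace of the \objdata group itself
            depth -= 1
        elif c in HEX_CHARS:
            out.append(c)
        i += 1
    if len(out) % 2:
        out.pop()  # ignore a dangling nibble
    return bytes.fromhex(out.decode("ascii"))


def parse_ole1(blob: bytes):
    """Parse OLE1 ObjectHeader + EmbeddedObject; return None if malformed."""
    try:
        version, format_id = struct.unpack_from("<II", blob, 0)
        off = 8
        names = []
        for _ in range(3):  # ClassName, TopicName, ItemName: length-prefixed ANSI strings
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4
            names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
            off += n
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
    except struct.error:
        return None
    native = blob[off:off + size]
    return {"ole_version": version, "format_id": format_id, "class_name": names[0],
            "native_size": size, "truncated": len(native) < size,
            "native_sha256": hashlib.sha256(native).hexdigest()}


def find_objects(rtf: bytes) -> list:
    """Return one parsed record per \\objdata group that decodes to a valid OLE1 object."""
    results = []
    for m in OBJDATA_RE.finditer(rtf):
        parsed = parse_ole1(_hex_payload(rtf, m.end()))
        if parsed:
            results.append(parsed)
    return results


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Serialise a minimal OLE1 embedded object (only used to build the sample)."""
    lps = lambda s: struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, 2) + lps(class_name) + lps(b"") + lps(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample: a "Package" object whose native data is a fake PE header,
# with a line break and a nested empty group injected into the hex stream.
SAMPLE_NATIVE = b"MZ" + b"\x90" * 30
_hex = build_ole1(b"Package", SAMPLE_NATIVE).hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + _hex[:24] + b"\r\n{\\*\\junk}"
              + _hex[24:] + b"}}}")
SAMPLE_NATIVE_SHA256 = hashlib.sha256(SAMPLE_NATIVE).hexdigest()

if __name__ == "__main__":
    for obj in find_objects(SAMPLE_RTF):
        print(obj)
```

Run over a corpus, the `class_name` and `native_sha256` fields are what you cluster on: documents built by the same weaponizer tend to share the object class and often the exact embedded payload, which is the kind of trait a YARA rule or a retrohunt can be built around once the talk's specific characteristics are known.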
Rintaro Koike is a security analyst at NTT Security (Japan) KK. He is also the founder of "nao_sec" and a malicious traffic/script/document analyst. He has spoken at JSAC 2018/19, HITCON Community 2019, VB 2019, AVAR 2019 and Black Hat USA 2018 Arsenal.
Shota Nakajima is a Security Analyst at Cyber Defense Institute, Inc. in Japan. He has been engaged in malware analysis and incident response. He also belongs to the non-profit cyber security research team nao_sec (@nao_sec) and analyzes malware in the wild. He has spoken at Japan Security Analyst Conference 2018/2019 hosted by JPCERT/CC, HITCON Community 2019, AVAR 2019 and Black Hat Arsenal, and has been a BlueBox presenter.
Title: The Implementation and Usage of Artifact Collection Tool and Simple Malware Analysis Sandbox for macOS
There are fewer security-related tools and analysts for macOS than for Windows. A large factor is the market share of the OS and the resulting demand, but the shortage of macOS tools is itself also a reason. Therefore, I will publish two tools at this conference.
The first tool is an artifact collecting tool. There are a variety of artifact analysis tools, so you may wonder whether a collecting-only tool is needed. In fact, existing analysis tools analyze files without preserving them, so if a tool crashes due to a bug in its parser, you must devise a workaround on the spot, and the later stages of the investigation are delayed as a result.
If you run the artifact collecting tool I created first and analyze the collected files afterwards, you can handle an error during analysis with some margin, for example by fixing the analysis tool. Also, if new artifacts are discovered, they can be collected simply by adding the file path to the configuration file. Since the analysis itself is performed with existing tools, artifacts are collected in a form that makes it easy to hand them to those tools.
The second tool is a simple malware analysis sandbox for macOS. There are a few Cuckoo-based ones, but they are no longer maintained and may be difficult to use with the latest macOS.
Therefore, with maintainability in mind, I created a sandbox for macOS modeled on Noriben, a relatively simple sandbox for Windows. The tool consists of a program that records OS activity and a program that filters out unnecessary activity and creates a report.
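The filter-and-report stage is where a Noriben-style sandbox earns its keep: the recorder captures everything the OS does, and the value lies in discarding background churn and keeping only what the sample and its children did. The block below is an added example written for this page, not the speaker's tool. The recorder output format is an assumption (one CSV event per line: `timestamp,pid,process,operation,target`, with an `exec` target of `"<child_pid> <image path>"`), and the noise allowlist and the sample log are constructed; the process-tree tracking and the de-duplication are the parts worth copying.

```python
"""Noise filter and report builder for a macOS activity recording.

Added example modeled on the filter/report stage of Noriben; not the speaker's
tool. The recorder's output format is assumed here as one CSV event per line:
    timestamp,pid,process,operation,target
with operation in {exec, file_write, file_delete, connect}. For exec the target
is "<child_pid> <image path>". Events are kept only if they belong to the
sample's process tree and are not matched by the noise rules.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts pid proc op target")

# macOS daemons that write constantly regardless of the sample (assumed allowlist).
NOISE_PROCS = {"mds", "mds_stores", "mdworker_shared", "cfprefsd", "trustd", "syspolicyd"}
# Paths where writes are routine cache/metadata churn (assumed allowlist).
NOISE_PATH_RE = re.compile(r"^(/private/var/folders/[^/]+/[^/]+/T/|/(Users/[^/]+/)?Library/Caches/)")
CATEGORY = {"exec": "processes", "file_write": "files", "file_delete": "files", "connect": "network"}


def parse_line(line: str) -> Event:
    ts, pid, proc, op, target = line.rstrip("\n").split(",", 4)
    return Event(ts, int(pid), proc, op, target)


def is_noise(ev: Event) -> bool:
    if ev.proc in NOISE_PROCS:
        return True
    return ev.op in ("file_write", "file_delete") and bool(NOISE_PATH_RE.match(ev.target))


def build_report(lines, sample_pid: int) -> dict:
    """Keep events from the sample's process tree, drop noise, collapse repeats."""
    tracked = {sample_pid}          # pids that belong to the sample's tree
    report = {"processes": [], "files": [], "network": []}
    seen = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.pid not in tracked or is_noise(ev):
            continue
        if ev.op == "exec":
            child_pid, image = ev.target.split(" ", 1)
            tracked.add(int(child_pid))   # follow the tree, as Noriben does by pid lineage
            entry = f"{ev.proc}[{ev.pid}] -> {image}[{child_pid}]"
        else:
            entry = f"{ev.proc}[{ev.pid}] {ev.op} {ev.target}"
        key = (ev.proc, ev.op, ev.target)
        if key in seen:
            continue                      # identical repeated actions add nothing to the report
        seen.add(key)
        report.setdefault(CATEGORY.get(ev.op, "other"), []).append(entry)
    return report


# Constructed recording: the sample (pid 701) drops a LaunchAgent, spawns a shell
# that beacons, and also writes to a cache path; unrelated daemons write noise.
SAMPLE_LOG = """\
2019-12-01T10:00:00Z,700,launchd,exec,701 /Users/analyst/Desktop/sample
2019-12-01T10:00:01Z,701,sample,file_write,/Users/analyst/Library/LaunchAgents/com.example.agent.plist
2019-12-01T10:00:01Z,210,mds,file_write,/private/var/folders/ab/cd/T/com.apple.metadata/index
2019-12-01T10:00:02Z,701,sample,exec,702 /bin/sh
2019-12-01T10:00:02Z,702,sh,connect,203.0.113.10:443
2019-12-01T10:00:02Z,702,sh,connect,203.0.113.10:443
2019-12-01T10:00:03Z,55,cfprefsd,file_write,/Users/analyst/Library/Preferences/com.apple.finder.plist
2019-12-01T10:00:03Z,701,sample,file_write,/Users/analyst/Library/Caches/tmpfile
2019-12-01T10:00:04Z,900,Safari,connect,198.51.100.7:443
"""

if __name__ == "__main__":
    for section, entries in build_report(SAMPLE_LOG.splitlines(), 701).items():
        print(section)
        for e in entries:
            print("  ", e)
```

Nine recorded events reduce to three report lines: the persistence write, the child shell, and its network connection. The allowlist is the part that needs tuning per macOS release; an overly broad path rule is how a sandbox report silently loses the one file write that matters.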
In this presentation, I will introduce the implementation and usage of these tools with demonstrations.
He works for Internet Initiative Japan Inc. as a forensic investigator and a member of the company's CSIRT. His primary research themes relate to digital forensics, and he strives to improve incident response capabilities and in-house technical capabilities. He has presented and trained at international and local security conferences such as Security Camp 2017-2019, Black Hat USA 2018, JSAC 2018, and FIRST TC.
Title: Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Incidents caused by targeted ransomware are one of the cyber security threats causing massive damage in Japan these days. Responding to this type of attack is more difficult than responding to conventional ransomware because attackers apply targeted attack techniques to intrude into the target's network, move laterally, and spread the ransomware. Many companies are not prepared for the latest targeted ransomware attacks and cannot respond properly when they are hit. In some cases the targeted company was forced to stop operations temporarily and even paid the ransom.
The purpose of this presentation is to provide useful information to security vendors and staff engaged in incident response. The speakers describe the whole picture of targeted ransomware attacks based on research and analysis of incidents to which Secureworks responded.
The presentation first describes some targeted ransomware cases involving domestic companies, covering the damage, the extent of impact, the initial response by the affected companies, and so on. It then presents the TTPs (Tactics, Techniques, and Procedures) of these attacks as unraveled through forensics of affected devices and analysis of malware samples. Targeted ransomware attacks are so called because they generally use the techniques of targeted attacks. However, it was confirmed that this new type of attack also has unique TTPs, such as the use of tools that had not been seen in other targeted attacks before.
Finally, the presentation introduces recommended response methods against the latest targeted ransomware incidents, shares useful IoCs, and shows potential future changes in attack techniques, predicted based on Secureworks' incident response experience.
Kiyotaka gained experience in device investigation, malware analysis, and forensic analysis while working at a security vendor that provided incident response services to private companies and government offices. Since July 2018, he has been engaged in collecting and analyzing information on cyber attacks in Japan as well as in malware and forensic analysis.
Keita's primary responsibility is to support customers' incident response, using his technical knowledge and skills in digital forensics as well as his experience in cyber security incident response. He provides services such as analysis of information systems intruded by a third party, APT incident response, and security training. He is also a developer and instructor of forensics and incident response training for government offices, IT vendors, and CSIRTs in private companies. To date, he has trained hundreds of people.
You is a member of the Counter Threat Unit at Secureworks. He investigates and studies the latest cyber attacks while providing incident response and analyzing related malware and other artifacts.
Title: Battle Against Ursnif Malspam Campaign targeting Japan
Malspam campaigns written in Japanese that aim to infect recipients with malware have been observed on a day-to-day basis since 2016. The most commonly observed malware is Ursnif. It has been reported that the number of Ursnif infections exceeded 45,000 in 2019. We presume that this campaign may have a major impact in Japan.
The presenters belong to a volunteer group, the "ばらまきメール回収の会" (roughly, the Malspam Collection Group). In this group, participants from different organizations share observations of malspam campaigns, analyze the samples, and send out threat information for countermeasures.
In this presentation, we share the analysis results of the malspam campaign aimed at Ursnif infection, based on the analysis of over 500 specimens collected since 2016, including the malicious attachments and the downloaded malware. From a long-term view of the distribution infrastructure, attachments, malware, C2 domains, victims, and adversary behavior, we learned that two threat actors are behind this campaign. We also describe how the attack methods have changed over time.
In addition, we describe active defense against this campaign and the threat actors' reactions. For example, both groups mainly use the spam bot Cutwail for mail distribution; because our mechanism monitors the spam distribution instructions received by Cutwail, we can catch distribution information at an early stage and issue public early warnings.
Moreover, by taking the initiative, we succeeded in forcing the attackers to change their techniques and were able to bring the series of campaigns targeting Japan to a pause for the moment.
The latest trends of these threat actors are also described in detail. Finally, we share countermeasures that companies can take against continuous malspam campaigns, such as ways of utilizing the shared information and detection methods.
He has been working as a cyber security analyst at JPCERT/CC in Japan since 2019, focusing on incident response and APT threat intelligence. He previously worked on security monitoring and cyber security planning as a private SOC analyst in the financial sector. He also personally reports on and analyzes malspam targeting Japan.
He has been a security analyst at Mizuho-CIRT since 2017 and is a member of the CIRT's technical team for forensics and tool development. He previously worked on software development at a system integrator. He built a monitoring system for malspam and operates it.
He is a cyber security researcher at ITOCHU Corporation, responsible for protecting the company's business and researching cyber threat intelligence as a member of ITCCERT. He previously worked on monitoring and incident handling as a SOC analyst.
Title: 100 more behind cockroaches? or how to hunt IoCs with OSINT
People often say that if you find one cockroach at home, the house has 100 in total. This popular theory also holds in cyber security. It is commonly known that malware has variants, but it is less known that other threats such as phishing sites and infrastructure used as C2 servers also have similar or identical siblings. These variants can be evidence of another attack by the same attacker, part of a larger campaign, or multiple different attacks conducted with tools from the same developer. In such cases, it is possible to discover indications of potential attacks and prepare for them earlier by proactively finding such variants.
OSINT (open-source intelligence) is useful for this type of investigation. It draws on sources such as passive DNS/SSL, reverse WHOIS, HTTP fingerprints, SSH key fingerprints, Certificate Transparency logs, and YARA. This presentation shows how to find variants of attack tools or infrastructure starting from a phishing site, a malware IoC, or a vendor's report.
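Every source listed above yields the same kind of fact, "domain X shares attribute Y with domain Z", and the investigation is a walk over those shared attributes. The block below is an added example for this page, not the speakers' method or tooling: it pivots breadth-first from a seed indicator over constructed passive DNS, reverse WHOIS and certificate fingerprint records, and it builds in the check that separates a usable pivot from a useless one, namely refusing to pivot through an attribute shared by too many domains (shared hosting, a privacy registrar's e-mail) because everything reachable through it is noise. The denylist, the threshold and all records are assumptions.

```python
"""Pivot from one indicator to related infrastructure over OSINT attributes.

Added example, not from the talk. Each record pairs a domain with an attribute
it shares with others: resolved IP (passive DNS), registrant e-mail (reverse
WHOIS), TLS certificate fingerprint (passive SSL / CT logs), and so on. A
breadth-first walk finds "siblings" of the seed, while attributes shared by too
many domains (shared hosting, privacy registrars) are treated as noise and not
pivoted through. All records below are constructed.
"""
from collections import defaultdict, deque

# Attributes known to be meaningless as links (assumed denylist).
NOISY_ATTRIBUTES = {"email:redacted@privacy.example"}
# An attribute shared by more than this many domains is assumed to be hosting noise.
MAX_SHARED = 3

# Constructed evidence, e.g. ("domain", "source:value").
RECORDS = [
    ("login-bank-example.com", "ip:203.0.113.10"),
    ("login-bank-example.com", "email:registrant@mailbox.example"),
    ("secure-bank-example.net", "ip:203.0.113.10"),
    ("secure-bank-example.net", "ip:198.51.100.5"),        # later moved to shared hosting
    ("update-bank-example.org", "email:registrant@mailbox.example"),
    ("update-bank-example.org", "cert:0123abcd"),           # constructed fingerprint
    ("portal-bank-example.info", "cert:0123abcd"),
    ("portal-bank-example.info", "email:redacted@privacy.example"),
    ("unrelated-shop.example", "ip:198.51.100.5"),
    ("unrelated-blog.example", "ip:198.51.100.5"),
    ("unrelated-news.example", "ip:198.51.100.5"),
    ("unrelated-wiki.example", "ip:198.51.100.5"),
    ("unrelated-forum.example", "email:redacted@privacy.example"),
]


def build_index(records):
    """Two-way index: attribute -> domains and domain -> attributes."""
    by_attr = defaultdict(set)
    by_domain = defaultdict(set)
    for domain, attr in records:
        by_attr[attr].add(domain)
        by_domain[domain].add(attr)
    return by_attr, by_domain


def pivot(seed: str, records, max_pivots: int = 2):
    """Return (found, skipped): found maps domain -> (pivots from seed, via attribute,
    from domain); skipped is the set of attributes refused as noise."""
    by_attr, by_domain = build_index(records)
    found = {seed: (0, None, None)}
    skipped = set()
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        depth = found[domain][0]
        if depth >= max_pivots:
            continue  # hop limit keeps the walk from drifting into unrelated infrastructure
        for attr in sorted(by_domain[domain]):
            if attr in NOISY_ATTRIBUTES or len(by_attr[attr]) > MAX_SHARED:
                skipped.add(attr)
                continue
            for sibling in sorted(by_attr[attr]):
                if sibling not in found:
                    found[sibling] = (depth + 1, attr, domain)
                    queue.append(sibling)
    return found, skipped


if __name__ == "__main__":
    found, skipped = pivot("login-bank-example.com", RECORDS)
    for d, (depth, via, frm) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(f"{depth}  {d}" + (f"  (via {via} from {frm})" if via else ""))
    print("refused as noise:", sorted(skipped))
```

Starting from the phishing domain, the walk reaches one sibling through a shared IP, one through the registrant address, and a third through a certificate reused by that sibling, while the four unrelated domains on the shared hosting IP are never touched. Keeping the `via` attribute on each hit is what makes the result defensible when it is written up: each discovered indicator carries the evidence that links it back to the seed.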
Hiroaki is a Principal Consultant at McAfee. He presented at FOCUS/MPOWER 2014/2016/2018 and HITCON Community 2019.
Manabu presented at FIRST TC Bali 2018, Internet Week 2018, REVULN'19, and HITCON Community 2019. He is also a TRANSITS trainer at the Nippon CSIRT Association, and a rock climber.
Title: Developing an Efficient Mac Forensic Tool
Many forensic analysts are not familiar with Macintosh investigation techniques and are presumably still seeking and trying out different approaches. This is partly because they deal with fewer Mac forensic cases than Windows and Linux ones. However, there have been a certain number of Mac investigation cases in the field of fraud investigation for many years, and the techniques acquired there can also be useful in cyber security. Another reason many analysts are unfamiliar with Mac forensics is that not all organizations can afford to purchase investigation tools, even though much of current forensic practice depends on commercial software; many organizations are short of human and financial resources. To improve this situation, the speakers developed a free tool based on their experience in fraud investigation, aiming to simplify the forensic process and to introduce it to other analysts.
The tool consists of three components: a data acquisition tool, a mounting tool, and an analysis tool. They are designed around the following steps: first, files are acquired in the triage phase, or an E01 image is acquired by other means. Next, these files or images are mounted, and finally they are analyzed. Each component has a GUI to support the user's investigation. The triage tool preserves the file directory structure, so the acquired files can be parsed with existing free tools such as mac_apt. Run together with such tools, the analysis component improves the efficiency of analysis.
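Both this talk and the macOS artifact collection tool described earlier in the program rest on the same design point: acquire by configuration, preserve the original directory layout, and leave parsing to tools that already exist. The block below is an added example that serves both abstracts; it is neither speaker's tool. It reads a list of glob patterns relative to the volume root (the config format and the patterns are assumptions), copies each match to the same relative path under the destination, refuses to follow symbolic links out of the volume, and writes a manifest of sizes and SHA-256 hashes so the acquired set can be verified later. The demo builds a throw-away fake volume so it runs anywhere.

```python
"""Config-driven artifact collector that preserves the source directory layout.

Added example (not the speakers' tools). Collection rules are glob patterns
relative to the volume root, so a newly discovered artifact is added by
appending one line to the config. Copies go to <dest>/<same relative path>
and a manifest with sizes and SHA-256 hashes is returned for later verification.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed config in the spirit of the talk's "add a file path" rule.
SAMPLE_CONFIG = {
    "artifacts": [
        "Library/LaunchAgents/*.plist",
        "Users/*/Library/LaunchAgents/*.plist",
        "Users/*/.zsh_history",
        "private/var/log/system.log",
    ]
}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root: Path, dest: Path, config: dict) -> list:
    """Copy every file matching the config under dest, keeping relative paths."""
    manifest = []
    for pattern in config["artifacts"]:
        for src in sorted(root.glob(pattern)):
            if src.is_symlink() or not src.is_file():
                continue  # never follow links: they can point outside the volume
            rel = src.relative_to(root)
            out = dest / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, out)  # copy2 keeps the mtime, useful for timelines
            manifest.append({"pattern": pattern, "path": rel.as_posix(),
                             "size": src.stat().st_size, "sha256": _sha256(src)})
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Build a constructed volume, collect from it, return (manifest, copied paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "volume"
        dest = Path(tmp) / "collected"
        agents = root / "Users/alice/Library/LaunchAgents"
        agents.mkdir(parents=True)
        (agents / "com.example.agent.plist").write_text("<plist/>")
        (root / "Users/alice/.zsh_history").write_text("curl -o /tmp/x 203.0.113.10\n")
        (root / "private/var/log").mkdir(parents=True)
        (root / "private/var/log/system.log").write_text("log line\n")
        try:
            (agents / "link.plist").symlink_to("/etc/hosts")  # must be skipped
        except OSError:
            pass  # symlink creation may be unavailable; the demo still works
        manifest = collect(root, dest, SAMPLE_CONFIG)
        copied = sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file())
        return manifest, copied


if __name__ == "__main__":
    manifest, copied = demo()
    for m in manifest:
        print(m["sha256"][:16], m["size"], m["path"])
    print("copied:", copied)
```

Because the copies sit at their original relative paths, a parser that expects the real layout can be pointed at the collection directory as if it were the volume, which is exactly what makes the "collect now, parse later, re-parse after a tool fix" workflow possible.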
Takaya was engaged in fraud and forensic investigation using computer forensic technology at a security vendor from 2012. After moving to Recruit Technologies Co., Ltd., he became a member of its CSIRT and started incident response and security monitoring. He also teaches computer forensic courses at a technical college and other organizations.
Title: Threat Information on the APT Group Conducting "Operation Bitter Biscuit"
This presentation covers the APT group that carried out the attack campaign called "Operation Bitter Biscuit." Several security vendors have released information on this group and reported that it targets South Korea, Russia, and Japan. However, little information is available, particularly about attacks against Japan. Most reports cover the emails and malware related to this campaign; few describe the attackers' behavior after they compromise a victim's network.
In September 2019, the presenter confirmed attacks against Japanese companies and concluded that they are part of Operation Bitter Biscuit because the malware and C2 servers used are identical to those confirmed in the group's past attacks. In addition, by preparing a pseudo-company environment and letting the malware infect it, the presenter succeeded in analyzing the group's penetration activity against file servers and Active Directory (AD).
The analysis showed that these attacks used multiple types of malware and attack methods that the Operation Bitter Biscuit group had never used before. For example, the attachment of the targeted email leveraged CVE-2018-20250 (the WinRAR ACE path traversal, which lets an archive write an extracted file to a path of the attacker's choosing) as well as the add-in folder of Microsoft Word for malware infection. In addition, the presenter confirmed that a malicious tool exploiting the MS17-010 vulnerability was used when the malware was installed on the AD server. Analysis results for other malware and attack methods will also be described in the presentation.
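Word loads add-in libraries (.wll) and templates (.dot, .dotm, .dotx) from the user's STARTUP folder, %APPDATA%\Microsoft\Word\STARTUP, every time it starts, so anything written there by an archive extraction runs at the next launch. A triage check of that folder is therefore one of the first things to do after an incident involving an archive attachment. The block below is an added example for this page, not the presenter's analysis tooling: it lists and hashes the folder's contents and flags the extensions Word will auto-load; the sample folder in `demo()` is constructed so the check runs on any platform, and the exact attachment chain the talk describes is not reproduced here.

```python
"""Triage check for Word's user add-in (STARTUP) folder.

Added example, not from the talk. Word loads add-ins (.wll) and templates
(.dot/.dotm/.dotx) placed in %APPDATA%\\Microsoft\\Word\\STARTUP when it starts,
so a file dropped there runs on the next launch. This scanner lists and hashes
everything in that folder; the demo runs against a constructed temporary tree.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions Word loads automatically from the STARTUP folder.
AUTOLOAD_EXT = {".wll", ".dot", ".dotm", ".dotx"}


def word_startup_dir() -> Path:
    """Per-user Word STARTUP folder on a live Windows host."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        raise RuntimeError("APPDATA is not set; run on the Windows host being triaged")
    return Path(appdata) / "Microsoft" / "Word" / "STARTUP"


def scan_startup(folder: Path) -> list:
    """One record per file: path, auto-load flag, PE flag, SHA-256 and mtime."""
    findings = []
    for p in sorted(folder.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        findings.append({
            "path": p.relative_to(folder).as_posix(),
            "ext": p.suffix.lower(),
            "autoload": p.suffix.lower() in AUTOLOAD_EXT,
            "is_pe": data[:2] == b"MZ",      # a .wll is a DLL; a PE under a template name is odd
            "sha256": hashlib.sha256(data).hexdigest(),
            "mtime": p.stat().st_mtime,
        })
    return findings


def demo() -> list:
    """Constructed STARTUP folder: one PE-like .wll and one harmless text file."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "STARTUP"
        folder.mkdir()
        (folder / "Building Blocks.wll").write_bytes(b"MZ" + b"\x00" * 62)  # constructed
        (folder / "notes.txt").write_text("harmless")
        return scan_startup(folder)


if __name__ == "__main__":
    for f in demo():
        print(("AUTOLOAD " if f["autoload"] else "         ") + f["path"], f["sha256"][:16])
```

On a real host, call `scan_startup(word_startup_dir())` and compare the hashes against a known-good baseline; the mtime of an auto-loading file that matches the time the attachment was opened is the timeline pivot to look for. The same check belongs in a hunt across the fleet, since an add-in does not need macros and is not affected by macro policy.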
This presentation also focuses on the malware Bisonal, which the Operation Bitter Biscuit group has used in its attacks and which was confirmed in the present case as well. It shows the analysis result of Bisonal and a comparison with similar samples. A Bisonal sample contains an identifiable string made of C2 server information encoded with a distinctive algorithm, and similar samples were found by searching for this encoded string. The analysis showed that the Bisonal in the present case uses a customized RC4 algorithm to encode its communication. Further results will be described in the presentation.
Hajime switched from software development to security engineering three years ago. As a SOC analyst, he monitors alerts from security devices and conducts malware analysis.
Title: Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
The Chinese cyber espionage group HUAPI (aka BlackTech), originally tasked with intelligence gathering in Taiwan, has expanded its targeting to Japan since 2017. There has been much public discussion of their notorious RAT TSCookie, including some excellent technical blog posts published by JPCERT/CC. However, little attention has been paid to DBGPRINT (aka WaterBear), their second-stage malware.
In this talk, we share our experience of long-term tracking of this threat group and present DBGPRINT (aka WaterBear), a piece of malware heavily involved in their attacks since 2015. DBGPRINT is stealthy: it is a tiny snippet of shellcode, and its backdoor implant resides in memory only while the actor is operating. The HUAPI actors have continuously improved DBGPRINT to make it more covert, and have even targeted a threat detection toolkit that was previously effective at detecting DBGPRINT.
Besides the evolution of DBGPRINT, our research includes a case study of how DBGPRINT targeted that threat detection toolkit. We reveal the implementation of the toolkit and the in-depth technical details of how DBGPRINT attacks it.
The evolution of DBGPRINT shows a design model for next-generation shellcode malware. We provide our insights on detecting and predicting HUAPI's malware.
CiYi "YCY" Yu
CiYu "YCY" Yu is a senior cyber threat analyst in the Cyber Threat Intelligence team at TeamT5. She has expertise in reverse engineering, automated malware analysis, and campaign tracking. YCY's research focuses on monitoring and tracking cyber threats in the Asia Pacific region. Her daily effort is to uncover cyber espionage attacks and identify the actors behind the operations.
Aragorn Tseng is a senior cyber threat analyst at TeamT5 in Taiwan. He worked for two years on threat intelligence and tracking cybercrime campaigns at Taiwan's law enforcement agencies. His research fields include malware analysis, APT campaign tracking, and applying deep learning to cyber security problems such as malicious network traffic detection.
*This program is subject to change.