The Anatomy of China's Hacker Ecosystem: Espionage, Black Markets, and Financially Motivated Attacks
Abstract
This presentation examines actors who conduct sophisticated cyber operations against high-value targets, while also engaging in commercial crimes like data theft operation. An interesting link reveals their potential business connection with service provider I-SOON.
Case studies reveal their rapid malware development, like the GRAYRABBIT backdoor, exploiting vulnerabilities in popular software (Apache, Microsoft, etc.) and distributed via cloud services like GitHub. Actors use readily available tools, combined with obfuscation and encryption, to evade detection. Recent operations targeted high-value entities with political interests, tied to India and US elections, by utilizing tools like the WHITEDAISY downloader and CROSSWALK backdoor, showing a calculated focus.
Furthermore, the abuse of backdoored VPN utilities, delivered via manipulated search results, highlights a method for widespread global distribution and data theft. Another operation is presumed targeting government or military agencies in the South China Sea area, utilizing multiple layer servers to distribute sophisticated backdoor BLACKSTUDIO.
Analysis of discovered chat logs reveals connections between Chinese-speaking hacking groups and actors collaborating with overseas hackers, including Russian speakers. These collaborations indicate cross-border dealings and the purchase of commercial malware tools (e.g., Remcos RAT), potentially linked to supply chain intrusions in Korean gaming companies.
Overall, the research underscores the dual nature of these actors, acting both as state-sponsored agents and financially motivated criminals. It unveils sophisticated technical abilities and operational strategies within the complex Chinese hacking ecosystem.
Speaker
Steve Su
Aragorn Tseng
Chi-Yu You
Slides
English
Stealth in the Shadows: Dissecting Earth Freybug's Recent Campaign and Operational Techniques
Abstract
In the evolving landscape of cybersecurity threats, Earth Freybug has emerged as a sophisticated adversary targeting organizations across a range of sectors, including notable activity within the Transportation, Manufacturing, and Chemical industries in the Asia-Pacific (APAC) region. This presentation will provide an overview of the group’s recent activities, focusing on their exploitation of critical vulnerabilities. Attendees will gain insights into Earth Freybug's malware arsenal, featuring key strains such as DEATHLOTUS, WINDJAMMER (also known as WINNKIT or the Winnti rootkit), SHADOWGAZE (also known as HIGHNOON), and CUNNINGPIGEON. These malware families contribute to the group's operations by facilitating initial access, enabling data exfiltration, and supporting lateral movement within compromised networks.
The presentation will delve into their sophisticated post-exploitation tactics, which involve employing layered strategies designed to maintain persistence and evade detection. Additionally, attention will be given to Earth Freybug's use of passive backdoor communication techniques, which limit outbound traffic and help maintain a low profile, thereby complicating detection and response efforts. By sharing their operational insights, this session aims to equip security professionals with the knowledge necessary to better detect and defend against this evolving threat landscape, ultimately enhancing their ability to safeguard their organizations from future attacks.
Speaker
Theo Chen
Leon Chang
Slides
English
IoC LIGHT - Lifecycle of Indicators: Gathering, Handling, and Termination -
Abstract
NTTDATA-CERT uses Malware Information Sharing Platform (MISP) as the core of its real-time and efficient IoC collection, processing, and distribution. Since threat trends are constantly changing, it is necessary to review the operation of information sources and add new sources as needed. In adding new information sources, two major challenges arose:
1. Security devices have a limit on the number of IoCs that can be registered. Therefore, unless old IoCs are removed or low-risk IoCs are filtered and collected to save space for the new ones, new high-risk attacks cannot be handled.
2. Old information in the security devices causes false positives and exhausts the SOC.
We attempted to solve these issues using two approaches:
(a) Create IoC prioritization criteria divided into four levels. Classify each IoC accordingly and collect only those with high priority.
(b) Create IoC removal criteria (life cycle model) and remove low-risk IoCs from security devices accordingly.
In addition to NTTDATA-CERT’s real-time IoC collection, processing, and distribution operations, this presentation shares practical knowledge of advanced IoC operations (IoC prioritization criteria and life cycle models) with actual cases.
Speaker
Yusuke Nakajima
Slides
English
Evolution of Huapi Malware: Growing Focus on Edge Devices
Abstract
Huapi (aka BlackTech) is a China-nexus APT group that has been active for over a decade. In line with their ongoing threat landscape, this presentation offers an in-depth analysis of the evolution of Huapi’s malware, focusing on their increasing emphasis on targeting edge devices. We will examine three specific malware used by Huapi: SSHTD (aka ELF_PLEAD), Mabackdoor (aka Hipid), and Bifrost, detailing their evolution and technical characteristics. The analysis will cover incidents from 2022 to 2024 that targeted Taiwan and Japan. We will discuss the infection chains, such as the exploitation of the F5 vulnerability, as well as the execution flows of the malware. Our analysis will highlight recent updates to the malware, illustrating how these changes reflect Huapi’s evolving tactics, particularly their growing focus on edge devices. Additionally, we will outline Huapi’s C&C communication chain and provide an overview of their C&C infrastructure. Finally, we will conclude with recommended countermeasures and mitigation strategies.
Speaker
Yi-Chin Chuang
Yu-Tung Chang
Slides
English
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
Abstract
Since 2023, Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has emerged as one of the most aggressive Chinese APT groups, primarily targeting critical industries such as telecommunications and government entities in the United States, the Asia-Pacific region, the Middle East, and South Africa. We will highlight their evolving attack techniques and analyze the motivations behind their operations, providing insights into their long-term targeted attacks. A key finding from our recent investigation is the discovery of a new backdoor, GHOSTSPIDER, identified during attacks on Southeast Asian telecom companies. We will explore the technical details of GHOSTSPIDER, its impact across multiple countries, and interesting findings from tracking its C&C infrastructure. We have also uncovered the group’s use of SNAPPYBEE (aka Deed RAT), another tool shared among Chinese APT groups. Additionally, we believe the threat actor used SoftEther VPN to establish their operational networks, complicating efforts to track their activities. Our analysis suggests that Earth Estries is a well-organized group with a clear division of labor. Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors, further highlighting the complexity of the group's operations.
Speaker
Leon Chang
Theo Chen
Slides
English
Follow the Clues: Everyday is lazarus.day
Abstract
The global cyber threat landscape is increasingly complex, with state-sponsored actors, cybercriminals, and hacktivists actively targeting various sectors. Cyber Threat Intelligence (CTI) firms play a vital role in tracking these actors and providing intelligence that security teams rely on to monitor threats. However, simply consuming CTI reports isn’t enough; security professionals must leverage CTI platforms, including open-source intelligence (OSINT), to proactively track and analyze threat actors. This presentation advocates for a proactive approach to threat intelligence, introducing key CTI platforms and strategies for building a comprehensive view of threat activities. A case study on Democratic People's Republic of Korea (DPRK) threat actors will illustrate this approach. Through the lazarus.day website, I’ve aggregated, analyzed, and tagged intelligence on DPRK actors, integrating OSINT for a full-spectrum analysis. This case underscores the value of combining multiple intelligence sources for effective threat tracking. Attendees will gain insights on optimizing CTI use for improved threat detection and response, enabling a strategic and proactive defense against evolving cyber threats.
Speaker
Jeonggak Lyu
Slides
English
Analysis of Attack Strategies Targeting Centralized Management Solutions
Abstract
This presentation explores the TTPs (Tactics, Techniques, and Procedures) employed by the Andariel group. Known as a sub-organization of the Lazarus group, Andariel operates for various purposes, including national security threats, technology theft, and financial gains. The group is particularly skilled at identifying and exploiting vulnerabilities in solutions widely used in South Korea. Recently, they have been targeting centralized management solutions deployed in Korean enterprises. One of Andariel's defining strategies is their ability to rapidly discover and leverage zero-day vulnerabilities in various software, ranging from asset management solutions with file distribution features to information security solutions.
In this presentation, we will analyze Andariel’s activities by categorizing their TTPs into those observed on rented servers they purchased and those identified within victimized organizations. By examining the TTPs used on rented servers, defenders can gain insights into the attackers’ efforts to infiltrate defensive environments and focus their countermeasures accordingly. Meanwhile, understanding the TTPs observed during enterprise breaches will enable defenders to develop step-by-step response strategies for attacks carried out within the internal networks of victim organizations.
Speaker
Dongwook Kim
Seulgi Lee
Slides
English
Kimsuky Wanna Be Your Social Network Friend
Abstract
This presentation focuses on Kimsuky, a North Korean government-sponsored cyber threat group, and their cyber espionage activities targeting South Korean Navy personnel in June 2024. Kimsuky utilized LinkedIn to profile key individuals in Navy communications and strategic defense sectors. Their main tactic involved social engineering, where they created fake personas based on real individuals with military backgrounds to gain the trust of victims. Initially, Kimsuky delivered spear-phishing messages through LinkedIn, which included Google Drive links leading to EGG files containing malicious JavaScript. In some instances, spear-phishing emails were also used. These malicious scripts were disguised as legitimate forms or inquiry documents, and when downloaded, PE malware was executed. The malware was obfuscated using VMProtect and RC4 encryption to hinder detection and reverse engineering efforts. Kimsuky’s June 2024 campaign targeting Navy personnel parallels their tactics in the 2021 Ministry of Foreign Affairs hack and the 2024 European defense industry attack, suggesting the same threat group was responsible. Kimsuky’s strategic interest in collecting intelligence on South Korean naval defense capabilities aimed to provide North Korea with critical information on maritime strategy and communication systems. Additionally, this presentation sheds light on Kimsuky’s operational security practices, such as using cryptocurrency for infrastructure and registering domains without personal verification, to enhance anonymity and evade detection. By analyzing their June 2024 campaign, this presentation offers valuable insights into Kimsuky’s evolving tactics, which are crucial for strengthening defenses against similar future cyber espionage activities.
Speaker
Hankuk Jo
Sangyoon Yoo
Jeonghee Ha
Slides
English
Behind the scenes of recent DarkPlum operations
Abstract
DarkPlum (publicly referred as Kimsuky, APT43) is a highly active cyber-espionage group linked to the Democratic People's Republic of Korea. Primarily, DarkPlum engages in espionage for military and diplomatic purposes, but it also conducts financially motivated attacks to fund its operations. Its main targets are government agencies and think tanks in South Korea and the United States, though it occasionally targets Japan. Since approximately March 2024, there have been continuous attacks on Japan.
In this presentation, we will begin by introducing three specific cases of attacks against Japan observed since March 2024. Following that, we will introduce the research methods we employ regularly. This includes sharing queries for gathering information on DarkPlum's attack infrastructure and malware using tools such as VirusTotal and Censys. Additionally, we have analysed large-scale network data to investigate relationships within DarkPlum's attack infrastructure, with the aim of uncovering the reality behind its operations. We will also provide examples of how this analysis can be applied to practical threat research and defence.
Speaker
Amata Anantaprayoon
Rintaro Koike
Slides
English
Observation of phishing criminal groups related to illegal money transfers and Mizuho Bank's countermeasures -Fighting against phishing site malware 'KeepSpy'-
Abstract
In 2023, the National Police Agency announced that there were 5,578 cases of unauthorized money transfers related to Internet banking, with a total loss of approximately 8.7 billion yen, the highest number ever recorded. The situation remained the same in 2024, and financial institutions were still under threat from unauthorized money transfers. Mizuho Bank has been observing phishing sites and malware on a daily basis and is implementing measures to prevent unauthorized money transfers. There are several criminal groups targeting Mizuho, each with their own unique features in terms of phishing site design and methods of luring victims (e.g. email, SMS, etc.). The group using SMS is particularly tricky, having succeeded in making large amounts of fraudulent transfers, and urgent countermeasures are required. The SMS messages sent by the criminal group impersonating banks and other organizations use an Android malware called KeepSpy, which is designed to send SMS messages to third parties when it receives a command from the C2 server. To reduce the damage caused by fraudulent transfers, it is necessary to detect the sending of SMS messages to third parties as soon as possible and take down the phishing sites.
Mizuho investigated and analyzed KeepSpy and phishing sites used by the criminal group that abuses SMS. Based on the results, Mizuho developed a tool to capture SMS transmission commands from C2 servers and a phishing domain monitoring tool using Certstream. Using these tools, it is now possible to detect phishing sites when they are set up and to detect SMS transmission to third parties at an early stage.
This presentation introduces the threats and characteristics of criminal groups that performed unauthorized money transfers, the process of taking down phishing sites at Mizuho, and the mechanisms to detect the launch of criminal groups’ phishing sites and SMS transmissions using SMS.
In addition, practical knowledge that participants can apply to their own companies will be presented, with a discussion on the issues that financial institutions should address in the future.
Speaker
Hiroyuki Yako
Tsukasa Takeuchi
Takuya Endo
Slides
English
Japanese
Rapidly Changing Trends in Phishing -Sharing real-time phishing site detection systems-
Abstract
The number of phishing sites reported to the Council of Anti-Phishing Japan has been increasing since 2018. In 2023, approximately 1.19 million cases have been reported. Unauthorized money transfers through Internet banking amounted to approximately 8.07 billion yen, which is likely to include losses caused by phishing attacks. Damage from stolen credit card numbers reached approximately 50.4 billion yen. LAC is working to remove social threats through its research, and as a part of this effort, the company has been studying and analyzing phishing activities. The study found that trends in phishing sites are rapidly changing and that criminals are performing a variety of countermeasures against companies. In addition, since takedown requests and phishing site identification are manually performed by analysts, labor costs are increasing. To address these issues, LAC created a real-time detection system triggered by the SSL certificate issuance. The system can detect newly published phishing sites with short TTL in real time, allowing analysts to quickly take down the sites. This presentation first introduces recent trends in phishing activities and its rapidly shifting nature, and then the real-time phishing site detection system that LAC has created to counter these trends are presented and shared, together with the allowlist used for the system. This information sharing will raise awareness of the dangers of phishing sites and their social threats to businesses. In addition, by sharing the real-time detection system, the efficiency and accuracy of monitoring activities will be increased, and the analysts’ labor costs will be reduced.
Speaker
Ryosuke Yoshimura
Tomoya Sano
Slides
English
Japanese
Analysis of Two Phishers : Like a doppelganger
Abstract
In the field of cybercrime, the division of labor is progressing, developing various services to support cybercrime. Phishing as a Service, which provides the infrastructure and tools for performing phishing scams, is becoming more popular. As a result, the technical barriers have been lowered, causing an increase in the number of phishing scam reports. Phishing campaigns with distinctive characteristics of Phishing as a Service have become more noticeable in Japan as well. NTT Communications has been investigating various Phishing as a Service and analyzing what features they have as well as what kind of tools they use. Among the cases analyzed, the speaker discovered two Phishing as a Service that behaved in the same way, like doppelgangers. They have successfully observed both Phishing as a Service communities were established at the same time. They post the same content at the same time and use the same tools to conduct phishing campaigns.
In this presentation, the analysis results of two Phishing as a Service communities established around the same time in 2024, both of which have been conducting phishing campaigns mainly in Japan, will be shared. In addition, the analysis of the scripts used to build phishing sites, the relationship between the two Phishing as a Service, and the detection and hunting rules for phishing sites will also be shared. By sharing this information, the speaker contributes to the uncovering of the actual phishing scams situation and hopes that the presentation will become an opportunity for sharing information about the attackers.
Speaker
Masaomi Masumoto
Slides
English
Japanese
Active Monitoring and Response to User Credential Leaks
Abstract
In traditional phishing, attackers targeted a wide range of people and stole personal information, particularly credentials for major websites and credit card information. However, there was a change in the TTPs used by attackers in a certain industry recently. In the initial breach, the attacker sent InfoStealer-type malware to the company’s employees, used the credentials obtained by the Stealer to penetrate the web service, and then set up phishing via the web service to steal credit card information from users.
InfoStealer collects various useful information, such as credentials and autocomplete data stored in the browser of an infected device, which means that the attack does not only affect specific sites or services, but can be used to compromise any web service once the data set has been created. Some actors create this data set themselves, while others use publicly available data sets to compromise web services.
Unlike conventional list-type attacks, it is extremely difficult for web service providers to detect unauthorized access because the credentials used to access the site are highly accurate. Even if it is detected, password reset is not a reliable countermeasure because malware may still be on the device.
In addition, it is thought that these threats and TTPs are not limited to specific industries. The presenters have been actively monitoring data sets leaked by InfoStealer on the dark web and Telegram, and they have also been trying to prevent attacks using the Stealer data sets on industries with the same business structure. In this talk, they will share their efforts to deal with InfoStealer infections, with specific examples and case studies.
Speaker
Yuji Ino
Masaki Yoshikawa
Ransomware's Secret Tunnel: How Ransomware Groups Hijack ESXi and NAS for Covert Operations
Abstract
In the last few years, ESXi hypervisors and Network Attached Storage (NAS) devices have been prime targets for ransomware groups for data exfiltration and encryption due to the data stored on them and their crucial role in business operations. Lately, Sygnia observed ransomware groups adopting novel methods leveraging ESXi hypervisors and NAS devices as network pivots to tunnel traffic and farther infiltrate corporate environments, evading detection and maintaining persistency within compromised environments by bypassing conventional security measures. These assets, are frequently overlooked in terms of security monitoring compared to other IT systems protected by EDR or Antivirus solutions, allowing the threat actor to achieve strong network foothold with minimal risk of detection.
In the talk, we will deepdive into the first seen in the wild techniques used by the ransomware groups, which leverages these unmonitored assets as network pivots for covert operations. Including a demonstration of traffic tunnelling on ESXi infrastructure and provide insights into enhancing visibility to detect and hunt for such threats.Speaker
Zhongyuan Hau
Ren Jie Yow
Slides
English
From Service Providers to Customers: Earth Ammit Tailored Cyber Assault on Target's Supply Chain
Abstract
In mid-2024, we disclosed a cyber campaign, TIDRONE, targeting Taiwanese drone manufacturers and attributed to a likely Chinese-speaking group, Earth Ammit. Further investigation uncovered a related campaign, VENOM, targeting service providers in Eastern Asia since 2022. VENOM highlighted Earth Ammit’s supply-chain attack strategy, starting with service providers and advancing to high-value targets.
The group used shared tools for initial breaches to obscure attribution, focusing on credential theft, particularly from Active Directory, to facilitate further attacks. For critical targets, Earth Ammit deployed customized malware, such as CXCLNT and CLNTEND, emphasizing long-term espionage and deep infiltration. This strategic variation in tactics underscores their adaptability, employing simple methods for supply-chain entry and advanced tools for military targets.
This presentation brings the analysis of TIDRONE and VENOM campaigns by Earth Ammit’s evolving strategies, and a focus on prolonged access and intelligence gathering.
Speaker
Pierre Lee
Philip Chen
Vickie Su
China-aligned PlushDaemon APT compromises supply chain of Korean VPN
Abstract
In 2024, we noticed that several users had downloaded a suspicious NSIS installer from the official website of a South Korean VPN software company. We discovered that the supply chain of that company had been compromised and attackers had replaced the original installer with a trojanized one that installed both the legitimate VPN software called IPany and the implant that we named SlowStepper.
We named the threat actor behind this supply-chain compromise PlushDaemon. It is a China-aligned group conducting cyberespionage operations since at least 2019. PlushDaemon has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. Interestingly, while investigating the activities of PlushDaemon, we discovered that the group’s capabilities are even more complex and wide-ranging. In addition to manipulating the software supply chain and exploiting vulnerable Apache HTTP servers, its primary initial access vector involves the hijacking of legitimate updates of Chinese software via Adversary-in-the-Middle (AitM) attacks.
Speaker
Facundo Munoz
Slides
English
Operation AkaiRyū: MirrorFace invites Europe to EXPO 2025 and revives ANEL backdoor
Abstract
In August 2024, we detected cyberespionage activity carried out by the MirrorFace APT group against a Central European diplomacy institute in relation to EXPO 2025, which will be held in Japan. This is the first time that we have observed MirrorFace targeting an entity based in Europe. The attack followed the same pattern observed throughout 2024. We named the series of the attacks “Operation AkaiRyū”. In our presentation, we go through the whole compromise chain, thoroughly explaining all the stages. Starting with the spearphishing email messages, we describe how MirrorFace managed to trick one of its targets to open the linked malicious file. Next, we explain the process of the ANEL backdoor’s deployment, which MirrorFace has started using as the first-line backdoor. We continue the presentation with a description of the subsequent deployment of HiddenFace and related loaders, alongside other auxiliary tools necessary to fulfill MirrorFace’s objectives. This includes establishing Visual Studio Code remote tunnels to maintain stealthy remote access. Further, we discuss MirrorFace’s operational security improvements introduced in 2024. Finally, we discuss the relationship between the groups APT10 and MirrorFace.
Speaker
Dominik Breitenbacher
Slides
English
Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts
Abstract
From 2023 to 2024, the attack campaign by the notorious APT group "APT10" (also known as MirrorFace, Earth Kasha) has been observed, in which "LilimRAT" and "NOOPDOOR" were used as payloads in second-stage. These malwares are specifically intended and designed to execute within Windows Sandbox environment.
Windows Sandbox is available in Windows 10 Pro or later versions. It is designed and implemented as an ephemeral virtual environment to test applications. When the sandbox is closed, all data within it is deleted, which typically does not affect the host system. However, using a configuration file, the sandbox can be configured to access the host system or other networks and to execute arbitrary commands at sandbox startup.
In this campaign, Windows Sandbox was abused in an attempt to evade detections by security products and to obstruct forensic investigations. Given the complexities of implementing countermeasures and investigations, there are significant risks that similar techniques might be adopted in targeted attacks and other cyberattacks.
In this presentation, we will provide in-depth investigation results of Windows Sandbox based on the analysis of the attacks observed in the wild and the forensic artifacts. Additionally, we will cover key insights for monitoring and investigation from a blue team perspective.
Speaker
Satoshi Kamekawa
Shuhei Sasada
Yusuke Niwa
Slides
English
Japanese
Handling Threat Intelligence: Techniques of Consuming and Creating Threat Intelligence
Abstract
To prevent APT actors from conducting attacks and to avoid similar attacks, it is important to collect and analyze various information on attack groups and its methods, and to use this information to develop “threat intelligence” that can be used for prevention and detection. It is also possible to promote early warning by analyzing the attack methods and sharing created threat intelligence within and outside the organization.
You may think of malware analysis, vulnerability analysis, and forensic analysis when you talk about attack method analysis. However, how do you use the information gained from analysis to prevent and detect attacks? In this workshop, you will learn how to analyze and understand the attack methods used by actors, based on the information uncovered through malware analysis, forensic analysis, etc., using the MITRE ATT&CK framework and other methods. In addition, you will learn about techniques for creating IOCs useful for prevention and detection, how to apply them to threat hunting, penetration testing, and detection engineering, and consideration of countermeasures.
This workshop covers two aspects of threat intelligence for those new to the field. First, we will introduce the theoretical foundations of threat intelligence and explain key concepts such as definitions and types of intelligence, and the intelligence cycle. Second, we will focus on techniques for generating and utilizing threat intelligence. Specifically, you will learn about Tactical Intelligence, which generates and applies Indicators of Compromise (IOCs), and Operational Intelligence, which analyzes attackers’ tactics, techniques, and procedures (TTPs) based on MITRE ATT&CK framework. You will also learn about techniques that can be applied to enhance security operations, such as threat hunting, purple teaming, and detection engineering, based on the knowledge you acquire.
Speaker
Tomohisa Ishikawa
Tatsuya Daitoku
Hiroyuki Tomiyama
Requirements
- Laptop with Internet access
Advance Preparation
-
The following tools must be available on the laptop:
- Web browser with no viewing restrictions, etc.
- Spreadsheet application (e.g. Microsoft Excel)
- SSH and RDP connections
Skills
- Ideally, you should be able to use basic Linux commands (as you will be asked to execute some commands on the Linux instance).
Notes
This talk is not translated into English.
Slides
Japanese
Malware config extraction at scale - building malware analysis pipelines
Abstract
Over many years of malware analysis projects at CERT.PL, we have gradually improved our approach to automating the extraction of configuration from malware samples. The workshop will provide a practical hands-on introduction on how to setup a minimal malware repository with automatic config extractors. We'll take a look at malduck – the backbone of configuration extraction. It's a Python module that contains commonly used analysis helpers like:
* config extraction engine
* cryptographic functions, fixed integer types, compression algorithms
* operations on memory dumps and PE/ELF files
We'll use it to create a small config extraction module. The module will be then integrated into MWDB – an open-source malware repository, that allows us to ingest feeds, search and enrich samples, and share data with other users. The integrated extraction module will allow us to automatically extract configurations from uploaded malware samples which we will test out by uploading a batch of various samples.
Speaker
Michał Praszmo
Requirements
- A laptop (linux based operating systems are preferred)
Advance Preparation
- Docker Compose and Python virtual environment
Skills
- An intermediate grasp on reverse engineering and Python programming would be required.
Slides
English
Introduction to Analyzing Malware Anti-Analysis Features Using IDA and Ghidra Plugin
Abstract
Malware developers implement anti-analysis functions. When debuggers and other tools are detected, the malware may stop operating or behave in a way that confuses the analyst to make analysis difficult. There are various methods for implementing anti-analysis functions, and in large-scale email distribution campaigns and ransomware, VM detection, breakpoint detection, and time difference detection are often employed. In this workshop, “AntiDebugSeeker”, a plugin that automatically extracts anti-analysis functions, will be used. This plugin can be used with IDA and Ghidra, and is compatible with PE file malware. Through the GUI, it is easy to understand anti-analysis functions, and even for anti-analysis functions that you have never seen before, the explanation function will help you understand the overview and consider how to handle them. In addition, you can freely customize the detection rules, allowing you to customize not only the anti-analysis function but also the detection range according to your preference.
https://github.com/LAC-Japan/IDA_Plugin_AntiDebugSeekerhttps://github.com/LAC-Japan/Ghidra_AntiDebugSeeker
This workshop will introduce tools and provide exercises and explanations for each sample, aimed at those who have just started analyzing malware or learning about anti-analysis functions. The focus will be on solving anti-analysis functions, as well as the accompanying elements of malware analysis. Explanations will be given using two different methods, one for IDA users and the other for Ghidra users.
Speaker
Takahiro Takeda
Requirements
- Laptop with Internet access
Advance Preparation
-
Install the following on a Windows OS in a virtual environment:
- Ghidra 11.0.1 (to be used in the virtual environment described above) + Ghidra_AntiDebugSeeker (Please refer to the section on "Ghidra Extension How to Setup and Execute" on GitHub for information on how to add AntiDebugSeeker to Ghidra.)
- IDA Pro (if you normally use it) + IDA_AntiDebugSeeker
- x32dbg
- x64dbg
- ProcessHacker, or something else that can show you the running processes.
Skills
-
Minimum required skills:
- You can build a secure environment for malware analysis by yourself. Recommended skills:
- You have analyzed malware using Ghidra before.
- You have performed simple dynamic analysis before.
- You have performed dynamic analysis using a debugger before.
Notes
This talk is not translated into English.
Slides
Ghidra User
IDA User
LIGHTNING TALK SESSION
Slot #1
Title: Introduction to MITRE ATT&CK utilization tools by multiple LLM agents and RAG
Speaker: Atsushi Sada
Slides:
Slot #2
Title: A story of collaboration in cyber-security field between Japan and Spain
Speaker: Masato Ikegami, Josep Albors
Slides:
Title
Abstract
TBA
Speaker
TBA
Requirements
- TBA
Advance Preparation
- TBA
Skills
- TBA
Name
Details
Details
Rintaro Koike
NTT Security Holdings
Rintaro Koike is a security analyst at NTT Security Holdings. He is engaged in threat research and malware analysis. In addition, he is the founder of "nao_sec" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, SAS, Botconf, AVAR and others.
Amata Anantaprayoon
NTT Security Holdings
Amata Anantaprayoon is a security analyst at NTT Security Holdings and specializes in real-time threat detection, incident response, detection engineering, and cyber threat research. Amata regularly shares his insights at leading conferences such as Virus Bulletin as well as at closed events as a key member of NTT´s Threat Intelligence research community.
Hiroyuki Yako
Mizuho Financial Group, Inc.
Hiroyuki joined Mizuho Financial Group, Inc. in 2017 after working for a security company as a consultant. As a member of its CSIRT, he is engaged in a wide range of operations from incident handling, SOC management and planning to threat intelligence. He is also responsible for security measures against phishing and unauthorized Internet banking transactions.
Tsukasa Takeuchi
Mizuho Financial Group, Inc.
Tsukasa joined Mizuho Financial Group, Inc. in 2014. After working in its sales department in some local branches and engaged in planning/operation of customer products (mainly Internet banking), he moved to the current cyber security position. He first started with the overall security for the Internet banking system and currently oversees cyber security incident response including phishing.
Takuya Endo
Mizuho Financial Group, Inc.
Takuya joined Mizuho Financial Group, Inc. in 2020. In his previous position, he worked as a malware and forensic analyst as well as SOC operation lead. At present, he is in charge of log investigation and malware analysis, while operating and developing its threat intelligence collection system.
Hankuk Jo
NSHC
Hankuk Jo is a researcher at the Threat Research Lab of NSHC, specializing in cybersecurity and threat intelligence. He is passionate about sharing his insights and primarily focuses on analyzing the tactics, techniques, and procedures (TTPs) employed by cyber attackers, leveraging threat intelligence data.
Sangyoon Yoo
NSHC
Sangyoon Yoo is a seasoned professional in the field of cyber threat intelligence and research, currently working at the Threat Research Lab of NSHC. With a strong background in analyzing and researching various cybersecurity threats, Sangyoon has developed expertise in threat intelligence, game hacking tools, and malware analysis.
Jeonghee Ha
NSHC
Jeonghee Ha is a researcher at the Threat Research Lab of NSHC. Previously, JeongHee worked as an Incident Response Analyst and also has experience in CERT, analyzing threat events and providing first response. Jeonghee is primarily interested in threat data related to cybercrime groups and has a strong interest in digital forensic techniques.
Takahiro Takeda
LAC Co., Ltd
Takahiro is a malware analyst at Cyber Emergency Center in LAC Co., Ltd. He teaches at LAC Security Academy and authors some related publications. He has presented at international conferences such as PACSEC, AVAR, HITCON, Virus Bulletin and Black Hat USA Arsenal.
Theo Chen
Trend Micro
Theo Chen is a Senior Threat Researcher at Trend Micro, bringing over five years of comprehensive experience in the cybersecurity domain. His areas of expertise include penetration testing, malware analysis, and threat hunting, with a strong focus on understanding and mitigating advanced cyber threats. Throughout his career, Theo has been involved in multiple initiatives aimed at strengthening organizational security, focusing on detecting advanced threats and designing proactive defense strategies. Currently, He specializes in tracking APT groups, particularly those associated with Chinese-speaking actors. His work involves in-depth analysis of emerging cyber threats and TTPs employed by these sophisticated adversaries.
Leon Chang
Trend Micro
Leon Chang is a Senior Threat Researcher at Trend Micro. His major areas of research include APT campaign tracking, threat intelligence and malware analysis. He has also been a speaker at international conferences, including Black Hat Asia 2022, JSAC 2021/2022, CYBERSEC and AISA, etc.
Jeonggak Lyu
Financial Security Institute
He is the CSIRT Lead at the Financial Security Institute in South Korea, with over two decades of experience in cybersecurity focused on the financial sector. His expertise spans vulnerability assessments, penetration testing, security operations, and incident response, ensuring robust defenses against evolving cyber threats. Beyond his primary role, he actively tracks Democratic People's Republic of Korea (DPRK) state-sponsored threat actors as a personal side project, managing the website lazarus.day and the X (formerly Twitter) account lazarusholic, where he shares in-depth analysis and insights on these cyber adversaries.
Yi-Chin Chuang
TeamT5
Yi-Chin Chuang is a threat intelligence researcher at TeamT5. She is passionate about reverse engineering and malware analysis. Her current research focuses on APT threats within the APAC region. She has shared her research findings at Underground Economy, JSAC, CYBERSEC, and TAS.
Yu-Tung Chang
TeamT5
Yu-Tung Chang is a Threat Intelligence Researcher from TeamT5. He is interested in reverse engineering, vulnerability exploiting and malware analysis. He was engaged in network attacks research and rule writing. Currently, his research focuses on cyber threat intelligence in the East Asia region. He has spoken at Code Blue, TAS and JSAC.
Satoshi Kamekawa
ITOCHU Cyber & Intelligence Inc.
Satoshi engages in incident response and threat analysis at ITOCHU Cyber & Intelligence Inc.
Shuhei Sasada
ITOCHU Cyber & Intelligence Inc.
Shuhei engages in incident response and threat analysis at ITOCHU Cyber & Intelligence Inc.
Yusuke Niwa
ITOCHU Cyber & Intelligence Inc.
Yusuke engages in incident response and threat analysis at ITOCHU Cyber & Intelligence Inc.
Yuji Ino
Recruit Co.
Yuji joined Recruit Technologies Co.,Ltd in 2016. As a member of Recruit-CSIRT, he leads security incident response in Recruit. In April 2021, he launched the Cybercrime Countermeasures Group, specializing in analysis and investigation of fraudulent credit card use and spoofed logins for the purpose of cybercrime countermeasures. CISSP, GCIH, GCTI, GNFA.
Masaki Yoshikawa
Recruit Co.
Masaki is engaged in vulnerability assessment and penetration testing at Recruit Co. Currently, he focuses on security incident response, monitoring and threat hunting at Recruit-CSIRT.
Dominik Breitenbacher
ESET
Dominik is a malware researcher at ESET. Coming from academia, he joined ESET in 2019 to help track the activities of APT groups with a particular focus on the China-aligned group MirrorFace. He previously presented at AVAR and also at JSAC 2024. In his spare time, he plays video games and watches bad movies.
Tomohisa Ishikawa
Tokio Marine Holdings, Inc.
Tomohisa has experienced penetration testing, security audit and incident response at a security company since 2009. Currently, at Tokio Marine Holdings, Inc., he specializes in security strategy planning, security architecture, threat intelligence analysis and incident response. He is a committee member for the Information-Technology Engineers Examination and Registered Information Security Specialist Examination, as well as a Cyber Security Expert at the Ministry of Internal Affairs and Communications. He also authors and translates some technical publications.
Tatsuya Daitoku
Tokio Marine Holdings, Inc.
Tatsuya was a Technical Official at the National Police Agency for 16 years, specializing in cyber crime and cyber terrorism. While seconded to the Metropolitan Police Department, he dealt with international criminal organizations. After moving to a security company, he was involved in forensics, intelligence and training for government agencies. Since 2022, he oversees security operations, incident response and security measures for local and overseas group companies at Tokio Marine Holdings, Inc.
Hiroyuki Tomiyama
Tokio Marine Holdings, Inc.
Hiroyuki started his career at Tokio Marine Nichido Systems in 2009. He had been tasked with cyber security measures for its group companies in 2016. Being seconded to Tokio Marine Holdings, Inc. since 2023, he is now responsible for security measures for the CSIRT and both local and overseas group companies. OSCP, CISSP, CISA, RISS and ITILv3Expert.
Zhongyuan Hau (Aaron)
Sygnia
Aaron is a security researcher with more than four years of experience in various aspects of Cybersecurity including Incident Response, Red Teaming and Security Research. He is currently an Incident Response Expert with Sygnia, where he is part of the team that investigates security incidents ranging from advanced persistent threats (APTs) and ransomware attacks to data breaches.
Ren Jie Yow
Sygnia
Ren Jie is an Incident Response Expert from Singapore, with over four years of experience in managing and mitigating information security incidents. He has successfully navigated a wide range of challenges, including ransomware attacks, data breaches, advanced persistence threats (APTs), and financial fraud.
Pierre Lee
Trend Micro
Pierre Lee is a Senior Threat Researcher at Trend Micro, expertise in reverse engineering, threat hunting, APT campaign research across the APAC region. Prior to joining Trend Micro, Pierre worked as an Anti-Virus analyst, focusing on malware detection engineering using both signature-based and machine learning approaches.
Philip Chen
Trend Micro
Philip Chen is an APT threat researcher at TrendMicro, specializing in reverse-engineering and threat hunting. His work focuses on identifying and analyzing advanced persistent threats, malware, and security vulnerabilities. In his free time, he also explores fuzzing technologies. His background in cybersecurity gives him a well-rounded perspective on both offensive and defensive strategies.
Vickie Su
Trend Micro
Vickie Su is a threat researcher in Trend Micro. She is in charge of handling targeted attack cases around the Asia-Pacific region by malware analysis, performing correlating intelligence during the investigation, figuring out threat actors' Tactics, Techniques and Procedures (TTPs).
Dongwook Kim
KRCERT/CC
ongwook Kim have been working for KRCERT/CC since 2013 as Computer Incident Analyst. He has a lot of experiences related to internet security incident response(Supply Chain Attacks, cryptocurrency exchange hacking and so on). Recently, He is tracking and analyzing specific hacking group targeting Korea.
Seulgi Lee
KRCERT/CC
Seulgi Lee is currently a malware analyst at Korea Internet & Security Agency. He carried out research into cyber security such as cyber threat intelligence, SIEM for 7 years from 2012 in the R&D department. After moving to KrCERT/CC position, He has been analyzing threats targeting Korea and sharing insights based on the results to prevent the infringement cases and minimize the damage in Korea.
Masaomi Masumoto
NTT Communications Corporation
Masaomi engages in investigation and analysis of phishing and various cyber crime as part of “NA4Sec”, a cyber threat intelligence project at NTT Communications Corporation. He actively shares phishing site information on social media
Steve Su
Google Mandiant
Steve Su is a Senior Security Engineer & Researcher at Google Cloud’s Mandiant Intelligence. His proficiency focuses on malware hunting, reverse engineering, and tracking state-sponsored campaigns over the Asia Pacific region. He had public talks on conferences such as Kaspersky SAS, Virus Bulletin, HITCON and Mandiant CDS.
Aragorn Tseng
Google Mandiant
Aragorn Tseng serves as a Researcher and Analyst for Google Cloud’s Mandiant Intelligence, specializing in tracking state-sponsored actors across the Asia Pacific region. His expertise spans various domains, including malware analysis, incident response, APT campaign tracking, and the application of deep learning to cybersecurity challenges. Aragorn has presented his research at conferences such as Black Hat Asia, CodeBlue, HITCON, Virus Bulletin, and JSAC. Prior to joining Google Cloud, Aragorn worked as a consultant, contributing to incident response and APT campaign tracking initiatives within Taiwan's law enforcement agencies.
Chi-Yu You
Google Mandiant
Chi-Yu You (YCY) is a team lead on the Cyber Espionage Team at Google Cloud’s Mandiant Intelligence and also Blackhat Asia reviewboard. She leads a team that provides insights into nation-state threats in the Asia Pacific region. YCY has 8 years of experience in threat intelligence. Her expertise spans across threat hunting, reverse engineering, automated malware analysis, and campaign tracking. She has spoken at conferences including CodeBlue, HITCON, and JSAC.
Yusuke Nakajima
NTT DATA Group
Yusuke joined NTT DATA Group in 2019, offering solutions for image processing and natural language processing as a salesperson. He moved to NTTDATA-CERT in April 2023, where he is currently engaged in incident response, IoC collection and sharing as well as promoting the use of AI in CSIRT operations. He has a strong interest in offensive security, including C2 framework development, OSS vulnerability scanning and bug bounty programs.
Facundo Munoz
ESET
Facundo Munoz is a malware researcher, working for ESET since 2021. He focuses on hunting and analyzing advanced persistent threat malware from China-aligned threat actors, and writing reports for ESET’s threat intelligence services. Munoz has presented at conferences such as JSAC, BotConf, and NorthSec.
Ryosuke Yoshimura
LAC Co.,Ltd.
Ryosuke belongs to the Next Generation Security Technology Laboratory of Cyber Grid Japan at LAC Co.,Ltd. He specializes in collection and analysis of exploit code and indicators as well as research and development on cyber threat intelligence and AI technology. He has spoken at conferences including FIRSTCON24 Lightning Talk and CSS2024.
Tomoya Sano
LAC Co.,Ltd.
Tomoya is a member of the Financial Crime Control Center at LAC Co.,Ltd, where he works on consultation on measures against financial crime and cyber crime. He is also involved in developing and promoting AI-based anomaly detection solutions. He actively participates in coordination activities with other related partners such as Japan Cybercrime Control Center and the Council of Anti-Phishing Japan.
Michał Praszmo
CERT Polska
Jack of all trades, master of none at cert.pl. Busy doing everything that needs to be done at a national CERT - ranging from software engineering to reverse engineering and APT tracking.