Copyright © 1996-2021 JPCERT/CC All Rights Reserved.
Although drive-by download attacks are considered less popular these days, they still occur, and new threats keep appearing. Bottle Exploit Kit was first confirmed in December 2019 and is unusual in that it targets only users in Japan. It remained active in 2020 and is one of the most commonly observed exploit kits in Japan. On the other hand, because of its limited targeting, this exploit kit is little known globally: only the analysis results published around the time of its first appearance are available, and its later variants remain undocumented even though they keep evolving. Bottle Exploit Kit also delivers the Cinobi banking trojan, which likewise targets users in Japan, and no recent analysis of either has been published.
This presentation shows the detailed analysis results for each version of Bottle Exploit Kit, from its first appearance to the present version, revealing updates that remained unknown until recently. The analysis results for each version of Cinobi are also presented, describing how this trojan attacks users in Japan. In addition, IoCs and signatures for detecting this malware, a decryption tool for its encrypted data, and other information are shared. Lastly, the speakers present the result of their attribution assessment, based on the information gained from their analysis and investigation. This result has already been shared with relevant external organizations to support efforts to suspend the activities of Bottle Exploit Kit, and its details are also presented. Researchers, CSIRTs, and SOC staff who investigate Bottle Exploit Kit and Cinobi will find this presentation helpful in understanding and handling these attacks.
Before 2020 many companies may not have considered a mostly remote workforce when designing networks and network defenses. Similarly, most workers may not have considered the possibility of a “work from home” situation. The vulnerability of home network devices has probably never been more of a threat to information security.
Attackers continue to compromise vulnerable SOHO routers by taking advantage of default or weak user-defined passwords, as well as the use of publicly available exploits.
GhostDNS is a platform developed to help attackers find vulnerable routers and change the DNS settings of those that are exploitable. Most notably, attackers have used GhostDNS to target Brazilian financial institutions and their customers, with 100,000+ routers compromised to date.
In this presentation, we will explain our methodology for hunting for the various elements of GhostDNS infrastructure, share what we have discovered to date and also speak about our efforts to collaborate with a national CSIRT to mitigate this threat.
The most commonly observed malicious emails aimed at infecting companies with malware in 2020 are probably those delivering Emotet. In Japan, these attacks have been confirmed since September 2019, and the number of compromised companies keeps increasing.
The speakers’ organizations have been observing Emotet-related emails for a long period and publicly sharing information to raise awareness. This includes the latest trends in email contents and attachments, password-protected ZIP files, C&C server information, and the malware delivered as secondary payloads.
In this session, the speakers discuss the features of the Emotet campaign and its impact in Japan based on observations since the latter half of 2019, when Emotet started to be used against Japan. The presentation begins with an overview of Emotet, its infection flow and its functions. The next topic focuses on attacks using Emotet against Japanese organizations, elaborating the trends in emails and attachments and how the infection status has changed. It also touches on efforts such as collaboration with Cryptolaemus, a researcher group outside Japan, and outreach to victims to prevent further infection. Finally, the similarities between Emotet and other campaigns, and the attackers' aims, are revealed through comparative analysis. This session will help security operations staff gain a deeper understanding of Emotet and plan countermeasures against these attacks.
This presentation discusses the activities of attack groups that use the malware distribution network called Shathak. These groups send emails to infect victims with banking malware, and their main targets are the United States, Canada, Italy, Germany, and Japan. Such attacks are reported on social media and other outlets almost weekly, particularly from the United States, Canada, and Italy. Multiple attack cases were confirmed in Japan in 2020, so Japan is no longer an exception to this trend; the fact that the malicious document files used in these domestic cases contained Japanese text shows that Japan was deliberately targeted.
The modus operandi of attacks using Shathak begins with a spoofed email sent to a target organization. The email is built from a message stolen from the organization beforehand and is disguised as a reply to it. It carries a password-protected ZIP file as an attachment, with the password written in the email body. If a user extracts the ZIP file and enables content in the malicious document inside, the user is infected with Ursnif, IcedID, or other malware. Infections with Valak, which acts as an information stealer and downloader, have also been confirmed, and the infection chain tends to grow more complicated.
While individual attack cases and the appearance of new malware such as Valak repeatedly attract attention, no study has yet reported the big picture of the Shathak attack trend. Moreover, although Japan is one of the targets, no report has come from Japan so far. In the past, certain malware became active in Japan some time after becoming prominent overseas, so being aware of attack groups known worldwide helps in preparing countermeasures early. For this reason, this presentation shows the big picture of attack campaigns that use Shathak and introduces the increasingly complicated malware infection flow, along with examples of the malicious emails and document files used.
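Both the Emotet and the Shathak abstracts above describe the same delivery trick: a reply-chain lure carrying a password-protected ZIP, with the password handed out in the message body. The script below is an added example, not code from either presentation, showing the two checks a mail gateway or SOC triage script can apply to that chain: whether any ZIP attachment has entries with the ZIP encryption flag set (bit 0 of the general-purpose flag in the local file header), and whether the body leaks a password for it. The .eml message, the ZIP bytes and the "Password:" phrasing are all constructed here and are assumptions, not indicators from the talks.

```python
"""Triage of a reply-chain malspam message carrying a password-protected ZIP.

Added example for the Emotet / Shathak abstracts above, not the presenters' code.
The message and the ZIP blob are constructed in this file; the password
phrasing matched by PASSWORD_RE is an assumed pattern, not a signature.
"""
import email
import email.policy
import re
import struct
from email.message import EmailMessage

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Lines such as "Password: abc123" or "パスワード：abc123" (constructed patterns).
PASSWORD_RE = re.compile(
    r"(?:password|passcode|パスワード)\s*(?:is|:|：|は)?\s*[\"“「]?([A-Za-z0-9!@#$%^&*_\-]{3,32})",
    re.IGNORECASE,
)


def zip_entries(blob: bytes):
    """Walk the local file headers of a ZIP blob and yield (name, encrypted)."""
    pos = 0
    while True:
        pos = blob.find(LOCAL_HEADER_SIG, pos)
        if pos < 0:
            return
        # After the signature: version(2) flags(2) method(2) time(2) date(2)
        # crc(4) csize(4) usize(4) fnlen(2) exlen(2); we start at flags.
        flags, _m, _t, _d, _crc, csize, _u, fnlen, exlen = struct.unpack_from(
            "<HHHHIIIHH", blob, pos + 6)
        name_start = pos + 30
        name = blob[name_start:name_start + fnlen].decode("utf-8", "replace")
        yield name, bool(flags & 0x1)  # bit 0 = entry is encrypted
        pos = name_start + fnlen + exlen + csize


def build_sample_zip(name: bytes, encrypted: bool, payload: bytes) -> bytes:
    """Constructed single-entry ZIP (local header only; enough for the scan)."""
    flags = 0x1 if encrypted else 0x0
    header = LOCAL_HEADER_SIG + struct.pack(
        "<HHHHHIIIHH", 20, flags, 0, 0, 0, 0, len(payload), len(payload), len(name), 0)
    return header + name + payload


def build_sample_eml() -> bytes:
    """Constructed reply-chain lure: stolen-thread subject, ZIP attached, password in body."""
    msg = EmailMessage()
    msg["From"] = "accounting@partner.example"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Re: Re: Invoice 2020-11"
    msg["In-Reply-To"] = "<orig-1@victim.example>"
    msg.set_content("Thanks for your reply. The document is attached.\nPassword: Inv2020\n")
    msg.add_attachment(build_sample_zip(b"invoice.doc", True, b"x" * 16),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Flag a message that pairs an encrypted ZIP entry with a password in the body."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg.get("Subject", ""))
    result = {
        "reply_chain": msg.get("In-Reply-To") is not None or subject.lower().startswith("re:"),
        "encrypted_zip_entries": [],
        "passwords": [],
    }
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() != "application/zip" and not fname.lower().endswith(".zip"):
            continue
        for name, enc in zip_entries(part.get_payload(decode=True)):
            if enc:
                result["encrypted_zip_entries"].append((fname, name))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    result["passwords"] = PASSWORD_RE.findall(text)
    result["suspicious"] = bool(result["encrypted_zip_entries"]) and bool(result["passwords"])
    return result


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

The encryption flag alone is not a verdict (legitimate senders do exchange encrypted archives), which is why the function only raises `suspicious` when the same message also supplies the password; the `reply_chain` field is kept separately so a rule can weight stolen-thread lures more heavily.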
Business Email Compromise (BEC) is one of the cyber crimes that can result in large financial losses. The FBI reported that damage in the United States is increasing year by year, reaching 1.7 billion USD last year. Although the full extent of the damage to Japanese companies and their overseas offices has not been investigated, the total is estimated to be considerable. In many cases, sophisticated BEC incidents arise from a breach of a business partner's email account: no matter how robust your company’s security measures are, attackers can launch advanced social engineering based on emails leaked from your business partner. In this session, actual BEC cases triggered by a security breach at a business partner that the presenters handled will be described, followed by the attackers' tactics and some tips for incident response.
NanoCore is a Remote Access Trojan (RAT) that first appeared in 2013 and is still commonly used today. It has been distributed via fake emails about shipping, invoices and even COVID-19 announcements. Currently, NanoCore version 1.2.2.0 is the most widespread, and a cracked copy is available on Hack Forums and other leak sites. The presenter found that this cracked build contains a misconfiguration and developed a system that uses this loophole to detect C&C servers running on the Internet. This presentation introduces the method for detecting NanoCore C&C servers and the results of long-term observation. As of October 2020, 1,787 C&C servers (3,160 ports) had been detected, most of them located in the United States and Europe. From the uptime of the C&C servers, the infrastructure appears to be used for attacks targeting countries in the UTC+1 time zone. In addition, using information gained through the detection system, the presenter ran an experiment to attract NanoCore operators in order to observe their post-intrusion activity. So far, 88 successful intrusions into the test environment by operators have been confirmed, along with malicious activity such as theft of emails, files and account credentials, and attempts to infect the victim with other RATs for further attacks. This presentation will provide further details on operator behaviour and the tools and malware used.
While offensive security professionals enjoy the luxuries of having entire Linux distributions like Kali and endless code repositories dedicated to their craft, incident responders often find themselves building and rebuilding entire lab and malware analysis environments by hand in order to analyze attack techniques. This process is time consuming and repetitive. DetectionLab is an open source project that automates the process of building an Active Directory based lab environment on many different platforms and configures the lab hosts for maximum telemetry collection using tools like Sysmon and osquery. This talk will provide an overview of DetectionLab, show how it can be used to analyze modern attack techniques such as Zerologon, and discuss how it can be used to build detections for new and existing offensive security techniques.
Cobalt Strike is commercial software for simulating APT attacks, intended for red team operations, but it is increasingly used by real attackers. Although the address of a malware sample's C2 server, an important IoC, can usually be obtained through ordinary sample analysis, obtaining a Cobalt Strike Beacon sample is difficult because it is often executed only in memory, without writing a file to storage. Furthermore, samples are usually obtained and analyzed only after the target has been compromised, leaving analysts one step behind the attackers.
This presentation introduces a method for finding operating Cobalt Strike team servers directly on the Internet. The method emulates multiple protocols that Cobalt Strike uses, such as HTTP, HTTPS, DNS, and ExternalC2. In addition to finding team servers, it downloads the Beacon and parses its configuration. In this way analysts can cover more protocols than HTTP and HTTPS alone, avoid false positives, and obtain more detailed threat information than bare IP addresses. The method does not bypass any security feature such as authentication.
The presentation first explains in detail each protocol that Cobalt Strike supports. Secondly, the presenter describes how he arrived at this approach and points to consider when implementing it. After that, a way to categorize the team server IP addresses obtained, based on their configuration, is introduced. Finally, the presenter demonstrates the method by uncovering non-public IoC information possibly used in a publicly disclosed attack case, and presents trends in server configuration observed over a year.
It is difficult to share all the threat information obtained through this method because it cannot distinguish legitimate red teams from attackers. However, the insights gained through this research will be valuable to analysts who fight APT attacks and to researchers exploring external detection of ongoing or potential threats.
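The two concrete steps in the abstract above, requesting a Beacon from a team server the way a stager would and then parsing the Beacon's embedded configuration, can be illustrated offline. The block below is an added example and is not the presenter's tool. It assumes the publicly described behaviour of the HTTP stager URI (a short path whose 8-bit checksum of the ASCII bytes is 92 for x86 or 93 for x64) and of the Beacon configuration block (big-endian index/type/length records, XOR-encoded with a single byte, 0x2e for 4.x and 0x69 for 3.x). The setting names and beacon-type values are the commonly documented ones, and the encoded configuration blob is constructed here rather than taken from a real Beacon; no network access is performed.

```python
"""Cobalt Strike stager URI checksum and Beacon config parsing (added example).

Not the presenter's tool. Assumed, from public descriptions: stager URI
checksum8 == 92 (x86) / 93 (x64); config records are big-endian
index(2) type(2) length(2) value, XOR-encoded with 0x2e (4.x) or 0x69 (3.x).
The sample blob is constructed below.
"""
import random
import string
import struct

# Setting indexes and beacon-type values as commonly documented (assumption).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
                 5: "Jitter", 8: "C2Server", 9: "UserAgent", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}
XOR_KEYS = (0x2E, 0x69)  # 4.x first, then 3.x
MARKER = b"\x00\x01\x00\x01\x00\x02"  # first record: index 1, type short, length 2


def checksum8(path: str) -> int:
    """Sum of the ASCII values of the URI path (leading '/' dropped), mod 256."""
    return sum(ord(c) for c in path.lstrip("/")) % 256


def make_stager_uri(arch: str = "x86", rng=None) -> str:
    """Produce a 4-character path the team server treats as an x86/x64 stager request."""
    target = 92 if arch == "x86" else 93
    rng = rng or random.Random(1)
    alphabet = string.ascii_letters + string.digits
    while True:
        cand = "".join(rng.choice(alphabet) for _ in range(4))
        if checksum8(cand) == target:
            return "/" + cand


def _rec(idx: int, typ: int, data: bytes) -> bytes:
    return struct.pack(">HHH", idx, typ, len(data)) + data


def build_sample_config(key: int = 0x2E) -> bytes:
    """Constructed Beacon-like blob: junk, XOR-encoded records, terminator, junk."""
    recs = b"".join([
        _rec(1, 1, struct.pack(">H", 8)),            # BeaconType = HTTPS
        _rec(2, 1, struct.pack(">H", 443)),          # Port
        _rec(3, 2, struct.pack(">I", 60000)),        # SleepTime (ms)
        _rec(4, 2, struct.pack(">I", 1048576)),      # MaxGetSize
        _rec(5, 1, struct.pack(">H", 20)),           # Jitter (%)
        _rec(8, 3, b"c2.example.invalid,/ca".ljust(256, b"\0")),   # C2Server (constructed)
        _rec(9, 3, b"Mozilla/5.0 (Windows NT 10.0)".ljust(128, b"\0")),  # UserAgent
        _rec(37, 2, struct.pack(">I", 0x12345678)),  # Watermark (constructed value)
    ]) + b"\0" * 6                                   # index 0 terminates the config
    return b"\0" * 32 + bytes(b ^ key for b in recs) + b"\0" * 32


def parse_beacon_config(blob: bytes):
    """Locate the XOR-encoded config by its first record and decode every setting."""
    for key in XOR_KEYS:
        off = blob.find(bytes(b ^ key for b in MARKER))
        if off < 0:
            continue
        data = bytes(b ^ key for b in blob[off:])
        settings, pos = {"xor_key": key}, 0
        while pos + 6 <= len(data):
            idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
            pos += 6
            if idx == 0:
                break
            raw = data[pos:pos + length]
            pos += length
            if typ == 1:
                val = struct.unpack(">H", raw)[0]
            elif typ == 2:
                val = struct.unpack(">I", raw)[0]
            else:
                val = raw.rstrip(b"\0").decode("latin-1")
            if idx == 1:
                val = BEACON_TYPES.get(val, val)
            settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = val
        return settings
    return None


if __name__ == "__main__":
    print("stager URI (x86):", make_stager_uri("x86"))
    print(parse_beacon_config(build_sample_config()))
```

Parsing the configuration, rather than stopping at "a host answered a stager request", is what lets the method above group servers by watermark, C2 host list and user agent; it is also why the IP address alone is the least useful part of the result.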
Many Japanese companies constantly improve their security measures; however, APT attackers keep pace with them and come up with a variety of attack techniques. The presenters conducted an overall analysis of an attack campaign aimed at information theft that targeted several industries, including manufacturing, and spread to both domestic and overseas sites of Japanese companies.
The presenters named this attacker group “A41APT” after the host name “DESKTOP-A41UVJV” used in the first stage of the intrusion. The group's activity was observed over a long period, from March 2019 to November 2020, and its attack techniques are considered consistent and persistent. A41APT has been found to use new types of malware, such as SodaMaster (also known as DelfsCake, dfls and HEAVYPOT), P8RAT (also known as GreetCake), DESLoader (also known as SigLoader), and FYAntiLoader, and to operate over 80 samples.
Despite this, very little public information exists about the campaign, so its reality is almost unknown, and there is serious concern that many organizations may be unaware they have been compromised. Based on the malware analysis results and the observed behaviour, the flow of the attack will be shown from initial intrusion through the subsequent penetration. Furthermore, attribution of the attacker group will also be described.
Given the features of the malware and the group's careful operations, A41APT's attacks are highly stealthy and therefore difficult to detect, but not impossible. This session will provide user companies and security vendors with useful information, including malware features and attack methods, to help detect intrusions and develop countermeasures.
We will present our most recent research on a new Chinese APT group, Luoyu, which has not yet been publicly identified as a group. Luoyu is originally a creature from Chinese mythology, a fish with wings that can swim in rivers and fly in the sky, much like this group, which can intrude into multiple platforms.
We first found attacks by Luoyu against China in 2014 and have followed the group since. In 2017, we found the group starting to attack Japan, South Korea, and Taiwan. We believe the attacks originated from China because the TTPs used were popular among Chinese APT groups. However, instead of attacking government agencies, the usual favourite target of Chinese actors, the group targeted messaging apps. We believe this indicates the group may be trying to censor the people using these messaging apps.
In this presentation, we shed light on Luoyu’s campaigns and analyze the tools they use. We provide case studies of their attacks, showing the different TTPs deployed in various intrusions, and introduce their self-developed malware, ReverseWindow, which exists for multiple platforms. We hope our findings help the affected industries build better defenses against this APT group.
The attack campaign targeting cryptocurrency service providers which will be covered by this session is similar to the one reported by JPCERT/CC in July 2019 (https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html).
As of 2020, the attackers still use Japanese in malware file names and in decoy document text to target Japanese companies. Threat information about this campaign, including the malware and the attackers' servers, is occasionally published in external reports or on social media, but not often. Even when such information is disclosed, some of the malware and servers are no longer in use by the time of publication, so it may not be sufficient for real-time detection.
It is therefore necessary to consider how to proactively acquire threat information that is likely to be valid at a given time rather than waiting for information from external organisations. One approach is threat hunting using Internet services: services that let users search files with YARA rules or monitor file uploads (such as VirusTotal and Hybrid Analysis) can be used to hunt malware, and services that index publicly reachable devices on the Internet (such as Censys, Shodan, and BinaryEdge) can be used to hunt the attackers' servers.
In this session, a method of hunting threat information about the above attack campaign using these services is introduced. As a result of this threat hunting, 24 malware samples (LNK files) and 12 servers (IP addresses) used by the attackers were identified between March and November 2020, enabling early detection of changes in the malware and the attackers' servers.
Various kinds of malware are distributed in ever greater volume. Analysts must analyze large numbers of samples and extract IoCs, including C&C server information, quickly and accurately. Under these circumstances, not only reverse engineering but also the ability to automate and scale analysis tasks is an essential skill. In addition, most recent malware employs anti-analysis techniques such as string encryption and code obfuscation to evade detection or complicate analysis, so automation is needed in practical malware analysis to counter them.
This workshop focuses on Emotet, which has been rampant in recent years, and demonstrates analysis and automation with Ghidra. In particular, it covers decoding obfuscated strings, resolving hashed API names, extracting the list of C&C servers, and automating these tasks.
※ This workshop is designed for those with experience in malware analysis and Python programming.
Shuffle is an automation platform for and by security professionals, built to make it easy for anyone to automate their daily tasks. Our primary goal is to elevate the security community as a whole by getting everyone up to the level of the best. This workshop will explore all areas of Shuffle from getting started, to collaboration, architecture, app creation, python migration, how it's built for service providers, and the future of Shuffle.
Stuck doing the same thing day in, day out? Don't know where to focus your attention next? Jumping between 12 different windows during an investigation? Can't enrich your dataset with your new shiny threat intel provider? Are you "collaborating" using Outlook and Excel? Got a customer that doesn't know why they need the shiny new EDR? Did the SOC manager buy a new tool without thinking about integration?
Shuffle fixes all of these issues. You'll be able to automate anything within minutes, rather than days, weeks or months. Our community of automation enthusiasts is a growing, collaborative and helpful bunch. The silent heroes that make everything run smoothly behind the scenes. Join us by taking this four hour crash course in everything security automation!
NTT Security Japan
Rintaro Koike collects and analyses threat information and conducts malware analysis at NTT Security Japan. He is also a researcher at Team @nao_sec on Twitter. He has presented at JSAC, VB, and other conferences before, and this is his fourth time speaking at JSAC.
NTT Security Japan
After changing careers from software developer to security professional, Hajime Takai monitors alerts from security devices and analyses malware as a SOC analyst. He has presented at JSAC, VB, and other conferences.
Josh has been a member of Team Cymru’s threat intelligence team for the past 3.5 years, seeking to further the company’s mission of making the Internet a more secure and safe space. Prior to Team Cymru, he spent time working with BAE Systems, as well as 8 years in UK law enforcement.
Manabu works as an engineer at a company in Japan and researches cyber threat topics, mainly OSINT, in his free time. He has presented at several security conferences, including HITCON, JSAC, OBTS and Botconf.
Fredrik is a software engineer and entrepreneur with industry experience in DFIR, Automation, Pentesting and Open Source tool creation and collaboration. He started out in an MSSP environment, learning the secrets of the blue team, before quickly moving to a FinTech company to secure their assets from within. With this knowledge he set out on a mission to put all his knowledge to good use by building Shuffle. He's currently residing in Japan, integrating into the culture through language, travel and startups. Get in touch @frikkylikeme
JPCERT Coordination Center
Ken Sajo previously worked in a SOC at a financial company. Currently at JPCERT/CC, he works on incident response, malware analysis and threat information analysis. He shares information and conducts analysis as @bomccss (Twitter) in a special interest group that collects and analyzes email samples distributed in malspam campaigns. He also gave a talk at JSAC 2020.
Cyber Defense Institute Inc.
Shuhei Sasada is an analyst at Cyber Defense Institute Inc., engaged in forensics and incident response as well as gathering and analyzing threat information. He gained experience in security product deployment and malware research at his previous job at a security company in Japan. He has been developing a technical environment for observing malspam campaigns, and analyzes and shares information based on the data he collects.
LAC Co., Ltd.
Since 2015, Takuma Matsumoto has worked on network forensics, development of a SIEM log monitoring service, log analysis, alert creation, development of an integrated analysis system, and other projects at LAC. He is currently engaged in collecting and analyzing threat information and in malware analysis.
NEC Solution Innovators, Ltd.
Since 2014, Shotaro Hamamoto has worked on malware and log analysis at NEC Solution Innovators and a partner firm. He currently collects and analyses threat information and supports CSIRT operations.
Yusuke Niwa became a cyber security analyst at ITCCERT after experiencing security monitoring and analysis at a financial enterprise and a security vendor. He ensures cyber security of Itochu Corporation and its subsidiaries and affiliates. He was a speaker at JSAC 2020.
Secure Brain Corporation
Ryo Tamura worked in infrastructure engineering and CSIRT operations early in his career and has been a SOC analyst at Secure Brain since 2018.
Macnica Networks Corp.
Takeshi Teshigawara has worked in sales and customer support for network products and for network and endpoint security products since joining Macnica Networks Corp. in 2008. Since 2019, he has researched security threats, including BEC, and the latest security solutions in the security service division, and provides support, lectures and talks on all aspects of customer security.
Macnica Networks Corp.
Kenzo Masamoto has experience with various network products, cryptographic products, WAF, IDS/IPS, etc., and is currently involved in the investigation and analysis of security incidents. He has been engaged in incident investigation and response for APT and BEC cases, research on overseas security technology trends, and incident response at Macnica Networks Corp. He also serves as a cyber security advisor to government agencies and as a researcher at The Sasakawa Peace Foundation.
National Institute of Information and Communications Technology
Takashi Matsumoto is a member of the Analysis Team at NICT Cybersecurity Laboratory, mainly engaged in collecting and analysing malware samples as well as log analysis and forensics.
Chris Long is a Senior Security Engineer at Netflix who has been specializing in Detection Engineering for the last decade and is the creator of DetectionLab. Although he's primarily focused on detection, he is an OSCP and OSCE certification holder and does his best to stay up to date with offensive security tooling and techniques. He is passionate about enabling defensive security practitioners to build more effective and robust countermeasures to protect against well known attack vectors.
Cyber Defense Institute Inc.
Shota Nakajima conducts malware analysis, incident response as well as collecting and analyzing threat information at Cyber Defense Institute Inc. He has presented at JSAC, HITCON CMT, AVAR, CPRCon, Black Hat EUROPE Arsenal and CodeBlue BlueBox before. He is a producer of Allsafe, a technical community.
Trend Micro Inc.
Hiroaki Hara is engaged in malware analysis, incident response, threat research, and red teaming at Trend Micro Inc. He is also responsible for art direction at Allsafe.
Takahiro Haruyama is a Sr. Threat Researcher on the VMware Carbon Black Threat Analysis Unit (TAU), with over ten years of extensive experience and knowledge in malware analysis and digital forensics. He previously worked on reverse-engineering cyber espionage malware with Symantec's threat intelligence team. He has spoken at several famous conferences including Virus Bulletin, REcon, HITB, SANS DFIR Summit, BlackHat Briefings USA/Europe/Asia.
Macnica Networks Corp
Hajime Yanagishita started his career in software development and then supported incident response for customers using EDR tools. He is now in the Security Research Center at Macnica Networks, engaged in malware analysis, threat information analysis and intrusion research.
Charles is the chief analyst at TeamT5, where he leads the analyst team in threat intelligence research. He has been studying cyber attacks and tracking campaigns for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He often publishes research and gives training courses at security conferences.
Suguru Ishimaru has been collecting and analyzing threat information and samples, including malware, spam and phishing, since joining Kaspersky Lab Japan as a researcher in 2008. He later joined Kaspersky Lab's Global Research and Analysis Team as a Malware Researcher and now researches the latest threat trends, including APT, at a global level.
Motohiko Sato is ITCCERT Senior Cyber Security Researcher at ITOCHU Corporation, Associate Professor at National University Corporation Chiba University, Cybersecurity Advisor at Ministry of Education, Culture, Sports, Science and Technology (MEXT), Expert Advisor at JPCERT/CC, and Special Researcher at JASA. He is engaged in all cyber security domains of CSIRT and its practices in ITOCHU Corporation. He enjoys DNS sinkholing specifically for APT analysis.
Shui is a cyber threat analyst at TeamT5. Holding a master’s degree from Johns Hopkins SAIS, she has a keen eye for international affairs. She mainly works on cyber espionage campaign tracking and is involved in underground market research.
Leon Chang is a cyber threat analyst in the Cyber Threat Intelligence team at TeamT5. His major research areas include APT campaign tracking and malware analysis. He has previously participated in information security assessment services for government and financial institutions and in research on vulnerabilities in IoT devices.
Internet Initiative Japan Inc
Takeki Kodera is engaged in creating rules for incident detection as well as collecting and analyzing threat information as a member of IIJ SOC. He is also writing periodical monitoring reports on a blog “wizSafe Security Signal.”