Title
Abstract
TBA
Speaker
TBA
Stealth in the Shadows: Dissecting Earth Freybug's Recent Campaign and Operational Techniques
Abstract
In the evolving landscape of cybersecurity threats, Earth Freybug has emerged as a sophisticated adversary targeting organizations across a range of sectors, including notable activity within the Transportation, Manufacturing, and Chemical industries in the Asia-Pacific (APAC) region. This presentation will provide an overview of the group’s recent activities, focusing on their exploitation of critical vulnerabilities. Attendees will gain insights into Earth Freybug's malware arsenal, featuring key strains such as DEATHLOTUS, WINDJAMMER (also known as WINNKIT or the Winnti rootkit), SHADOWGAZE (also known as HIGHNOON), and CUNNINGPIGEON. These malware families contribute to the group's operations by facilitating initial access, enabling data exfiltration, and supporting lateral movement within compromised networks.
The presentation will delve into their sophisticated post-exploitation tactics, which involve employing layered strategies designed to maintain persistence and evade detection. Additionally, attention will be given to Earth Freybug's use of passive backdoor communication techniques, which limit outbound traffic and help maintain a low profile, thereby complicating detection and response efforts. By sharing their operational insights, this session aims to equip security professionals with the knowledge necessary to better detect and defend against this evolving threat landscape, ultimately enhancing their ability to safeguard their organizations from future attacks.
Speaker
Theo Chen
Leon Chang
Title
Abstract
TBA
Speaker
TBA
Behind the scenes of recent DarkPlum operations
Abstract
DarkPlum (publicly referred as Kimsuky, APT43) is a highly active cyber-espionage group linked to the Democratic People's Republic of Korea. Primarily, DarkPlum engages in espionage for military and diplomatic purposes, but it also conducts financially motivated attacks to fund its operations. Its main targets are government agencies and think tanks in South Korea and the United States, though it occasionally targets Japan. Since approximately March 2024, there have been continuous attacks on Japan.
In this presentation, we will begin by introducing three specific cases of attacks against Japan observed since March 2024. Following that, we will introduce the research methods we employ regularly. This includes sharing queries for gathering information on DarkPlum's attack infrastructure and malware using tools such as VirusTotal and Censys. Additionally, we have analysed large-scale network data to investigate relationships within DarkPlum's attack infrastructure, with the aim of uncovering the reality behind its operations. We will also provide examples of how this analysis can be applied to practical threat research and defence.
Speaker
Amata Anantaprayoon
Rintaro Koike
Kimsuky Wanna Be Your Social Network Friend
Abstract
This presentation focuses on Kimsuky, a North Korean government-sponsored cyber threat group, and their cyber espionage activities targeting South Korean Navy personnel in June 2024. Kimsuky utilized LinkedIn to profile key individuals in Navy communications and strategic defense sectors. Their main tactic involved social engineering, where they created fake personas based on real individuals with military backgrounds to gain the trust of victims. Initially, Kimsuky delivered spear-phishing messages through LinkedIn, which included Google Drive links leading to EGG files containing malicious JavaScript. In some instances, spear-phishing emails were also used. These malicious scripts were disguised as legitimate forms or inquiry documents, and when downloaded, PE malware was executed. The malware was obfuscated using VMProtect and RC4 encryption to hinder detection and reverse engineering efforts. Kimsuky’s June 2024 campaign targeting Navy personnel parallels their tactics in the 2021 Ministry of Foreign Affairs hack and the 2024 European defense industry attack, suggesting the same threat group was responsible. Kimsuky’s strategic interest in collecting intelligence on South Korean naval defense capabilities aimed to provide North Korea with critical information on maritime strategy and communication systems. Additionally, this presentation sheds light on Kimsuky’s operational security practices, such as using cryptocurrency for infrastructure and registering domains without personal verification, to enhance anonymity and evade detection. By analyzing their June 2024 campaign, this presentation offers valuable insights into Kimsuky’s evolving tactics, which are crucial for strengthening defenses against similar future cyber espionage activities.
Speaker
Hankuk Jo
Sangyoon Yoo
Jeonghee Ha
Follow the Clues: Everyday is lazarus.day
Abstract
The global cyber threat landscape is increasingly complex, with state-sponsored actors, cybercriminals, and hacktivists actively targeting various sectors. Cyber Threat Intelligence (CTI) firms play a vital role in tracking these actors and providing intelligence that security teams rely on to monitor threats. However, simply consuming CTI reports isn’t enough; security professionals must leverage CTI platforms, including open-source intelligence (OSINT), to proactively track and analyze threat actors. This presentation advocates for a proactive approach to threat intelligence, introducing key CTI platforms and strategies for building a comprehensive view of threat activities. A case study on Democratic People's Republic of Korea (DPRK) threat actors will illustrate this approach. Through the lazarus.day website, I’ve aggregated, analyzed, and tagged intelligence on DPRK actors, integrating OSINT for a full-spectrum analysis. This case underscores the value of combining multiple intelligence sources for effective threat tracking. Attendees will gain insights on optimizing CTI use for improved threat detection and response, enabling a strategic and proactive defense against evolving cyber threats.
Speaker
Jeonggak Lyu
APT-C-60: Enhanced targeting capabilities by exploiting region-specific software
Abstract
In early 2024, one of our tracking rules triggered on a malicious Windows library dropped by a spreadsheet file. Our analysis revealed a powerful, single-click, arbitrary, remote code execution exploit for WPS Office being used in the wild to target East-Asian countries.
threat actor behind this campaign, APT-C-60, also known as APT-Q-12, is a South Korea-aligned cyberespionage group active since at least 2018. It mainly focuses on high-profile targets such as governments, trade industries, and think tanks in Asian countries such as China and South Korea. So far, APT-C-60 has been known for using decoy documents as its initial access method but our discovery sheds light on the group’s motives and capabilities towards shifting to exploiting zero-days vulnerabilities.
This presentation describes the full compromise chain starting from our analysis of the weaponized zero-day vulnerability. Then, we go over the different TTPs used by the group to download components and achieve persistence: COM object hijacking, task scheduling, and the use of living-off-the-land techniques. We describe their stealthy fingerprinting technique made possible by abusing web analytics and a cloud-based code repository service to assess the delivery of their custom backdoor to targets they deem the most interesting. Finally, the talk provides information regarding the victimology based on collected information.
Speaker
Romain Dumont
Evolution of Huapi Malware: Growing Focus on Edge Devices
Abstract
Huapi (aka BlackTech) is a China-nexus APT group that has been active for over a decade. In line with their ongoing threat landscape, this presentation offers an in-depth analysis of the evolution of Huapi’s malware, focusing on their increasing emphasis on targeting edge devices. We will examine three specific malware used by Huapi: SSHTD (aka ELF_PLEAD), Mabackdoor (aka Hipid), and Bifrost, detailing their evolution and technical characteristics. The analysis will cover incidents from 2022 to 2024 that targeted Taiwan and Japan. We will discuss the infection chains, such as the exploitation of the F5 vulnerability, as well as the execution flows of the malware. Our analysis will highlight recent updates to the malware, illustrating how these changes reflect Huapi’s evolving tactics, particularly their growing focus on edge devices. Additionally, we will outline Huapi’s C&C communication chain and provide an overview of their C&C infrastructure. Finally, we will conclude with recommended countermeasures and mitigation strategies.
Speaker
Yi-Chin Chuang
Yu-Tung Chang
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
Abstract
Since 2023, Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has emerged as one of the most aggressive Chinese APT groups, primarily targeting critical industries such as telecommunications and government entities in the United States, the Asia-Pacific region, the Middle East, and South Africa. We will highlight their evolving attack techniques and analyze the motivations behind their operations, providing insights into their long-term targeted attacks. A key finding from our recent investigation is the discovery of a new backdoor, GHOSTSPIDER, identified during attacks on Southeast Asian telecom companies. We will explore the technical details of GHOSTSPIDER, its impact across multiple countries, and interesting findings from tracking its C&C infrastructure. We have also uncovered the group’s use of SNAPPYBEE (aka Deed RAT), another tool shared among Chinese APT groups. Additionally, we believe the threat actor used SoftEther VPN to establish their operational networks, complicating efforts to track their activities. Our analysis suggests that Earth Estries is a well-organized group with a clear division of labor. Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors, further highlighting the complexity of the group's operations.
Speaker
Leon Chang
Theo Chen
Observation of phishing criminal groups related to illegal money transfers and Mizuho Bank's countermeasures -Fighting against phishing site malware 'KeepSpy'-
Abstract
TBA
Speaker
Hiroyuki Yako
Tsukasa Takeuchi
Takuya Endo
Title
Abstract
TBA
Speaker
TBA
Active Monitoring and Response to User Credential Leaks
Abstract
TBA
Speaker
Yuji Ino
Masaki Yoshikawa
Title
Abstract
TBA
Speaker
TBA
Title
Abstract
TBA
Speaker
TBA
Title
Abstract
TBA
Speaker
TBA
Title
Abstract
TBA
Speaker
TBA
Operation AkaiRyū: MirrorFace invites Europe to EXPO 2025 and revives ANEL backdoor
Abstract
In August 2024, we detected cyberespionage activity carried out by the MirrorFace APT group against a Central European diplomacy institute in relation to EXPO 2025, which will be held in Japan. This is the first time that we have observed MirrorFace targeting an entity based in Europe. The attack followed the same pattern observed throughout 2024. We named the series of the attacks “Operation AkaiRyū”. In our presentation, we go through the whole compromise chain, thoroughly explaining all the stages. Starting with the spearphishing email messages, we describe how MirrorFace managed to trick one of its targets to open the linked malicious file. Next, we explain the process of the ANEL backdoor’s deployment, which MirrorFace has started using as the first-line backdoor. We continue the presentation with a description of the subsequent deployment of HiddenFace and related loaders, alongside other auxiliary tools necessary to fulfill MirrorFace’s objectives. This includes establishing Visual Studio Code remote tunnels to maintain stealthy remote access. Further, we discuss MirrorFace’s operational security improvements introduced in 2024. Finally, we discuss the relationship between the groups APT10 and MirrorFace.
Speaker
Dominik Breitenbacher
Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts
Abstract
From 2023 to 2024, the attack campaign by the notorious APT group "APT10" (also known as MirrorFace, Earth Kasha) has been observed, in which "LilimRAT" and "NOOPDOOR" were used as payloads in second-stage. These malwares are specifically intended and designed to execute within Windows Sandbox environment.
Windows Sandbox is available in Windows 10 Pro or later versions. It is designed and implemented as an ephemeral virtual environment to test applications. When the sandbox is closed, all data within it is deleted, which typically does not affect the host system. However, using a configuration file, the sandbox can be configured to access the host system or other networks and to execute arbitrary commands at sandbox startup.
In this campaign, Windows Sandbox was abused in an attempt to evade detections by security products and to obstruct forensic investigations. Given the complexities of implementing countermeasures and investigations, there are significant risks that similar techniques might be adopted in targeted attacks and other cyberattacks.
In this presentation, we will provide in-depth investigation results of Windows Sandbox based on the analysis of the attacks observed in the wild and the forensic artifacts. Additionally, we will cover key insights for monitoring and investigation from a blue team perspective.
Speaker
Satoshi Kamekawa
Shuhei Sasada
Yusuke Niwa
Handling Threat Intelligence: Techniques of Consuming and Creating Threat Intelligence
Abstract
TBA
Speaker
Tomohisa Ishikawa
Tatsuya Daitoku
Hiroyuki Tomiyama
Requirements
-
TBA
Advance Preparation
-
TBA
Skills
-
TBA
Notes
This talk is not translated into English.
Introduction to Analyzing Malware Anti-Analysis Features Using IDA and Ghidra Plugin
Abstract
TBA
Speaker
Takahiro Takeda
Requirements
-
TBA
Advance Preparation
-
TBA
Skills
-
TBA
Notes
This talk is not translated into English.
LIGHTNING TALK SESSION
Slot #1
Title: TBA
Speaker: TBA
Slot #2
Title: TBA
Speaker: TBA
Slot #3
Title:
Speaker: TBA
Slot #4
Title:
Speaker: TBA
Slot #5
Title:
Speaker: TBA
Title
Abstract
TBA
Speaker
TBA
Requirements
- TBA
Advance Preparation
- TBA
Skills
- TBA
Name
Details
Details
Rintaro Koike
NTT Security Holdings
Rintaro Koike is a security analyst at NTT Security Holdings. He is engaged in threat research and malware analysis. In addition, he is the founder of "nao_sec" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, SAS, Botconf, AVAR and others.
Amata Anantaprayoon
NTT Security Holdings
Amata Anantaprayoon is a security analyst at NTT Security Holdings and specializes in real-time threat detection, incident response, detection engineering, and cyber threat research. Amata regularly shares his insights at leading conferences such as Virus Bulletin as well as at closed events as a key member of NTT´s Threat Intelligence research community.
Hiroyuki Yako
Mizuho Financial Group, Inc.
Hiroyuki joined Mizuho Financial Group, Inc. in 2017 after working for a security company as a consultant. As a member of its CSIRT, he is engaged in a wide range of operations from incident handling, SOC management and planning to threat intelligence. He is also responsible for security measures against phishing and unauthorized Internet banking transactions.
Tsukasa Takeuchi
Mizuho Financial Group, Inc.
Tsukasa joined Mizuho Financial Group, Inc. in 2014. After working in its sales department in some local branches and engaged in planning/operation of customer products (mainly Internet banking), he moved to the current cyber security position. He first started with the overall security for the Internet banking system and currently oversees cyber security incident response including phishing.
Takuya Endo
Mizuho Financial Group, Inc.
Takuya joined Mizuho Financial Group, Inc. in 2020. In his previous position, he worked as a malware and forensic analyst as well as SOC operation lead. At present, he is in charge of log investigation and malware analysis, while operating and developing its threat intelligence collection system.
Hankuk Jo
NSHC
Hankuk Jo is a researcher at the Threat Research Lab of NSHC, specializing in cybersecurity and threat intelligence. He is passionate about sharing his insights and primarily focuses on analyzing the tactics, techniques, and procedures (TTPs) employed by cyber attackers, leveraging threat intelligence data.
Sangyoon Yoo
NSHC
Sangyoon Yoo is a seasoned professional in the field of cyber threat intelligence and research, currently working at the Threat Research Lab of NSHC. With a strong background in analyzing and researching various cybersecurity threats, Sangyoon has developed expertise in threat intelligence, game hacking tools, and malware analysis.
Jeonghee Ha
NSHC
Jeonghee Ha is a researcher at the Threat Research Lab of NSHC. Previously, JeongHee worked as an Incident Response Analyst and also has experience in CERT, analyzing threat events and providing first response. Jeonghee is primarily interested in threat data related to cybercrime groups and has a strong interest in digital forensic techniques.
Takahiro Takeda
LAC Co., Ltd
Takahiro is a malware analyst at Cyber Emergency Center in LAC Co., Ltd. He teaches at LAC Security Academy and authors some related publications. He has presented at international conferences such as PACSEC, AVAR, HITCON, Virus Bulletin and Black Hat USA Arsenal.
Theo Chen
Trend Micro
Theo Chen is a Senior Threat Researcher at Trend Micro, bringing over five years of comprehensive experience in the cybersecurity domain. His areas of expertise include penetration testing, malware analysis, and threat hunting, with a strong focus on understanding and mitigating advanced cyber threats. Throughout his career, Theo has been involved in multiple initiatives aimed at strengthening organizational security, focusing on detecting advanced threats and designing proactive defense strategies. Currently, He specializes in tracking APT groups, particularly those associated with Chinese-speaking actors. His work involves in-depth analysis of emerging cyber threats and TTPs employed by these sophisticated adversaries.
Leon Chang
Trend Micro
Leon Chang is a Senior Threat Researcher at Trend Micro. His major areas of research include APT campaign tracking, threat intelligence and malware analysis. He has also been a speaker at international conferences, including Black Hat Asia 2022, JSAC 2021/2022, CYBERSEC and AISA, etc.
Jeonggak Lyu
Financial Security Institute
He is the CSIRT Lead at the Financial Security Institute in South Korea, with over two decades of experience in cybersecurity focused on the financial sector. His expertise spans vulnerability assessments, penetration testing, security operations, and incident response, ensuring robust defenses against evolving cyber threats. Beyond his primary role, he actively tracks Democratic People's Republic of Korea (DPRK) state-sponsored threat actors as a personal side project, managing the website lazarus.day and the X (formerly Twitter) account lazarusholic, where he shares in-depth analysis and insights on these cyber adversaries.
Romain Dumont
ESET
Romain Dumont is a malware researcher working for ESET. His work involves deep malware analysis and threat hunting with a current focus on the APAC region. He is passionate about reverse engineering and has previously worked on obfuscation, Windows kernel components, vulnerability assessment, game cheats, and malware from all kinds of platforms.
Yi-Chin Chuang
TeamT5
Yi-Chin Chuang is a threat intelligence researcher at TeamT5. She is passionate about reverse engineering and malware analysis. Her current research focuses on APT threats within the APAC region. She has shared her research findings at Underground Economy, JSAC, CYBERSEC, and TAS.
Yu-Tung Chang
TeamT5
Yu-Tung Chang is a Threat Intelligence Researcher from TeamT5. He is interested in reverse engineering, vulnerability exploiting and malware analysis. He was engaged in network attacks research and rule writing. Currently, his research focuses on cyber threat intelligence in the East Asia region. He has spoken at Code Blue, TAS and JSAC.
Satoshi Kamekawa
ITOCHU Cyber & Intelligence Inc.
Satoshi engages in incident response and threat analysis at ITOCHU Cyber & Intelligence Inc.
Shuhei Sasada
ITOCHU Cyber & Intelligence Inc.
Shuhei engages in incident response and threat analysis at ITOCHU Cyber & Intelligence Inc.
Yusuke Niwa
ITOCHU Cyber & Intelligence Inc.
Yusuke engages in incident response and threat analysis at ITOCHU Cyber & Intelligence Inc.
Yuji Ino
Recruit Co.
Yuji joined Recruit Technologies Co.,Ltd in 2016. As a member of Recruit-CSIRT, he leads security incident response in Recruit. In April 2021, he launched the Cybercrime Countermeasures Group, specializing in analysis and investigation of fraudulent credit card use and spoofed logins for the purpose of cybercrime countermeasures. CISSP, GCIH, GCTI, GNFA.
Masaki Yoshikawa
Recruit Co.
Masaki is engaged in vulnerability assessment and penetration testing at Recruit Co. Currently, he focuses on security incident response, monitoring and threat hunting at Recruit-CSIRT.
Dominik Breitenbacher
ESET
Dominik is a malware researcher at ESET. Coming from academia, he joined ESET in 2019 to help track the activities of APT groups with a particular focus on the China-aligned group MirrorFace. He previously presented at AVAR and also at JSAC 2024. In his spare time, he plays video games and watches bad movies.
Tomohisa Ishikawa
Tokio Marine Holdings, Inc.
Tomohisa has experienced penetration testing, security audit and incident response at a security company since 2009. Currently, at Tokio Marine Holdings, Inc., he specializes in security strategy planning, security architecture, threat intelligence analysis and incident response. He is a committee member for the Information-Technology Engineers Examination and Registered Information Security Specialist Examination, as well as a Cyber Security Expert at the Ministry of Internal Affairs and Communications. He also authors and translates some technical publications.
Tatsuya Daitoku
Tokio Marine Holdings, Inc.
Tatsuya was a Technical Official at the National Police Agency for 16 years, specializing in cyber crime and cyber terrorism. While seconded to the Metropolitan Police Department, he dealt with international criminal organizations. After moving to a security company, he was involved in forensics, intelligence and training for government agencies. Since 2022, he oversees security operations, incident response and security measures for local and overseas group companies at Tokio Marine Holdings, Inc.
Hiroyuki Tomiyama
Tokio Marine Holdings, Inc.
Hiroyuki started his career at Tokio Marine Nichido Systems in 2009. He had been tasked with cyber security measures for its group companies in 2016. Being seconded to Tokio Marine Holdings, Inc. since 2023, he is now responsible for security measures for the CSIRT and both local and overseas group companies. OSCP, CISSP, CISA, RISS and ITILv3Expert.