Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon
CODE BLUE 2021 (CB21)
NTT Security (Japan) KK
Rintaro Koike, Shogo Hayashi, Ryuichi Tanabe
© NTT All Rights Reserved
About us
• Rintaro Koike (小池 倫太郎)
  • Security analyst at NTT Security Japan (threat research, malware analysis)
  • Founder of nao_sec
• Shogo Hayashi (林 匠悟)
  • Security analyst at NTT Security Japan (responding to EDR detections, creating custom signatures)
  • Co-founder of SOCYETI
• Ryuichi Tanabe (田邉 龍一)
  • Security analyst at NTT Security Japan (responding to EDR detections, malware analysis)
  • Speaker at VB2021 localhost and TheSAS2021
Motivation & Goal
Operation Software Concepts
• Introduce the campaign overview
  • Targets, characteristics, purpose
• Show detailed analysis results
  • SSV Dropper, SSV Downloader, SSV RAT and WerNis RAT
• Consider relationships and attribution
Agenda
1. Attack Overview
2. Malware Analysis
3. Attribution
4. Wrap-Up
Attack Flow
(Diagram; the chain it shows, read left to right:)
• SSV Dropper (SCR) creates and executes Legitimate-A (EXE) together with SSV Downloader (DLL); Legitimate-A loads the DLL (side-loading)
• SSV Downloader downloads SSV RAT (EXE) from the Malware Server; SSV RAT talks to C&C Server-A
• SSV RAT downloads Legitimate-B (EXE) plus Data (encoded WerNis RAT); the loader decodes it and injects WerNis RAT into another process
• WerNis RAT talks to C&C Server-B and downloads Legitimate-C (EXE), a Loader (EXE), a Decoder (DLL) and Data (encoded Mimikatz)
• Mimikatz is executed against the Domain Controller via Zerologon
Evasion Techniques
Techniques used in Operation Software Concepts
• Valid signature
  • SSV Dropper
• DLL Side-Loading
  • Symantec Endpoint Protection (RtvStart.exe)
  • Microsoft Edge Update (MicrosoftEdgeUpdate.exe)
• Process Injection
  • WerNis RAT (dllhost.exe)
• Loader & Encoded Data
  • SSV Downloader, WerNis RAT, Mimikatz
Attack Operation Timeline (2021-04-22)

Time (JST)      Object       Description
16:32           SSV RAT      Executed and contacted the C&C server
16:44 – 16:55   SSV RAT      Investigated the host environment
17:09           SSV RAT      Downloaded WerNis RAT from the C&C server
17:15           WerNis RAT   Executed and contacted the C&C server
17:17 – 17:43   WerNis RAT   Investigated the Active Directory environment
17:52           Mimikatz     Exploited the DC via Zerologon
17:47 – 17:56   WerNis RAT   Captured the desktop many times
18:08           -            Attacker stopped the operation
Malware Analysis
SSV Dropper
Signed with a valid certificate
• SOFTWARE CONCEPTS LIMITED
1. Drops exe + dll files
  • C:\ProgramData\Apacha
    › ssvagent.exe
    › MSVCR110.dll
2. Executes ssvagent.exe
(Diagram: SSV Dropper (signed) -> legit EXE + SSV Downloader)
SSV Downloader
DLL Side-Loading
• ssvagent.exe
  • Legitimate, signed EXE
    › Symantec Endpoint Protection (RtvStart.exe)
• MSVCR110.dll
  • SSV Downloader
  • Downloads the encoded SSV RAT
    › https[:]//www.flushcdn[.]com/download/image9588.jpg
(Diagram: the legit EXE side-loads SSV Downloader, which fetches SSV RAT from www.flushcdn[.]com)
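A hunting rule for the side-loading layout on this slide, as an added example that is not part of the presentation: ssvagent.exe is a renamed, signed RtvStart.exe sitting in C:\ProgramData\Apacha, and the MSVCR110.dll beside it is not the Microsoft CRT. Over Sysmon telemetry that is two checks: Event ID 1 where OriginalFileName differs from the on-disk file name, and Event ID 7 where a watched DLL name loads from the host EXE's own non-OS directory without the signature the genuine DLL would carry (on Event 7 the Signed/Signature fields describe the loaded DLL, not the host). The sample records are constructed; the field names follow Sysmon, the values are made up. The trusted-directory list, the expected signer and the Acme paths are assumptions for illustration.

```python
"""Hunt for the DLL side-loading chain described on this page over Sysmon
events. Added example (not NTT's tooling); SAMPLE_EVENTS are constructed."""
import ntpath

# DLL names worth watching when they load from outside the OS directories.
# MSVCR110.dll is the one on this page; extend the set for other hosts.
WATCHED_DLLS = {"msvcr110.dll"}
# Signer the genuine copy of each watched DLL carries (assumption).
EXPECTED_SIGNER = {"msvcr110.dll": "microsoft corporation"}
# Directories from which these DLLs legitimately load (assumption).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _under_trusted_dir(directory: str) -> bool:
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def renamed_signed_binary(event: dict):
    """Sysmon Event ID 1: on-disk name differs from the PE's OriginalFileName
    (ssvagent.exe is really RtvStart.exe)."""
    if event.get("EventID") != 1:
        return None
    image = ntpath.basename(_norm(event.get("Image", "")))
    original = event.get("OriginalFileName", "").lower()
    if original in ("", "?", "-") or original == image:
        return None
    return f"{image} is a renamed {original}"


def sideloaded_dll(event: dict):
    """Sysmon Event ID 7: a watched DLL loaded from the host EXE's own
    directory, outside the OS directories, without the genuine signer."""
    if event.get("EventID") != 7:
        return None
    loaded = _norm(event.get("ImageLoaded", ""))
    name = ntpath.basename(loaded)
    if name not in WATCHED_DLLS:
        return None
    load_dir = ntpath.dirname(loaded)
    if _under_trusted_dir(load_dir):
        return None
    host = _norm(event.get("Image", ""))
    if ntpath.dirname(host) != load_dir:
        return None  # not the side-loading layout (DLL beside the host EXE)
    signed = event.get("Signed", "").lower() == "true"
    signer = event.get("Signature", "").lower()
    if signed and signer == EXPECTED_SIGNER.get(name):
        return None  # an app shipping the genuine, signed CRT next to itself
    return f"{ntpath.basename(host)} side-loaded {name} from {load_dir}"


def hunt(events):
    """Apply both rules and return the findings in event order."""
    hits = []
    for event in events:
        for rule in (renamed_signed_binary, sideloaded_dll):
            finding = rule(event)
            if finding:
                hits.append(finding)
    return hits


# Constructed Sysmon-shaped records (values made up; paths from this page).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\Apacha\ssvagent.exe",
     "OriginalFileName": "RtvStart.exe", "Company": "Symantec Corporation"},
    {"EventID": 7, "Image": r"C:\ProgramData\Apacha\ssvagent.exe",
     "ImageLoaded": r"C:\ProgramData\Apacha\MSVCR110.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Benign: the CRT loaded from System32.
    {"EventID": 7, "Image": r"C:\Program Files\Acme\acme.exe",
     "ImageLoaded": r"C:\Windows\System32\MSVCR110.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    # Benign: an app that ships the genuine, signed CRT next to its EXE.
    {"EventID": 7, "Image": r"C:\Program Files\Acme\acme.exe",
     "ImageLoaded": r"C:\Program Files\Acme\MSVCR110.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The same-directory test is what separates side-loading from an ordinary DLL search-order hit, and the signer test is what keeps vendors that legitimately redistribute the CRT out of the results; the second host on the Evasion Techniques slide (MicrosoftEdgeUpdate.exe) is covered by the Event ID 1 rule as soon as its on-disk name differs from the original.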
SSV Downloader
MSVCR110.dll
• SSV Downloader
  • Decodes "image9588.jpg"
    › 5-byte XOR key
      » [0x0e, 0x06, 0x33, 0x11, 0x12]
      » This actor prefers 5-byte XOR keys
SSV RAT
Basic RAT
• File operations
  • Download, upload, create, delete, move, copy, search
    › Downloads & executes WerNis RAT
• Process operations
  • Create, kill self
• Traffic
  • RC4 encoded (key: 0x1fa8cc16)
(Diagram: SSV RAT <-> api.flushcdn[.]com / api.hostupoeui[.]com; it downloads the WerNis RAT package: legit EXE + decoder + DATA (encoded WerNis RAT))
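SSV RAT's C&C traffic is RC4 with the key 0x1fa8cc16. The slide gives the key as a 32-bit value rather than as bytes, so the byte order fed to RC4 is an assumption here (little-endian, the way an x86 DWORD lies in memory; the helper also accepts the other order for a sample that turns out to differ). This is an added example, not code from the presentation: a plain RC4 implementation checked against a published known-answer vector, then applied to a constructed message standing in for a captured request body.

```python
"""RC4 decoder for SSV RAT traffic (key 0x1fa8cc16 on the slide). Added
example, not code from the presentation; the byte order of the 32-bit key
is an assumption."""
import struct

SSV_RAT_KEY_DWORD = 0x1FA8CC16
# Assumption: the RAT hands the DWORD to RC4 as it sits in memory on x86,
# i.e. little-endian: 16 cc a8 1f.
SSV_RAT_KEY = struct.pack("<I", SSV_RAT_KEY_DWORD)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_known_answer_ok() -> bool:
    """Check the implementation against the published vector
    key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def decrypt_ssv_rat(ciphertext: bytes, big_endian_key: bool = False) -> bytes:
    """Decrypt an SSV RAT message with the campaign key; flip big_endian_key
    if a captured sample turns out to use the other byte order."""
    key = struct.pack(">I" if big_endian_key else "<I", SSV_RAT_KEY_DWORD)
    return rc4(key, ciphertext)


if __name__ == "__main__":
    assert rc4_known_answer_ok()
    # Constructed message standing in for a captured C&C request body.
    plaintext = b"GET /api/heartbeat host=WIN-ANALYST user=admin"
    wire = rc4(SSV_RAT_KEY, plaintext)
    print(wire.hex())
    print(decrypt_ssv_rat(wire))
```

Because RC4 is symmetric, the same function recovers the plaintext from a packet capture; if decryption of a real sample yields garbage with the little-endian key, try big_endian_key=True before assuming the key on the slide is wrong.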
WerNis RAT
2nd RAT
• Mutex
  • WerNisSvc3
• File operations
  • Download, upload, delete, move, copy, search
    › Downloads & executes Mimikatz
(Diagram: legit EXE + decoder + DATA (encoded WerNis RAT); WerNis RAT <-> info.hostupoeui[.]com; it downloads decoder + DATA (encoded Mimikatz))
WerNis RAT (continued)
• Process operations
  • Create, remote shell
• Information theft
  • System/disk information, desktop screen, keylogging
    › Encoded (XOR 0x7f) and written to "SetEvent.dll"
• Traffic
  • HTTPS communication
Tools
Mimikatz
• mm.exe
  • Decodes crack.dll
    › 5-byte XOR key
      » [0x09, 0x12, 0x0e, 0x47, 0x51]
• crack.dll
  • Encoded Mimikatz
• The attacker used it to exploit Zerologon
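Three artefacts in this section are protected by the same repeating-key XOR: image9588.jpg (5-byte key on the SSV Downloader slide), the WerNis RAT keylog written to SetEvent.dll (single byte 0x7f) and crack.dll decoded by mm.exe (5-byte key). The following is an added example, not NTT's analysis tooling: a decoder for that scheme, and a key-recovery shortcut that works because the decoded payload is a PE file, so XORing the first bytes of the blob against the expected DOS header yields the key without reversing the loader. The three keys are the ones printed on the slides; the PE header prefix (the usual MSVC stub, not guaranteed for every binary) and the sample blob are constructed and are assumptions.

```python
"""Repeating-key XOR decoder and key recovery for the encoded payloads on
this page: image9588.jpg, crack.dll (5-byte keys) and SetEvent.dll (0x7f).
Added example, not NTT's tooling; the sample blob below is constructed."""

SSV_DOWNLOADER_KEY = bytes([0x0E, 0x06, 0x33, 0x11, 0x12])   # image9588.jpg
MIMIKATZ_LOADER_KEY = bytes([0x09, 0x12, 0x0E, 0x47, 0x51])  # crack.dll
WERNIS_LOG_KEY = bytes([0x7F])                               # SetEvent.dll

# First 16 bytes of a typical MSVC-linked PE file. Assumption: the decoded
# payload is a PE with this stub; use any other known prefix if it is not.
PE_DOS_HEADER_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_rolling(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key repeated. Symmetric, so the same
    call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def recover_xor_key(encoded: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of length key_len from a blob whose first
    len(known_plaintext) >= key_len bytes are known (e.g. a PE header).
    The candidate is checked against every known byte, not only the first
    key_len, so a wrong key length raises instead of returning garbage."""
    if len(known_plaintext) < key_len or len(encoded) < len(known_plaintext):
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytes(encoded[i] ^ known_plaintext[i] for i in range(key_len))
    if xor_rolling(encoded[: len(known_plaintext)], key) != known_plaintext:
        raise ValueError("known plaintext is inconsistent with a %d-byte key" % key_len)
    return key


def decode_payload(encoded: bytes, key: bytes) -> bytes:
    """Decode and sanity-check that the result starts like a PE (MZ)."""
    decoded = xor_rolling(encoded, key)
    if decoded[:2] != b"MZ":
        raise ValueError("decoded data does not start with MZ; wrong key?")
    return decoded


if __name__ == "__main__":
    # Constructed stand-in for image9588.jpg: a fake PE header plus filler,
    # encoded the way the SSV Downloader expects it.
    fake_pe = PE_DOS_HEADER_PREFIX + b"\x00" * 48
    blob = xor_rolling(fake_pe, SSV_DOWNLOADER_KEY)
    print("recovered key:", recover_xor_key(blob, PE_DOS_HEADER_PREFIX, 5).hex())
    print("decoded starts with:", decode_payload(blob, SSV_DOWNLOADER_KEY)[:2])
    # crack.dll uses the other 5-byte key; the WerNis keylog a 1-byte key.
    print(xor_rolling(xor_rolling(b"typed text", WERNIS_LOG_KEY), WERNIS_LOG_KEY))
```

For a real sample, pass the first bytes of the downloaded file as encoded and the header of any PE you expect as known_plaintext; if the recovered key does not match the slide, the consistency check tells you immediately that either the prefix or the key length is wrong.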
Attribution
Activity Timeline
(Figure: a timeline from Mar-2019 to Jul-2021 with two rows, RU = Russia and MN = Mongolia. Items as labelled in the figure; dates are given where the following slides confirm them.)
• Mar-2019 (MN): Royal Road RTF -> SSV Dropper -> SSV Downloader
• May-2020: SSV Dropper (looks like Able Soft) -> CobaltStrike Beacon
• Dec-2020 (MN): malicious document files -> PowerShell
• Jan-2021: SSV Dropper -> SSV Downloader, etc.
• Mar-2021 (RU): WerNis RAT + Lockdown Loader + ShadowPad
• May-2021: Lockdown Loader -> ShimRAT
• Also placed on the timeline: Tonto exploited Exchange Server and executed ShadowPad; further SSV Dropper -> SSV Downloader chains, including one in the RU row
Past SSV family cases
In March 2019, SSV Dropper and SSV Downloader were observed in an attack using Royal Road RTF against Mongolia.
(Diagram: Royal Road RTF -> SSV Dropper -> legit EXE + SSV Downloader)
In May 2020, SSV Dropper "AbleRepair.exe" executed CobaltStrike Beacon.
(Diagram: SSV Dropper (AbleRepair.exe) -> legit EXE + decoder + DATA (CobaltStrike Beacon))
Past SSV family cases
In January 2021, SSV Dropper executed SSV Downloader. This may be related to an attack against Mongolia in December 2020.
(Diagram: SSV Dropper (news.exe) -> legit EXE + SSV Downloader; December 2020: document with macro -> PS1 -> drmtake[.]tk, with the link to the SSV chain marked "?")
Past case using WerNis RAT
In March 2021, a Russian defense company submitted several files to VirusTotal at the same time:
• WerNis RAT Loader (with huge padding)
• Lockdown Loader (with huge padding)
• ShadowPad
Lockdown Loader
Characteristics
• A loader for executing encoded malware
• In May 2021, a Lockdown Loader executing ShimRAT was observed
• Mainly observed in Russia
• Sometimes contains huge padding data
(Diagram: Dropper -> legit EXE + Lockdown Loader + DATA -> ShimRAT)
Overlap with others
APT31 (BRONZE VINEWOOD)
• HanaLoader/RAT and the SSV family are similar
  • DLL side-loading
  • File path and name
  • Registry key
  • Self-deleting method
  • Target organization
  • Use of Mimikatz
Using TopDNS as name server
• Operation Software Concepts
• Russian incident (March 2021)
• Recent Mofang activities
Overlap with others
Vicious Panda
• Same target
  • 2020/03
    › Royal Road RTF
  • 2021/08
    › SSV Dropper
https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
Overlap summary
(Figure: a relationship graph linking groups, incidents and tools.)
• Threat groups: APT31, Tonto, Mofang
• Incident clusters: Secureworks report, recent Mofang activity, Royal Road related attack, Microsoft Exchange related attack, Operation Software Concepts, Russian incident
• Shared elements: SSV RAT, SSV Downloader, SSV Dropper, WerNis RAT, Lockdown Loader, ShadowPad, ShimRAT, TopDNS name server
Wrap-Up
Operation Software Concepts
• Targets the Russian and Mongolian government or defense sector
• Multiple stages
  • SSV Dropper drops and executes SSV Downloader
  • SSV Downloader downloads SSV RAT for remote operation
  • WerNis RAT and Mimikatz can additionally be downloaded and executed
• The SSV family has been in use since at least March 2019
• Overlaps with various attack groups such as Tonto, APT31 and Mofang
  • One of these groups may be behind the attack, or the tools may be shared between them
Any Questions?
Appendix: IOC
• SSV Dropper
  • 2b495829b8b3319f98e22f35d7bd48c4dea1b9bafe80749d628da99fede6d694
  • c3bf8fb3dbbce74d3448d7608ea6dd0567f6bcc437693abd1dcab0ab7fb48155
  • 5d0872d07c6837dbc3bfa85fd8f79da3d83d7bb7504a6de7305833090b214f2c
  • 78cc364e761701455bdc4bce100c2836566e662b87b5c28251c178eba2e9ce7e
  • be5431c999094078e617ce27d27a064b44616421bde334e0bc6fe625ce961ced
  • 002dc9f6823ad8d3de23bcb5e41bcefd895df573ed3d89e0821243aa9b7bb4a8
  • 679955ff2a97ea11a181ae60c775eff78fadd767bc641ca0d1cff86a26df8ac8
  • 8276c2c3a9680de856f5d6dc920a63445b430496ad16c0f3f45ccaf0e995b296
  • 874b946b674715c580e7b379e9597e48c85c04cca3a2790d943f56600b575d2f
  • 33f136069d7c3a030b2e0738a5ee80d442dee1a202f6937121fa4e92a775fead
  • 80de328bd22e08855af9d05532b89087d2605f6c469925f48e1cc774e7375304
  • eb1005ae12b883a69e81d0f1c0dd162b5e48ada337c163ffbca5d62473913a73
  • 9ad30d25e74c272a7965f52a5c06f7343df9a493d21d16b339cc0dc65be8cc2a
• SSV Downloader
  • cff71b69e36cd552ab2eb9bc605269bb6859ddaff2151d1361b0306b922f8a0f
  • c15a475f8324fdfcd959ffc40bcbee655cbdc5ab9cbda0caf59d63700989766f
  • 93eb4a701aac14be362389665a36f7f0747f118e3fc2095bb93c0ceff72ae605
  • 00cf3b462059908085fef43e65417e0cca1ac0314cad8af7d89fb34c01f75a03
  • 4d9c89a590deb5f3cda6001ea46f8fe2a6ada74e75a8ad14f5c1d14c2980dc47
  • 71bd4e5847776d6731510220c3fdf16ad7a55088bd43681cdb408cb9fde59b3d
  • 7a16da50a63f7a181d07b45ae552c87ee9ffeb78c512405bd9bf6243f920d56c
  • 48ca9a8188c6d640f20c93a9a106cedc0f78251e4f6c5ad4eacc0266862c9499
  • 9b0557eda035fc5817c2a6ab33859bb824389638afc41f9ba49221b312638b64
  • e724b1ffb3b7aea4c9397a8db348fac3576633faced1c80c739bb439f8b3f8fa
  • 354bd3dc0f36663e12ec38e302dcfc7a3e57ee13dced3c8a2ff0257532106d3d
  • b65c14519f2de3115051b0b0ad7ec1cd207ac66228c95006abc9a6b660c2c278
  • 0b3d5dd39b60eb43298f4ab89f2c339acf4dc8609d2f7ad6fa1649fd36f5da88
  • 34524a538828a976a131c1a9f38294fd50faf0bf671b299e5978b063d3532604
  • 61f2a08b3d113fcb57693fb4d392e8327e688e2f126c4286b3d00d72b5098e09
  • 900b77a3fb472a8c7a7853e16c736a7eee5607a13bff3c904700815039d0ac90
• SSV RAT
  • 3e3a7233b46f59ae480f970a9a405756a576447e10676f59c61381ba2789a7cf
  • 2affdebbaa4f0cfa64e5c42e70d78665ef9ccb2c731c5fe07582ccdfdc05b0cc
  • 727302e57ca2cc3d514786adf940ce1f6665905664856a89ff6be5eb90b1121c
  • 7b68299383c3f896e13a5990febba55c7ae6f615e07705125aa15771cd401f5d
  • b993aab918421ad79964d5d719a4988778ab5a09fc4c699a041fd07fc678dcb5
  • 070eeb088a46942f50832a3207ab44b843f293f9685344e04744fe4586f9631e
• WerNis RAT
  • 72c4c4d80f5878fe80c7cd2552020ea1c7e2c1d1b5ce7fa6b8a172b050d70aac
  • a2c65fd4baa610e4d6c764d5ac2cbbce8b4226ca34ce34a8544a5dd09e056a48
  • 54d299f45472f0b5aebf7d5461723a23687f521c0878b4a364a25f92372abab1
• Mimikatz
  • 596070358c9cff3358f265cbc4d518c37edb748126dc1b9cdff31943c9608e54
  • 2b391473abb5608f666fde872e8c2f126e126034143f39a159c9e13daa056d2c
• Lockdown Loader
  • 5bc1ea08648b5683b506fe2934999b881516f286b421b92cb45ec8ad8aeb7481
  • aaf8bb3d65022444cea3b4810a519b3fb2cecd6fa1c2aae8ef4a55a5f6a007ae
  • 3b3357f44d2ab14090dd77c1d49be70bfe1f8183cd9f30bfbb1cd845587af4d2
  • d4ed5d54f422e7702667e0d7723249e5966b52450adf95e7998358c18d3ca2b2
  • 9b0c3478bb2a8f08fca66faaf4a005bf6002266a87e9e6a53690ac4207d2c496
  • 905e4e31a499b4982470ed69c756464f3ad5df4e6242fb299ed54d572ffe18f5
  • 58cc619c251087e56f761a5c277218785b76138eae357b0f12f955ddf59f5fff
  • 25750e8196ba73188a91eba8fb2c767bda7450361acc869fbfc86829ed2888e5
• ShimRAT
  • 4ce6e6da83eb521e8735c178b711449c37d2224414a4f05b394e6f80e936a5b4
  • 1098eb0ca4e34ca63ba40dd537d00e858c36e14044a6a592c306877401478ffe
  • d158cf4fa1a954d1fd5609f67a764fbab188dc03916400caaa15b4c3500ea291
• ShadowPad
  • 83025b94d64e778d9ab800152b239ddc5b19074779d164af89da564367f8aee0
• Malicious document files
  • b83b1a3fbec8bf0a54bf03ebd89c82d1da00b3012d135974b0183545a3878621
  • a92d4b23c85c59c60227a26a9aac6a38520b2d5b52424db2962257c14198501a
  • a3e81e5bbf5beeb9568f0c801b2407e33cf9bcc0c12842d6bd6bc62280add81d

[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

Mehr von CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Kürzlich hochgeladen

Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...amilabibi1
 
Zone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptxZone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptxlionnarsimharajumjf
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIINhPhngng3
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfSkillCertProExams
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...David Celestin
 
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...ZurliaSoop
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfMahamudul Hasan
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoKayode Fayemi
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalFabian de Rijk
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 
Introduction to Artificial intelligence.
Introduction to Artificial intelligence.Introduction to Artificial intelligence.
Introduction to Artificial intelligence.thamaeteboho94
 
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven CuriosityUnlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven CuriosityHung Le
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 

Kürzlich hochgeladen (17)

Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 
Zone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptxZone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptx
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
 
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of Drupal
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Introduction to Artificial intelligence.
Introduction to Artificial intelligence.Introduction to Artificial intelligence.
Introduction to Artificial intelligence.
 
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait Cityin kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
 
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven CuriosityUnlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 

[CB21] Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon by Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe

1. Operation Software Concepts
Beautiful Envelope for Wrapping Weapon
NTT Security (Japan) KK
Rintaro Koike, Shogo Hayashi, Ryuichi Tanabe

2. About us
© NTT All Rights Reserved
• Rintaro Koike (小池 倫太郎)
  • Security analyst at NTT Security Japan (threat research, malware analysis)
  • Founder of nao_sec
• Shogo Hayashi (林 匠悟)
  • Security analyst at NTT Security Japan (responding to EDR detections, creating custom signatures)
  • Co-founder of SOCYETI
• Ryuichi Tanabe (田邉 龍一)
  • Security analyst at NTT Security Japan (responding to EDR detections, malware analysis)
  • Speaker at VB2021 localhost, TheSAS2021

3. Motivation & Goal
Operation Software Concepts
• Introducing the campaign overview
  • Targets, characteristics, purpose
• Showing detailed analysis results
  • SSV Dropper, SSV Downloader, SSV RAT and WerNis RAT
• Considering relationships and attribution

4. Agenda
2021
1. Attack Overview
2. Malware Analysis
3. Attribution
4. Wrap-Up
5. Attack Flow
(Diagram; labels as recovered from the slide)
• SSV Dropper (SCR) -> Create & Execute -> Legitimate-A (EXE) -> Load -> SSV Downloader (DLL)
• SSV Downloader -> Download from Malware Server -> SSV RAT (Legitimate-B EXE + Data) -> C&C Server-A
• SSV RAT -> Download -> WerNis RAT (Legitimate-C EXE + Decoder DLL + Data) -> Load, Inject -> C&C Server-B
• WerNis RAT -> Download -> Loader (EXE) + Data -> Execute -> Mimikatz -> Zerologon -> Domain Controller

6. Evasion Techniques
Techniques used in Operation Software Concepts
• Valid signature
  • SSV Dropper
• DLL Side-Loading
  • Symantec Endpoint Protection (RtvStart.exe)
  • Microsoft Edge Update (MicrosoftEdgeUpdate.exe)
• Process Injection
  • WerNis RAT (dllhost.exe)
• Loader & Encoded Data
  • SSV Downloader, WerNis RAT, Mimikatz

7. Attack Operation Timeline (2021-04-22)
Time (JST)      Object       Description
16:32           SSV RAT      Executed and accessed the C&C server
16:44 – 16:55   SSV RAT      Investigated the host environment
17:09           SSV RAT      Downloaded WerNis RAT from the C&C server
17:15           WerNis RAT   Executed and accessed the C&C server
17:17 – 17:43   WerNis RAT   Investigated the Active Directory environment
17:52           Mimikatz     Exploited the DC with Zerologon
17:47 – 17:56   WerNis RAT   Captured the desktop many times
18:08           -            Attacker stopped the operation
8. Malware Analysis

9. SSV Dropper
With a valid signature
• SOFTWARE CONCEPTS LIMITED
1. Drops exe + dll files
  • C:\ProgramData\Apacha
    › ssvagent.exe
    › MSVCR110.dll
2. Executes ssvagent.exe
(Diagram: SSV Dropper (Signed) -> Legit EXE + SSV Downloader)

10. SSV Downloader
DLL Side-Loading
• ssvagent.exe
  • Legitimate & signed exe file
    › Symantec Endpoint Protection (RtvStart.exe)
• MSVCR110.dll
  • SSV Downloader
  • Downloads the encoded SSV RAT
    › https[:]//www.flushcdn[.]com/download/image9588.jpg
(Diagram: Legit EXE + SSV Downloader -> www.flushcdn[.]com -> SSV RAT)

11. SSV Downloader
MSVCR110.dll
• SSV Downloader
  • Decodes "image9588.jpg"
    › 5-byte XOR
      » [0x0e, 0x06, 0x33, 0x11, 0x12]
      » This actor prefers to use 5-byte XOR
12. SSV RAT
Basic RAT
• File operation
  • Download, upload, create, delete, move, copy, search
    › Download & execute WerNis RAT
• Process operation
  • Create, kill self
• Traffic
  • RC4 encoded (Key: 0x1fa8cc16)
(Diagram: SSV RAT -> DATA + Legit EXE + Decoder -> WerNis RAT (Encoded); C&C: api.flushcdn[.]com, api.hostupoeui[.]com)

13. WerNis RAT
2nd RAT
• Mutex
  • WerNisSvc3
• File operation
  • Download, upload, delete, move, copy, search
    › Download & execute Mimikatz
(Diagram: DATA + Legit EXE + Decoder -> WerNis RAT (Encoded); C&C: info.hostupoeui[.]com; DATA + Decoder -> Mimikatz (Encoded))

14. WerNis RAT
2nd RAT
• Process operation
  • Create, remote shell
• Information theft
  • System/disk information, desktop screen, keylogging
    › Encoded (XOR 0x7f) & written to "SetEvent.dll"
• Traffic
  • HTTPS communication

15. Tools
Mimikatz
• mm.exe
  • Decodes crack.dll
    › 5-byte XOR
      » [0x09, 0x12, 0x0e, 0x47, 0x51]
• crack.dll
  • Encoded Mimikatz
• The attacker exploited Zerologon
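The SSV Downloader (image9588.jpg, slide 11), the Mimikatz loader mm.exe (crack.dll, slide 15) and the WerNis RAT data file (XOR 0x7f, slide 14) all use the same repeating-key XOR scheme, which an analyst can undo with one small decoder. The following is an added example written for this page, not code from NTT Security or the presentation; it assumes that the encoded payloads decode to PE files, so the typical MS-DOS stub header can serve as known plaintext to recover a key whose value is not known, and every blob it works on is constructed here.

```python
"""Decoder for the repeating-key XOR layers described on the slides (added
example, not the presenters' code). Assumption: an encoded payload decodes
to a PE file, whose typical DOS stub header is used as known plaintext to
recover an unknown repeating key. All sample data is constructed."""
from itertools import cycle
from typing import Optional

# Keys quoted on the slides.
SSV_DOWNLOADER_KEY = bytes([0x0E, 0x06, 0x33, 0x11, 0x12])   # image9588.jpg -> SSV RAT
MIMIKATZ_LOADER_KEY = bytes([0x09, 0x12, 0x0E, 0x47, 0x51])  # crack.dll -> Mimikatz
WERNIS_DATA_KEY = bytes([0x7F])                              # SetEvent.dll (stolen data)

# First 16 bytes of a typical PE/DOS stub header: "MZ", e_cblp=0x90, e_cp=3,
# e_crlc=0, e_cparhdr=4, e_minalloc=0, e_maxalloc=0xffff (assumption, not universal).
PE_HEADER_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")

# Constructed stand-in for a decoded payload: header prefix plus filler bytes.
SAMPLE_PLAINTEXT = PE_HEADER_PREFIX + b"\x00" * 16 + b"constructed payload body"


def xor_rolling(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Symmetric: the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes, key_len: int,
                    known_prefix: bytes = PE_HEADER_PREFIX) -> Optional[bytes]:
    """Recover a repeating key of key_len bytes from an encoded blob, assuming
    the plaintext starts with known_prefix. Each key byte is derived from every
    prefix offset that uses it; if those offsets disagree, the assumed prefix
    or key length is wrong and None is returned instead of a bogus key."""
    if key_len <= 0 or len(known_prefix) < key_len or len(blob) < len(known_prefix):
        return None
    key = bytearray()
    for i in range(key_len):
        candidates = {blob[j] ^ known_prefix[j]
                      for j in range(i, len(known_prefix), key_len)}
        if len(candidates) != 1:
            return None
        key.append(candidates.pop())
    return bytes(key)


def guess_xor_key(blob: bytes, max_len: int = 8) -> Optional[bytes]:
    """Try key lengths 1..max_len and return the shortest key consistent with
    the PE-header assumption (covers the 5-byte keys on the slides as well as
    single-byte keys). Returns None when no length fits."""
    for key_len in range(1, max_len + 1):
        key = recover_xor_key(blob, key_len)
        if key is not None:
            return key
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Recover the key and return the decoded payload, or None if no key fits."""
    key = guess_xor_key(blob)
    return None if key is None else xor_rolling(blob, key)


if __name__ == "__main__":
    # Encode the constructed payload the way crack.dll is described, then recover the key.
    blob = xor_rolling(SAMPLE_PLAINTEXT, MIMIKATZ_LOADER_KEY)
    print("recovered key:", guess_xor_key(blob).hex())
    print("decoded starts with MZ:", decode_payload(blob)[:2] == b"MZ")
```

For the WerNis RAT data file the key 0x7f is already given on the slide, so `xor_rolling(data, WERNIS_DATA_KEY)` is enough; the key recovery is only for an unknown key over a PE payload.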
16. Attribution

17. Activity Timeline
(Diagram; labels as recovered from the slide)
• Timeline axis: Mar-2019, May-2020, Dec-2020, Jan-2021, Mar-2021, May-2021, Jul-2021
• Country markers: RU, MN
• Events: WerNis RAT + Lockdown Loader + ShadowPad; SSV Dropper -> SSV Downloader; Royal Road RTF -> SSV Dropper -> SSV Downloader; SSV Dropper (looks like Able Soft) -> CobaltStrike Beacon; Malicious document files -> PowerShell; SSV Dropper -> SSV Downloader etc.; Tonto exploited Exchange Server and executed ShadowPad; SSV Dropper -> SSV Downloader; Lockdown Loader -> ShimRAT

18. Past SSV family cases
• In March 2019, SSV Dropper and SSV Downloader were observed in an attack using Royal Road RTF against Mongolia
• In May 2020, SSV Dropper "AbleRepair.exe" executed CobaltStrike Beacon
(Diagram: Royal Road RTF -> SSV Dropper -> Legit EXE + SSV Downloader; SSV Dropper (AbleRepair.exe) -> DATA + Legit EXE + Decoder -> CobaltStrike Beacon)

19. Past SSV family cases
• In January 2021, SSV Dropper executed SSV Downloader. This may be related to an attack case against Mongolia in December 2020.
(Diagram: SSV Dropper (news.exe) -> Legit EXE + SSV Downloader; December 2020: document with macro -> PS1 -> drmtake[.]tk; the link between the two is marked "?")

20. Past case using WerNis RAT
In March 2021, a Russian defense company submitted several files to VirusTotal at the same time
• WerNis RAT Loader (with huge padding)
• Lockdown Loader (with huge padding)
• ShadowPad

21. Lockdown Loader
Characteristics
• A loader for executing encoded malware
• In May 2021, a Lockdown Loader executing ShimRAT was observed
• Mainly observed in Russia
• Sometimes contains huge padding data
(Diagram: Dropper -> DATA + Legit EXE + Lockdown Loader -> ShimRAT)
22. Overlap with others
APT31 (BRONZE VINEWOOD)
• HanaLoader/RAT and the SSV family are similar
  • DLL Side-Loading
  • File path and name
  • Registry key
  • Self-deleting method
  • Target organization
  • Using Mimikatz
Using TopDNS as name server
• Operation Software Concepts
• Russian incident (in March 2021)
• Recent Mofang activities

23. Overlap with others
Vicious Panda
• Same target
  • 2020/03
    › Royal Road RTF
  • 2021/08
    › SSV Dropper
https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/

24. Relationship map
(Diagram; labels as recovered from the slide)
• Groups: APT31, Tonto, Mofang
• Reports and cases: Secureworks Report, Recent Mofang Activity, Royal Road Related Attack, Microsoft Exchange Related Attack, Operation Software Concepts, Russian Incident
• Tools and infrastructure: SSV RAT, SSV Downloader, SSV Dropper, WerNis RAT, Lockdown Loader, ShadowPad, ShimRAT, TopDNS NameServer

25. Wrap-Up

26. Wrap-Up
Operation Software Concepts
• Targeting the Russian and Mongolian government or defense sector
• Multiple stages
  • SSV Dropper drops and executes SSV Downloader
  • SSV Downloader downloads SSV RAT to operate remotely
  • WerNis RAT and Mimikatz can additionally be downloaded and executed
• The SSV family has been in use since at least March 2019
• Overlaps with various attack groups such as Tonto, APT31 and Mofang
  • One of these groups may have carried out the attack, or the tools may be shared between these groups

27. Any Questions?
28. Appendix: IOC (slides 28–35)
• SSV Dropper
• SSV Downloader
• SSV RAT
• WerNis RAT
• Mimikatz
• Lockdown Loader
• ShimRAT
• ShadowPad
• Malicious document file