© 2022 JPCERT/CC
Fight Against Malware Development Life Cycle
CODE BLUE 2022

Problem of Incident Response
Attacker vs Defender
We are in the Malware Development Life Cycle…

Malware Analysis Operations (MAOps)
Surface Analysis
Runtime Analysis
Static Analysis
Create YARA Rule
Finished analysis …

All roads lead to AUTOMATION!
Surface Analysis, Runtime Analysis, Static Analysis, Create YARA Rule: Automation!

Problem of MAOps
Attacker vs Malware Analyst
Changed C2 server
Changed encrypt key
Added new function
STOP

Problem of MAOps
Maintenance of malware analysis tools is hard work.
Creating a lot of malware analysis tools requires the maintenance of many tools.
We need methods to counter the attacker's development lifecycle.

Goal of This Presentation
This presentation shares methods for building analytical tools to counter the attacker's lifecycle.

Approach
Technologies such as CI/CD and serverless are methods that make system maintenance and release more efficient.
Cloud services can be a solution to the problems of malware analysts.
We managed the Malware Analysis System on Cloud.
Use cloud services, CI/CD, serverless, and Infrastructure as Code (IaC) to fight the malware development life cycle.

Advantages of Using the Cloud for Malware Analysis
IP addresses can be changed dynamically
Easy to update analysis tools
Easy to build scale-out systems
No server provisioning or maintenance required
Low maintenance costs

Malware Analysis System on Cloud
Scanner
Memory Forensic
Surface Analysis
Sandbox
YARA
Log Analysis
Threat Research

Presentation Topics
1 Malware C2 Monitoring
2 Malware Hunting using Cloud
3 YARA CI/CD system
4 Surface Analysis System on Cloud
5 Memory Forensic on Cloud

Malware C2 Monitoring
Monitoring the attacker's C2 server is important to understand their activity.
Notes:
Blocked access to the C2 server.
Targeted by an attacker.
Cloud services solve these problems.

Case1: Monitoring the Lucky Visitor Scam C2

Lucky Visitor Scam Infrastructure
[Diagram: C2 Server, Compromised Server, Scam Server, and the victim's browser]
#1 Website access
#2 Send client information
#3 Reply scam server URL
#4 Send scam server URL
#5 Access scam website

PHP Backdoor Installed in Compromised Server
[Diagram: C2 Server and the compromised server running the PHP backdoor]

Request to C2 for Redirect URL
$ curl -i -X POST http[:]//144.76.47[.]168/app/assets/api2?action=redir -d
"ip=153.213.10.51&qs=dfaljfadfa.com%2Findex.php%3Ffc858f%3DiPhone-Apple-Windows&ua=Mozilla%2F5.0
(...) &conn=close&uid=fb06bc98-576a-d5df-2195-a4b0a64bec44" -H "User-Agent: " -H "Accept: "
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Tue, 23 Feb 2021 23:46:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 590
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";s:524:"<html>
<head>
<META http-equiv="refresh" content="1;URL=https[:]//finishsandperson-
9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d">
<script>
window.location = "https[:]//finishsandperson-
9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d";
</script>
</head>
<body>
To the new location please <a href="https[:]//finishsandperson-
9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d"><b>click here.</b></a>
</body>
</html>";}}
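The serialized reply above is what a monitoring job has to parse before it can report the scam URL to Google Safe Browsing. The following is an added example, not code from the JPCERT/CC system: a minimal parser for the PHP serialize() subset the reply uses (arrays, strings, integers) plus an extractor for the window.location redirect target, run on a constructed sample reply with a placeholder scam domain and token.

```python
import re
from typing import Any, Optional, Tuple

# Constructed sample: the HTML the C2 returns inside its serialized reply
# (same shape as the real reply on the slide; domain and token are placeholders).
SAMPLE_HTML = (
    "<html>\n<head>\n"
    '<META http-equiv="refresh" content="1;URL=https://scam.example/?utm_campaign=TOKEN&t=main7d">\n'
    "<script>\n"
    'window.location = "https://scam.example/?utm_campaign=TOKEN&t=main7d";\n'
    "</script>\n</head>\n<body>\n"
    'To the new location please <a href="https://scam.example/?utm_campaign=TOKEN&t=main7d">'
    "<b>click here.</b></a>\n</body>\n</html>"
)


def php_serialize_sample(html: str) -> bytes:
    """Wrap HTML the way the C2 does: a:2:{type=>redir, data=>a:1:{code=>html}}."""
    body = html.encode("utf-8")
    return (
        b'a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";s:'
        + str(len(body)).encode() + b':"' + body + b'";}}'
    )


def _parse(buf: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one PHP-serialized value at `pos`; return (value, next position)."""
    tag = chr(buf[pos])
    if tag == "i":                                   # i:<int>;
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if tag == "s":                                   # s:<bytelen>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])             # PHP counts bytes, not chars
        start = colon + 2                            # skip :"
        value = buf[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2             # skip ";
    if tag == "a":                                   # a:<count>:{key;value...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            result[key] = val
        return result, pos + 1                       # skip }
    raise ValueError(f"unsupported PHP type {tag!r} at offset {pos}")


def php_unserialize(data: bytes) -> Any:
    """Minimal unserialize() for the subset the C2 reply uses (a, s, i)."""
    value, _ = _parse(data, 0)
    return value


REDIRECT_RE = re.compile(r'window\.location\s*=\s*"([^"]+)"')


def extract_redirect_url(reply: bytes) -> Optional[str]:
    """Return the scam URL from a 'redir' reply, or None for any other reply."""
    msg = php_unserialize(reply)
    if not isinstance(msg, dict) or msg.get("type") != "redir":
        return None
    code = msg.get("data", {}).get("code", "")
    match = REDIRECT_RE.search(code)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(extract_redirect_url(php_serialize_sample(SAMPLE_HTML)))
```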

PHP Backdoor Installed in Compromised Server
PHP Backdoor Features
check: Displays the number of files stored on the server
templates: Creates a .html file for templates
keywords: Creates a .lst file for keywords
update_sitemap: Updates sitemap.xml
pages: Creates a new page
ping: Sends a sitemap.xml URL to Google and Bing
robots: Creates robots.txt
eval: Runs PHP code

Lucky Visitor Scam C2
Attackers use different C2 servers over time.
IP Address     | Status
144.76.47.168  | 〇
144.76.51.144  | ×
178.63.30.186  | 〇
178.63.30.30   | 〇
178.63.34.6    | ×
5.9.146.0      | ー
5.9.235.245    | 〇
5.9.239.221    | ×
5.9.34.13      | 〇
5.9.37.245     | ×
94.130.71.28   | ×

Flow of Lucky Visitor Scam Countermeasures
Automatically execute the process below, from discovering C2 servers to blocking redirects in web browsers.
1. Get PHP content from VT
2. Check C2
3. Get redirect URL from C2
4. Report to Google Safe Browsing
5. Blocked by web browser

Monitoring the Lucky Visitor Scam C2 System (AWS)
[Architecture diagram: an Amazon EventBridge event runs AWS Lambda; Lambda gets HTML content from VirusTotal and the C2, puts IoCs into an Amazon S3 output bucket, git-pushes them to a private GitHub repository and reports to Google Safe Browsing; GitHub Actions checks out the IoCs and git-pushes them to the public repository]

Monitoring the Lucky Visitor Scam C2 System
https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC

Monitoring the Lucky Visitor Scam C2 System (GCP)
[Architecture diagram: Cloud Scheduler event runs Cloud Functions; the function gets HTML content from the C2, puts IoCs into Cloud Storage, git-pushes them to a private GitHub repository and reports to Google Safe Browsing; GitHub Actions checks out the IoCs and git-pushes them to the public repository]

Access Control for C2 Server
The C2 server is inaccessible from Japan.

C2 Activity
[Chart: count of C2 activity per hour of day, hours 0 to 23 (UTC+9), y-axis 0 to 350]
Investigation of the attacker's redirect URL delivery cycle.

Malware Hunting using Cloud
Malware hunting gets unknown IoCs and can be used for incident detection.
Get IoCs
Download malware
Analyze malware
Hunt and detect incident

Case2: Cobalt Strike Beacon Hunting
Cobalt Strike is a popular penetration tool among attackers. [1]
Cobalt Strike's C2s are found in large numbers and cannot all be analyzed manually.

Flow of Cobalt Strike Beacon Hunting
Automatically execute everything from discovering C2 servers to hunting the Cobalt Strike beacon.
1. Get C2 server from VT
2. Download Cobalt Strike beacon
3. Analyze Cobalt Strike beacon
4. Publish configuration

C2 Server Data
Extract a list of IP addresses of Cobalt Strike's servers from VirusTotal.
VT API:
https://www.virustotal.com/api/v3/intelligence/search?query=entity%3Aip%20comment%3A%23cobaltstrike&limit=300&descriptors_only=true

Default URL Path for Cobalt Strike Beacon
Many C2 servers do not change the default URL path.
Default URL path for Cobalt Strike beacon:
32bit: /aaa9, /aab8
64bit: /aab9, /aac8

Configuration Data
The configuration data in the Cobalt Strike beacon is encoded with XOR 0x2E.

Configuration Index
set  | Description                                    | Remarks
0x01 | BeaconType                                     | 0=HTTP, 1=Hybrid HTTP and DNS, 8=HTTPS
0x02 | Port number                                    |
0x03 | Polling time                                   |
0x04 | Unknown                                        |
0x05 | Jitter                                         | Ratio of jitter in polling time (0-99%)
0x06 | Maxdns                                         | Maximum length of host name when using DNS (0-255)
0x07 | Unknown                                        |
0x08 | Destination host                               |
0x09 | User agent                                     |
0x0a | Path when communicating HTTP_Header2           |
0x0b | Unknown                                        |
0x0c | HTTP_Header1                                   |
0x0d | HTTP_Header2                                   |
0x0e | Injection process                              |
0x0f | Pipe name                                      |
0x10 | Year                                           | Stops operating after the specified date by Year, Month, Day
0x11 | Month                                          |
0x12 | Day                                            |
0x13 | DNS_idle                                       |
0x14 | DNS_Sleep                                      |
0x1a | HTTP_Method1                                   |
0x1b | HTTP_Method2                                   |
0x1c | Unknown                                        |
0x1d | Process to inject arbitrary shellcode (32bit)  |
0x1e | Process to inject arbitrary shellcode (64bit)  |
0x1f | Unknown                                        |
0x20 | Proxy server name                              |
0x21 | Proxy user name                                |
0x22 | Proxy password                                 |
0x23 | AccessType                                     | 1 = Do not use proxy server, 2 = Use IE configuration in the registry, 4 = Connect via proxy server
0x24 | create_remote_thread                           | Flag whether to allow creating threads in other processes
0x25 | Not in use                                     |
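To publish beacon configurations at scale, the hunting job has to decode the blob (XOR 0x2E, as the Configuration Data slide states) and map each setting index to the names in the table above. The following is an added example, not JPCERT/CC's parser: it XORs the blob, then walks the settings assuming the publicly documented per-setting layout (big-endian 16-bit index, type and length followed by the value; type 1 = short, 2 = int, 3 = bytes), which the slides themselves do not show. The sample blob is constructed inline with placeholder host and path values.

```python
import struct
from typing import Dict, Union

XOR_KEY = 0x2E  # beacon config encoding key from the slide

# Setting index -> name, taken from the configuration index table on the slide
SETTING_NAMES = {
    0x01: "BeaconType", 0x02: "Port number", 0x03: "Polling time", 0x05: "Jitter",
    0x06: "Maxdns", 0x08: "Destination host", 0x09: "User agent",
    0x0A: "Path when communicating HTTP_Header2", 0x0C: "HTTP_Header1",
    0x0D: "HTTP_Header2", 0x0E: "Injection process", 0x0F: "Pipe name",
    0x10: "Year", 0x11: "Month", 0x12: "Day", 0x13: "DNS_idle", 0x14: "DNS_Sleep",
    0x1A: "HTTP_Method1", 0x1B: "HTTP_Method2",
    0x1D: "Process to inject arbitrary shellcode (32bit)",
    0x1E: "Process to inject arbitrary shellcode (64bit)",
    0x20: "Proxy server name", 0x21: "Proxy user name", 0x22: "Proxy password",
    0x23: "AccessType", 0x24: "create_remote_thread",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP and DNS", 8: "HTTPS"}
ACCESS_TYPES = {1: "Do not use proxy server", 2: "Use IE configuration in the registry",
                4: "Connect via proxy server"}

# Assumed per-setting layout (not on the slide): >H index, >H type, >H length, value
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3


def xor_transform(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def parse_config(encoded: bytes, key: int = XOR_KEY) -> Dict[int, Union[int, str]]:
    """Decode the blob and return {setting index: value}; stops at a zero index."""
    raw = xor_transform(encoded, key)
    settings: Dict[int, Union[int, str]] = {}
    pos = 0
    while pos + 6 <= len(raw):
        index, vtype, length = struct.unpack_from(">HHH", raw, pos)
        pos += 6
        if index == 0 or pos + length > len(raw):
            break                                   # end marker or truncated blob
        value = raw[pos:pos + length]
        pos += length
        if vtype == TYPE_SHORT and length == 2:
            settings[index] = struct.unpack(">H", value)[0]
        elif vtype == TYPE_INT and length == 4:
            settings[index] = struct.unpack(">I", value)[0]
        else:                                       # fixed-size, NUL-padded buffers
            settings[index] = value.rstrip(b"\x00").decode("utf-8", "replace")
    return settings


def describe(settings: Dict[int, Union[int, str]]) -> Dict[str, Union[int, str]]:
    """Map indices to the slide's names and expand the enumerated fields."""
    out: Dict[str, Union[int, str]] = {}
    for index, value in settings.items():
        name = SETTING_NAMES.get(index, f"Unknown (0x{index:02x})")
        if index == 0x01 and isinstance(value, int):
            value = BEACON_TYPES.get(value, value)
        elif index == 0x23 and isinstance(value, int):
            value = ACCESS_TYPES.get(value, value)
        out[name] = value
    return out


def _setting(index: int, vtype: int, value: Union[int, bytes]) -> bytes:
    """Build one raw (not yet XORed) setting; used only to construct the sample."""
    if vtype == TYPE_SHORT:
        payload = struct.pack(">H", value)
    elif vtype == TYPE_INT:
        payload = struct.pack(">I", value)
    else:
        payload = value
    return struct.pack(">HHH", index, vtype, len(payload)) + payload


# Constructed sample blob (placeholder host and path), encoded like a real beacon
SAMPLE_CONFIG = xor_transform(
    _setting(0x01, TYPE_SHORT, 8)
    + _setting(0x02, TYPE_SHORT, 443)
    + _setting(0x03, TYPE_INT, 60000)
    + _setting(0x05, TYPE_SHORT, 20)
    + _setting(0x08, TYPE_BYTES, b"c2.example".ljust(256, b"\x00"))
    + _setting(0x0A, TYPE_BYTES, b"/data/post".ljust(64, b"\x00"))
    + _setting(0x23, TYPE_SHORT, 1)
    + b"\x00" * 6                                   # zero index ends the settings
)

if __name__ == "__main__":
    for name, value in describe(parse_config(SAMPLE_CONFIG)).items():
        print(f"{name}: {value}")
```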

Cobalt Strike Beacon Hunting System
[Architecture diagram: an EventBridge event runs Lambda; Lambda gets the server list from VirusTotal and the beacon from the Cobalt Strike C2, puts the config into an S3 output bucket and git-pushes it to a private GitHub repository; GitHub Actions checks it out and git-pushes to the public repository; a REST API behind API Gateway and WAF lets a client run the analysis on demand]

Published Configuration Repository
https://github.com/JPCERTCC/CobaltStrike-Config

REST API
https://[mask]/cs-scan-api?scan=http://185.38.142.75:80/aaa9
You do not need to download the Cobalt Strike Beacon to analyze it.

Changes in Cobalt Strike C2 (Daily)
[Chart: daily count of Cobalt Strike C2 servers, 2/17/2022 to 8/17/2022, y-axis 0 to 200]

YARA CI/CD System
Creation of YARA rules must be done manually by the malware analyst, and automation of YARA rule creation is a challenge.
Since creating YARA rules cannot be automated in general, malware analysts create them manually and spend too much time on it.
For some malware with distinctive characteristics, rules can be created automatically.

Case3: HUI Loader Analysis System
[Diagram: Legitimate DLL → HUI Loader → Encoded Malware Data]
HUI Loader used in APT10, Blue Termite, A41APT and DEV-0401.
Decode code:
dec_data = bytearray()
for i in range(len(enc_data)):
    # XOR each byte with 0x20 and the repeating key
    data = ord(enc_data[i]) ^ 0x20 ^ ord(key[i % len(key)])
    dec_data.append(data)

Overview of HUI Loader Timeline
2015 Jan: APT10 started using HUI Loader
2015 Apr: Blue Termite started using HUI Loader
2016 Jul: Password randomized; DLL injection
2020 Jun: A41APT started using HUI Loader
2021 Aug: DEV-0401 started using HUI Loader
2021 Dec: Security features bypassed; "HUI…" strings deleted

Common Problems with Loader
[Diagram: Legitimate DLL → HUI Loader (Found it!) → Encoded Malware Data (Not found!)]
Even if the Loader is found, the function of the malware is unknown because the encoded malware cannot be found.

Flow of HUI Loader Analysis System
Automatically execute everything from getting the HUI Loader to creating the YARA rule.
1. Get HUI Loader from VT
2. Analyze HUI Loader
3. Create YARA rule
4. Push YARA rule to VT

HUI Loader Analysis System
[Architecture diagram: an EventBridge event runs Lambda; Lambda gets the HUI Loader from VirusTotal, puts the config into an S3 output bucket, git-pushes it to a private GitHub repository and pushes the YARA rule to VirusTotal; GitHub Actions checks out the result and git-pushes to the public repository; a REST API behind API Gateway and WAF lets a client run the analysis on demand]

Created YARA rule
YARA rule:
import "vt"

rule malware_HUILoader_data_2317d3e14a {
    meta:
        description = "HUI Loader loading data"
        author = "JPCERT/CC Incident Response Group"
        HUI_loader_hash = "2317d3e14ab214f06ae38a729524646971e21b…"
    condition:
        uint32(0) == 0x7A8F473A or
        vt.metadata.file_name iequals "vlc.cnf"
}
The file name and encoding key are unique to each loader, and thus a rule must be created for each loader.
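The decode loop on the Case3 slide and the generated rule above are connected: because the loader XORs the payload with 0x20 and a per-sample key, the first four bytes of the encoded data are predictable whenever the hidden payload is a PE file (DOS header 4D 5A 90 00), which is what the uint32(0) term in the rule pins down. As an added example (not the project's own generator), the following derives that word from a given key and emits a rule in the same shape; the key, hash and file name are constructed placeholders, and the PE-header assumption is marked in the code.

```python
def hui_xor(data: bytes, key: bytes) -> bytes:
    """The loader's transform from the slide: each byte XOR 0x20 XOR the repeating key.
    XOR is its own inverse, so the same function encodes and decodes."""
    return bytes(b ^ 0x20 ^ key[i % len(key)] for i, b in enumerate(data))


# Assumption: the encoded payload is a PE file with the common DOS header bytes.
PE_HEADER = b"MZ\x90\x00"


def expected_header_word(key: bytes) -> int:
    """uint32(0) of the encoded payload under `key`, little-endian as YARA reads it."""
    return int.from_bytes(hui_xor(PE_HEADER, key), "little")


def make_rule(loader_hash: str, key: bytes, data_file_name: str) -> str:
    """Emit a rule in the shape of the slide's generated rule for one loader."""
    word = expected_header_word(key)
    return "\n".join([
        'import "vt"',
        "",
        f"rule malware_HUILoader_data_{loader_hash[:10]} {{",
        "    meta:",
        '        description = "HUI Loader loading data"',
        '        author = "example generator (not JPCERT/CC)"',
        f'        HUI_loader_hash = "{loader_hash}"',
        "    condition:",
        f"        uint32(0) == 0x{word:08X} or",
        f'        vt.metadata.file_name iequals "{data_file_name}"',
        "}",
    ])


def rule_would_match(key: bytes, data_file_name: str, blob: bytes, file_name: str) -> bool:
    """Evaluate the rule's condition in plain Python (no yara module needed)."""
    header_hit = len(blob) >= 4 and int.from_bytes(blob[:4], "little") == expected_header_word(key)
    name_hit = file_name.lower() == data_file_name.lower()   # iequals
    return header_hit or name_hit


# Constructed placeholders: not the real loader's key, hash or file name
SAMPLE_KEY = b"Key1"
SAMPLE_HASH = "placeholder000000000000000000000000000000000000000000000000000000"
SAMPLE_NAME = "example.cnf"
# Constructed encoded payload: a PE header plus filler, encoded with the loader's scheme
SAMPLE_ENCODED = hui_xor(PE_HEADER + b"\x03\x00\x00\x00" + b"\x00" * 24, SAMPLE_KEY)

if __name__ == "__main__":
    print(make_rule(SAMPLE_HASH, SAMPLE_KEY, SAMPLE_NAME))
```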

Published Analysis Results Repository
https://github.com/JPCERTCC/HUILoader-research

Surface Analysis System on Cloud
Confusing: each type of malware is called different names by different vendors.

Surface Analysis System on Cloud
Malware names are different for each security vendor and get confusing when looking at each report.
"What is this malware?"
"I want to scan using my YARA rule…"

Surface Analysis System on Cloud
Same issues on Twitter…
"What is this malware?"
"I want to scan using my YARA rule…"

Can sandbox alone solve all problems?
No. Sandbox analysis results need to be analyzed further, which is time consuming.

Our Requirements for Malware Analysis Tools
Simple
Fewer steps to execute
Execute multiple analyses all at once
Easy to customize
Store analysis results

For Example
These analyses are executed in a single step: YARA scan, floss, capa, olevba, Sandbox, My toolset.

Flow of Surface Analysis System on Cloud
Analysis results in a single action for multiple malware samples.
1. Send analysis job from web browser
2. Get malware from VT
3. Analyze malware with the selected tools
4. Save analysis results

Firefox Add-on

Analysis Results

Surface Analysis System on Cloud
[Architecture diagram: the client submits a job through a REST API behind API Gateway and WAF; Lambda runs an AWS Batch job that clones tools from CodeCommit, pulls the image from ECR, gets the malware from VirusTotal and pushes results to S3; a second Lambda triggered by EventBridge gets Twitter data and blog contents and submits jobs; EventBridge, SNS and CloudWatch deliver status notifications]

Demo

Infrastructure as Code (IaC)
Code and manage the building of the Surface Analysis System on cloud.
Problem: Heavy use of IaC increases the cost of managing the code.
Limit the cases in which IaC is used; simple systems do not need IaC.

IaC using Terraform
Building the analysis system using Terraform.

Surface Analysis System on Cloud with IaC
[Architecture diagram: a commit to the private GitHub repository runs GitHub Actions, which applies the Terraform definition to AWS Cloud (S3, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch); the client uses the deployed system]

Demo - Infrastructure as Code -

Memory Forensic on Cloud
Increased memory size has become a bottleneck for memory forensic investigations.
Investigating multiple hosts simultaneously is time-consuming.
The memory forensic system must scale out.
Build a memory forensic system that scales out on a cloud service.

Flow of Memory Forensic on Cloud
Build a memory forensic system that scales out on a cloud service.
1. Get memory images
2. Send memory images to cloud
3. Run Volatility 3 analysis system (docker image)
4. Save analysis results

Memory Forensic on Cloud
[Architecture diagram: the client uploads the memory image to S3 and submits a job through a REST API behind WAF and API Gateway; an S3 event via EventBridge runs Lambda, which runs an AWS Batch job that clones from CodeCommit, pulls the image from ECR and pushes analysis results to the S3 output bucket; EventBridge, SNS and CloudWatch deliver status notifications]
74
Memory Forensic on Cloud
AWS Cloud
S3 output bucket
Client
Submit job
Lambda Batch
CodeCommit ECR
Run
Clone
Push results
Image pull
Memory Image
S3 EventBridge
Analysis results
REST
WAF API Gateway
Run
EventBridge
SNS
CloudWatch
Status notification
Scale out
© 2022 JPCERT/CC
75
Analysis Results
© 2022 JPCERT/CC
76
Analysis Results
Demo

Memory Forensic on Cloud with IaC
[Architecture diagram: a commit to the GitHub repository runs GitHub Actions, which applies the definition to AWS Cloud (S3 output bucket, WAF, API Gateway, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch); the client submits jobs and pulls analysis results]
79
Surface Analysis System on Cloud
Tips

Limits of Serverless Services
Serverless services have limited runtime, memory and data size.
Check the limits and select a serverless service.
limit   | Lambda | Batch (Fargate) | Cloud Functions | Cloud Run
runtime | 900s   | -               | 540s            | 3600s
memory  | 10G    | 30G             | 16G             | 32G
data    | 10G    | 200G            | 16G             | 32G

Transfer of Large Data
Transfer of large data, such as memory images and log files, is limited.
A command-line interface is required for large data transfers.
For Example (AWS):
API Gateway: 10MB
presigned URL (S3): 5GB
AWS CLI: 160GB

Using GitHub Actions as a Serverless System
GitHub Actions can also be used as a serverless system (free: 3000 min/month).

Monitoring the Lucky Visitor Scam C2 System (GitHub)
[Architecture diagram: the same flow as the AWS variant, with GitHub Actions doing the work of getting HTML content from the C2, putting and getting IoCs, git-pushing to the private and public repositories and reporting to Google Safe Browsing]

Takeaways (repost)
Share MAOps (Malware Analysis Operations) that fight the malware development life cycle.
Introduce the case study on how to build a malware analysis system with low maintenance costs.
Learn how to build the Malware Analysis System on Cloud.

Thank you!
@jpcert_en  ir-info@jpcert.or.jp
PGP: https://www.jpcert.or.jp/english/pgp/
@jpcert_ac

Reference
[1] JSAC2021: Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation. https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf

[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22]  ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛[cb22]  ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
 
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...[cb22]  SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...
 
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...
 
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...
 

Recently uploaded

Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
Kayode Fayemi
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
amilabibi1
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
Kayode Fayemi
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
raffaeleoman
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
David Celestin
 

Recently uploaded (15)

ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of Drupal
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
 

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yuma Masubuchi

  • 1. Fight Against Malware Development Life Cycle (CODE BLUE 2022) © 2022 JPCERT/CC
  • 2. Problem of Incident Response
    Attacker vs Defender
  • 3. Problem of Incident Response
    Attacker vs Defender
    We are in the Malware Development Life Cycle…
  • 4. Malware Analysis Operations (MAOps)
    Surface Analysis > Runtime Analysis > Static Analysis > Create YARA Rule > Finished analysis …
  • 5. All roads lead to AUTOMATION!
    Surface Analysis, Runtime Analysis, Static Analysis, Create YARA Rule: Automation!
  • 6. Problem of MAOps
    Attacker vs Malware Analyst
  • 7. Problem of MAOps
    Attacker vs Malware Analyst
    Changed C2 server / Changed encrypt key / Added new function
  • 8. Problem of MAOps
    Attacker vs Malware Analyst: STOP
  • 9. Problem of MAOps
    Maintenance of malware analysis tools is hard work.
    Creating a lot of malware analysis tools requires the maintenance of many tools.
    We need methods to counter the attacker's development lifecycle.
  • 10. Goal of This Presentation
    This presentation shares methods for building analytical tools to counter the attacker's lifecycle.
  • 11. Approach
    Technologies such as CI/CD and serverless make system maintenance and release more efficient.
    Cloud services can be a solution to the problems of malware analysts.
    We managed the Malware Analysis System on Cloud.
    Use cloud services, CI/CD, serverless, and Infrastructure as Code (IaC) to fight the malware development life cycle.
  • 12. Advantages of Using the Cloud for Malware Analysis
    - IP addresses can be changed dynamically
    - Easy to update analysis tools
    - Easy to build scale-out systems
    - No server provisioning or maintenance required
    - Low maintenance costs
  • 13. Malware Analysis System on Cloud
    Scanner, Memory Forensic, Surface Analysis, Sandbox, YARA, Log Analysis, Threat Research
  • 14. Presentation Topics
    1 Malware C2 Monitoring
    2 Malware Hunting using Cloud
    3 YARA CI/CD system
    4 Surface Analysis System on Cloud
    5 Memory Forensic on Cloud
  • 15. Agenda (section 1): 1 Malware C2 Monitoring / 2 Malware Hunting using Cloud / 3 YARA CI/CD system / 4 Surface Analysis System on Cloud / 5 Memory Forensic on Cloud
  • 16. Malware C2 Monitoring
    Monitoring the attacker's C2 server is important to understand their activity.
    Notes: Blocked access to the C2 server. Targeted by an attacker. Cloud services solve these problems.
  • 17. Case1: Monitoring the Lucky Visitor Scam C2
  • 18. Lucky Visitor Scam Infrastructure
    Components: C2 Server, Compromised Server, Scam Server
    #1 Website access
    #2 Send client information
    #3 Reply scam server URL
    #4 Send scam server URL
    #5 Access scam website
  • 19. PHP Backdoor Installed in Compromised Server
    (diagram: the compromised server running the PHP backdoor, and the C2 Server)
  • 20. Request to C2 for Redirect URL
    $ curl -i -X POST http[:]//144.76.47[.]168/app/assets/api2?action=redir -d "ip=153.213.10.51&qs=dfaljfadfa.com%2Findex.php%3Ffc858f%3DiPhone-Apple-Windows&ua=Mozilla%2F5.0 (...) &conn=close&uid=fb06bc98-576a-d5df-2195-a4b0a64bec44" -H "User-Agent: " -H "Accept: "
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Tue, 23 Feb 2021 23:46:35 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 590
    Connection: keep-alive
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Referrer-Policy: same-origin

    a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";s:524:"<html>
    <head>
    <META http-equiv="refresh" content="1;URL=https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d">
    <script>
    window.location = "https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d";
    </script>
    </head>
    <body>
    To the new location please <a href="https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d"><b>click here.</b></a>
    </body>
    </html>";}}
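The C2 reply on slide 20 is PHP serialize() output wrapping an HTML page that redirects three ways (META refresh, window.location, and a link). The following is an added example, not code from the presentation, that parses such a reply and extracts the redirect URL as an IoC; the sample reply is constructed in the shape of the slide's response with a placeholder domain (scam-example.invalid).

```python
"""Parse a Lucky Visitor Scam C2 'redir' reply and pull out the scam-server URL.

Added example, not JPCERT/CC code. SAMPLE_RESPONSE is constructed to match the
structure of the reply on slide 20; the domain and campaign id are placeholders.
"""
import re

# Constructed sample reply: same structure as the C2 response on the slide.
SCAM_URL = "https://scam-example.invalid/?utm_campaign=CAMPAIGN_ID&t=main7d"
_HTML = (
    "<html>\n<head>\n"
    f'<META http-equiv="refresh" content="1;URL={SCAM_URL}">\n'
    f'<script>\nwindow.location = "{SCAM_URL}";\n</script>\n</head>\n<body>\n'
    f'To the new location please <a href="{SCAM_URL}"><b>click here.</b></a>\n'
    "</body>\n</html>"
)
SAMPLE_RESPONSE = (
    'a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";'
    f's:{len(_HTML.encode())}:"{_HTML}";}}}}'
).encode()


def php_unserialize(blob: bytes):
    """Minimal PHP unserialize(): arrays, strings, ints, bools and null.

    String lengths in the format are byte counts, so we parse bytes, not str.
    """
    pos = 0

    def parse():
        nonlocal pos
        tag = chr(blob[pos])
        if tag == "N":                      # N;
            pos += 2
            return None
        if tag in "ib":                     # i:123;  b:1;
            end = blob.index(b";", pos)
            val = int(blob[pos + 2:end])
            pos = end + 1
            return bool(val) if tag == "b" else val
        if tag == "s":                      # s:<len>:"<bytes>";
            colon = blob.index(b":", pos + 2)
            length = int(blob[pos + 2:colon])
            start = colon + 2               # skip ':"'
            val = blob[start:start + length].decode("utf-8", "replace")
            pos = start + length + 2        # skip '";'
            return val
        if tag == "a":                      # a:<count>:{key value ...}
            colon = blob.index(b":", pos + 2)
            count = int(blob[pos + 2:colon])
            pos = colon + 2                 # skip ':{'
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1                        # skip '}'
            return out
        raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

    return parse()


_URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def extract_redirect_urls(response: bytes) -> list:
    """Return the unique redirect URLs from a 'redir' reply, in order seen.

    Anything that is not a redir message (or not an array at all) yields [].
    """
    msg = php_unserialize(response)
    if not isinstance(msg, dict) or msg.get("type") != "redir":
        return []
    data = msg.get("data")
    html = data.get("code", "") if isinstance(data, dict) else ""
    urls = []
    for url in _URL_RE.findall(html):
        if url not in urls:
            urls.append(url)
    return urls


if __name__ == "__main__":
    print(extract_redirect_urls(SAMPLE_RESPONSE))
```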
  • 21. PHP Backdoor Installed in Compromised Server: PHP Backdoor Features
    check: Displays the number of files stored on the server
    templates: Creates a .html file for templates
    keywords: Creates a .lst file for keywords
    update_sitemap: Updates sitemap.xml
    pages: Creates a new page
    ping: Sends a sitemap.xml URL to google and bing
    robots: Creates robots.txt
    eval: Runs PHP code
  • 22. Lucky Visitor Scam C2
    Attackers use different C2 servers over time.
    (table of C2 server IP addresses and their status omitted)
  • 23. Flow of Lucky Visitor Scam Countermeasures
    Automatically execute the process below, from discovering C2 servers to blocking redirects in web browsers.
    Get PHP content from VT > Check C2 > Get redirect URL from C2 > Report to Google Safe Browsing > Blocked by web browser
  • 24. Monitoring the Lucky Visitor Scam C2 System (AWS)
    (architecture diagram; AWS: Amazon EventBridge, AWS Lambda, Amazon S3 output bucket; GitHub Actions with private and public GitHub repositories; VirusTotal; Google Safe Browsing; the C2. Labelled flows: Event, Get HTML content, Put IoC, Get IoC, Git checkout, Git push, Report)
  • 25. Monitoring the Lucky Visitor Scam C2 System
    https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC
  • 26. Monitoring the Lucky Visitor Scam C2 System (GCP)
    (architecture diagram; GCP: Cloud Scheduler, Cloud Functions, Cloud Storage; GitHub Actions with private and public GitHub repositories; Google Safe Browsing; the C2. Labelled flows: Event, Get HTML content, Put IoC, Get IoC, Git checkout, Git push, Report)
  • 27. Access Control for C2 Server
    C2 server is inaccessible from Japan.
  • 28. C2 Activity
    Investigation of the attacker’s redirect URL delivery cycle.
    (chart: x-axis Time (UTC+9), hours 0 to 23; y-axis Count, 0 to 350)
  • 29. Agenda (section 2): 1 Malware C2 Monitoring / 2 Malware Hunting using Cloud / 3 YARA CI/CD system / 4 Surface Analysis System on Cloud / 5 Memory Forensic on Cloud
  • 30. Malware Hunting using Cloud
    Malware hunting gets unknown IoCs and can be used for incident detection.
    Get IoCs > Download malware > Analyze malware > Hunt and detect incident
  • 31. Malware Hunting using Cloud
    (same content as slide 30)
  • 32. Case2: Cobalt Strike Beacon Hunting
    Cobalt Strike is a popular penetration tool among attackers. [1]
    Cobalt Strike's C2s are found in large numbers and cannot all be analyzed manually.
  • 33. Flow of Cobalt Strike Beacon Hunting
    Automatically execute from discovering C2 servers to hunting Cobalt Strike beacon.
    Get C2 server from VT > Download Cobalt Strike beacon > Analyze Cobalt Strike beacon > Publish configuration
  • 34. C2 Server Data
    Extract a list of IP addresses of Cobalt Strike's servers from VirusTotal.
    VT API: https://www.virustotal.com/api/v3/intelligence/search?query=entity%3Aip%20comment%3A%23cobaltstrike&limit=300&descriptors_only=true
  • 35. Default URL Path for Cobalt Strike Beacon
    Many C2 servers do not change the default URL path.
    Default URL path for Cobalt Strike beacon: 32bit /aaa9, /aab8; 64bit /aab9, /aac8
  • 36. Configuration Data
    Encode configuration data in Cobalt Strike beacon: XOR 0x2E
  • 37. Configuration Index
    set   Description                                     Remarks
    0x01  BeaconType                                      0=HTTP, 1=Hybrid HTTP and DNS, 8=HTTPS
    0x02  Port number
    0x03  Polling time
    0x04  Unknown
    0x05  Jitter                                          Ratio of jitter in polling time (0-99%)
    0x06  Maxdns                                          Maximum length of host name when using DNS (0-255)
    0x07  Unknown
    0x08  Destination host
    0x09  User agent
    0x0a  Path when communicating
    0x0b  Unknown
    0x0c  HTTP_Header1
    0x0d  HTTP_Header2
    0x0e  Injection process
    0x0f  Pipe name
    0x10  Year                                            Stops operating after the specified date by Year, Month, Day
    0x11  Month
    0x12  Day
    0x13  DNS_idle
    0x14  DNS_Sleep
    0x1a  HTTP_Method1
    0x1b  HTTP_Method2
    0x1c  Unknown
    0x1d  Process to inject arbitrary shellcode (32bit)
    0x1e  Process to inject arbitrary shellcode (64bit)
    0x1f  Unknown
    0x20  Proxy server name
    0x21  Proxy user name
    0x22  Proxy password
    0x23  AccessType                                      1 = Do not use proxy server, 2 = Use IE configuration in the registry, 4 = Connect via proxy server
    0x24  create_remote_thread                            Flag whether to allow creating threads in other processes
    0x25  Not in use
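Slides 36 and 37 give the two pieces an analyst needs to read a beacon's configuration: the single-byte XOR key 0x2E and the meaning of each setting index. The following is an added example, not JPCERT/CC code, that decodes a configuration block and labels the settings with that index table. The record layout it assumes (2-byte index, 2-byte type, 2-byte length, big-endian; type 1 = 16-bit, 2 = 32-bit, 3 = raw bytes) is the publicly documented beacon layout and is not stated on the slides; the encoded block is constructed for this example.

```python
"""Decode a Cobalt Strike beacon configuration block: XOR every byte with 0x2E
(slide 36), then walk the settings and name them from the Configuration Index
(slide 37).

Added example, not JPCERT/CC code. The index/type/length record layout is the
publicly documented one, not taken from the slides. SAMPLE_ENCODED is
constructed here; nothing in it comes from a real beacon.
"""
import struct

XOR_KEY = 0x2E

# Setting index -> name, from the Configuration Index table (slide 37).
SETTINGS = {
    0x01: "BeaconType", 0x02: "Port", 0x03: "PollingTime", 0x05: "Jitter",
    0x06: "Maxdns", 0x08: "DestinationHost", 0x09: "UserAgent", 0x0A: "Path",
    0x0C: "HTTP_Header1", 0x0D: "HTTP_Header2", 0x0E: "InjectionProcess",
    0x0F: "PipeName", 0x10: "Year", 0x11: "Month", 0x12: "Day",
    0x13: "DNS_idle", 0x14: "DNS_Sleep", 0x1A: "HTTP_Method1",
    0x1B: "HTTP_Method2", 0x1D: "InjectProcess_x86", 0x1E: "InjectProcess_x64",
    0x20: "ProxyServer", 0x21: "ProxyUser", 0x22: "ProxyPassword",
    0x23: "AccessType", 0x24: "create_remote_thread",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP and DNS", 8: "HTTPS"}
ACCESS_TYPES = {1: "Do not use proxy server", 2: "Use IE configuration in the registry",
                4: "Connect via proxy server"}


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes, since XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def parse_config(decoded: bytes) -> dict:
    """Walk index/type/length records until the all-zero terminator record."""
    settings = {}
    pos = 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, pos)
        pos += 6
        if idx == 0:
            break
        raw = decoded[pos:pos + length]
        pos += length
        if typ == 1:
            value = struct.unpack(">H", raw[:2])[0]
        elif typ == 2:
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.rstrip(b"\x00").decode("latin-1")
        if idx == 0x01:
            value = BEACON_TYPES.get(value, value)
        elif idx == 0x23:
            value = ACCESS_TYPES.get(value, value)
        settings[SETTINGS.get(idx, f"Unknown_0x{idx:02x}")] = value
    return settings


def decode_beacon_config(encoded: bytes) -> dict:
    return parse_config(xor_decode(encoded))


def _record(idx: int, typ: int, value) -> bytes:
    """Build one setting record (only used to construct the sample block)."""
    if typ == 1:
        raw = struct.pack(">H", value)
    elif typ == 2:
        raw = struct.pack(">I", value)
    else:
        raw = value.encode().ljust(256, b"\x00")   # string fields are NUL padded
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


# Constructed sample: an HTTPS beacon for c2.example.invalid:443 using the default 64-bit path.
SAMPLE_ENCODED = xor_decode(
    _record(0x01, 1, 8) + _record(0x02, 1, 443) + _record(0x03, 2, 60000)
    + _record(0x05, 1, 20) + _record(0x08, 3, "c2.example.invalid,/aab9")
    + _record(0x09, 3, "Mozilla/5.0 (constructed sample)") + _record(0x0A, 3, "/submit.php")
    + _record(0x23, 1, 2) + b"\x00" * 6
)

if __name__ == "__main__":
    for name, value in decode_beacon_config(SAMPLE_ENCODED).items():
        print(f"{name:<18} {value}")
```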
  • 38. Cobalt Strike Beacon Hunting System
    (architecture diagram; AWS Cloud: Lambda, EventBridge, S3 output bucket, API Gateway, WAF; GitHub Actions with private and public GitHub repositories; VirusTotal; Cobalt Strike C2; REST API Client. Labelled flows: Event, Get server list, Get beacon, Put Config, Get Config, Git checkout, Git push, Run)
  • 39. Published Configuration Repository
    https://github.com/JPCERTCC/CobaltStrike-Config
  • 40. Cobalt Strike Beacon Hunting System
    (same architecture diagram as slide 38)
  • 41. REST API
    https://[mask]/cs-scan-api?scan=http://185.38.142.75:80/aaa9
    You do not need to download Cobalt Strike Beacon to analyze it.
  • 42. Changes in Cobalt Strike C2 (Daily)
    (chart: x-axis Date, 2/17/2022 to 8/17/2022; y-axis Count, 0 to 200)
  • 43. Agenda (section 3): 1 Malware C2 Monitoring / 2 Malware Hunting using Cloud / 3 YARA CI/CD system / 4 Surface Analysis System on Cloud / 5 Memory Forensic on Cloud
  • 44. YARA CI/CD System
    Creation of YARA rules must be done manually by the malware analyst, and automation of YARA rule creation is a challenge.
    Since creating YARA rules cannot be automated, malware analysts create them manually and spend too much time on it.
    For some malware with characteristic features, rules can be created automatically.
  • 45. Case3: HUI Loader Analysis System
    HUI Loader used in APT10, Blue Termite, A41APT and DEV-0401.
    (diagram: Legitimate HUI Loader; Encoded Malware DLL Data)
    Decode code (enc_data and key are bytes):
        dec_data = bytearray()
        for i in range(len(enc_data)):
            # each byte is XORed with 0x20 and with the repeating key
            dec_data.append(enc_data[i] ^ 0x20 ^ key[i % len(key)])
  • 46. Overview of HUI Loader Timeline (2015 to 2022)
    2015 Jan: APT10 started using HUI loader
    2015 Apr: Blue Termite started using HUI loader
    2016 Jul: Password randomized; DLL injection
    2020 Jun: A41APT started using HUI loader
    2021 Aug: DEV-0401 started using HUI loader
    2021 Dec: Security features bypassed; "HUI…" strings deleted
  • 47. Common Problems with Loader
    Even if the Loader is found, the function of the malware is unknown because the encoded malware cannot be found.
    (diagram: Legitimate HUI Loader: Found it! / Encoded Malware DLL Data: Not found!)
  • 48. Flow of HUI Loader Analysis System
    Automatically execute from getting HUI Loader to creating the YARA rule.
    Get HUI Loader from VT > Analyze HUI Loader > Create YARA rule > Push YARA rule to VT
  • 49. HUI Loader Analysis System
    (architecture diagram; AWS Cloud: Lambda, EventBridge, S3 output bucket, API Gateway, WAF; GitHub Actions with private and public GitHub repositories; VirusTotal; REST API Client. Labelled flows: Event, Get HUI Loader, Put Config, Get Result, Git checkout, Git push, Run, Push YARA rule)
  • 50. Created YARA rule
    The file name and encoding key are unique to each loader, and thus rules must be created for each of them.
    YARA rule:
        import "vt"

        rule malware_HUILoader_data_2317d3e14a {
            meta:
                description = "HUI Loader loading data"
                author = "JPCERT/CC Incident Response Group"
                HUI_loader_hash = "2317d3e14ab214f06ae38a729524646971e21b…"
            condition:
                uint32(0) == 0x7A8F473A or vt.metadata.file_name iequals "vlc.cnf"
        }
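Slide 45 gives the loader's decode loop and slide 50 the per-loader rule it yields: the payload is a DLL, so encoding its "MZ" header with the loader's key produces the 32-bit constant that the rule's uint32(0) condition tests. The following is an added example, not JPCERT/CC code, that carries both steps through: decode a payload with a key, derive that constant, and emit a rule in the slide-50 shape. The key b"K3yExample!", the file name update.cnf and the loader hash are constructed for this example and belong to no real sample.

```python
"""HUI Loader: decode the loader's payload and emit a YARA rule for it, as the
HUI Loader Analysis System (slides 48-50) does for each loader it analyses.

Added example, not JPCERT/CC code. The decode loop follows slide 45
(byte ^ 0x20 ^ key[i % len(key)]); the rule shape follows slide 50. KEY,
FILE_NAME and LOADER_SHA256 are constructed values, not from a real loader.
"""
import hashlib
import struct


def hui_decode(enc_data: bytes, key: bytes) -> bytes:
    """Decode routine from slide 45: XOR with 0x20 and with a repeating key."""
    return bytes(b ^ 0x20 ^ key[i % len(key)] for i, b in enumerate(enc_data))


hui_encode = hui_decode   # XOR is symmetric; only used here to build the sample


def encoded_magic(key: bytes, plain_header: bytes = b"MZ\x90\x00") -> int:
    """First 4 bytes of the encoded payload as YARA's little-endian uint32(0).

    The payload is a DLL, so its plaintext starts with the PE 'MZ' header;
    encoding that header with this loader's key gives a 32-bit constant that
    is unique to the loader, in the way 0x7A8F473A on slide 50 is.
    """
    return struct.unpack("<I", hui_encode(plain_header[:4], key))[0]


def matches_magic(data: bytes, key: bytes) -> bool:
    """The same test the rule's uint32(0) condition performs on a file."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == encoded_magic(key)


def make_rule(loader_sha256: str, key: bytes, file_name: str) -> str:
    """Build a VirusTotal livehunt rule in the shape shown on slide 50."""
    return (
        'import "vt"\n\n'
        f"rule malware_HUILoader_data_{loader_sha256[:10]} {{\n"
        "    meta:\n"
        '        description = "HUI Loader loading data"\n'
        '        author = "constructed example"\n'
        f'        HUI_loader_hash = "{loader_sha256}"\n'
        "    condition:\n"
        f"        uint32(0) == 0x{encoded_magic(key):08X} "
        f'or vt.metadata.file_name iequals "{file_name}"\n'
        "}\n"
    )


# Constructed sample loader: key, payload file name and a hash of a dummy buffer.
KEY = b"K3yExample!"
FILE_NAME = "update.cnf"
LOADER_SHA256 = hashlib.sha256(b"constructed HUI Loader stand-in").hexdigest()
# Constructed payload: a PE-like header followed by padding, standing in for the DLL.
SAMPLE_DLL = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SAMPLE_ENCODED = hui_encode(SAMPLE_DLL, KEY)

if __name__ == "__main__":
    print(make_rule(LOADER_SHA256, KEY, FILE_NAME))
```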
  • 51. Published Analysis Results Repository
    https://github.com/JPCERTCC/HUILoader-research
  • 52. Agenda (section 4): 1 Malware C2 Monitoring / 2 Malware Hunting using Cloud / 3 YARA CI/CD system / 4 Surface Analysis System on Cloud / 5 Memory Forensic on Cloud
  • 53. Surface Analysis System on Cloud
    Confusing: each type of malware is called different names by different vendors.
  • 54. Surface Analysis System on Cloud
    Malware names are different for each security vendor and get confusing when looking at each report.
    "What is this malware?" "I want to scan using my YARA rule…"
  • 55. Surface Analysis System on Cloud
    Same issues on twitter…
  • 56. Surface Analysis System on Cloud
    Same issues on twitter… "What is this malware?" "I want to scan using my YARA rule…"
  • 57. Can sandbox alone solve all problems?
  • 58. Can sandbox alone solve all problems?
    No. Sandbox analysis results need to be analyzed further, which is time consuming.
  • 59. Our Requirements for Malware Analysis Tools
    - Simple
    - Fewer steps to execute
    - Execute multiple analyses all at once
    - Easy to customize
    - Store analysis results
  • 60. For Example
    YARA scan, floss, capa, olevba, Sandbox, My toolset: these analyses are executed in a single step.
  • 61. Flow of Surface Analysis System on Cloud
    Analysis results in a single action for multiple malware.
    Send analysis job from web browser > Get malware from VT > Analyze malware with selected tools > Save analysis results
  • 64. Surface Analysis System on Cloud
    (architecture diagram; AWS Cloud: S3, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch; outside: Client, VirusTotal, Twitter, Blog. Labelled flows: REST, Submit job, Run, Clone, Get malware, Push results, Image pull, Get twitter data, Get contents, Status notification)
  • 65. Demo
  • 66. Infrastructure as Code (IaC)
    Code and manage the building of the Surface Analysis System on cloud.
    Problem: Heavy use of IaC increases the cost of managing the code. Limit the cases in which IaC is used; simple systems do not need IaC.
  • 67. IaC using Terraform
    Building the analysis system using Terraform.
  • 68. Surface Analysis System on Cloud with IaC
    (architecture diagram; private GitHub repository and GitHub Actions: commit, run, apply; AWS Cloud: Client, S3, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch)
  • 70. Surface Analysis System on Cloud
    (screenshot)
  • 71. Agenda (section 5): 1 Malware C2 Monitoring / 2 Malware Hunting using Cloud / 3 YARA CI/CD system / 4 Surface Analysis System on Cloud / 5 Memory Forensic on Cloud
  • 72. Memory Forensic on Cloud
    Increased memory size has become a bottleneck for memory forensic investigations.
    Investigating multiple hosts simultaneously is time-consuming. A memory forensic system must scale out.
    Build a memory forensic system that scales out on a cloud service.
  • 73. Flow of Memory Forensic on Cloud
    Build a memory forensic system that scales out on a cloud service.
    Get memory images > Send memory images to cloud > Run Volatility 3 analysis system (docker image) > Save analysis results
  • 74. Memory Forensic on Cloud
    (architecture diagram; AWS Cloud: Memory Image S3, S3 output bucket, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch; Client. Labelled flows: REST, Submit job, Run, Clone, Push results, Image pull, Analysis results, Status notification)
  • 75. Memory Forensic on Cloud
    (same architecture diagram as slide 74, with Batch marked "Scale out")
  • 78. Demo
  • 79. Memory Forensic on Cloud with IaC
    (architecture diagram; GitHub and GitHub Actions: commit, run, apply; AWS Cloud: Client, S3 output bucket, S3, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch. Labelled flows: Submit job, Run, Clone, Push results, Image pull, Analysis results)
  • 80. Surface Analysis System on Cloud
    (screenshot)
  • 81. Tips
  • 82. Limits of Serverless Services
    Serverless services have limited runtime, memory and data size. Check the limits and select a serverless service.
    limit    Lambda  Batch (Fargate)  Cloud Functions  Cloud Run
    runtime  900s    -                540s             3600s
    memory   10G     30G              16G              32G
    data     10G     200G             16G              32G
  • 83. Transfer of Large Data
    Transfer of large data, such as memory images and log files, is limited. A CUI is required for large data transfers.
    For example (AWS): API Gateway: 10MB; S3 presigned URL: 5GB; AWS CLI: 160GB
  • 84. Use as a Serverless System for GitHub Actions
    GitHub Actions can also be used as a serverless system. (free: 3000min/month)
  • 85. Monitoring the Lucky Visitor Scam C2 System (GitHub)
    (architecture diagram; AWS Cloud: AWS Lambda, Amazon EventBridge, Amazon S3 output bucket; GitHub Actions with private and public GitHub repositories; Google Safe Browsing; the C2. Labelled flows: Event, Get HTML content, Put IoC, Get IoC, Git checkout, Git push, Report)
  • 86. Takeaways (repost)
    Share MAOps (Malware Analysis Operations) that fight the malware development life cycle.
    Introduce the case study on how to build a malware analysis system with low maintenance costs.
    Learn how to build the Malware Analysis System on Cloud.
  • 87. Thank you!
    @jpcert_en / @jpcert_ac
    ir-info@jpcert.or.jp
    PGP: https://www.jpcert.or.jp/english/pgp/
  • 88. Reference
    [1] JSAC2021: Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation. https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf