© 2022 JPCERT/CC
Fight Against Malware Development Life Cycle
CODE BLUE 2022
Problem of Incident Response
Attacker vs Defender
We are in the Malware Development Life Cycle…
Malware Analysis Operations (MAOps)
Surface Analysis, Runtime Analysis, Static Analysis, Create YARA Rule, Finished analysis…

All roads lead to AUTOMATION!
Surface Analysis, Runtime Analysis, Static Analysis, Create YARA Rule: Automation!
Problem of MAOps
Attacker vs Malware Analyst: the attacker changes the C2 server, changes the encryption key and adds new functions, and the analysis tools STOP working.
Maintenance of malware analysis tools is hard work. Creating a lot of malware analysis tools requires the maintenance of many tools.
We need methods to counter the attacker's development lifecycle.
Goal of This Presentation
This presentation shares methods for building analytical tools to counter the attacker's lifecycle.

Approach
Technologies such as CI/CD and serverless are methods that make system maintenance and release more efficient. Cloud services can be a solution to the problems of malware analysts. We managed the Malware Analysis System on Cloud: use cloud services (CI/CD, serverless, and Infrastructure as Code (IaC)) to fight the malware development life cycle.

Advantages of Using the Cloud for Malware Analysis
IP addresses can be changed dynamically
Easy to update analysis tools
Easy to build scale-out systems
No server provisioning or maintenance required
Low maintenance costs
Malware Analysis System on Cloud
(Diagram) Components: Scanner, Memory Forensic, Surface Analysis, Sandbox, YARA, Log Analysis, Threat Research

Presentation Topics
1 Malware C2 Monitoring
2 Malware Hunting using Cloud
3 YARA CI/CD system
4 Surface Analysis System on Cloud
5 Memory Forensic on Cloud

1 Malware C2 Monitoring
Malware C2 Monitoring
Monitoring the attacker's C2 server is important to understand their activity.
Notes: access to the C2 server may get blocked, and the monitoring host may be targeted by the attacker. Cloud services solve these problems.
Case 1: Monitoring the Lucky Visitor Scam C2

Lucky Visitor Scam Infrastructure
(Diagram) C2 Server, Compromised Server, Scam Server. Flow: #1 Website access, #2 Send client information, #3 Reply scam server URL, #4 Send scam server URL, #5 Access scam website.
PHP Backdoor Installed in Compromised Server
$ curl -i -X POST http[:]//144.76.47[.]168/app/assets/api2?action=redir -d
"ip=153.213.10.51&qs=dfaljfadfa.com%2Findex.php%3Ffc858f%3DiPhone-Apple-Windows&ua=Mozilla%2F5.0
(...) &conn=close&uid=fb06bc98-576a-d5df-2195-a4b0a64bec44" -H "User-Agent: " -H "Accept: "
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Tue, 23 Feb 2021 23:46:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 590
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";s:524:"<html>
<head>
<META http-equiv="refresh" content="1;URL=https[:]//finishsandperson-
9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d">
<script>
window.location = "https[:]//finishsandperson-
9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d";
</script>
</head>
<body>
To the new location please <a href="https[:]//finishsandperson-
9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d"><b>click here.</b></a>
</body>
</html>";}}
Request to C2 for Redirect URL: the exchange above is the backdoor's request to the C2 server, and the response is a PHP-serialized array (a:2:{…}) whose "code" field carries the HTML that redirects the visitor to the scam server.
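As an added example (not the JPCERT/CC monitoring code), a parser for the C2 reply shown above: it unserializes the PHP array by string length, so quotes and semicolons inside the HTML do not break it, pulls the redirect URL out of the window.location assignment, and defangs it the way the slides write URLs. The sample reply is constructed, not a capture.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit


def php_unserialize(buf: bytes, pos: int = 0) -> Tuple[object, int]:
    """Minimal PHP unserialize() for the types the C2 reply uses (a, s, i, b, N).

    Strings are length-prefixed (s:LEN:"..."), so embedded quotes and semicolons
    inside the HTML payload are consumed by length, not by delimiter.
    Returns (value, offset just after the value).
    """
    t = chr(buf[pos])
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ib":                                  # i:123;  b:1;
        end = buf.index(b";", pos)
        num = int(buf[pos + 2:end])
        return (bool(num) if t == "b" else num), end + 1
    if t == "s":                                   # s:5:"redir";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                          # skip :"
        text = buf[start:start + length].decode("utf-8", "replace")
        return text, start + length + 2            # skip ";
    if t == "a":                                   # a:2:{key;value;...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        p = colon + 2                              # skip :{
        items = {}
        for _ in range(count):
            key, p = php_unserialize(buf, p)
            val, p = php_unserialize(buf, p)
            items[key] = val
        return items, p + 1                        # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


# The reply embeds the scam URL three times; the window.location assignment is the
# simplest one to extract.
LOCATION_RE = re.compile(r'window\.location\s*=\s*"([^"]+)"')


def extract_redirect_url(response_body: bytes) -> Optional[str]:
    """Return the scam server URL from a C2 'redir' reply, or None if it is not one."""
    obj, _ = php_unserialize(response_body)
    if not isinstance(obj, dict) or obj.get("type") != "redir":
        return None
    code = obj.get("data", {}).get("code", "")
    match = LOCATION_RE.search(code)
    return match.group(1) if match else None


def defang(url: str) -> str:
    """Write a URL the way the slides do (https[:]//host[.]tld/...)."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}[:]//{host}{parts.path}{query}"


def build_sample_reply(html: str) -> bytes:
    """Construct a reply in the C2's serialized format (for the offline sample below)."""
    code = html.encode("utf-8")
    return (b'a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";s:%d:"%s";}}'
            % (len(code), code))


# Constructed sample reply; the scam URL is a placeholder, not a real indicator
SAMPLE_URL = "https://scam-site.example/?utm_campaign=CONSTRUCTED&t=main7d"
SAMPLE_REPLY = build_sample_reply(
    '<html><head><META http-equiv="refresh" content="1;URL=%s">'
    '<script>window.location = "%s";</script></head>'
    '<body>To the new location please <a href="%s"><b>click here.</b></a></body></html>'
    % (SAMPLE_URL, SAMPLE_URL, SAMPLE_URL)
)

if __name__ == "__main__":
    url = extract_redirect_url(SAMPLE_REPLY)
    print(url, "->", defang(url))
```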
PHP Backdoor Features
check: displays the number of files stored on the server
templates: creates a .html file for templates
keywords: creates a .lst file for keywords
update_sitemap: updates sitemap.xml
pages: creates a new page
ping: sends the sitemap.xml URL to Google and Bing
robots: creates robots.txt
eval: runs PHP code
Lucky Visitor Scam C2
Attackers use different C2 servers over time.
IP Address      Status
144.76.47.168   〇
144.76.51.144   ×
178.63.30.186   〇
178.63.30.30    〇
178.63.34.6     ×
5.9.146.0       ー
5.9.235.245     〇
5.9.239.221     ×
5.9.34.13       〇
5.9.37.245      ×
94.130.71.28    ×
Flow of Lucky Visitor Scam Countermeasures
Automatically execute the process below, from discovering C2 servers to blocking redirects in web browsers:
1. Get PHP content from VT
2. Check C2
3. Get redirect URL from C2
4. Report to Google Safe Browsing
5. Blocked by web browser
Monitoring the Lucky Visitor Scam C2 System (AWS)
(Architecture diagram) Components: C2; VirusTotal; Amazon EventBridge (event) → AWS Lambda (get HTML content from the C2, put IoC to the Amazon S3 output bucket, report to Google Safe Browsing); GitHub Actions (git checkout, get IoC, git push) → private and public GitHub repositories.

Published IoC repository: https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC
Monitoring the Lucky Visitor Scam C2 System (GCP)
(Architecture diagram) Components: C2; Cloud Scheduler (event) → Cloud Functions (get HTML content from the C2, put IoC to Cloud Storage, report to Google Safe Browsing); GitHub Actions (git checkout, get IoC, git push) → private and public GitHub repositories.
Access Control for C2 Server
The C2 server is inaccessible from Japan.
C2 Activity
(Chart: count per hour of day, time UTC+9) Investigation of the attacker's redirect URL delivery cycle.
2 Malware Hunting using Cloud
Malware Hunting using Cloud
Malware hunting gets unknown IoCs and can be used for incident detection: Get IoCs, Download malware, Analyze malware, Hunt and detect incidents.
Case 2: Cobalt Strike Beacon Hunting
Cobalt Strike is a popular penetration testing tool among attackers. [1] Cobalt Strike C2s are found in large numbers and cannot all be analyzed manually.
Flow of Cobalt Strike Beacon Hunting
Automatically execute from discovering C2 servers to hunting the Cobalt Strike beacon:
1. Get C2 server from VT
2. Download Cobalt Strike beacon
3. Analyze Cobalt Strike beacon
4. Publish configuration
C2 Server Data
Extract a list of IP addresses of Cobalt Strike servers from VirusTotal with the VT API:
https://www.virustotal.com/api/v3/intelligence/search?query=entity%3Aip%20comment%3A%23cobaltstrike&limit=300&descriptors_only=true
Default URL Path for Cobalt Strike Beacon
Many C2 servers do not change the default URL path.
Default URL path for the Cobalt Strike beacon: 32bit: /aaa9, /aab8; 64bit: /aab9, /aac8
Configuration Data
Configuration data in the Cobalt Strike beacon is encoded with XOR 0x2E.
Configuration Index
set   Description                                    Remarks
0x01  BeaconType                                     0=HTTP, 1=Hybrid HTTP and DNS, 8=HTTPS
0x02  Port number
0x03  Polling time
0x04  Unknown
0x05  Jitter                                         Ratio of jitter in polling time (0-99%)
0x06  Maxdns                                         Maximum length of host name when using DNS (0-255)
0x07  Unknown
0x08  Destination host
0x09  User agent
0x0a  Path when communicating                        HTTP_Header2
0x0b  Unknown
0x0c  HTTP_Header1
0x0d  HTTP_Header2
0x0e  Injection process
0x0f  Pipe name
0x10  Year                                           Stops operating after the date specified by Year, Month, Day
0x11  Month
0x12  Day
0x13  DNS_idle
0x14  DNS_Sleep
0x1a  HTTP_Method1
0x1b  HTTP_Method2
0x1c  Unknown
0x1d  Process to inject arbitrary shellcode (32bit)
0x1e  Process to inject arbitrary shellcode (64bit)
0x1f  Unknown
0x20  Proxy server name
0x21  Proxy user name
0x22  Proxy password
0x23  AccessType                                     1 = Do not use proxy server, 2 = Use IE configuration in the registry, 4 = Connect via proxy server
0x24  create_remote_thread                           Flag whether to allow creating threads in other processes
0x25  Not in use
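As an added example (not the JPCERT/CC hunting system's code), a decoder for the configuration block described on the slides: XOR 0x2E, setting names transcribed from the index table above, and the default stager paths. The TLV layout (big-endian index, type, length, then value) is the documented beacon config format and is assumed here, since the slides give only the key and the index table; the encoded blob is constructed for the example.

```python
import struct
from typing import Optional
from urllib.parse import urlsplit

XOR_KEY = 0x2E  # from the slides: the beacon's configuration data is encoded with XOR 0x2E

# Index -> setting name, transcribed from the configuration index table (subset)
SETTING_NAMES = {
    0x01: "BeaconType", 0x02: "Port", 0x03: "PollingTime", 0x05: "Jitter",
    0x06: "MaxDNS", 0x08: "DestinationHost", 0x09: "UserAgent", 0x0a: "HttpPath",
    0x0c: "HttpHeader1", 0x0d: "HttpHeader2", 0x0e: "InjectionProcess",
    0x0f: "PipeName", 0x1a: "HttpMethod1", 0x1b: "HttpMethod2",
    0x20: "ProxyServer", 0x23: "AccessType", 0x24: "CreateRemoteThread",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP and DNS", 8: "HTTPS"}
ACCESS_TYPES = {1: "Do not use proxy server", 2: "Use IE configuration in the registry",
                4: "Connect via proxy server"}
# Default stager URL paths from the slides; many C2 servers never change them
DEFAULT_STAGER_PATHS = {"/aaa9": "32bit", "/aab8": "32bit", "/aab9": "64bit", "/aac8": "64bit"}


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the single-byte key (symmetric, so it also encodes)."""
    return bytes(b ^ key for b in blob)


def parse_config(decoded: bytes) -> dict:
    """Walk the decoded settings block.

    Assumed layout (the documented beacon config format): each setting is index,
    type and length as big-endian uint16, then the value; type 1 = uint16,
    type 2 = uint32, type 3 = bytes. An index of 0 ends the block.
    """
    settings = {}
    pos = 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, pos)
        if idx == 0:
            break
        pos += 6
        raw = decoded[pos:pos + length]
        pos += length
        if typ == 1 and len(raw) >= 2:
            value = struct.unpack(">H", raw[:2])[0]
        elif typ == 2 and len(raw) >= 4:
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.split(b"\x00", 1)[0].decode("latin-1")
        settings[SETTING_NAMES.get(idx, f"Unknown_0x{idx:02x}")] = value
    # Translate the enumerations the index table documents
    if isinstance(settings.get("BeaconType"), int):
        settings["BeaconType"] = BEACON_TYPES.get(settings["BeaconType"], settings["BeaconType"])
    if isinstance(settings.get("AccessType"), int):
        settings["AccessType"] = ACCESS_TYPES.get(settings["AccessType"], settings["AccessType"])
    return settings


def default_stager_arch(url: str) -> Optional[str]:
    """Map a beacon download URL to 32bit/64bit when it uses a default stager path."""
    return DEFAULT_STAGER_PATHS.get(urlsplit(url).path)


def _tlv(idx: int, typ: int, value) -> bytes:
    """Build one setting; used only to construct the sample blob below."""
    if typ == 1:
        raw = struct.pack(">H", value)
    elif typ == 2:
        raw = struct.pack(">I", value)
    else:
        raw = value
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


# Constructed sample: an XOR-0x2E-encoded config, not taken from a real beacon
SAMPLE_ENCODED_CONFIG = xor_decode(
    _tlv(0x01, 1, 8) + _tlv(0x02, 1, 443) + _tlv(0x03, 2, 60000) + _tlv(0x05, 1, 20)
    + _tlv(0x08, 3, b"c2.example,/ping\x00") + _tlv(0x0a, 3, b"/submit.php\x00")
    + _tlv(0x23, 1, 1) + struct.pack(">HHH", 0, 0, 0)
)

if __name__ == "__main__":
    for name, value in parse_config(xor_decode(SAMPLE_ENCODED_CONFIG)).items():
        print(f"{name:20s} {value}")
    print(default_stager_arch("http://c2.example:80/aaa9"))  # 32bit
```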
Cobalt Strike Beacon Hunting System
(Architecture diagram, AWS Cloud) EventBridge (event) → Lambda gets the server list from VirusTotal and the beacon from the Cobalt Strike C2, then puts the config in the S3 output bucket; GitHub Actions (git checkout, get config, git push) → private and public GitHub repositories; Client → WAF / API Gateway (REST API) → run → put config.

Published Configuration Repository
https://github.com/JPCERTCC/CobaltStrike-Config
REST API
https://[mask]/cs-scan-api?scan=http://185.38.142.75:80/aaa9
You do not need to download the Cobalt Strike Beacon yourself to analyze it.
Changes in Cobalt Strike C2 (Daily)
(Chart: count per date, 2/17/2022 to 8/17/2022)
3 YARA CI/CD system
YARA CI/CD System
Creation of YARA rules must be done manually by the malware analyst, and automation of YARA rule creation is a challenge. Since creating YARA rules cannot be automated in general, malware analysts create them manually and spend too much time on it. For some characteristic malware, however, rules can be created automatically.
Case 3: HUI Loader Analysis System
(Diagram) Legitimate DLL, HUI Loader, Encoded Malware Data
HUI Loader is used by APT10, Blue Termite, A41APT and DEV-0401.
Decode code:
    dec_data = bytearray()
    for i in range(len(enc_data)):
        # XOR each byte with 0x20 and the rolling key byte (enc_data and key are bytes)
        data = enc_data[i] ^ 0x20 ^ key[i % len(key)]
        dec_data.append(data)
Overview of HUI Loader Timeline (2015-2022)
2015 Jan: APT10 started using HUI Loader
2015 Apr: Blue Termite started using HUI Loader
2016 Jul: Password randomized; DLL injection
2020 Jun: A41APT started using HUI Loader
2021 Aug: DEV-0401 started using HUI Loader
2021 Dec: Security features bypassed; "HUI…" strings deleted
Common Problems with Loader
(Diagram) Legitimate DLL; HUI Loader: Found it!; Encoded Malware Data: Not found!
Even if the Loader is found, the function of the malware is unknown because the encoded malware cannot be found.
Flow of HUI Loader Analysis System
Automatically execute from getting the HUI Loader to creating the YARA rule:
1. Get HUI Loader from VT
2. Analyze HUI Loader
3. Create YARA rule
4. Push YARA rule to VT
HUI Loader Analysis System
(Architecture diagram, AWS Cloud) EventBridge (event) → Lambda gets the HUI Loader from VirusTotal, puts the config in the S3 output bucket and pushes the YARA rule to VirusTotal; GitHub Actions (git checkout, get result, git push) → private and public GitHub repositories; Client → WAF / API Gateway (REST API) → run → put config.
Created YARA Rule
    rule malware_HUILoader_data_2317d3e14a {
        meta:
            description = "HUI Loader loading data"
            author = "JPCERT/CC Incident Response Group"
            HUI_loader_hash = "2317d3e14ab214f06ae38a729524646971e21b…"
        condition:
            uint32(0) == 0x7A8F473A or
            vt.metadata.file_name iequals "vlc.cnf"
    }
The file name and encoding key are unique to each loader, and thus a rule must be created for each loader.

Published Analysis Results Repository
https://github.com/JPCERTCC/HUILoader-research
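As an added example (not the JPCERT/CC system's own code), the decode loop from the slide as a function, plus a generator for the per-loader rule in the form shown above: the rule id is the first 10 hex characters of the loader hash, as in the slide's rule name, and the magic is the first four bytes of the encoded data read as YARA's little-endian uint32(0). The `import "vt"` line is what VirusTotal Livehunt needs for vt.metadata; the key, payload, hash and author string are constructed placeholders.

```python
import hashlib

XOR_CONST = 0x20


def hui_decode(enc_data: bytes, key: bytes) -> bytes:
    """The decode loop from the slide: each byte XOR 0x20 XOR the rolling key byte.
    XOR is symmetric, so the same call also encodes a plaintext payload."""
    if not key:
        raise ValueError("empty key")
    return bytes(enc_data[i] ^ XOR_CONST ^ key[i % len(key)] for i in range(len(enc_data)))


# Rule skeleton in the form shown on the slide. The import line is required for
# vt.metadata on VirusTotal Livehunt; the author string is a placeholder.
YARA_TEMPLATE = '''import "vt"

rule malware_HUILoader_data_{rule_id} {{
    meta:
        description = "HUI Loader loading data"
        author = "{author}"
        HUI_loader_hash = "{loader_hash}"
    condition:
        uint32(0) == 0x{magic:08X} or
        vt.metadata.file_name iequals "{file_name}"
}}
'''


def build_hui_rule(loader_hash: str, file_name: str, encoded_head: bytes,
                   author: str = "placeholder analyst") -> str:
    """One rule per loader: the rule id is the first 10 hex characters of the loader
    hash and the magic is the first four bytes of the encoded data file, read the
    way YARA's uint32(0) reads them (little-endian)."""
    if len(encoded_head) < 4:
        raise ValueError("need at least 4 bytes of the encoded data")
    magic = int.from_bytes(encoded_head[:4], "little")
    return YARA_TEMPLATE.format(rule_id=loader_hash[:10].lower(), author=author,
                                loader_hash=loader_hash, magic=magic, file_name=file_name)


# Constructed sample: key, payload and loader bytes are all made up for this example
SAMPLE_KEY = b"constructed-key"
SAMPLE_PLAIN = b"MZ\x90\x00" + b"CONSTRUCTED PAYLOAD BODY"
SAMPLE_ENCODED = hui_decode(SAMPLE_PLAIN, SAMPLE_KEY)
SAMPLE_LOADER_HASH = hashlib.sha256(b"constructed loader bytes").hexdigest()
SAMPLE_RULE = build_hui_rule(SAMPLE_LOADER_HASH, "vlc.cnf", SAMPLE_ENCODED[:4])

if __name__ == "__main__":
    print(SAMPLE_RULE)
    print(hui_decode(SAMPLE_ENCODED, SAMPLE_KEY)[:4])
```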
4 Surface Analysis System on Cloud
Surface Analysis System on Cloud
Confusing: each type of malware is called different names by different vendors. Malware names are different for each security vendor and get confusing when looking at each report. ("What is this malware?" "I want to scan using my YARA rule…") The same issues come up on Twitter…
Can sandbox alone solve all problems?
No. Sandbox analysis results need to be analyzed further, which is time consuming.
Our Requirements for Malware Analysis Tools
Simple
Fewer steps to execute
Execute multiple analyses all at once
Easy to customize
Store analysis results
For Example
YARA scan, floss, capa, olevba, Sandbox, My toolset: these analyses are executed in a single step.
Flow of Surface Analysis System on Cloud
Analysis results in a single action for multiple malware samples:
1. Send the analysis job from the web browser
2. Get the malware from VT
3. Analyze the malware with the selected tools
4. Save the analysis results
Firefox Add-on (screenshot)
Analysis Results (screenshot)
Surface Analysis System on Cloud
(Architecture diagram, AWS Cloud) Client submits a job through WAF / API Gateway (REST) → Lambda → Batch, which pulls the image from ECR, clones from CodeCommit, gets the malware from VirusTotal, runs, and pushes results to S3; EventBridge → Lambda gets Twitter data and blog contents and submits jobs; EventBridge → SNS / CloudWatch for status notification.
Demo
Infrastructure as Code (IaC)
Code and manage the building of the Surface Analysis System on the cloud.
Problem: heavy use of IaC increases the cost of managing the code. Limit the cases in which IaC is used; simple systems do not need IaC.
IaC using Terraform
Building the analysis system using Terraform.
Surface Analysis System on Cloud with IaC
(Architecture diagram) commit to the private GitHub repository → GitHub Actions run → apply to the AWS Cloud stack (S3, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch) used by the Client.
Demo - Infrastructure as Code -
Surface Analysis System on Cloud (screenshot)
5 Memory Forensic on Cloud
Memory Forensic on Cloud
Increased memory size has become a bottleneck for memory forensic investigations. Investigating multiple hosts simultaneously is time-consuming, so the memory forensic system must scale out: build a memory forensic system that scales out on a cloud service.
Flow of Memory Forensic on Cloud
Build a memory forensic system that scales out on a cloud service:
1. Get memory images
2. Send memory images to the cloud
3. Run the Volatility 3 analysis system (docker image)
4. Save analysis results
Memory Forensic on Cloud
(Architecture diagram, AWS Cloud) Client submits a job through WAF / API Gateway (REST); a memory image uploaded to S3 triggers EventBridge → Lambda → Batch, which pulls the image from ECR, clones from CodeCommit, runs, and pushes results to the S3 output bucket; EventBridge → SNS / CloudWatch for status notification. The Batch jobs scale out.
Analysis Results (screenshot)
Demo
Memory Forensic on Cloud with IaC
(Architecture diagram) commit to GitHub → GitHub Actions run → apply to the AWS Cloud stack (S3 output bucket, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, EventBridge, SNS, CloudWatch) used by the Client.

Tips
Limits of Serverless Services
limit    Lambda   Batch (Fargate)   Cloud Functions   Cloud Run
runtime  900s     -                 540s              3600s
memory   10G      30G               16G               32G
data     10G      200G              16G               32G
Serverless services have limited runtime, memory and data size. Check the limits and select a serverless service accordingly.
Transfer of Large Data
Transfer of large data, such as memory images and log files, is limited. For example (AWS): API Gateway 10MB; S3 presigned URL 5GB; AWS CLI 160GB. A CUI (command-line) client is required for large data transfers.
Use as a Serverless System for GitHub Actions
GitHub Actions can also be used as a serverless system (free: 3000 min/month).
Monitoring the Lucky Visitor Scam C2 System (GitHub)
(Architecture diagram) Components shown: C2; AWS Lambda; Amazon EventBridge (event); Amazon S3 output bucket (put/get IoC); GitHub Actions (get HTML content, git checkout, git push) → private and public GitHub repositories; Google Safe Browsing (report).
Takeaways (repost)
Share MAOps (Malware Analysis Operations) that fight the malware development life cycle.
Introduce the case study on how to build a malware analysis system with low maintenance costs.
Learn how to build the Malware Analysis System on Cloud.

Thank you!
@jpcert_en ir-info@jpcert.or.jp
PGP https://www.jpcert.or.jp/english/pgp/
@jpcert_ac
Reference
[1] JSAC2021: Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation, https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf

 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22]  ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛[cb22]  ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口 剛
 

Recently uploaded

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Delhi Call girls
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 

Recently uploaded (20)

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yuma Masubuchi

  • 1. Fight Against Malware Development Life Cycle. CODE BLUE 2022. © 2022 JPCERT/CC
  • 2. Problem of Incident Response: Attacker vs Defender
  • 3. Problem of Incident Response: Attacker vs Defender. We are in the Malware Development Life Cycle…
  • 4. Malware Analysis Operations (MAOps): Surface Analysis → Runtime Analysis → Static Analysis → Create YARA Rule → Finished analysis …
  • 5. All roads lead to AUTOMATION! Surface Analysis, Runtime Analysis, Static Analysis, Create YARA Rule: Automation!
  • 6. Problem of MAOps: Attacker vs Malware Analyst
  • 7. Problem of MAOps: Attacker vs Malware Analyst. The attacker changed the C2 server, changed the encryption key, and added a new function.
  • 8. Problem of MAOps: Attacker vs Malware Analyst. STOP
  • 9. Problem of MAOps. Maintenance of malware analysis tools is hard work: creating a lot of malware analysis tools requires the maintenance of many tools. We need methods to counter the attacker's development life cycle.
  • 10. Goal of This Presentation. This presentation shares methods for building analysis tools to counter the attacker's life cycle.
  • 11. Approach. Technologies such as CI/CD and serverless make system maintenance and release more efficient. Cloud services can be a solution to the problems of malware analysts. We manage the Malware Analysis System on the cloud: use cloud services, CI/CD, serverless, and Infrastructure as Code (IaC) to fight the malware development life cycle.
  • 12. Advantages of Using the Cloud for Malware Analysis: IP addresses can be changed dynamically; analysis tools are easy to update; scale-out systems are easy to build; no server provisioning or maintenance is required; low maintenance costs.
  • 13. Malware Analysis System on Cloud: Scanner, Memory Forensic, Surface Analysis, Sandbox, YARA, Log Analysis, Threat Research.
  • 14. Presentation Topics: 1 Malware C2 Monitoring; 2 Malware Hunting using Cloud; 3 YARA CI/CD system; 4 Surface Analysis System on Cloud; 5 Memory Forensic on Cloud.
  • 15. Section divider: 1 Malware C2 Monitoring (agenda items 1-5 repeated).
  • 16. Malware C2 Monitoring. Monitoring the attacker's C2 server is important to understand their activity. Notes: blocked access to the C2 server; being targeted by an attacker. Cloud services solve these problems.
  • 17. Case 1: Monitoring the Lucky Visitor Scam C2
  • 18. Lucky Visitor Scam Infrastructure (C2 Server, Compromised Server, Scam Server): #1 Website access; #2 Send client information; #3 Reply scam server URL; #4 Send scam server URL; #5 Access scam website.
  • 19. PHP Backdoor Installed in Compromised Server (communicates with the C2 Server).
  • 20. Request to C2 for Redirect URL:
        $ curl -i -X POST http[:]//144.76.47[.]168/app/assets/api2?action=redir -d "ip=153.213.10.51&qs=dfaljfadfa.com%2Findex.php%3Ffc858f%3DiPhone-Apple-Windows&ua=Mozilla%2F5.0 (...) &conn=close&uid=fb06bc98-576a-d5df-2195-a4b0a64bec44" -H "User-Agent: " -H "Accept: "
        HTTP/1.1 200 OK
        Server: nginx/1.14.2
        Date: Tue, 23 Feb 2021 23:46:35 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 590
        Connection: keep-alive
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        Referrer-Policy: same-origin

        a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";s:524:"<html>
        <head>
        <META http-equiv="refresh" content="1;URL=https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d">
        <script>
        window.location = "https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d";
        </script>
        </head>
        <body>
        To the new location please <a href="https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d"><b>click here.</b></a>
        </body>
        </html>";}}
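The C2 reply above is a PHP serialize() array whose "code" string carries the scam URL three times inside an HTML snippet. As an added example (not JPCERT/CC's code from the repository), the parser below decodes that serialization format, pulls the URLs out of the embedded HTML and defangs them for publishing as IoCs; the reply body is constructed here with a placeholder domain rather than the campaign's real one.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape of the C2 reply on the slide; the scam domain
# is a placeholder, not an indicator from the real campaign.
SAMPLE_URL = "https://scam-example.invalid/?utm_campaign=PLACEHOLDER&t=main7d"
SAMPLE_HTML = (
    "<html> <head> "
    f'<META http-equiv="refresh" content="1;URL={SAMPLE_URL}"> '
    f'<script> window.location = "{SAMPLE_URL}"; </script> </head> '
    f'<body> To the new location please <a href="{SAMPLE_URL}"><b>click here.</b></a> '
    "</body> </html>"
)
SAMPLE_BODY = (
    'a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";'
    f's:{len(SAMPLE_HTML.encode())}:"{SAMPLE_HTML}";}}}}'
).encode()

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def _parse(buf: str, pos: int) -> Tuple[Any, int]:
    """Recursive-descent parse of one PHP serialize() value starting at buf[pos]."""
    kind = buf[pos]
    if kind == "N":                                   # N;
        return None, pos + 2
    if kind in ("i", "b"):                            # i:42;   b:1;
        end = buf.index(";", pos)
        num = int(buf[pos + 2:end])
        return (bool(num) if kind == "b" else num), end + 1
    if kind == "s":                                   # s:<len>:"<bytes>";
        colon = buf.index(":", pos + 2)
        start = colon + 2                             # skip  :"
        end = start + int(buf[pos + 2:colon])         # <len> is a byte count
        if buf[end:end + 2] != '";':
            raise ValueError(f"malformed string at offset {pos}")
        return buf[start:end], end + 2
    if kind == "a":                                   # a:<n>:{key;value;...}
        colon = buf.index(":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                               # skip  :{
        items: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            items[key] = val
        if buf[pos] != "}":
            raise ValueError(f"malformed array at offset {pos}")
        return items, pos + 1
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")


def php_unserialize(body: bytes) -> Any:
    """Decode a PHP serialize() blob into Python values (arrays become dicts)."""
    buf = body.decode("latin-1")        # one code point per byte keeps PHP lengths exact
    value, end = _parse(buf, 0)
    if end != len(buf):
        raise ValueError("trailing data after serialized value")
    return value


def extract_redirect_urls(body: bytes) -> List[str]:
    """Return the scam URLs embedded in a 'redir' reply, or [] for any other reply."""
    msg = php_unserialize(body)
    if not isinstance(msg, dict) or msg.get("type") != "redir":
        return []
    html = msg.get("data", {}).get("code", "")
    return sorted(set(URL_RE.findall(html)))


def defang(url: str) -> str:
    """Defang scheme and host so the IoC cannot be clicked when published."""
    url = url.replace("http://", "http[:]//").replace("https://", "https[:]//")
    host_end = url.find("/", url.find("//") + 2)
    host, rest = (url, "") if host_end < 0 else (url[:host_end], url[host_end:])
    return host.replace(".", "[.]") + rest


if __name__ == "__main__":
    for u in extract_redirect_urls(SAMPLE_BODY):
        print("scam URL (defanged):", defang(u))
```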
  • 21. PHP Backdoor Installed in Compromised Server. PHP Backdoor Features: check: displays the number of files stored on the server; templates: creates a .html file for templates; keywords: creates a .lst file for keywords; update_sitemap: updates sitemap.xml; pages: creates a new page; ping: sends a sitemap.xml URL to Google and Bing; robots: creates robots.txt; eval: runs PHP code.
  • 22. Lucky Visitor Scam C2. Attackers use different C2 servers over time.
        IP Address      Status
        144.76.47.168   〇
        144.76.51.144   ×
        178.63.30.186   〇
        178.63.30.30    〇
        178.63.34.6     ×
        5.9.146.0       ー
        5.9.235.245     〇
        5.9.239.221     ×
        5.9.34.13       〇
        5.9.37.245      ×
        94.130.71.28    ×
  • 23. Flow of Lucky Visitor Scam Countermeasures: Get PHP content from VT → Check C2 → Get redirect URL from C2 → Report to Google Safe Browsing → Blocked by web browser. This process, from discovering C2 servers to blocking redirects in web browsers, is executed automatically.
  • 24. Monitoring the Lucky Visitor Scam C2 System (AWS). Architecture diagram (AWS / GitHub, Private / Public): C2 (Get HTML content), AWS Lambda, Amazon EventBridge (Event), Amazon S3 output bucket (Put IoC / Get IoC), GitHub Actions, GitHub (Git push / Git checkout), Google Safe Browsing (Report), VirusTotal.
  • 25. Monitoring the Lucky Visitor Scam C2 System: https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC
  • 26. Monitoring the Lucky Visitor Scam C2 System (GCP). Architecture diagram (GitHub, Private / Public): C2 (Get HTML content), Cloud Functions, Cloud Scheduler (Event), Cloud Storage (Put IoC / Get IoC), GitHub Actions, GitHub (Git push / Git checkout), Google Safe Browsing (Report).
  • 27. Access Control for C2 Server: the C2 server is inaccessible from Japan.
  • 28. C2 Activity. [Chart: count of redirect URL deliveries per hour of day (Time, UTC+9), hours 0-23, count 0-350.] Investigation of the attacker's redirect URL delivery cycle.
  • 29. Section divider: 2 Malware Hunting using Cloud (agenda items 1-5 repeated).
  • 30. Malware Hunting using Cloud: Get IoCs → Download malware → Analyze malware → Hunt and detect incident. Malware hunting gets unknown IoCs and can be used for incident detection.
  • 32. Case 2: Cobalt Strike Beacon Hunting. Cobalt Strike is a popular penetration testing tool among attackers [1]. Cobalt Strike C2s are found in large numbers and cannot all be analyzed manually.
  • 33. Flow of Cobalt Strike Beacon Hunting: Get C2 server from VT → Download Cobalt Strike beacon → Analyze Cobalt Strike beacon → Publish configuration. Everything from discovering C2 servers to hunting the Cobalt Strike beacon is executed automatically.
  • 34. C2 Server Data. Extract a list of IP addresses of Cobalt Strike servers from VirusTotal. VT API: https://www.virustotal.com/api/v3/intelligence/search?query=entity%3Aip%20comment%3A%23cobaltstrike&limit=300&descriptors_only=true
  • 35. Default URL Path for Cobalt Strike Beacon: 32bit: /aaa9, /aab8; 64bit: /aab9, /aac8. Many C2 servers do not change the default URL path.
  • 36. Configuration Data. The configuration data in the Cobalt Strike beacon is encoded with XOR 0x2E.
  • 37. Configuration Index (set / Description / Remarks):
        0x01  BeaconType                                      0=HTTP, 1=Hybrid HTTP and DNS, 8=HTTPS
        0x02  Port number
        0x03  Polling time
        0x04  Unknown
        0x05  Jitter                                          Ratio of jitter in polling time (0-99%)
        0x06  Maxdns                                          Maximum length of host name when using DNS (0-255)
        0x07  Unknown
        0x08  Destination host
        0x09  User agent
        0x0a  Path when communicating                         HTTP_Header2
        0x0b  Unknown
        0x0c  HTTP_Header1
        0x0d  HTTP_Header2
        0x0e  Injection process
        0x0f  Pipe name
        0x10  Year                                            Stops operating after the specified date by Year, Month, Day
        0x11  Month
        0x12  Day
        0x13  DNS_idle
        0x14  DNS_Sleep
        0x1a  HTTP_Method1
        0x1b  HTTP_Method2
        0x1c  Unknown
        0x1d  Process to inject arbitrary shellcode (32bit)
        0x1e  Process to inject arbitrary shellcode (64bit)
        0x1f  Unknown
        0x20  Proxy server name
        0x21  Proxy user name
        0x22  Proxy password
        0x23  AccessType                                      1 = Do not use proxy server, 2 = Use IE configuration in the registry, 4 = Connect via proxy server
        0x24  create_remote_thread                            Flag whether to allow creating threads in other processes
        0x25  Not in use
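Slide 36 gives the XOR key and slide 37 the index table; what they do not show is the wire layout of each entry. This added example (not JPCERT/CC's tool behind the published repository) constructs an encoded config block, then locates and decodes it the way a beacon config parser does, naming fields from the slide 37 table. The entry layout (big-endian index, type, length, then value; type 1 = short, 2 = int, 3 = bytes) and the search marker are assumptions taken from public beacon parsers, and the host and user agent are placeholders.

```python
import struct
from typing import Dict, Union

XOR_KEY = 0x2E  # key given on slide 36

# Index -> name, taken from the Configuration Index table on slide 37 (subset).
INDEX_NAMES = {
    0x01: "BeaconType", 0x02: "Port", 0x03: "PollingTime", 0x05: "Jitter",
    0x06: "Maxdns", 0x08: "DestinationHost", 0x09: "UserAgent", 0x0a: "HttpPath",
    0x0c: "HTTP_Header1", 0x0d: "HTTP_Header2", 0x0e: "InjectionProcess",
    0x0f: "PipeName", 0x10: "Year", 0x11: "Month", 0x12: "Day",
    0x1a: "HTTP_Method1", 0x1b: "HTTP_Method2", 0x1d: "SpawnTo_x86",
    0x1e: "SpawnTo_x64", 0x20: "ProxyServer", 0x21: "ProxyUser",
    0x22: "ProxyPassword", 0x23: "ProxyAccessType", 0x24: "CreateRemoteThread",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP and DNS", 8: "HTTPS"}
PROXY_ACCESS = {1: "do not use proxy", 2: "IE configuration in registry", 4: "via proxy server"}

# Entry layout assumed from public beacon config parsers (not stated on the slides):
# index u16 | type u16 | length u16 | value, all big-endian; type 1=short, 2=int, 3=bytes.
T_SHORT, T_INT, T_BYTES = 1, 2, 3


def xor(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in blob)


def encode_entry(index: int, kind: int, value) -> bytes:
    """Build one plaintext entry; used here only to construct the sample blob."""
    if kind == T_SHORT:
        data = struct.pack(">H", value)
    elif kind == T_INT:
        data = struct.pack(">I", value)
    else:
        data = value if isinstance(value, bytes) else value.encode()
    return struct.pack(">HHH", index, kind, len(data)) + data


# Constructed sample: junk bytes, then the XOR-encoded config block padded with
# zeros (in plaintext) the way a real config region is; host and UA are placeholders.
PLAIN_CONFIG = b"".join([
    encode_entry(0x01, T_SHORT, 8),                                   # BeaconType = HTTPS
    encode_entry(0x02, T_SHORT, 443),                                 # Port
    encode_entry(0x03, T_INT, 60000),                                 # polling time (ms)
    encode_entry(0x05, T_SHORT, 20),                                  # jitter (%)
    encode_entry(0x08, T_BYTES, b"c2.example.invalid,/aab9\x00"),     # host, default 64-bit path
    encode_entry(0x09, T_BYTES, b"Mozilla/5.0 (constructed UA)\x00"),
    encode_entry(0x23, T_SHORT, 2),                                   # proxy: IE registry config
])
SAMPLE_BEACON = b"MZ\x90\x00" + b"\x90" * 60 + xor(PLAIN_CONFIG + b"\x00" * 32)


def find_config(blob: bytes, key: int = XOR_KEY) -> int:
    """Locate the config by its encoded first entry (index 1, short, length 2)."""
    marker = xor(struct.pack(">HHH", 0x01, T_SHORT, 2), key)
    off = blob.find(marker)
    if off < 0:
        raise ValueError(f"no beacon config found with key 0x{key:02x}")
    return off


def parse_config(blob: bytes, key: int = XOR_KEY) -> Dict[str, Union[int, str]]:
    """Decode the XOR-encoded config and map indices to the slide 37 names."""
    pos = find_config(blob, key)
    cfg: Dict[str, Union[int, str]] = {}
    while pos + 6 <= len(blob):
        index, kind, length = struct.unpack(">HHH", xor(blob[pos:pos + 6], key))
        if index == 0:                      # zero padding marks the end of the block
            break
        pos += 6
        raw = xor(blob[pos:pos + length], key)
        pos += length
        if kind == T_SHORT:
            value: Union[int, str] = struct.unpack(">H", raw)[0]
        elif kind == T_INT:
            value = struct.unpack(">I", raw)[0]
        elif kind == T_BYTES:
            value = raw.rstrip(b"\x00").decode("latin-1")
        else:
            raise ValueError(f"unknown entry type {kind} at offset {pos - 6}")
        cfg[INDEX_NAMES.get(index, f"Unknown_0x{index:02x}")] = value
    return cfg


def describe(cfg: Dict[str, Union[int, str]]) -> Dict[str, str]:
    """Human-readable view using the remarks column of the slide 37 table."""
    out = {k: str(v) for k, v in cfg.items()}
    if "BeaconType" in cfg:
        out["BeaconType"] = BEACON_TYPES.get(int(cfg["BeaconType"]), "unknown")
    if "ProxyAccessType" in cfg:
        out["ProxyAccessType"] = PROXY_ACCESS.get(int(cfg["ProxyAccessType"]), "unknown")
    return out


if __name__ == "__main__":
    for name, val in describe(parse_config(SAMPLE_BEACON)).items():
        print(f"{name:18} {val}")
```

Public parsers try more than one XOR key, which is why `key` is a parameter rather than a constant baked into the scan.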
  • 38. Cobalt Strike Beacon Hunting System. Architecture diagram (AWS Cloud / GitHub, Private / Public): Cobalt Strike C2 (Get beacon), Lambda, EventBridge (Event), VirusTotal (Get server list), S3 output bucket (Put Config / Get Config), GitHub Actions, GitHub (Git push / Git checkout, Put Config), API Gateway, WAF, REST API Client (Run).
  • 39. Published Configuration Repository: https://github.com/JPCERTCC/CobaltStrike-Config
  • 41. REST API: https://[mask]/cs-scan-api?scan=http://185.38.142.75:80/aaa9. You do not need to download the Cobalt Strike beacon yourself to analyze it.
  • 42. Changes in Cobalt Strike C2 (Daily). [Chart: count of C2 servers per day from 2/17/2022 to 8/17/2022, count 0-200.]
  • 43. Section divider: 3 YARA CI/CD system (agenda items 1-5 repeated).
  • 44. YARA CI/CD System. Creation of YARA rules must be done manually by the malware analyst, and automation of YARA rule creation is a challenge. Since creating YARA rules cannot be fully automated, malware analysts create them manually and spend too much time on it. For some characteristic malware, however, rules can be created automatically.
  • 45. Case 3: HUI Loader Analysis System. Diagram: Legitimate → HUI Loader → Encoded Malware DLL Data. HUI Loader is used by APT10, Blue Termite, A41APT and DEV-0401. Decode code:
        def hui_decode(enc_data: bytes, key: bytes) -> bytes:
            dec_data = bytearray()
            for i in range(len(enc_data)):
                # each byte is XORed with 0x20 and with the repeating key
                dec_data.append(enc_data[i] ^ 0x20 ^ key[i % len(key)])
            return bytes(dec_data)
  • 46. Overview of HUI Loader Timeline (2015-2022): 2015 Jan, APT10 started using HUI Loader; 2015 Apr, Blue Termite started using HUI Loader; 2016 Jul, password randomized and DLL injection added; 2020 Jun, A41APT started using HUI Loader; 2021 Aug, DEV-0401 started using HUI Loader; 2021 Dec, security features bypassed and "HUI…" strings deleted.
  • 47. Common Problems with Loaders. Diagram: Legitimate → HUI Loader ("Found it!") → Encoded Malware DLL Data ("Not found!"). Even if the loader is found, the function of the malware is unknown because the encoded malware cannot be found.
  • 48. Flow of HUI Loader Analysis System: Get HUI Loader from VT → Analyze HUI Loader → Create YARA rule → Push YARA rule to VT. Everything from getting the HUI Loader to creating the YARA rule is executed automatically.
  • 49. HUI Loader Analysis System. Architecture diagram (AWS Cloud / GitHub, Private / Public): VirusTotal (Get HUI Loader, Push YARA rule), Lambda, EventBridge (Event), S3 output bucket (Put Config / Get Result), GitHub Actions, GitHub (Git push / Git checkout, Put Config), API Gateway, WAF, REST API Client (Run).
  • 50. Created YARA rule. The file name and encoding key are unique to each loader, so a rule must be created for each of them.
        rule malware_HUILoader_data_2317d3e14a {
            meta:
                description = "HUI Loader loading data"
                author = "JPCERT/CC Incident Response Group"
                HUI_loader_hash = "2317d3e14ab214f06ae38a729524646971e21b…"
            condition:
                uint32(0) == 0x7A8F473A or vt.metadata.file_name iequals "vlc.cnf"
        }
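Slide 45 gives the decode routine and slide 50 the shape of the rule that is generated per loader. This added example (not JPCERT/CC's analysis system) ties the two together: it round-trips a constructed payload through the XOR routine and emits a rule of that shape for a given key and data file name, deriving the uint32(0) constant by encoding the PE header ("MZ\x90\x00") with the loader's key. That the constant is the encoded PE header is an assumption made here, not something the slides state; the key, hash and payload are constructed placeholders.

```python
import struct

PE_HEADER = b"MZ\x90\x00"   # first four bytes of a PE file, i.e. of the decoded DLL


def hui_decode(enc_data: bytes, key: bytes) -> bytes:
    """Decode routine from slide 45: each byte XOR 0x20 XOR the repeating key."""
    return bytes(enc_data[i] ^ 0x20 ^ key[i % len(key)] for i in range(len(enc_data)))


def hui_encode(plain: bytes, key: bytes) -> bytes:
    """XOR is symmetric, so encoding a payload is the same operation."""
    return hui_decode(plain, key)


def u32le(data: bytes) -> int:
    """Little-endian uint32 of the first four bytes, as YARA's uint32(0) reads it."""
    return struct.unpack("<I", data[:4])[0]


def encoded_header_u32(key: bytes) -> int:
    """Assumption: the rule constant is the PE header encoded with this loader's key."""
    return u32le(hui_encode(PE_HEADER, key))


def build_rule(loader_sha256: str, key: bytes, data_filename: str) -> str:
    """Emit a rule in the shape of slide 50 for one loader's key and data file name."""
    magic = encoded_header_u32(key)
    return (
        'import "vt"\n'                        # vt.metadata.* exists only in VT Livehunt
        f"rule malware_HUILoader_data_{loader_sha256[:10]}\n"
        "{\n"
        "    meta:\n"
        '        description = "HUI Loader loading data"\n'
        '        author = "constructed example"\n'
        f'        HUI_loader_hash = "{loader_sha256}"\n'
        "    condition:\n"
        f'        uint32(0) == 0x{magic:08X} or vt.metadata.file_name iequals "{data_filename}"\n'
        "}\n"
    )


def matches_condition(data: bytes, file_name: str, key: bytes, data_filename: str) -> bool:
    """Offline check equivalent to the rule's condition (no YARA engine needed)."""
    return u32le(data) == encoded_header_u32(key) or file_name.lower() == data_filename.lower()


# --- constructed loader facts and payload (not from a real sample) ---
SAMPLE_KEY = b"Constructed-Key-1"
SAMPLE_HASH = "0123456789abcdef" * 4   # placeholder SHA-256 of the loader
SAMPLE_DATA_NAME = "vlc.cnf"          # data file name the loader looks for (slide 50)
SAMPLE_PAYLOAD = PE_HEADER + b"\x03\x00\x00\x00" + b"constructed dll body"
SAMPLE_ENCODED = hui_encode(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    assert hui_decode(SAMPLE_ENCODED, SAMPLE_KEY) == SAMPLE_PAYLOAD
    print(build_rule(SAMPLE_HASH, SAMPLE_KEY, SAMPLE_DATA_NAME))
    print("encoded sample matches:",
          matches_condition(SAMPLE_ENCODED, "x.bin", SAMPLE_KEY, SAMPLE_DATA_NAME))
```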
  • 51. Published Analysis Results Repository: https://github.com/JPCERTCC/HUILoader-research
  • 52. Section divider: 4 Surface Analysis System on Cloud (agenda items 1-5 repeated).
  • 53. Surface Analysis System on Cloud. Confusing: each type of malware is called different names by different vendors.
  • 54. Surface Analysis System on Cloud. Malware names differ for each security vendor, which gets confusing when reading each report. "What is this malware?" "I want to scan it using my YARA rule…"
  • 55. Surface Analysis System on Cloud. Same issues on Twitter…
  • 56. Surface Analysis System on Cloud. Same issues on Twitter… "What is this malware?" "I want to scan it using my YARA rule…"
  • 57. Can a sandbox alone solve all problems?
  • 58. Can a sandbox alone solve all problems? No. Sandbox analysis results need to be analyzed further, which is time consuming.
  • 59. Our Requirements for Malware Analysis Tools: simple; fewer steps to execute; execute multiple analyses all at once; easy to customize; store analysis results.
  • 60. For Example: YARA scan, floss, capa, olevba, sandbox, my toolset. These analyses are executed in a single step.
  • 61. Flow of Surface Analysis System on Cloud: Send analysis job from web browser → Get malware from VT → Analyze malware with the selected tools → Save analysis results. Analysis results for multiple malware samples in a single action.
  • 64. Surface Analysis System on Cloud. Architecture diagram (AWS Cloud): Client, API Gateway, WAF, REST (Submit job), Lambda, Batch (Run), CodeCommit (Clone), ECR (Image pull), VirusTotal (Get malware), S3 (Push results), Lambda and EventBridge (Get twitter data from Twitter; Get contents from Blog; Submit job), EventBridge, SNS, CloudWatch (Status notification).
  • 65. Demo
  • 66. Infrastructure as Code (IaC). Code and manage the building of the Surface Analysis System on the cloud. Problem: heavy use of IaC increases the cost of managing the code. Limit the cases in which IaC is used; simple systems do not need IaC.
  • 67. IaC using Terraform: building the analysis system using Terraform.
  • 68. Surface Analysis System on Cloud with IaC. Architecture diagram (GitHub / AWS Cloud, Private): GitHub (commit) → GitHub Actions (run, apply) → AWS Cloud: Client, S3, API Gateway, WAF, Lambda, Batch, CodeCommit, ECR, Lambda, EventBridge, EventBridge, SNS, CloudWatch.
  • 70. Surface Analysis System on Cloud (screenshot).
  • 71. Section divider: 5 Memory Forensic on Cloud (agenda items 1-5 repeated).
  • 72. Memory Forensic on Cloud. Increased memory size has become a bottleneck for memory forensic investigations. Investigating multiple hosts simultaneously is time-consuming, so the memory forensic system must scale out. Build a memory forensic system that scales out on a cloud service.
  • 73. Flow of Memory Forensic on Cloud: Get memory images → Send memory images to the cloud → Run the Volatility 3 analysis system (docker image) → Save analysis results. Build a memory forensic system that scales out on a cloud service.
  • 74. Memory Forensic on Cloud. Architecture diagram (AWS Cloud): Client (Submit job), REST, WAF, API Gateway (Run), Lambda, Batch (Run), CodeCommit (Clone), ECR (Image pull), Memory Image S3, EventBridge, S3 output bucket (Push results, Analysis results), EventBridge, SNS, CloudWatch (Status notification).
  • 75. Memory Forensic on Cloud. Same diagram as slide 74, with Batch scaling out.
  • 78. Demo
  • 79. Memory Forensic on Cloud with IaC. Architecture diagram: GitHub (commit) → GitHub Actions (Run, apply) → AWS Cloud: Client (Submit job), S3 output bucket, Lambda, Batch (Run), CodeCommit (Clone), ECR (Image pull), S3, EventBridge (Analysis results, Push results), WAF, API Gateway (Run), EventBridge, SNS, CloudWatch.
  • 80. Surface Analysis System on Cloud (screenshot).
  • 81. Tips
  • 82. Limits of Serverless Services. Serverless services have limited runtime, memory and data size; check the limits and select a serverless service accordingly.
        limit     Lambda   Batch (Fargate)   Cloud Functions   Cloud Run
        runtime   900s     -                 540s              3600s
        memory    10G      30G               16G               32G
        data      10G      200G              16G               32G
  • 83. Transfer of Large Data. Transfer of large data, such as memory images and log files, is limited; a CUI is required for large data transfers. For example (AWS): API Gateway 10MB; S3 presigned URL 5GB; AWS CLI 160GB.
  • 84. Use GitHub Actions as a Serverless System. GitHub Actions can also be used as a serverless system (free: 3000 min/month).
  • 85. Monitoring the Lucky Visitor Scam C2 System (GitHub). Architecture diagram (AWS Cloud / GitHub, Private / Public): C2 (Get HTML content), AWS Lambda, Amazon EventBridge (Event), Amazon S3 output bucket (Put IoC / Get IoC), GitHub Actions, GitHub (Git push / Git checkout), Google Safe Browsing (Report).
  • 86. Takeaways (repost): Share MAOps (Malware Analysis Operations) that fight the malware development life cycle. Introduce the case study on how to build a malware analysis system with low maintenance costs. Learn how to build the Malware Analysis System on Cloud.
  • 87. Thank you! @jpcert_en, ir-info@jpcert.or.jp, PGP https://www.jpcert.or.jp/english/pgp/, @jpcert_ac
  • 88. Reference. [1] JSAC2021: Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation, https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf