Botconf Author Listing

Analyzing malware is an important part of preventing and detecting cyber threats. But it’s not enough. You should learn how malware is spread for understanding the overall threat landscape. So we’d like to propose a unique training which combines malware analysis and C2 / landing page detection by holding Roaming Mantis as an example.

Roaming Mantis is a campaign which uses DNS hijacking to distribute cyber threats such as web-mining, phishing and malicious Android applications. This criminals activities were discovered by Mcafee. After then, the campaign is named by Kaspersky in April 2018 and it’s still very active and rapidly evolving.

We’d like to propose a hands-on for research that takes the campaign as an example. More than 80% of our training is hands-on. Because, we believe analysts / researchers have doing own way everyday. So, we just want to share and introduce our way, method, tools and viewpoints with attendees through this course.

In March 2018, thousands of home routers were potentially compromised by a criminal campaign called “Roaming Mantis” in Japan to overwrite DNS settings to use a rogue DNS. This criminal has strong financial motivation. Devices under the compromised router, such as Android, iOS, PC were targeted. They have been rapidly improving their malicious contents for each platform. In addition, the attacker implemented their malicious contents which support 27 languages for targeting around the world. Based on our research, we would like to disclose the details of this campaign such as the mind of the criminals, the details of malicious contents and how they compromised routers to share with researchers and CERTs…

In August 2023, TrendMicro published a blog post announcing a new sophisticated Advanced Persistent Threat (APT) campaign known as “Earth Estries.” The campaign specifically targeted government-related organizations and technology companies in the Philippines, Taiwan, South Africa, Germany, and the United States.

From this information and open source intelligence, we identified several characteristics within the attack infrastructure. These included the watermark of Cobalt Strike and WHOIS registration details of the C2 servers, which allowed us to discover concealed C2 domains and IP addresses associated with further hidden attack infrastructure.

After further detailed analysis of the unknown malware, we concluded by reverse engineering that this malware is a new form of malware that shares code similarities and data structures with Deed RAT, a variant of ShadowPad. Therefore, we strongly believe that this is a new variant of Deed RAT.

The purpose of this presentation is to share a comprehensive analysis of Cobalt Strike Beacon and an analysis of BLOODALCHEMY characteristics not covered in the Elastic Security blog, based on a survey of APT activity in 2023.

In addition, we will describe the methodology for identifying Deed RAT variants, thereby revealing the associated attack infrastructure, with the aim of tracking the activities of these threat actors, which can be applied to botnet actors as well as APTs.