Last known affiliation: NTT Security (Japan) KK
Bio: Rintaro Koike is a security researcher at NTT Security (Japan) KK. He is engaged in threat research and malware analysis. In addition, he is the founder of “nao_sec”. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, SAS, Black Hat USA Arsenal and others.
Yuta Sawabe 🗣 | Ryuichi Tanabe 🗣 | Fumio Ozawa | Rintaro Koike
Abstract
Since December 2019, Zloader has been revived as “Silent Night” and used in various attack campaigns, most notably two (PseudoGate and Malsmoke) that target users in Japan, Canada and the U.S. in order to steal banking-related information. Zloader communicates with its C&C servers over HTTPS, using domain names generated by a DGA, so its activity is difficult to detect on the network.
We developed a system that collects information about infected hosts from the logs left on Zloader’s C&C servers. To locate those servers, we gathered Zloader samples and extracted their embedded configuration data with the help of several public services. The system has been in operation since March 2021; it observes every Zloader C&C server across the various attack campaigns, giving us the daily infection scale of each campaign.
In this presentation we will first describe Zloader’s characteristics, then introduce the investigation system in detail, and finally share the data the system has produced together with our analysis of it. SOC and CSIRT staff and security researchers who work on Zloader will gain a deeper understanding of the threat and be better placed to take countermeasures against it.