Last known affiliation: NTT Security (Japan) KK
Bio: Fumio Ozawa is a security analyst at NTT Security (Japan) KK, where he performs malware and exploit analysis and runs SOC operations. Recently he has focused on analyzing APT attacks targeting East Asia. He has spoken at JSAC 2018 and VB 2020, and has written several white papers.
Yuta Sawabe 🗣 | Ryuichi Tanabe 🗣 | Fumio Ozawa | Rintaro Koike
Abstract
Since December 2019, Zloader has been revived as “Silent Night” and used in various attack campaigns, in particular two campaigns known as PseudoGate and Malsmoke. These campaigns target users in Japan, Canada, and the U.S. in order to steal banking-related information. Zloader communicates with its C&C servers over HTTPS using domain names generated by a DGA, which makes its activity difficult to detect on the network.
We developed a system that collects information about infected hosts from the logs on Zloader’s C&C servers. To find those C&C servers, we collected Zloader samples and extracted their internal configuration data using several public services. We have been operating the system since March 2021. It observes all of Zloader’s C&C servers across the various attack campaigns, giving us the infection scale of each campaign on a daily basis.
In this presentation, we will first describe the characteristics of Zloader. We will then introduce the Zloader investigation system in detail. Finally, we will share the data obtained by the system and our analysis of it, so that SOC and CSIRT staff and security researchers who study Zloader can gain a deeper understanding of it and take countermeasures against it.