Last known affiliation: NTT Security (Japan) KK
Bio: Ryuichi Tanabe is a SOC analyst at NTT Security (Japan) KK. Currently, his main duty is responding to EDR detections, but he also works as a malware analysis researcher. His current interest is malware families related to APT attacks targeting East Asia. Previously he worked as a web programmer, but he changed careers to become a SOC engineer in 2012. Since then, he has specialized in SOC-related work. He has been a speaker at VB, SAS and CodeBlue.
Yuta Sawabe 🗣 | Ryuichi Tanabe 🗣 | Fumio Ozawa | Rintaro Koike
Abstract
Since December 2019, Zloader has been revived as “Silent Night”, and it has been used in various attack campaigns. In particular, it has been used in two attack campaigns (PseudoGate and Malsmoke). These campaigns target users in Japan, Canada, and the U.S. to obtain banking-related information. Zloader connects to its C&C servers over HTTPS using domain names generated by a DGA. Therefore, it is difficult to detect Zloader’s activity on the network.
We developed a system that collects information about infected hosts from logs on Zloader’s C&C servers. To find the C&C servers, we collected Zloader samples and extracted their internal config data using several public services. We have been using the system since March 2021. It observes all of Zloader’s C&C servers across the various attack campaigns, so we know the Zloader infection scale of each campaign on a daily basis.
In this presentation, we will first share the characteristics of Zloader. Then, we will introduce the Zloader investigation system in detail. Furthermore, we will share the data obtained by the system and our analysis of it. As a result, SOC, CSIRT and security researchers who research Zloader will be able to gain a deeper understanding of it and take countermeasures against it.