Botconf Author Listing

Shusei Tomonaga

Last known affiliation: JPCERT/CC

Date: 2020-12-02
Hunting the Quasar Family – How to Hunt a Malware Family
Shusei Tomonaga | Tomoaki Tani | Kota Kino

Abstract

QuasarRAT is the best-known of the many open source RAT projects. Since xRAT, the predecessor of Quasar RAT, was released in 2014, attackers have deployed this RAT in many campaigns. In particular, they take advantage of an open source attack tool because it lets them conduct attacks in a generic way and so avoid attribution. This trend has been common in recent years, and open source tools including QuasarRAT have been used in many cases.
Our investigation identified many RAT projects related to QuasarRAT. In these projects, QuasarRAT has been extended with new functions or transformed into an entirely new type of malware, and this Quasar family of malware has been used in many attacks. It is important to understand the details of the Quasar RAT and its family, particularly how each project develops from QuasarRAT and is being used for new types of attacks.

External link: Github
Date: 2017-12-08
Hunting Attacker Activities — Methods for Discovering, Detecting Lateral Movements
Shusei Tomonaga | Keisuke Muda

Abstract

When attackers intrude into a network in an APT attack, the malware infection spreads to many hosts and servers. In incident investigations, it is important to examine what actually happened during lateral movement through log analysis and forensic investigation of the infected hosts. In many cases, however, insufficient logs remain on the host, which makes it difficult to reveal what the attackers did on the network.
We therefore investigated attackers’ activities after network intrusion by examining C2 servers and decoding the malware’s communication. As a result, we found common patterns in the lateral movement methods and in the tools that are frequently used.
In addition, we analyzed these tools and Windows commands and examined the logs recorded on the host when they are executed. This revealed that the tools’ execution logs are not recorded under the default Windows settings.

This presentation will explain some of the attack patterns and typical tools used in lateral movement that were identified through our research. We will also demonstrate how to investigate or detect incidents in which such tools and commands are used.
