Yoshihiro Ishikawa
Last known affiliation: LAC
Yoshihiro Ishikawa | Shinichi Nagano
Abstract
The Go language (GoLang) is an open source programming language developed by Google Inc. in 2009, and it can run on various platforms such as Linux, Mac, Windows, and Android.
Speaking of malware written in Golang, Mirai is one of the famous ones (it is used for the C2 program), but malware such as Encriyoko, Lady, GoARM.Bot, Go Athena RAT and others has also been confirmed.
However, we can’t say that Golang is commonly used as a development basis for malware coding when looking at its ratio among popular malware.
In this presentation, we would like to introduce the analysis results of a new malware, which we call “WellMess”, that was coded in Golang for multiple platform operating systems. This malware was used in several incident cases that we confirmed from January 2018; we recognize it as a new malware according to our team’s analysis and the traffic generated in its communication with the C2 servers.
Additionally, we will explain the reverse engineering of the WellMess malware and demonstrate its botnet operation.
Yoshihiro Ishikawa | Takuma Matsumoto
Abstract
In March 2023, we observed a new APT malware used by an unknown APT actor in several Japanese companies. The malware is a modular remote access trojan (RAT) like PlugX or ShadowPad, which have been shared among China-based APT actors and used in various campaigns. We named this malware “RatelS” based on the strings contained in the file path and window title.
RatelS has 11 malicious modules, including command execution, file manipulation, and keylogging, which can be dynamically loaded and unloaded in response to commands from the C2 server. This RAT also has two communication capabilities with different directions: Reverse mode and Listen mode. The former calls back from the infected host to the C2 server, while the latter opens a port and listens for connections. The C2 communication is performed via TCP, TLS, HTTP, or HTTPS.
During the investigation of a RatelS incident, we discovered a builder and controller that can build RatelS by simply selecting options and remotely operate infected machines. It is notable that RatelS has some similarities with PlugX in its implemented features and code; moreover, this actor also utilized PlugX with P2P communication functionality in the campaign. This suggests the possibility that RatelS is a successor to PlugX.
In this presentation, we are going to share technical details of the analysis results of the new malware RatelS, its similarities with PlugX, and methods to detect and respond to the malware’s activity for future prevention. This includes a demonstration of RatelS C2 operation using the builder and controller. In addition, we will indicate the attribution of APT actors using RatelS based on other similar malware.