Masaki Kubo
Last known affiliation: National Institute of Information and Communications Technology
Bio: KUBO Masaki leads the Analysis Team at the Cybersecurity Research Laboratory of NICT. He oversees internal security operations and manages NICT’s darknet monitoring research project, NICTER. Before joining NICT, he served as a manager at the JPCERT Coordination Center, where he focused on vulnerability analysis, incident coordination, and promoting secure coding practices.
Takashi Matsumoto 🗣 | Yu Tsuda 🗣 | Nobuyuki Kanaya 🗣 | Masaki Kubo | Daisuke Inoue
Abstract
NanoCore RAT, which first appeared in 2013, is still actively used in 2020 for its highly functional and user-friendly interface. Around February to March 2020, NanoCore RAT was used in the malspam campaign on COVID-19. We managed to sinkhole the NanoCore C&C domain and have monitored the liveness of NanoCore C&C servers. We also experimented with luring NanoCore operators into our mimetic enterprise network and succeeded in monitoring the actual behavior of live NanoCore operators.

Shohei Hiruta 🗣 | Yuki Umemura | Masaki Kubo | Nobuyuki Kanaya | Takahiro Kasama
Abstract
Malware sandboxes are essential tools for malware analysis, allowing researchers to execute malware in controlled environments to reveal its behavior, communication destinations, and configuration settings. Due to their convenience, a wide variety of both free and commercial sandboxes are available. However, existing sandboxes face three major challenges: limited execution time for malware, inflexible execution environments, and restricted logging capabilities. To address these limitations, we developed a highly functional sandbox that eliminates execution time restrictions, allows for flexible configuration of execution environments, and provides real-time comprehensive logging. This sandbox is currently in operation at over 50 Japanese companies.
We have been operating this sandbox with improvements, and now we need to evaluate whether these functions are effective. Therefore, we evaluated our sandbox from two perspectives:
- Can we observe the activity of the attacker behind malware?
- Is the observed activity unobservable by existing sandboxes?
A remote access trojan (RAT), which can control an attacker-infected machine, was appropriate for this evaluation.
We conducted an analysis using RATs collected over a six-month period in our sandbox. As a result, we were able to observe four types of attacker activity through the RATs. We also found that these activities occurred more than an hour after the RAT had connected to the command and control (C2) server. These activities are impossible to observe with existing sandboxes. Finally, we discussed how to improve and operate our sandbox based on these results in the future.

Masaki Kubo 🗣 | Yuki Umemura 🗣 | Yoshiki Mori | Hideyuki Furukawa | Kanta Okugawa
Abstract
Since December 2021, we have been investigating DVRs that have been exploited as DDoS launchpads, impacting ISP networks. Our initial discovery came from external information provided by an ISP, revealing that infected devices do not propagate scans like Mirai. As a result, infections spread covertly and remain undetected.
The attackers identify research target devices using passive scan data such as Shodan/Censys, as well as internet scanning. After identifying the target, they launch attacks exclusively against these specific devices. This focused targeting makes it impossible to observe the campaign through general honeypots, because to observe the actual attacks the honeypot must return the actual response, and unless the actual target is known, it is difficult to emulate. Using information from external sources, we have identified the targeted devices/brands, purchased them, and initiated direct analysis. Over the past three years, each time a new device was identified as a target, we acquired the physical hardware for analysis. This approach allowed us to investigate the ecosystem of the IoT bot:
- the global distribution of targeted devices
- Chinese, Korean, and Taiwanese OEM vendors and their rebranded ODM products
- the zero-day vulnerabilities exploited by attackers
- attack tools (obtained from confiscated attack infrastructure)
- malware characteristics.
In this presentation, we will share the findings and insights gained from our three-year investigation and analysis.
