Botconf Author Listing – Botconf 2025

Masaki Kubo

Last known affiliation: National Institute of Information and Communications Technology

Botconf 2020

Date: 2020-12-04

NanoCore hunter: tracking NanoCore servers and watching behavior of RAT operators for 180 days
Takashi Matsumoto 🗣 | Yu Tsuda 🗣 | Nobuyuki Kanaya 🗣 | Masaki Kubo | Daisuke Inoue

Abstract (click to view)

NanoCore RAT, which first appeared in 2013, is still actively used in 2020 for its highly functional and user-friendly interace. Around Feburary to March in 2020, NanoCore RAT was used in the malspam campaign on COVID-19. We managed to sinkhole the NanoCore C&C domain and have monitored the liveliness of NanoCore C&C servers. We also experimented luring NanoCore operators into our mimetic enterprise network and succeeded in monitoring the actual behavior of live NanoCore operators.

Botconf 2025

TLP:CLEAR

Date:

Executing RATs in a Long-Term Observable Customized Online Sandbox
Shohei Hiruta 🗣 | Yuki Umemura | Masaki Kubo | Nobuyuki Kanaya | Takahiro Kasama

Abstract (click to view)

Malware sandboxes are essential tools for malware analysis, allowing researchers to execute malware in controlled environments to reveal its behavior, communication destinations, and configuration settings. Due to their convenience, a wide variety of both free and commercial sandboxes are available. However, existing sandboxes face three major challenges: limited execution time for malware, inflexible execution environments, and restricted logging capabilities. To address these limitations, we developed a highly functional sandbox that eliminates execution time restrictions, allows for flexible configuration of execution environments, and provides real-time comprehensive logging. This sandbox is currently in operation at over 50 Japanese companies.

We have been operating this sandbox with improvements, and now we need to evaluate whether these functions are effective. Therefore, we evaluated our sandbox from two perspectives:

Can we observe the activity of the attacker behind malware?

Is the observed activity unobservable by existing sandboxes?

A remote access trojan (RAT), which can control an attacker-infected machine, was appropriate for this evaluation.

We conducted an analysis using RATs collected over a six-month period in our sandbox. As a result, we were able to observe four types of attacker activity through the RATs. We also found that these activities occurred more than an hour after the RAT had connected to the command and control (C2) server. These activities are impossible to observe with existing sandboxes. Finally, we discussed how to improve and operate our sandbox based on these results in the future.