Operation LagTime IT: colourful Panda footprint

Fumio Ozawa (NTT Security)
Shogo Hayashi (NTT Security)
Rintaro Koike (NTT Security)

Operation LagTime IT by TA428 is an attack campaign targeting governmental organizations of East Asian countries, reported by Proofpoint in July 2019. It is still in the wild and active as of 2020. We successfully unveiled and grasped the whole attack picture, including how TA428 interacts with a target, through detailed research on two samples (document files on Qasem Soleimani and COVID-19) observed in January and February 2020. Existing research on Operation LagTime IT only reported that it used Royal Road RTF Weaponizer, Poison Ivy and Cotx RAT. According to the behaviour that we observed, however, TA428 also performed user environment checking, credential stealing, lateral movement and highly sophisticated defense evasion.

In this presentation, we describe the operational steps that TA428 has taken, from the initial samples to reaching the deepest part of the victim system. We also reveal the analysis results for the malware used by TA428 and the code that decodes encrypted communication. Because the techniques, tools and malware used in Operation LagTime IT are estimated to have similarities or relations with various other APT actors, we discuss how they overlap.

Through this presentation, SOC, CSIRT and security researchers will be able to gain a deeper understanding of Operation LagTime IT and knowledge of how to detect or defend against the attack.



Fumio Ozawa

Fumio Ozawa is a security analyst at NTT Security (Japan) KK, where he runs malware and exploit analysis, and the SOC operation. Now he focuses on APT threat analysis and hunting. He has spoken at the Japan Security Analyst Conference 2018 hosted by JPCERT/CC. He has written some white papers about the banking trojan Ursnif and APT watering hole attacks in Japanese.



Shogo Hayashi

Shogo Hayashi has worked as a SOC analyst for more than 10 years at NTT Security (Japan) KK. His main specialization is responding to EDR detections, creating IoCs, malware analysis and researching endpoint behaviour of threat actors. In addition, he posts articles and whitepapers in NTT Security. He is a cofounder of SOCYETI, an organization for sharing threat information and analysis techniques with SOC analysts in Japan.



Rintaro Koike

Rintaro Koike is a security analyst at NTT Security (Japan) KK. He has been engaged in SOC and malware analysis. In addition, he is the founder of 'nao_sec'. He always collects and analyses threat information. He has been a speaker at Japan Security Analyst Conference 2018/19/20, HITCON Community 2019, VB 2019, AVAR 2019, CPRCon 2020 and Black Hat USA 2018 Arsenal.

Back to VB2020 Programme page
