CryptoMimic (also called Dangerous Password) is an APT actor observed since around March 2018. It is reported that CryptoMimic attacks companies and organizations worldwide, especially targeting cryptocurrency companies. Several security researchers around the world have already published reports on this attack, but they only dealt with the initial part of the attack. CryptoMimic is very careful, and it is extremely difficult to observe the attack in virtual environments, including sandboxes. As a result, there has been no detailed report on the malware that the attacker finally executes or on how it behaves during the attack.
In this presentation, we reveal the analysis results of previously unreported malware and the picture of the whole attack. We first introduce two initial samples (an LNK file and a macro-embedded MS Office file) used by CryptoMimic. Then, focusing on the attack using the LNK file, we disclose the whole picture of CryptoMimic as we observed it in February 2020.
We detail how the attack proceeds from the initial sample to final malware execution, along with the results of our analysis of the attacker's behaviour and of the executed malware. We also found various metadata that the attacker left on the victim. By leveraging this metadata, we also try to unveil the attacker's profile and attribution.
Finally, we share YARA rules and characteristics of the attack for defence and threat hunting. Through this presentation, SOC and CSIRT staff and security researchers will gain a deeper understanding of the attack by CryptoMimic and learn how to detect and defend against it.
Hajime Takai currently works as a SOC analyst and a malware researcher at NTT Security (Japan) KK. He joined NTT Security in 2016, before which he worked for five years as a software engineer. He contributes to the NTT Security blog about malware research. He has written a white paper about Taidoor in Japanese. He has presented at Japan Security Analyst Conference 2020. He loves mahjong.
Shogo Hayashi has worked as a SOC analyst for more than 10 years at NTT Security (Japan) KK. His main specializations are responding to EDR detections, creating IoCs, malware analysis and researching the endpoint behaviour of threat actors. In addition, he publishes articles and whitepapers at NTT Security. He is a co-founder of SOCYETI, an organization for sharing threat information and analysis techniques with SOC analysts in Japan.
Rintaro Koike is a security analyst at NTT Security (Japan) KK. He has been engaged in SOC and malware analysis. In addition, he is the founder of 'nao_sec'. He always collects and analyses threat information. He has been a speaker at Japan Security Analyst Conference 2018/19/20, HITCON Community 2019, VB 2019, AVAR 2019, CPRCon 2020 and Black Hat USA 2018 Arsenal.
Hajime Takai (NTT Security)
Shogo Hayashi (NTT Security)
Rintaro Koike (NTT Security)