Friday 30 September 2022, 12:00 - 12:30
Yoshihiro Ishikawa (LAC)
Takuma Matsumoto (LAC)
In June 2022 we observed a new APT campaign called 'Operation MINAZUKI' targeting Japanese companies related to electric entities. The campaign is operated by an unknown Chinese APT group. This actor used a currently popular penetration method, supply chain compromise: a subsidiary of the target had been compromised by the actor since around 2019, and they penetrated the target company's network through it.
We have found four new types of malware called 'InetDownLoader', 'CMTDownLoader', 'CmdPipeRAT' and 'TinyCmdPipeRAT' in this attack campaign. The first two are downloaders, and the latter two are RATs and hacking tools that are downloaded from compromised legitimate sites. We will describe the RATs, CmdPipeRAT and TinyCmdPipeRAT, in detail, focusing on their characteristic feature of arbitrary command execution using an anonymous pipe.
In this presentation we will describe Operation MINAZUKI in technical detail. In addition, we will introduce our findings after having attributed the actor group from traces of PDB paths and C2 infrastructures.
Further, we will demonstrate the RATs to the audience. We built simulated TinyCmdPipeRAT and CmdPipeRAT controllers based on the reverse-engineered communication protocol of the malware. The purpose of simulating the C2 controllers is to collect the artifacts that command operation of the RATs leaves in network products and endpoint detection and response (EDR) products, and to use them for incident response.
Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC. He is engaged in malware analysis and cyber threat intelligence, in particular focusing on advanced persistent threat (APT) attacks. Based on the results of his research, he has delivered presentations at several security conferences such as AVAR, Botconf, HITCON and the FIRST Annual Conference.
Takuma Matsumoto is an analyst at LAC, analysing malware and collecting threat intelligence. He has more than seven years of experience in the security domain. Prior to working as a malware analyst, he was involved in monitoring SIEM, creating detection rules, and developing log analysis support systems. He enjoys analysing malware and writing tools for research, which led him to his current job. He was a speaker at the Japan Security Analyst Conference 2021.