[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yuma Masubuchi

  1. © 2022 JPCERT/CC 0 Fight Against Malware Development Life Cycle CODE BLUE 2022
  2. © 2022 JPCERT/CC 1 Problem of Incident Response Attacker vs Defender
  3. © 2022 JPCERT/CC 2 Problem of Incident Response Attacker vs Defender We are in the Malware Development Life Cycle…
  4. © 2022 JPCERT/CC 3 Malware Analysis Operations (MAOps): Surface Analysis → Runtime Analysis → Static Analysis → Create YARA Rule → Finished analysis …
  5. © 2022 JPCERT/CC 4 All roads lead to AUTOMATION! Surface Analysis, Runtime Analysis, Static Analysis, Create YARA Rule → Automation!
  6. © 2022 JPCERT/CC 5 Problem of MAOps Attacker vs Malware Analyst
  7. © 2022 JPCERT/CC 6 Problem of MAOps: Attacker vs Malware Analyst. The attacker changed the C2 server, changed the encryption key, and added a new function.
  8. © 2022 JPCERT/CC 7 Problem of MAOps Attacker vs Malware Analyst STOP
  9. © 2022 JPCERT/CC 8 Problem of MAOps: Maintenance of malware analysis tools is hard work. Creating a lot of malware analysis tools means maintaining many tools. We need methods to counter the attacker's development life cycle.
  10. © 2022 JPCERT/CC 9 Goal of This Presentation This presentation shares methods for building analytical tools to counter the attacker's lifecycle.
  11. © 2022 JPCERT/CC 10 Approach: Technologies such as CI/CD and serverless make system maintenance and releases more efficient. Cloud services can be a solution to the problems of malware analysts. We manage the Malware Analysis System on Cloud. Use cloud services (CI/CD, serverless, and Infrastructure as Code (IaC)) to fight the malware development life cycle.
  12. © 2022 JPCERT/CC 11 Advantages of Using the Cloud for Malware Analysis
      - IP addresses can be changed dynamically
      - Easy to update analysis tools
      - Easy to build scale-out systems
      - No server provisioning or maintenance required
      - Low maintenance costs
  13. © 2022 JPCERT/CC 12 Malware Analysis System on Cloud: Scanner, Memory Forensic, Surface Analysis, Sandbox, YARA, Log Analysis, Threat Research
  14. © 2022 JPCERT/CC Presentation Topics 13 1 Malware C2 Monitoring 2 Malware Hunting using Cloud 3 YARA CI/CD system 4 Surface Analysis System on Cloud 5 Memory Forensic on Cloud
  15. © 2022 JPCERT/CC 14 1 Malware C2 Monitoring 2 Malware Hunting using Cloud 3 YARA CI/CD system 4 Surface Analysis System on Cloud 5 Memory Forensic on Cloud
  16. © 2022 JPCERT/CC 15 Malware C2 Monitoring: Monitoring the attacker's C2 server is important to understand their activity. Notes: access to the C2 server gets blocked, and the monitoring host gets targeted by the attacker. Cloud services solve these problems.
  17. © 2022 JPCERT/CC 16 Case1: Monitoring the Lucky Visitor Scam C2
  18. © 2022 JPCERT/CC 17 Lucky Visitor Scam Infrastructure (C2 Server, Compromised Server, Scam Server): #1 Website access → #2 Send client information → #3 Reply scam server URL → #4 Send scam server URL → #5 Access scam website
  19. © 2022 JPCERT/CC 18 PHP Backdoor Installed in Compromised Server C2 Server
  20. © 2022 JPCERT/CC 19 Request to C2 for Redirect URL
      $ curl -i -X POST "http[:]//144.76.47[.]168/app/assets/api2?action=redir" \
          -d "ip=153.213.10.51&qs=dfaljfadfa.com%2Findex.php%3Ffc858f%3DiPhone-Apple-Windows&ua=Mozilla%2F5.0 (...) &conn=close&uid=fb06bc98-576a-d5df-2195-a4b0a64bec44" \
          -H "User-Agent: " -H "Accept: "
      HTTP/1.1 200 OK
      Server: nginx/1.14.2
      Date: Tue, 23 Feb 2021 23:46:35 GMT
      Content-Type: text/html; charset=utf-8
      Content-Length: 590
      Connection: keep-alive
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      Referrer-Policy: same-origin

      a:2:{s:4:"type";s:5:"redir";s:4:"data";a:1:{s:4:"code";s:524:"<html> <head> <META http-equiv="refresh" content="1;URL=https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d"> <script> window.location = "https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d"; </script> </head> <body> To the new location please <a href="https[:]//finishsandperson-9[.]life/?utm_campaign=pEv9cTd8QNHYzqqr5UNFx2COHvnp_JE3r8uVIhm3Qww1&t=main7d"><b>click here.</b></a> </body> </html>";}}
  21. © 2022 JPCERT/CC 20 PHP Backdoor Installed in Compromised Server: PHP Backdoor Features
      - Check: displays the number of files stored on the server
      - templates: creates a .html file for templates
      - keywords: creates a .lst file for keywords
      - update_sitemap: updates sitemap.xml
      - pages: creates a new page
      - ping: sends a sitemap.xml URL to Google and Bing
      - robots: creates robots.txt
      - eval: runs PHP code
  22. © 2022 JPCERT/CC 21 Lucky Visitor Scam C2: Attackers use different C2 servers over time.
      IP Address       Status
      144.76.47.168    〇
      144.76.51.144    ×
      178.63.30.186    〇
      178.63.30.30     〇
      178.63.34.6      ×
      5.9.146.0        ー
      5.9.235.245      〇
      5.9.239.221      ×
      5.9.34.13        〇
      5.9.37.245       ×
      94.130.71.28     ×
  23. © 2022 JPCERT/CC 22 Flow of Lucky Visitor Scam Countermeasures: Automatically execute the process below, from discovering C2 servers to blocking redirects in web browsers. Get PHP content from VT → Check C2 → Get redirect URL from C2 → Report to Google Safe Browsing → Blocked by web browser
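The step "Get redirect URL from C2" in the flow above has to turn the C2's PHP-serialized reply (slide 19) into something a Safe Browsing report or a blocklist can use. The following Python is an added example written for this page, not code from the JPCERT/CC system: it parses the `a:2:{...}` structure by declared byte length (so the HTML inside it cannot confuse the parser), pulls the redirect target out of the meta refresh, the JavaScript redirect and the link, and emits IoC records. The reply, the scam domain and the campaign token are constructed placeholders, not the real values from the slide.

```python
import re
from urllib.parse import urlparse

# Constructed sample reply, modelled on the C2 response shown on slide 19.
# The scam domain and campaign token are placeholders, not the real ones.
SCAM_URL = "https://scam-landing.example/?utm_campaign=CONSTRUCTED_TOKEN&t=main7d"
REDIRECT_HTML = (
    '<html> <head> <META http-equiv="refresh" content="1;URL=%s"> '
    '<script> window.location = "%s"; </script> </head> '
    '<body> To the new location please <a href="%s"><b>click here.</b></a> </body> </html>'
) % (SCAM_URL, SCAM_URL, SCAM_URL)


def php_str(s: str) -> str:
    """Serialize one string the way PHP's serialize() does (length is a byte count)."""
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)


SAMPLE_REPLY = (
    "a:2:{" + php_str("type") + php_str("redir")
    + php_str("data") + "a:1:{" + php_str("code") + php_str(REDIRECT_HTML) + "}}"
).encode("utf-8")


def php_unserialize(data: bytes, pos: int = 0):
    """Minimal unserialize for the subset the C2 uses: arrays (a), strings (s), ints (i).
    Strings are read by their declared byte length, so quotes inside the HTML are safe."""
    tag = data[pos:pos + 1]
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        end = start + length + 2               # skip '";'
        if data[start + length:end] != b'";':
            raise ValueError("malformed string at offset %d" % pos)
        return data[start:start + length].decode("utf-8", "replace"), end
    if tag == b"i":
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                          # skip ':{'
        items = {}
        for _ in range(count):
            key, p = php_unserialize(data, p)
            value, p = php_unserialize(data, p)
            items[key] = value
        if data[p:p + 1] != b"}":
            raise ValueError("unterminated array at offset %d" % pos)
        return items, p + 1
    raise ValueError("unsupported PHP type %r at offset %d" % (tag, pos))


URL_RE = re.compile(r'(?:URL=|window\.location\s*=\s*"|href=")(https?://[^"\s>]+)')


def extract_redirect_urls(html: str):
    """Collect the redirect targets from the meta refresh, the JS redirect and the link."""
    urls = []
    for m in URL_RE.finditer(html):
        if m.group(1) not in urls:
            urls.append(m.group(1))
    return urls


def redirect_iocs(reply: bytes):
    """Turn one C2 reply into IoC records ready for a Safe Browsing report or a blocklist."""
    obj, _ = php_unserialize(reply)
    if not isinstance(obj, dict) or obj.get("type") != "redir":
        return []
    html = obj.get("data", {}).get("code", "")
    return [{"url": u, "host": urlparse(u).hostname} for u in extract_redirect_urls(html)]


if __name__ == "__main__":
    for ioc in redirect_iocs(SAMPLE_REPLY):
        print(ioc["host"], ioc["url"])
```

Reading strings by their declared length rather than scanning for the closing quote is the point of the parser: the `code` value is a full HTML document full of quotes, and a regex-only approach over the raw reply would be fragile when the attacker changes the template.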
  24. © 2022 JPCERT/CC 23 Monitoring the Lucky Visitor Scam C2 System (AWS) C2 AWS Lambda Amazon EventBridge GitHub Actions Private Public AWS GitHub Git push Git push Event Get HTML content Amazon S3 output bucket Put IoC Get IoC Git checkout Google Safe Browsing Report VirusTotal
  25. © 2022 JPCERT/CC 24 Monitoring the Lucky Visitor Scam C2 System https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC
  26. © 2022 JPCERT/CC 25 Monitoring the Lucky Visitor Scam C2 System (GCP) C2 Cloud Functions Cloud Scheduler GitHub Actions Private Public GitHub Git push Git push Event Get HTML content Cloud Storage Put IoC Get IoC Git checkout Google Safe Browsing Report
  27. © 2022 JPCERT/CC 26 Access Control for C2 Server C2 C2 server is inaccessible from Japan.
  28. © 2022 JPCERT/CC 27 C2 Activity [chart: count of redirect URL deliveries per hour of day, 0-23 (Time UTC+9)] Investigation of the attacker's redirect URL delivery cycle.
  29. © 2022 JPCERT/CC 28 1 Malware C2 Monitoring 2 Malware Hunting using Cloud 3 YARA CI/CD system 4 Surface Analysis System on Cloud 5 Memory Forensic on Cloud
  30. © 2022 JPCERT/CC 29 Malware Hunting using Cloud: Malware hunting gets unknown IoCs and can be used for incident detection. Get IoCs → Download malware → Analyze malware → Hunt and detect incident
  32. © 2022 JPCERT/CC 31 Case2: Cobalt Strike Beacon Hunting. Cobalt Strike is a penetration testing tool that is popular among attackers. [1] Cobalt Strike C2s are found in large numbers and cannot all be analyzed manually.
  33. © 2022 JPCERT/CC 32 Flow of Cobalt Strike Beacon Hunting: Automatically execute from discovering C2 servers to hunting Cobalt Strike beacons. Get C2 server from VT → Download Cobalt Strike beacon → Analyze Cobalt Strike beacon → Publish configuration
  34. © 2022 JPCERT/CC 33 C2 Server Data: Extract a list of IP addresses of Cobalt Strike servers from VirusTotal. VT API: https://www.virustotal.com/api/v3/intelligence/search?query=entity%3Aip%20comment%3A%23cobaltstrike&limit=300&descriptors_only=true
  35. © 2022 JPCERT/CC 34 Default URL Path for Cobalt Strike Beacon: Many C2 servers do not change the default URL path. Default URL path for Cobalt Strike beacon: 32bit: /aaa9, /aab8; 64bit: /aab9, /aac8
  36. © 2022 JPCERT/CC 35 Configuration Data: the configuration data in the Cobalt Strike beacon is encoded with XOR 0x2E.
  37. © 2022 JPCERT/CC 36 Configuration Index
      set   Description                                      Remarks
      0x01  BeaconType                                       0=HTTP, 1=Hybrid HTTP and DNS, 8=HTTPS
      0x02  Port number
      0x03  Polling time
      0x04  Unknown
      0x05  Jitter                                           Ratio of jitter in polling time (0-99%)
      0x06  Maxdns                                           Maximum length of host name when using DNS (0-255)
      0x07  Unknown
      0x08  Destination host
      0x09  User agent
      0x0a  Path when communicating                          HTTP_Header2
      0x0b  Unknown
      0x0c  HTTP_Header1
      0x0d  HTTP_Header2
      0x0e  Injection process
      0x0f  Pipe name
      0x10  Year                                             Stops operating after the specified date by Year, Month, Day
      0x11  Month
      0x12  Day
      0x13  DNS_idle
      0x14  DNS_Sleep
      0x1a  HTTP_Method1
      0x1b  HTTP_Method2
      0x1c  Unknown
      0x1d  Process to inject arbitrary shellcode (32bit)
      0x1e  Process to inject arbitrary shellcode (64bit)
      0x1f  Unknown
      0x20  Proxy server name
      0x21  Proxy user name
      0x22  Proxy password
      0x23  AccessType                                       1 = Do not use proxy server, 2 = Use IE configuration in the registry, 4 = Connect via proxy server
      0x24  create_remote_thread                             Flag whether to allow creating threads in other processes
      0x25  Not in use
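The analysis step of the hunting flow (slides 32, 35 and 36) amounts to locating the XOR 0x2E block inside a downloaded beacon, decoding it and naming each setting. The following Python is an added example for this page, not the JPCERT/CC hunting system's code. The slides give the XOR key and the index table; the record layout used here (index, type and length as big-endian 16-bit fields, types 1=short, 2=int, 3=bytes, zero header as terminator) is an assumption taken from public beacon parsers and is not stated on the slides. The sample beacon, its C2 host and user agent are constructed.

```python
import struct

# XOR key the slide gives for the beacon's configuration block.
XOR_KEY = 0x2E

# Index -> name, taken from the configuration index on slide 36.
SETTING_NAMES = {
    0x01: "BeaconType", 0x02: "Port number", 0x03: "Polling time", 0x05: "Jitter",
    0x06: "Maxdns", 0x08: "Destination host", 0x09: "User agent",
    0x0a: "Path when communicating", 0x0c: "HTTP_Header1", 0x0d: "HTTP_Header2",
    0x0e: "Injection process", 0x0f: "Pipe name", 0x10: "Year", 0x11: "Month",
    0x12: "Day", 0x13: "DNS_idle", 0x14: "DNS_Sleep", 0x1a: "HTTP_Method1",
    0x1b: "HTTP_Method2", 0x1d: "Inject process (32bit)", 0x1e: "Inject process (64bit)",
    0x20: "Proxy server name", 0x21: "Proxy user name", 0x22: "Proxy password",
    0x23: "AccessType", 0x24: "create_remote_thread",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP and DNS", 8: "HTTPS"}
ACCESS_TYPES = {1: "Do not use proxy server", 2: "Use IE configuration in the registry",
                4: "Connect via proxy server"}

# Record layout assumed here (not stated on the slide): each setting is
# index(u16 BE) | type(u16 BE: 1=short, 2=int, 3=bytes) | length(u16 BE) | value,
# and the block ends with an all-zero header.
HDR = struct.Struct(">HHH")


def build_setting(index: int, kind: int, value) -> bytes:
    if kind == 1:
        payload = struct.pack(">H", value)
    elif kind == 2:
        payload = struct.pack(">I", value)
    elif kind == 3:
        payload = value if isinstance(value, bytes) else value.encode()
    else:
        raise ValueError("unknown setting type %d" % kind)
    return HDR.pack(index, kind, len(payload)) + payload


def encode_config(settings) -> bytes:
    """Build an XOR-encoded block from (index, type, value) tuples; used for the sample."""
    raw = b"".join(build_setting(*s) for s in settings) + HDR.pack(0, 0, 0)
    return bytes(b ^ XOR_KEY for b in raw)


def find_config(buf: bytes) -> int:
    """Locate the block: setting 0x01 is a short of length 2, so its encoded header is fixed."""
    return buf.find(bytes(b ^ XOR_KEY for b in HDR.pack(0x01, 1, 2)))


def decode_config(blob: bytes) -> dict:
    """XOR-decode the block and walk its records into a name -> value dictionary."""
    raw = bytes(b ^ XOR_KEY for b in blob)
    pos, config = 0, {}
    while pos + HDR.size <= len(raw):
        index, kind, length = HDR.unpack_from(raw, pos)
        pos += HDR.size
        if index == 0:
            break                                   # terminator
        if pos + length > len(raw):
            raise ValueError("truncated setting 0x%02x" % index)
        payload = raw[pos:pos + length]
        pos += length
        if kind == 1:
            value = struct.unpack(">H", payload)[0]
        elif kind == 2:
            value = struct.unpack(">I", payload)[0]
        elif kind == 3:
            value = payload.rstrip(b"\x00").decode("latin-1")
        else:
            raise ValueError("unknown setting type %d" % kind)
        if index == 0x01:
            value = BEACON_TYPES.get(value, value)
        elif index == 0x23:
            value = ACCESS_TYPES.get(value, value)
        config[SETTING_NAMES.get(index, "0x%02x" % index)] = value
    return config


# Constructed sample beacon configuration (not a real beacon); the C2 host is a placeholder
# and the path is the default 32-bit beacon path from slide 34.
SAMPLE_SETTINGS = [
    (0x01, 1, 8), (0x02, 1, 443), (0x03, 2, 60000), (0x05, 1, 20),
    (0x08, 3, b"c2.example,/aaa9"), (0x09, 3, b"Mozilla/5.0 (constructed UA)"),
    (0x0a, 3, b"/submit.php"), (0x1a, 3, b"GET"), (0x1b, 3, b"POST"),
    (0x23, 1, 2), (0x24, 1, 1),
]
SAMPLE_BEACON = b"\x90" * 32 + encode_config(SAMPLE_SETTINGS) + b"\x90" * 32


def extract_beacon_config(beacon: bytes) -> dict:
    """What a hunting worker does with a downloaded beacon: find, decode, return."""
    offset = find_config(beacon)
    if offset < 0:
        raise ValueError("no XOR 0x2E configuration block found")
    return decode_config(beacon[offset:])


if __name__ == "__main__":
    for name, value in extract_beacon_config(SAMPLE_BEACON).items():
        print("%-25s %s" % (name, value))
```

The decoder checks every declared length against the buffer before slicing, so a truncated download or a beacon whose configuration has been tampered with raises instead of producing a half-parsed record that would be published as if it were valid.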
  38. © 2022 JPCERT/CC 37 Cobalt Strike Beacon Hunting System Cobalt Strike C2 Lambda EventBridge GitHub Actions Private Public AWS Cloud GitHub Git push Git push Event Get beacon S3 output bucket Put Config Get Config Git checkout Put Config VirusTotal Get server list API Gateway WAF Run REST API Client
  39. © 2022 JPCERT/CC 38 Published Configuration Repository https://github.com/JPCERTCC/CobaltStrike-Config
  41. © 2022 JPCERT/CC 40 REST API https://[mask]/cs-scan-api?scan=http://185.38.142.75:80/aaa9 You do not need to download Cobalt Strike Beacon to analyze.
  42. © 2022 JPCERT/CC 41 Changes in Cobalt Strike C2 (Daily) [chart: daily count of Cobalt Strike C2 servers, 2/17/2022 to 8/17/2022]
  43. © 2022 JPCERT/CC 42 1 Malware C2 Monitoring 2 Malware Hunting using Cloud 3 YARA CI/CD system 4 Surface Analysis System on Cloud 5 Memory Forensic on Cloud
  44. © 2022 JPCERT/CC 43 YARA CI/CD System: Creation of YARA rules must be done manually by the malware analyst, and automation of YARA rule creation is a challenge. Since creating YARA rules cannot be automated in general, malware analysts create them manually and spend too much time on it. For some malware with characteristic features, rules can be created automatically.
  45. © 2022 JPCERT/CC 44 Case3: HUI Loader Analysis System (diagram: Legitimate, HUI Loader, Encoded Malware DLL Data). HUI Loader is used by APT10, Blue Termite, A41APT and DEV-0401.
      Decode code:
      for i in range(len(enc_data)):
          data = ord(enc_data[i]) ^ 0x20 ^ ord(key[i % len(key)])
          dec_data.append(data)
  46. © 2022 JPCERT/CC 45 Overview of HUI Loader Timeline (2015-2022)
      - 2015 Jan: APT10 started using HUI Loader
      - 2015 Apr: Blue Termite started using HUI Loader
      - 2016 Jul: Password randomized; DLL injection
      - 2020 Jun: A41APT started using HUI Loader
      - 2021 Aug: DEV-0401 started using HUI Loader
      - 2021 Dec: Security features bypassed; "HUI…" strings deleted
  47. © 2022 JPCERT/CC 46 Common Problems with Loader Legitimate HUI Loader Encoded Malware DLL Data Even if the Loader is found, the function of the malware is unknown because the encoded malware cannot be found. Found it! Not found!
  48. © 2022 JPCERT/CC 47 Flow of HUI Loader Analysis System: Automatically execute from getting the HUI Loader to creating the YARA rule. Get HUI Loader from VT → Analyze HUI Loader → Create YARA rule → Push YARA rule to VT
  49. © 2022 JPCERT/CC 48 HUI Loader Analysis System Lambda EventBridge Github Action Private Public AWS Cloud Github Git push Git push Event S3 output bucket Put Config Get Result Git checkout Put Config VirusTotal Get HUI Loader API Gateway WAF Run REST API Client Push YARA rule
  50. © 2022 JPCERT/CC 49 Created YARA rule
      import "vt"

      rule malware_HUILoader_data_2317d3e14a {
          meta:
              description = "HUI Loader loading data"
              author = "JPCERT/CC Incident Response Group"
              HUI_loader_hash = "2317d3e14ab214f06ae38a729524646971e21b…"
          condition:
              uint32(0) == 0x7A8F473A or vt.metadata.file_name iequals "vlc.cnf"
      }
      The file name and encoding key are unique to each loader, so a rule must be created for each loader.
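Slides 44 and 49 together describe the whole per-loader step: decode the data file with the key extracted from the loader, confirm the key worked, and emit a rule keyed on the encoded file's first dword and on the file name the loader expects. The following Python is an added example for this page, not the JPCERT/CC HUI Loader analysis system's code. It moves the slide's decode loop to bytes, adds the sanity check a pipeline needs before a rule is pushed, and generates a rule in the shape of slide 49. The key, the "encoded DLL" payload and the loader hash are constructed stand-ins, not real samples.

```python
import hashlib
import struct

# Constructed stand-ins (not real samples): a fake "encoded malware DLL" payload that starts
# with an MZ header, and a hypothetical per-loader key.
KEY = b"k3y-CONSTRUCTED"
PLAIN = b"MZ\x90\x00" + b"constructed stand-in for a malware DLL body" * 4
LOADER_SHA256 = hashlib.sha256(b"constructed HUI Loader stand-in").hexdigest()


def hui_decode(enc_data: bytes, key: bytes) -> bytes:
    """The slide's decode loop on bytes: each byte XOR 0x20 XOR the repeating key."""
    return bytes(b ^ 0x20 ^ key[i % len(key)] for i, b in enumerate(enc_data))


hui_encode = hui_decode   # XOR is its own inverse, so the same routine produces the encoded file

SAMPLE_ENC = hui_encode(PLAIN, KEY)


def header_magic(enc_data: bytes) -> int:
    """uint32(0) as YARA reads it: the first four encoded bytes, little-endian."""
    return struct.unpack("<I", enc_data[:4])[0]


def looks_decoded(data: bytes) -> bool:
    """Sanity check run before emitting a rule: did the key really produce a PE image?"""
    return data[:2] == b"MZ"


def make_yara_rule(loader_sha256: str, file_name: str, enc_data: bytes) -> str:
    """Emit a rule in the shape of slide 49: match on the encoded file's first dword,
    or on the data file name the loader expects (VirusTotal 'vt' module)."""
    return (
        'import "vt"\n\n'
        "rule malware_HUILoader_data_%s {\n"
        "    meta:\n"
        '        description = "HUI Loader loading data"\n'
        '        author = "constructed example"\n'
        '        HUI_loader_hash = "%s"\n'
        "    condition:\n"
        '        uint32(0) == 0x%08X or vt.metadata.file_name iequals "%s"\n'
        "}\n"
    ) % (loader_sha256[:10], loader_sha256, header_magic(enc_data), file_name)


def analyze_loader(loader_sha256: str, file_name: str, key: bytes, enc_data: bytes) -> str:
    """One pipeline step: verify the key decodes the data, then generate the rule."""
    if not looks_decoded(hui_decode(enc_data, key)):
        raise ValueError("key did not decode the data; refusing to emit a rule")
    return make_yara_rule(loader_sha256, file_name, enc_data)


if __name__ == "__main__":
    print(analyze_loader(LOADER_SHA256, "vlc.cnf", KEY, SAMPLE_ENC))
```

The `uint32(0)` value is simply the first four encoded bytes, which is why it differs for every key and file name combination and why, as slide 49 says, one rule per loader is unavoidable; the decode check guards the CI/CD path against pushing a rule built from a mis-extracted key.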
  51. © 2022 JPCERT/CC 50 Published Analysis Results Repository https://github.com/JPCERTCC/HUILoader-research
  52. © 2022 JPCERT/CC 51 1 Malware C2 Monitoring 2 Malware Hunting using Cloud 3 YARA CI/CD system 4 Surface Analysis System on Cloud 5 Memory Forensic on Cloud
  53. © 2022 JPCERT/CC 52 Surface Analysis System on Cloud Confusing: each type of malware is called different names by different vendors.
  54. © 2022 JPCERT/CC 53 Surface Analysis System on Cloud: Malware names differ for each security vendor and get confusing when looking at each report. What is this malware? I want to scan using my YARA rule…
  56. © 2022 JPCERT/CC 55 Surface Analysis System on Cloud Same issues on twitter… What is this malware? I want to scan using my YARA rule…
  58. © 2022 JPCERT/CC 57 Can sandbox alone solve all problems? No. Sandbox analysis results need to be analyzed further, which is time consuming.
  59. © 2022 JPCERT/CC 58 Our Requirements for Malware Analysis Tools
      - Simple
      - Fewer steps to execute
      - Execute multiple analyses all at once
      - Easy to customize
      - Store analysis results
  60. © 2022 JPCERT/CC 59 For Example: YARA scan, floss, capa, olevba, Sandbox, My toolset. These analyses are executed in a single step.
  61. © 2022 JPCERT/CC 60 Flow of Surface Analysis System on Cloud: Analysis results in a single action for multiple malware. Send analysis job from web browser → Get malware from VT → Analyze malware with the selected tools → Save analysis results
  62. © 2022 JPCERT/CC 61 FireFox Add-on
  63. © 2022 JPCERT/CC 62 Analysis Results
  64. © 2022 JPCERT/CC 63 Surface Analysis System on Cloud AWS Cloud S3 REST VirusTotal API Gateway WAF Client Submit job Lambda Batch CodeCommit ECR Run Clone Get malware Push results Image pull Lambda EventBridge EventBridge SNS CloudWatch Twitter Get twitter data Status notification Blog Get contents Submit job
  65. Demo
  66. © 2022 JPCERT/CC 65 Infrastructure as Code (IaC): Code and manage the building of the Surface Analysis System on cloud. Problem: heavy use of IaC increases the cost of managing the code. Limit the cases in which IaC is used; simple systems do not need to use IaC.
  67. © 2022 JPCERT/CC 66 IaC using Terraform Building analysis system using Terraform
  68. © 2022 JPCERT/CC 67 Surface Analysis System on Cloud with IaC GitHub Actions Private Github run apply commit AWS Cloud Client S3 API Gateway WAF Lambda Batch CodeCommit ECR Lambda EventBridge EventBridge SNS CloudWatch
  69. Demo - Infrastructure as Code -
  70. © 2022 JPCERT/CC 69 Surface Analysis System on Cloud
  71. © 2022 JPCERT/CC 70 1 Malware C2 Monitoring 2 Malware Hunting using Cloud 3 YARA CI/CD system 4 Surface Analysis System on Cloud 5 Memory Forensic on Cloud
  72. © 2022 JPCERT/CC 71 Memory Forensic on Cloud: Increased memory size has become a bottleneck for memory forensic investigations. Investigating multiple hosts simultaneously is time-consuming. A memory forensic system must scale out. Build a memory forensic system that scales out on a cloud service.
  73. © 2022 JPCERT/CC 72 Flow of Memory Forensic on Cloud: Build a memory forensic system that scales out on a cloud service. Get memory images → Send memory images to cloud → Run Volatility 3 analysis system (docker image) → Save analysis results
  75. © 2022 JPCERT/CC 74 Memory Forensic on Cloud AWS Cloud S3 output bucket Client Submit job Lambda Batch CodeCommit ECR Run Clone Push results Image pull Memory Image S3 EventBridge Analysis results REST WAF API Gateway Run EventBridge SNS CloudWatch Status notification Scale out
  76. © 2022 JPCERT/CC 75 Analysis Results
  78. Demo
  79. © 2022 JPCERT/CC 78 Memory Forensic on Cloud with IaC GitHub Actions GitHub Run commit Client AWS Cloud S3 output bucket Submit job Lambda Batch CodeCommit ECR Run Clone Push results Image pull S3 EventBridge Analysis results WAF API Gateway Run EventBridge SNS CloudWatch apply
  80. © 2022 JPCERT/CC 79 Surface Analysis System on Cloud
  81. Tips
  82. © 2022 JPCERT/CC 81 Limits of Serverless Services: Serverless services have limited runtime, memory and data size. Check the limits and select a serverless service.
      limit    Lambda   Batch (Fargate)   Cloud Functions   Cloud Run
      runtime  900s     -                 540s              3600s
      memory   10G      30G               16G               32G
      data     10G      200G              16G               32G
  83. © 2022 JPCERT/CC 82 Transfer of Large Data: Transfer of large data, such as memory images and log files, is limited. A CUI (command-line) tool is required for large data transfers. For example (AWS):
      - API Gateway: 10MB
      - S3 presigned URL: 5GB
      - AWS CLI: 160GB
  84. © 2022 JPCERT/CC 83 Use as a Serverless System for GitHub Actions GitHub Actions can also be used as a serverless system. (free: 3000min/month)
  85. © 2022 JPCERT/CC 84 Monitoring the Lucky Visitor Scam C2 System (GitHub) C2 AWS Lambda Amazon EventBridge GitHub Actions Private Public AWS Cloud GitHub Git push Git push Event Get HTML content Amazon S3 output bucket Put IoC Git checkout Google Safe Browsing Report Get IoC
  86. © 2022 JPCERT/CC Share MAOps (Malware Analysis Operations) that fight the malware development life cycle. Introduce the case study on how to build a malware analysis system with low maintenance costs. Learn how to build the Malware Analysis System on Cloud. 85 Takeaways (repost)
  87. Thank you! @jpcert_en ir-info@jpcert.or.jp PGP https://www.jpcert.or.jp/english/pgp/ @jpcert_ac
  88. © 2022 JPCERT/CC [1] JSAC2021: Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf 87 Reference