Understanding the Threats of Ransomware and "maline (Malicious LINE Installer)"

This session introduces ransomware and a fake LINE installer for Windows PC.
Many of you probably know about ransomware. Damage has grown in recent years, but many people do not know what kind of criminals actually carry out the attacks, or by what logic their files end up encrypted.
Next, a computer virus that targets our LY services. When you install an application, do you install it from the correct site? We explain what kind of damage you suffer if you accidentally install a fake application.
See a real computer virus with your own eyes and learn the right way to deal with the threat!


Transcript

  1. Understanding the Threats of Ransomware and "maline (Malicious LINE Installer)"
     TI Analysis & Response Team, CISO Supervisory Group, Kubiura Hiromu
  2. Kubiura Hiromu: Security Engineer / Researcher. Joined LY Corporation in 2023. Conducts threat intelligence with a focus on malware analysis.
     • Presentations: Black Hat USA, BSides Tokyo
     • Holds CVEs related to IoT devices
     • SECCON 2022 CTF Domestic Finals, 2nd place
     • SecHack365 2022 Outstanding Graduate
     • Instructor at the National Security Camp
  3. Do you know ransomware? RaaS, leak sites, actor groups:
     • Why is ransomware prevalent?
     • How is ransom demanded?
     • What types of actor groups are involved?
     File encryption logic:
     • Why can a large number of files be encrypted?
     • Why can't we decrypt them ourselves?
     • What encryption functions are used?
  4. RaaS (Ransomware as a Service) ~ The RaaS model as seen through LockBit ~
     Actor groups don't distribute ransomware directly; instead, they distribute it through affiliates.
     • Actor group: develops the ransomware that affiliates use; earns money from ransomware subscriptions and a portion of the ransom collected by affiliates.
     • Affiliate: attacks organizations with the ransomware; demands ransom through threats and negotiates with the organization.
  5. Diagram of the LockBit flow: LockBit provides infrastructure to the affiliate (• Ransomware build tools • Tor-based sites for negotiations); the affiliate deploys the ransomware to the victim and negotiates; the victim pays a ransom to the affiliate; the affiliate pays a commission to LockBit.
  6. File Encryption Logic ~ Analyze the ransomware to uncover its full scope ~
     The following points are essential for the core file encryption function of ransomware:
     • Fast encryption system
     • Ability to decrypt
     Symmetric-key encryption algorithms such as AES and RC4 are commonly used. These are often customized by each actor, which makes analysis challenging. Additionally, by encrypting and embedding the key used for file encryption, the victim is unable to decrypt the files while the actor retains the ability to decrypt them. (By examining the ransom note, it's possible to determine how the ransomware was built and deployed, which can reveal the decryption key.)
  7. Let's read the virus! If the file size exceeds approximately 1.5 MB, a different encryption function is called.
  8. Encryption of file data / encryption of the AES key: the same key and IV are used for encrypting both the file data and the AES key. hExFile: existing file (original data); hNeFile: new file (encrypted data).
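The deck explains why ransomware can encrypt so many files so fast: a symmetric cipher is applied file by file. One defender-side consequence is that freshly rewritten files suddenly have ciphertext-like byte statistics. The block below is an added example, not code from the deck or from LY Corporation: it measures Shannon entropy of written data and flags a burst of high-entropy rewrites. The sample documents, file paths and the 7.5 bits/byte threshold are constructed assumptions, not values from the analysed sample.

```python
import math
import secrets
from collections import Counter

# Constructed sample inputs (not from the deck): repetitive text standing in for a
# document, and random bytes standing in for the same file after AES/RC4 encryption.
PLAIN_SAMPLE = b"Quarterly report: revenue grew 4% in Q3.\n" * 64
ENCRYPTED_SAMPLE = secrets.token_bytes(len(PLAIN_SAMPLE))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic only: archives, images and video also score high, so pair it with rate."""
    return shannon_entropy(data) >= threshold


def detect_mass_encryption(events, window_s: float = 10.0, min_hits: int = 5):
    """events: iterable of (timestamp_s, path, written_bytes). Returns the timestamp at
    which at least min_hits high-entropy writes have landed within window_s, else None."""
    recent = []
    for ts, _path, content in sorted(events, key=lambda e: e[0]):
        if not looks_encrypted(content):
            continue
        recent = [t for t in recent if ts - t <= window_s] + [ts]
        if len(recent) >= min_hits:
            return ts
    return None


def sample_events(encrypted: bool, spacing_s: float = 0.5):
    """Constructed write log (assumed paths): eight files rewritten spacing_s apart."""
    body = ENCRYPTED_SAMPLE if encrypted else PLAIN_SAMPLE
    return [(i * spacing_s, f"C:/Users/victim/Documents/doc{i}.docx", body) for i in range(8)]


if __name__ == "__main__":
    print("entropy of plain sample:", round(shannon_entropy(PLAIN_SAMPLE), 2))
    print("entropy of encrypted sample:", round(shannon_entropy(ENCRYPTED_SAMPLE), 2))
    print("burst detected at t =", detect_mass_encryption(sample_events(encrypted=True)))
```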
  9. Definition of maline: 1. Windows PC installer only; 2. Excludes LINE-based scams/phishing.
     Since around 2023, computer viruses have been observed distributing a RAT (Remote Access Trojan) using fake Windows PC LINE installers. maline = Malicious + LINE
  10. Features of maline
     • A type of malware known as a Trojan.
     • LINE is correctly installed and usable.
     • It has been observed since around 2023.
     • Victims are directed to fake download sites through SEO poisoning.
     • It targets Chinese speakers and has been observed in Southeast Asia and East Asia.
     New discovery! In 2025, a variant of maline was observed. This type distributes a RAT known as ValleyRAT. ValleyRAT is used by an actor group known as Silver Fox APT, which is based in China.
  11. Let's read the virus! It uses DLL sideloading techniques to call malicious functions. This method is commonly observed among Chinese actor groups.
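DLL sideloading works because, for libraries not on the KnownDLLs list, the Windows loader searches the application's own directory before the system directory, so a DLL dropped next to a legitimate executable is loaded in place of the real one. The block below is an added example, not the deck's or LY Corporation's code: a directory sweep that flags DLLs sitting beside an .exe whose file name also exists in the system directory. The folder layout and DLL names it builds are constructed placeholders, not artefacts of the analysed maline sample.

```python
import os
import tempfile
from pathlib import Path


def system_dll_names(system_dir: Path) -> set:
    """Lower-cased names of the DLLs shipped in the OS system directory."""
    return {p.name.lower() for p in system_dir.iterdir() if p.suffix.lower() == ".dll"}


def find_sideload_candidates(root: Path, system_dir: Path) -> list:
    """Flag DLLs lying next to an .exe that share a name with a system DLL: for DLLs not
    on the KnownDLLs list the application directory is searched first, so this is the file
    the executable would load. Heuristic only; legitimate redistributables also match."""
    known = system_dll_names(system_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]
        if not any(name.endswith(".exe") for name in lowered):
            continue
        for f in files:
            if f.lower().endswith(".dll") and f.lower() in known:
                findings.append(str(Path(dirpath) / f))
    return sorted(findings)


def build_demo_tree(tmp: Path):
    """Constructed directory layout (placeholder names, not from the analysed sample):
    a fake installer folder carrying a DLL named like a system library."""
    sysdir = tmp / "System32"
    sysdir.mkdir(parents=True)
    for name in ("version.dll", "dbghelp.dll"):
        (sysdir / name).write_bytes(b"MZ")          # placeholder bytes, not a real PE
    app = tmp / "Downloads" / "FakeInstaller"
    app.mkdir(parents=True)
    (app / "setup.exe").write_bytes(b"MZ")          # the legitimate-looking host program
    (app / "version.dll").write_bytes(b"MZ")        # same name as a system DLL: flagged
    (app / "helper.dll").write_bytes(b"MZ")         # application-private name: ignored
    clean = tmp / "Downloads" / "Clean"
    clean.mkdir()
    (clean / "version.dll").write_bytes(b"MZ")      # no .exe beside it: ignored
    return tmp / "Downloads", sysdir


def run_demo() -> list:
    """Build the constructed tree in a temp dir and return hits relative to Downloads."""
    with tempfile.TemporaryDirectory() as d:
        downloads, sysdir = build_demo_tree(Path(d))
        hits = find_sideload_candidates(downloads, sysdir)
        return [Path(h).relative_to(downloads).as_posix() for h in hits]


if __name__ == "__main__":
    for hit in run_demo():
        print("possible DLL sideloading:", hit)
```

On a real host, point `find_sideload_candidates` at a download or install root and at the actual system directory; the hit list is a triage queue, not a verdict.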
  12. The binary received from the C2 server is unpacked into memory. Upon extraction, it becomes clear that this is the final payload, ValleyRAT.
  13. Counterplan: Countermeasures Against Ransomware
     • Don't comply with ransom demands.
     • Paying the ransom doesn't guarantee that your files will be fully decrypted.
     • Paying the ransom can further empower and expand actor groups.
     • Don't download files attached to suspicious emails.
     • Don't trust suspicious content in various situations, not just in emails.
  14. Counterplan: Countermeasures Against Fake Installers (Trojans)
     • Install from official websites.
     • Sites displayed through advertisements are often fake.
     • However, don't be complacent in thinking you can always tell the difference.
  15. Wrap-up. This analysis is conducted on a VM with appropriate configurations. Please don't perform the analysis on your local environment. Malware exists all around us. Instead of being overly fearful, let's learn why infections occur and how attackers conduct their operations. "知彼知己、百戰不殆" (孫子) (If you know your enemy and understand your own strengths, you need not fear the result of a hundred battles. Sun Tzu)