

Going down the RAT hole: Deep dive into the Vuln-derland of APT-class RAT Tools

Slides (released in advance) for the talk "Going down the RAT hole: Deep dive into the Vuln-derland of APT-class RAT Tools", presented at AVTOKYO2024 on November 16, 2024. For details of the talk, see https://www.avtokyo.org/avtokyo2024/speakers#h.u64duq1cbh2c

NTT Communications

November 10, 2024



Transcript

  1. © 2024 NTT Communications Corporation, N.F.Laboratories. Inc.

    Going down the RAT hole: Deep dive into the Vuln-derland of APT-class RAT Tools
    Akitoshi Takezaki & Ryo Minakawa @ NA4Sec team, AVTOKYO2024
  2. TLP: CLEAR © 2024 NTT Communications Corporation, N.F.Laboratories. Inc.

    About us
    • Ryo Minakawa (@strinsert1Na), Org.: NFLaboratories, Job: Malware Analyst
    • Akitoshi Takezaki (@z4ck_key), Org.: NTT Communications, Job: Intelligence Analyst
    We are a threat intelligence team!!
  3. Attention

    Please use the content within the scope of the TLP!!
    • TLP: CLEAR: approved for internet discussion
    • TLP: AMBER: limited disclosure
  4. In my case…

    It’s been an exciting year with tons of information leaks from Chinese APTs due to OPSEC failures!
    • Legacy Threat: PlugX Builder/Controller Discovered in Open Directory, https://hunt.io/blog/legacy-threat-plugx-builder-controller-discovered-in-open-directory
    • Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns, https://unit42.paloaltonetworks.com/i-soon-data-leaks/
  5. The Benefits by Tool Leaks

    Before the leak: analysis from a forensic perspective is very limited, because only the modules that can be recovered from memory are available. The malware loads only Module A and Module B from the C2 server; the analyst dumps the RAT implant from memory and is left with "next stage, analyze malware modules……".
    After the leak: the post-exploitation tool itself delivers the full module set (Module A, Module B, Module C, Module D), so the functions of the tool are easy to understand intuitively!!
    Analyzing from the post-exploitation tool’s perspective makes it much easier to assess the tool’s capabilities and apply the insights to defense.
  6. The Benefits by Tool Leaks

    Before the leak: even a small mistake in the investigation (e.g. while internet-scanning a live C2) might amount to an exploit and could carry a risk of arrest. Even if we are the victims, we can only conduct a limited investigation….
    After the leak: set up the C2 server on the host's local network, reduce the risk of arrest and investigate as much as we want!!
    Setting up a RAT C2 server in a local environment enables investigations that extend to the scope of vulnerability exploitation!!
  7. Our presentation topics

    An investigation triggered by the leakage of nation-state-sponsored APTs’ custom RATs
    • Identified RAT infrastructure fingerprints and vulnerabilities from an offensive perspective
    • Found interesting vulnerabilities along the way
    • Hoping for future applications in Active Cyber Defense
  8. Discovery and Collection Methods for RATs Used by Leaked State-Sponsored APTs
  9. RATs Leaked Over the Past Year

    Three RATs developed by state-sponsored APTs, identified by us
    • PlugX
      • Used by Chinese APT groups for over 10 years
      • Hunt.io discovered the builder and controller on an "opendir" C2 server [1]
    • ShadowPad
      • High-functionality modular RAT, considered a successor to PlugX
      • Management interface found in the i-Soon leak [2]
      • nao_sec discovered the builder on VirusTotal due to an operator’s OPSEC failure [3]
    • RatelS (a.k.a. micDown, HemiGate)
      • High-functionality modular RAT reflecting the PlugX developer’s intent
      • First reported by LAC last year in an incident report noting that the builder had been uploaded to VirusTotal [4][5]
      • nao_sec and Trend Micro also reported it, showing connections across all cases [6][7][8]
  10. What You Can Learn from Using RAT

    [Figure: attack chain from Attacker to Victim (Infrastructure, delivery, Command & Control, execution; BLOB, Tools), annotated with two assessments: "Defense leveraging TTPs: likely effective / Attribution: ineffective" and "Defense leveraging TTPs: limitedly effective / Attribution: likely effective"]
  11. Basic Analysis Approach

    Research environment: set up the local server and client environment on Proxmox
    • Kali Linux: for RAT C2 server scanning
    • RAT C2 server: the RAT listener running on Windows Server
    • Victim machine: the RAT implant running on Windows 10
    Starting point: identify unique fingerprints of the RAT C2 infrastructure
  12. Key Takeaway: Active Cyber Defense

    Not just for fun
    • These vulnerabilities, if exploited, are highly dangerous
    • However, with legitimate use of these vulnerabilities, a takedown operation like Emotet's might be possible
    • Yet, even as laws are under review, the feasibility of this approach remains uncertain...
  13. Key Takeaway: Active Cyber Defense

    • Expert meetings continue, but issues remain unresolved
    • The meeting records raise concerns:
      • e.g.) Reporting obligations for infrastructure providers: our options are very limited
    • Need for practical and tactical adjustments beyond theoretical strategies
      • (even if the relevant stakeholders aren't here)
    "Active Cyber Defense": government expert panel compiles a summary of the issues, NHK, https://www3.nhk.or.jp/news/html/20240807/k10014539571000.html
  14. Summary

    Deep investigation of RATs and their infrastructure from an offensive perspective
    • Focused not only on understanding the modules but also on:
      • Identifying unique infrastructure fingerprints
      • Exploring a potential vulnerability-based takedown operation
    • If this presentation has made you interested in RAT C2 servers, don’t miss the PowerShell Empire workshop today!
  15. Thank you for listening!

    Going down the RAT hole: Deep dive into the Vuln-derland of APT-class RAT Tools
    Your comments & feedback are always welcome!! ☞ [email protected]
  16. References -1-

    [1] Legacy Threat: PlugX Builder/Controller Discovered in Open Directory, Hunt.io (2024/6/5), https://hunt.io/blog/legacy-threat-plugx-builder-controller-discovered-in-open-directory
    [2] Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns, Unit 42, Palo Alto Networks (2024/2/23), https://unit42.paloaltonetworks.com/i-soon-data-leaks/
    [3] Building Casper’s Shadow, nao_sec (2024/6/30), https://nao-sec.org/2024/06/building-caspers-shadow.html
    [4] Traces of PlugX in the New Modular Malware "RatelS" (新たなモジュール型マルウェア「RatelS」に見るPlugXの面影), LAC WATCH (2023/9/14), https://www.lac.co.jp/lacwatch/report/20230914_003513.html
    [5] New Modular Malware RatelS: Shades of PlugX, Botconf 2024 (2024/4/24), https://www.botconf.eu/botconf-presentation-or-article/new-modular-malware-ratels-shades-of-plugx/
  17. References -2-

    [6] The Secret Life of RATs: connecting the dots by dissecting multiple backdoors, JSAC2024 (2024/1/26), https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_jp.pdf
    [7] GroundPeony: Crawling with Malice, nao_sec (2023/8/22), https://nao-sec.org/2023/08/groundpeony-crawling-with-malice.html
    [8] Earth Estries Targets Government, Tech for Cyberespionage (攻撃グループ「Earth Estries」が政府機関や技術業界を狙って新たなサイバー諜報活動を展開), Trend Micro (2023/10/27), https://www.trendmicro.com/ja_jp/research/23/j/earth-estries-targets-government-tech-for-cyberespionage.html
    [9] "Active Cyber Defense": government expert panel compiles a summary of the issues (「能動的サイバー防御」 政府 有識者会議の論点整理まとまる), NHK (2024/8/23), https://www3.nhk.or.jp/news/html/20240807/k10014539571000.html