Did Subdomain Abuse by BlackTech “Evolve”?
DAY 2, 9:00-9:40
On Sep. 27, 2023, the National Police Agency, NISC, NSA, FBI, and CISA jointly called attention to the threat posed by BlackTech. BlackTech started attacks in Japan around 2017 and has continued to evolve RAT tools such as DbgPrint (aka Waterbear or Deuterbear). To defend against attacks by BlackTech, many security vendors have published reports on the APT group. Although these reports detailed malware behavior and were very useful, none of them analyzed DNS abuse. Since APT groups rarely leave traces of their activities in DNS, the vendors may have seen no need to pay attention to DNS abuse. We, on the other hand, conducted a comparative study of DNS abuse among 8 APT groups and identified a distinctive form of subdomain abuse in BlackTech attacks related to DbgPrint since Aug. 2023. While we found this operation interesting, it left us with one question: did subdomain abuse by BlackTech evolve?

Generally, it is difficult for defenders to detect attacks by APT groups. While BlackTech continued to evolve its RAT tools, the group strategically changed its DNS operations. Here, we noticed that BlackTech prioritized the efficiency of constructing attack infrastructure in those DNS operations. This gives defenders a chance to catch BlackTech off guard: in fact, APT groups do not necessarily put in enough effort to fly under the radar. It may be a better idea to detect DNS abuse that security vendors have not paid attention to than to chase hard-to-detect RAT tools.

To support an in-depth analysis of time-series changes in strategy and of differences in DNS abuse between APT groups, we will share with the audience the know-how we gained through trial and error for analysis based on threat intelligence, Passive DNS, and WHOIS. In addition, we will show how the techniques presented in our previous CODE BLUE talks can detect such changes and differences in APT groups' strategies.
Location: Track 1 (HALL B)
Category: Technical
Speakers
Tsuyoshi Taniguchi
谷口 剛
Tsuyoshi Taniguchi is a researcher at Fujitsu Defense & National Security Limited. He focuses on network security and cyber threat intelligence based on in-depth analysis of malicious behavior around the domain name system (DNS). He was a speaker at the CODE BLUE 2017 Day0 Special Track, CODE BLUE 2018, 2020, 2021, 2022, Black Hat Asia 2021, and ACM ASIACCS 2021. Prior to joining Fujitsu, he received his Ph.D. in computer science from the Graduate School of Information Science and Technology, University of Hokkaido.
Kotaro Ohsugi
大杉 浩太郎
Kotaro Ohsugi is a security researcher at FDNS. He is a graduate of National Security Camp 2017 and was previously involved in digital forensics using EDR products. With this background, he is currently engaged in software reverse engineering, malware analysis, and binary exploitation.