Time Table

On Sep. 27, 2023, National Police Agency, NISC, NSA, FBI, and CISA jointly called attention to the threat regarding BlackTech. BlackTech started attacks in Japan around 2017 and continued to evolve RAT tools like DbgPrint (aka Waterbear or Deuterbear). To defend against attacks by BlackTech, many security vendors published reports related to the APT group. Although these reports showed details of malware behavior and were very useful, the reports did not analyze DNS abuse at all. Since APT groups rarely leave traces of their activities in DNS behavior, the vendors might not have to pay attention to the DNS abuse. On the other hand, we conducted a comparison study of the DNS abuse among 8 APT groups, then identified an original subdomain abuse regarding attacks by BlackTech related to DgbPrint since Aug. 2023. While we found this operation interesting, we have one question: Did subdomain abuse by BlackTech evolve? Generally, it is difficult for defenders to detect attacks by APT groups. While BlackTech continued to evolve RAT tools, the APT group strategically changed DNS operations. Here, we noticed that BlackTech prioritized the efficiency of constructing attack infrastructure related to the DNS operations. There is a chance that defenders could catch BlackTech off guard. In fact, APT groups do not necessarily put in enough effort to fly under the radar. It might be a good idea to detect DNS abuse that security vendors did not pay attention to rather than hard-to-detect RAT tools. To conduct an in-depth analysis of time-series changes of strategies and differences of DNS abuse between APT groups, we will provide audience with our know-how for the analysis based on threat intelligence, Passive DNS, and WHOIS as the result of trial and error. In addition, we will show our presented techniques in our previous CODE BLUE presentations for detecting the changes and differences of APT group’s strategy.