Welcome to the VB2021 conference!

Where is the cuckoo egg?

Ryuichi Tanabe (NTT Security (Japan) KK), Hajime Takai (NTT Security (Japan) KK) & Rintaro Koike (NTT Security (Japan) KK)
partner message

Do you like doing work that matters to you… and really frustrates the bad guys?

https://talosintelligence.com/careers

At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

Looking for performance validation for your product?

https://www.virusbulletin.com/testing/

Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected]

partner message

Calling all Hackers!

https://www.ise.io/careers/#op-470256-hacker-midseniorprincipal

We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

F5 helps find malware hiding in plain sight

https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encrypted

Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity

https://ti.qianxin.com/marketing/vb2021/

QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

We don’t just talk about sharing. We do it every day.

https://www.cyberthreatalliance.org/about-cta

Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

Threat Intelligence and Cyber Resilience

https://vblocalhost.com/programme/#TIPS

Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

IoT security begins with your Smart TV

https://chomar.link/smarttv

CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

Stay ahead of threats with VirusTotal

https://www.virustotal.com/

Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions

https://www.farsightsecurity.com/get-started-guide/

DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

VirusTotal: Actionable crowdsourced threat intelligence

https://www.virustotal.com/

Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

Amazon Information Security - come build the future with us!

https://www.amazon.jobs/en-gb/team/infosec

Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Ransomware prevention starts with zero

https://www.zscaler.com/solutions/security-transformation/ransomware-protection

Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

In 2020, we observed that TA428, which might belong to China, had used a new unknown malware. We named it "Tmanger". Then we analysed it in detail, and we found that there have been other examples of Tmanger-like malware. These are called ‘Allbaniiutas’ or ‘Smanager’ and they have been reported to be used in two supply chain attacks.

In this presentation we describe the detailed analysis result for each member of the Tmanger malware family. In particular, we focus on the unclear things such as the relationships among the Tmanger family and the generation timeline of the malware. Furthermore, we introduce how supply chain attacks using the Tmanger family occurred by sharing the concrete intrusion cases.

Next, we share how to find Tmanger malware and how to research it. In this section, you will learn how to detect the Tmanger-related malware effectively.

At the end of the presentation, we consider the relationship between TA428 and other APT groups by showing relationships of malware builders and infrastructures and by comparing shared cases such as Royal Road RTF Weaponizer and ShadowPad. The Tmanger family was used by TA428 at first, but other APT groups such as Lucky Mouse also started using it later. This can be considered as the malware being shared between TA428 and the other APT groups.

Through this presentation, we will share various information (details about the campaign, the toolsets, the TTPs, the infrastructure, and the actor's information). SOC analysts, CSIRTs, and security researchers who research APT groups which might belong to China will gain a deeper understanding of the attacks and how to take countermeasure against them.

Got a question about this presentation? To get in touch with the speakers, contact Hajime Takai on Twitter at @ich11chi.
Ryuichi Tanabe
NTT Security (Japan) KK

Ryuichi Tanabe is a SOC analyst at NTT Security (Japan) KK. Currently, his main duty is responding to EDR detection, but he also works as a malware analysis researcher. Now his interest is malware families related to APT attacks targeting East Asia. Previously he worked as a web programmer, but he changed his career to become a SOC engineer in 2012. Since then, he has specialized in SOC related works.

Hajime Takai
NTT Security (Japan) KK

Hajime Takai currently works as a SOC analyst and a malware researcher at NTT Security (Japan) KK. He joined NTT Security in 2016, before which he worked for five years as a software engineer. He contributes to the NTT Security blog about malware research. He has written a white paper about Taidoor (in Japanese) and Tmanger. In addition, he has presented at VB2020 and Japan Security Analyst Conference 2020/2021. He loves mahjong.

Rintaro Koike
NTT Security (Japan) KK

Rintaro Koike is a security analyst at NTT Security (Japan) KK. He is engaged in SOC and malware analysis. In addition, he is the founder of "nao_sec" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, JSAC, Black Hat USA Arsenal and others.