Welcome to the VB2021 conference!

arrow left Back

Where is the cuckoo egg?

Ryuichi Tanabe (NTT Security (Japan) KK), Hajime Takai (NTT Security (Japan) KK) & Rintaro Koike (NTT Security (Japan) KK)
In 2020, we observed that TA428, which might belong to China, had used a new unknown malware. We named it "Tmanger". Then we analysed it in detail, and we found that there have been other examples of Tmanger-like malware. These are called ‘Allbaniiutas’ or ‘Smanager’ and they have been reported to be used in two supply chain attacks.

In this presentation we describe the detailed analysis result for each member of the Tmanger malware family. In particular, we focus on the unclear things such as the relationships among the Tmanger family and the generation timeline of the malware. Furthermore, we introduce how supply chain attacks using the Tmanger family occurred by sharing the concrete intrusion cases.

Next, we share how to find Tmanger malware and how to research it. In this section, you will learn how to detect the Tmanger-related malware effectively.

At the end of the presentation, we consider the relationship between TA428 and other APT groups by showing relationships of malware builders and infrastructures and by comparing shared cases such as Royal Road RTF Weaponizer and ShadowPad. The Tmanger family was used by TA428 at first, but other APT groups such as Lucky Mouse also started using it later. This can be considered as the malware being shared between TA428 and the other APT groups.

Through this presentation, we will share various information (details about the campaign, the toolsets, the TTPs, the infrastructure, and the actor's information). SOC analysts, CSIRTs, and security researchers who research APT groups which might belong to China will gain a deeper understanding of the attacks and how to take countermeasure against them.
Ryuichi Tanabe
NTT Security (Japan) KK

Ryuichi Tanabe is a SOC analyst at NTT Security (Japan) KK. Currently, his main duty is responding to EDR detection, but he also works as a malware analysis researcher. Now his interest is malware families related to APT attacks targeting East Asia. Previously he worked as a web programmer, but he changed his career to become a SOC engineer in 2012. Since then, he has specialized in SOC related works.

Hajime Takai
NTT Security (Japan) KK

Hajime Takai currently works as a SOC analyst and a malware researcher at NTT Security (Japan) KK. He joined NTT Security in 2016, before which he worked for five years as a software engineer. He contributes to the NTT Security blog about malware research. He has written a white paper about Taidoor (in Japanese) and Tmanger. In addition, he has presented at VB2020 and Japan Security Analyst Conference 2020/2021. He loves mahjong.

Rintaro Koike
NTT Security (Japan) KK

Rintaro Koike is a security analyst at NTT Security (Japan) KK. He is engaged in SOC and malware analysis. In addition, he is the founder of "nao_sec" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, JSAC, Black Hat USA Arsenal and others.