In 2020, we observed that TA428, a group which might be based in China, had used a new, previously unknown malware, which we named "Tmanger". Detailed analysis then showed that other Tmanger-like malware exists: samples called "Allbaniiutas" or "Smanager", which have been reported to be used in two supply chain attacks.
In this presentation we describe the detailed analysis results for each member of the Tmanger malware family. In particular, we focus on open questions such as the relationships among the Tmanger family members and the timeline on which the malware was produced. Furthermore, we show how supply chain attacks using the Tmanger family were carried out by walking through concrete intrusion cases.
Next, we share how to find Tmanger malware and how to research it. In this section, you will learn how to detect Tmanger-related malware effectively.
At the end of the presentation, we consider the relationship between TA428 and other APT groups by showing the relationships between their malware builders and infrastructure, and by comparing shared tooling such as the Royal Road RTF weaponizer and ShadowPad. The Tmanger family was used by TA428 first, but other APT groups such as Lucky Mouse later started using it as well. This suggests that the malware is shared between TA428 and the other APT groups.
Through this presentation, we will share a range of information: details about the campaign, the toolsets, the TTPs, the infrastructure, and the actors. SOC analysts, CSIRTs, and security researchers who study APT groups which might be based in China will gain a deeper understanding of these attacks and of how to take countermeasures against them.
Got a question about this presentation? To get in touch with the speakers, contact Hajime Takai on Twitter at @ich11chi.