Rintaro Koike
Rintaro Koike is a security researcher at NTT Security (Japan) KK. He is engaged in threat research and malware analysis. In addition, he is the founder of "nao_sec" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has given over 30 presentations at over 10 international conferences, such as VB, Botconf, FIRST, AVAR and others.
Session
VShell is a backdoor written in Golang that is shared across multiple threat actors. It is used widely by intrusion groups, particularly China-nexus actors such as UNC5174. We carried out an in-depth investigation of VShell C2 servers and found that a broad range of information can be obtained from them at scale. For example, by sending a specific magic packet to a VShell C2 server, it is possible to retrieve the raw stageless binary in unobfuscated form. This stageless binary contains hard-coded config data, including the "vkey". We performed an internet-wide scan for publicly exposed VShell C2 servers, collected stageless binaries, analysed their config data, and explored clustering and attribution.
In this presentation, we first explain what kind of malware VShell is, including its relationship with SNOWLIGHT, and present the results of our detailed malware analysis together with representative cases of abuse. We then describe the structure of the VShell C2 server and show how it communicates with VShell. We also share the contents of the magic packet used to obtain the stageless binary, the results of our detailed analysis of the binary itself, the configuration data embedded in it, and the findings from our analysis of the large volume of config data we collected. In addition, we present deeper analytical results based on information obtained from C2 servers that were operated with default settings. Finally, we propose detection logic for network and endpoint security products to help defend against compromises involving VShell. This logic reflects the detailed internal behaviour of VShell C2 infrastructure revealed by our research.
Through this talk, attendees will gain a detailed understanding of VShell’s capabilities and the characteristics of its C2 servers. They will also learn a research method for uncovering new information useful for attribution. In addition, these findings can be applied directly to defensive practice, including the development of more effective detection logic.