Ambiguously Black: The Current State of Earth Hundun's Arsenal
Hiroaki Hara, Trend Micro Inc.
© 2022 Trend Micro Inc.

Slide 2: Practical Guide

Slide 5: 混沌 (Hundun, "chaos")

Slide 12: References
https://vblocalhost.com/uploads/VB2021-50.pdf
https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech
https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html

Slide 13: 0x4D 0x5A => MZ (DOS header magic)

Slide 18: TSCookie C&C infrastructure
www[.]microsoft[.]com[.]msonlinemicrosoft[.]com (port 443)
103.30.41[.]91 (ports 80 and 443)

Slide 19: Reference
https://vblocalhost.com/uploads/VB2021-50.pdf

Slide 20: BTSDOOR C&C server

Slide 21: BTSDOOR command codes: 0x20, 0x22, 0x30, 0x31, 0x33, 0x39, 0x40, 0x41, 0x50, 0x51, 0x52, 0x53, 0xA1, else

Slide 23: 汉奸 (hanjian, "traitor")
https://github.com/LimerBoy/ToxicEye

Slide 26: Execution command line
> C:\Windows\System32\rundll32.exe %temp%\spoolsv.dll,func

Slide 28: 0xDEADBEEF

Slide 30: Bytes 02 00 04 00 at offsets 0-3, read as the little-endian DWORD 0x00040002

Slide 31: CHROMEPASSDUMP
Tries to decrypt the master password from Chrome's Local State file and writes the result to stdout: target URL, username, password, last login, creation date.
https://github.com/AlessandroZ/LaZagne

Slide 35: References
https://medium.com/deep-learning-for-cybersecurity/blue-hexagon-security-advisory-microsoft-exchange-server-0-days-83f49d528d34
https://www.seqrite.com/blog/4898-2/

Slide 37: Reference
https://github.com/abhisek/Pe-Loader-Sample/blob/master/src/PeLdr.cpp

Slide 38: Sample SHA-1 hashes with timestamps

Slide 39: C:\Program Files (x86)\Common File
Byte sequence: EE D8 FF E0

Slide 40: Byte sequence: D0 D9 FE E1
fixmeconfig

Slide 42: Sample SHA-1 hashes with timestamps
Autorun types
Type 1: Run / RunOnce / UserInitMprLogonScript
Type 2: Run / OnecDrive / UserInitMprLogonScript
Backdoor types
Type 1 (x86):
- Reverse shell using powershell.exe
- Disk manipulation (enumerate drives / upload / download / rename)
Type 2 (x64):
- Reverse shell using cmd.exe
- Download EXE and execute

Slide 43: Configuration format
IP1|PORT1|IP2|PORT2|IP3|PORT4|PROXY_NAME|PROXY_USERNAME|PROXY_PASS|?|INTERVAL|PERSISTENCE

Slide 45: %APPDATA%\Local\Microsoft\OneDrive\FileSyncFalwb.dll

Slide 46: BUSYICE, SPIDERPIG

Slide 53: Threats detected and blocked worldwide by Trend Micro in 2018. Created by artist Daniel Beauchamp using real data.

Slides 57-58: SHA-256 hashes

Slide 59: C&C domains and IP addresses

Slide 60: Backdoor commands
HELP, ABOUT, WHOIS, COMPUTERINFO, ACTIVEWINDOW, SHELL, PROCESSLIST, PROCESSKILL, PROCESSSTART, DOWNLOADFILE, UPLOADFILE, LISTFILES, REMOVEFILE, REMOVEDIR, RUNFILE, RUNFILEADMIN, MOVEFILE, COPYFILE, MOVEDIR

Slides 61-62: Command codes