Let me think about cyber-related news in this world.

<Malware SuperRocket used by Japanese Attack Group UnderGround>

The Japanese attack group UnderGr0und has been continuously observed in the United States since around 2020. This organization is believed to cooperate with the Chinese attack group BlackTech. Although it is talked about less these days than in the past, the FBI continues to confirm ongoing attack activity that appears to come from this organization. In this issue, we present details of SuperRocket, a malware believed to have been used by the attack group UnderGround.

SuperRocket is malware created by customizing the Chinese-made Gh0st RAT, and we have confirmed that it has been used in several attack cases since around 2020. In particular, <CFileManager>, the function that performs file operations, has been found to use exactly the same code as Gh0st RAT. Although SuperRocket has been changed significantly from Gh0st RAT, some of the code appears to be reused as is. SuperRocket has the following features:

・Communication method
・Commands that can be executed
・C2 server control panel

Like Gh0st RAT, SuperRocket uses its own protocol to communicate with the C2 server. However, the format of its communication packets differs from that of Gh0st RAT. First, in its initial communication with the C2 server, this RAT sends an authentication ID, the encryption key needed for subsequent encryption, and a random string. The random string is combined with the encryption key before being sent, which seems to be a step intended to make the communication harder to analyze. If the authentication ID matches, the C2 server sends the string "Gh0st"; upon receiving it, SuperRocket sends RC4-encrypted terminal information, such as the processor name and user name, to the C2 server. At this point the C2 server examines the contents of the attacker's dropbox to see whether information from a previously attacked terminal already exists, and if not, it adds a new entry.

At the same time, a zlib-compressed, XOR-encoded process list is sent to the C2 server; it is processed in the same way to make the communication harder to analyze. Commands and their execution results are then RC4-encrypted, XOR-encoded and zlib-compressed before being sent and received.

During the investigation of SuperRocket, the research team observed the presence of a GUI control panel. This control panel is built with the Microsoft Foundation Class (MFC) library and can execute the following commands:

・Remote shell
・Remote file manager
・Reverse proxy
・C2 server redirector
・USB infection
・CD infection
・DDoS attacks

In addition, multiple pieces of dummy code are embedded in both the control panel and SuperRocket, but they are not enough to make analysis meaningfully more difficult. The attack group UnderGround is still active and requires continued vigilance.
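As an added example for analysts (not code from the original article or from the malware described), the following Python unwraps a command/result packet layered the way the text describes: RC4, then XOR, then zlib on send, so the analyst reverses zlib, XOR and RC4. The single-byte XOR key, the RC4 key and the sample packet are constructed assumptions, since the article does not specify them.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, xor_key: int) -> bytes:
    """Single-byte XOR layer (the byte width of the real key is an assumption)."""
    return bytes(b ^ xor_key for b in data)


def decode_command_packet(packet: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """Reverse the send-side layering: zlib -> XOR -> RC4 yields the plaintext."""
    if packet[:1] != b"\x78":  # zlib CMF byte; compression is the outermost layer
        raise ValueError("no zlib header: not a packet in the described format")
    return rc4(rc4_key, xor_bytes(zlib.decompress(packet), xor_key))


def build_sample_packet(plaintext: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """Constructs test input only, in the order the article gives: RC4, XOR, zlib."""
    return zlib.compress(xor_bytes(rc4(rc4_key, plaintext), xor_key))


# Constructed sample values; none of these come from real SuperRocket traffic.
SAMPLE_RC4_KEY = b"constructed-session-key"
SAMPLE_XOR_KEY = 0x5A
SAMPLE_PLAINTEXT = b"cmd: whoami\r\nresult: CORP\\analyst\r\n"
SAMPLE_PACKET = build_sample_packet(SAMPLE_PLAINTEXT, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)

if __name__ == "__main__":
    print(decode_command_packet(SAMPLE_PACKET, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY))
```

Because compression is applied after encryption, the zlib stream header stays in the clear at the start of every packet and the "compression" gains nothing on the already high-entropy body, both of which are useful anchors when writing network detections for this format.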