DeepSec 2022 Talk: Vanquish: Analysis Everywhere with Smartphones – Hiroyuki Kakara
I couldn’t sleep well until I developed the “Vanquish.” I couldn’t fully enjoy Disneyland until I developed the “Vanquish.” I was always thinking about the 2nd and subsequent payloads of the malware of my interest. I was always hoping that the C2 servers would still be available by the time I reached my malware analysis desktop. But the Vanquish changed my life. He tries to collect all the samples that appear in the Twitter accounts of your interest. He analyzes those samples and tries to get the next-stage samples while I am in bed. And I can ask him to analyze malware from my iPhone even while I’m in Disneyland.
The core of the Vanquish is a system which crawls the specified Twitter accounts every specified number of minutes, parses hashes from the tweet bodies or from the web sites the tweets link to, downloads the samples from malware-sharing sites, and submits them to a sandbox. The results are posted to a Slack workspace. I can also ask the Vanquish for ad hoc analysis by specifying hashes.
The Vanquish uses Slack as its I/O interface. Not only does he post results to the Slack workspace, but he also accepts commands from Slack to adjust crawl parameters, start an ad hoc query, etc. With this, I don’t need to be in front of my desktop; an iPhone is all I need to communicate with the Vanquish.
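To make that pipeline concrete, here is an added Python example (not the Vanquish code the author published): it extracts MD5/SHA-1/SHA-256 hashes from a tweet body or linked page text, deduplicating case variants and ignoring hex runs of other lengths, and parses the two kinds of Slack commands the system accepts. The `analyze` and `interval` command syntax, the sample tweet and its hash values are assumptions constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hex runs of exactly MD5/SHA-1/SHA-256 length; the lookarounds stop a SHA-256 from
# also matching as an embedded MD5 or SHA-1 and reject hex runs of other lengths.
HASH_RE = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def extract_hashes(text: str) -> dict[str, set[str]]:
    """Return {hash_type: {lowercase hashes}} found in a tweet body or a linked page."""
    found: dict[str, set[str]] = {t: set() for t in HASH_TYPES.values()}
    for h in HASH_RE.findall(text):
        found[HASH_TYPES[len(h)]].add(h.lower())   # dedupe case variants and repeats
    return found

@dataclass
class Command:
    action: str                                  # "analyze" (ad hoc query) or "interval"
    hashes: list[str] = field(default_factory=list)
    minutes: int | None = None

def parse_command(text: str) -> Command:
    """Parse a Slack message into a Command (assumed syntax); raise rather than guess."""
    parts = text.strip().split()
    verb, args = (parts[0].lower(), parts[1:]) if parts else ("", [])
    if verb == "analyze":
        hashes = [a.lower() for a in args if HASH_RE.fullmatch(a)]
        if not hashes or len(hashes) != len(args):   # every argument must be a hash
            raise ValueError("analyze expects one or more MD5/SHA-1/SHA-256 hashes")
        return Command("analyze", hashes=hashes)
    if verb == "interval":
        if len(args) != 1 or not args[0].isdigit() or not 1 <= int(args[0]) <= 1440:
            raise ValueError("interval expects a crawl period of 1..1440 minutes")
        return Command("interval", minutes=int(args[0]))
    raise ValueError(f"unknown command: {verb!r}")

# Constructed sample tweet (not a real post): a SHA-256 in upper case, the same hash
# again inside a link, an MD5, and a 48-hex decoy that is no known hash length.
SAMPLE_TWEET = (
    "New loader seen today #malware SHA256: "
    "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 "
    "md5 d41d8cd98f00b204e9800998ecf8427e dropped 2nd stage, see "
    "https://example.invalid/file/9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 "
    "build-id 0123456789abcdef0123456789abcdef0123456789abcdef"
)

if __name__ == "__main__":
    print(extract_hashes(SAMPLE_TWEET))
    print(parse_command("analyze d41d8cd98f00b204e9800998ecf8427e"))
```

Rejecting anything that is not a well-formed hash or a bounded interval matters because the Slack channel is the control plane of the system: whatever reaches it drives sandbox submissions.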
The presentation at DeepSec 2022 will introduce the concept of the Vanquish as well as additional features like malware parsing, which can be implemented into your in-house research infrastructure.
Hiroyuki Kakara answers a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- This talk introduces the “Vanquish”, a simple but efficient cyber threat intelligence research system, which crawls IoCs, submits them to a sandbox, and uses Slack as its I/O interface.
- The system will help malware researchers to get second and subsequent payloads ASAP with smartphones.
- The system can be developed in combination with free public services.
- I will also talk about using a Slack bot to extend a cyber threat intelligence research system.
- The core module of the “Vanquish” is also published on GitHub.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We often see multi-stage malware where second and later stage payloads are downloaded from C2. But those C2s often become inaccessible before we notice them. Then my colleague once said that “I cannot sleep well because I’m always worried that interesting malware C2s disappear while I’m in bed.” And I had the same issue. So I decided to solve it by automating IoC crawling and the acquisition of payloads.
Why do you think this is an important topic?
Malware research starts with obtaining samples. And this talk is important because the introduced system helps to get a complete sample chain. In addition, the system can be developed in combination with free public services (of course, commercial versions can be used), and it doesn’t require rich hardware resources. Therefore, it will be valuable not only for employed researchers but also for individual researchers.
Is there something you want everybody to know – some good advice for our readers maybe?
Even if you are not a programmer (neither am I), learning programming skills and automating your tasks is precious in your life. It will not only save you time, but also widen the possibilities of your core activities (like obtaining additional payloads from C2s before they become unavailable).
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
My field is APT [Advanced Persistent Threat] research. We’re seeing multi-domain attacks against Ukraine where physical attacks, influence operations, disruption of infrastructure, and espionage in cyberspace are involved. To analyze them in a timely manner, many experts from different fields (cyber, diplomats, military, intelligence, programmers, etc.) should work together more tightly.
Hiroyuki Kakara is working as a Cyber Threat Researcher for the Threat Intelligence Center of Trend Micro Incorporated in Japan. He is engaged in research on APTs and delivers threat intelligence to Japanese government organizations.
Technically, his research activity comprises incident response, malware analysis, forensics, OSINT, and the utilization of his company’s internal telemetry. He is also an instructor in Trend Micro’s internal security expert training. Hiroyuki works with some members of the Japanese parliament to improve national security against cyber threats. He presented at DeepINTEL 2019, 2020 and 2021.