JPCERT/CC describes cloud-based malware analysis operations (MAOps) that automate C2 monitoring, malware hunting, YARA rule generation, surface analysis, and memory forensics using AWS serverless services and GitHub workflows. The article presents several case studies, among them the Lucky Visitor Scam and Cobalt Strike Beacons, together with GitHub repositories that make investigations and IoC collection scalable and repeatable. Hashtags: #LuckyVisitorScam #CobaltStrike #HUILoader #JPCERTCC #SurfaceAnalysisOnCloud #MemoryForensicOnCloud
Key points
- Cloud MAOps leverage AWS serverless services (e.g., Lambda, S3, Batch) and GitHub Actions to automate malware analysis workflows.
- C2 monitoring runs in the cloud so that attacker activity can be observed from infrastructure the attackers are unlikely to block when they restrict access, which allows newly introduced redirect URLs to be discovered.
- The Lucky Visitor Scam IoCs and related analysis are publicly available in a dedicated GitHub repository.
- A system automatically collects and analyzes Cobalt Strike Beacons from the Internet, leveraging open platform data for automated malware analysis.
- YARA rules are automatically generated for specific patterns (e.g., HUI Loader) and applied to VirusTotal to uncover encoded malware.
- A Surface Analysis on Cloud flow uses a web plug-in, API Gateway, Docker with Batch, and S3 to analyze malware hashes from vendor reports and display the results.
- Memory forensics can be scaled on the cloud by running Volatility analyses on multiple memory images in parallel via Batch.
MITRE Techniques
- [T1071.001] Web Protocols – Attackers send commands from their C2 servers to the defaced sites to redirect visitors to the scam site.
- [T1027] Obfuscated/Compressed Files and Information – The HUI Loader loads the encoded malware that serves as the main body, decodes it, and executes it in memory.
Indicators of Compromise
- [URL] IoCs and analysis resources – https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC, https://github.com/JPCERTCC/CobaltStrike-Config
Read more: https://blogs.jpcert.or.jp/en/2023/01/cloud_malware_analysis.html