Thursday 5 October 14:30 - 15:00, Red room
Minseok (Jacky) Cha, Junseok Kim & Jaejin Lee (AhnLab)
The Shadow Force Group is an alleged Chinese-speaking threat actor that has been active since 2014, primarily in South Korea. Despite being active for 10 years, the group is not well known. In 2019, when we came across related malware while tracking the activity of another threat actor, only one public analysis report was available. After AhnLab published an analysis report in early 2020, the group seemed to have been forgotten, as no further activity was identified; but after KRCert disclosed Shadow Force Group's activity in 2022, further investigation revealed consistent activity.
The Shadow Force Group targets Windows server systems and uses a variety of malware and tools after initial infiltration. Some of the files are signed with compromised digital certificates. The group also manipulates PE files to load malicious DLL files. Some malware or tools have had the same file name for years.
In October 2022, DCSO_Cytec and SentinelOne published an analysis of the malware Maggie. High infection rates were found in the APAC region, including South Korea, and they raised the possibility that the Maggie malware is associated with the Shadow Force Group.
In this presentation, we will demonstrate our tracking of the Shadow Force Group, its assumed attack vector, and the malware and tools they have used in recent years. We will also reveal the connection between the Shadow Force Group and Maggie malware, as well as additional malware associated with Maggie.
We hope that this presentation will help researchers learn more about this threat group, and discover whether this threat actor is active only in South Korea or also in other countries.
Minseok (Jacky) Cha is a senior principal threat intelligence researcher at AhnLab. He joined AhnLab as a malware analyst in 1997. His research mainly focuses on cyber attacks and threat actors in East Asia. He has been appointed as a member of the Private/Public Cooperative Investigation Group and Cyber Expert Group in South Korea. He was a reporter for the WildList Organization International. He was a member of the board of directors of AVAR (Association of Anti-Virus Asia Researchers) from 2018 to 2022. He was awarded the ISC2 ISLA Asia-Pacific Information Security Practitioner Award in 2018. He has been a speaker at many security conferences, including AVAR, AVTOKYO, CARO Workshop, CODE BLUE, HITB GSEC Commsec, JSAC, SECUINSIDE and Virus Bulletin. When he has free time, he enjoys old anime and video games.

Junseok Kim works in the malware analysis team in the AhnLab Security Emergency response Center (ASEC), where he specializes in incident response, malware analysis, and cyber threat intelligence. His passion lies in researching advanced persistent threats (APTs) that target South Korea, and he is committed to becoming an expert in this area. Recently, he has become interested in vulnerability analysis.

Jaejin Lee has been a malware researcher at AhnLab Security Emergency response Center (ASEC) for six years. Currently he focuses on analysing malware targeting South Korea. He classifies TTPs used by threat groups, and is conducting research from a detection point of view. Analysing malware is both his job and his hobby.
Back to VB2023 conference page