Identification of Attack Group using Malware and Packer Detection

Heaeun Moon, Joonyoung Sung, Hyunsik Lee, Gyeongik Jang, Kiyong Kwak, Sangtae Woo

http://doi.org/10.5626/JOK.2018.45.2.106

Recently, the number of cyber attacks using malicious code has increased. Various types of malicious code detection techniques have been researched for several years as the damage has increased. In recent years, profiling techniques have been used to identify attack groups. This paper focuses on the identification of attack groups using a detection technique that does not involve malicious code detection. The attacker is identified by using a string or a code signature of the malicious code. In addition, the detection rate is increased by adding a technique to confirm the packing file. We use Yara as a detection technique. We have research about RAT (remote access tool) that is mainly used in attack groups. Further, this paper develops a ruleset using malicious code and packer main feature signatures for RAT which is mainly used by the attack groups. It is possible to detect the attacker by detecting RAT based on the newly created ruleset.