
Rebrand to X?: SteelClover Cornucopia

Since 2019, SteelClover has been operating quietly under the radar. Financial gain has been the group's main motivation from the beginning, and they keep changing their attack tools and techniques. While there are public reports of their activities, these are only snapshots. This session will first review their attack campaigns to identify their motivation, tools, techniques, and the trends in how these have changed.

Next, we will introduce attack cases involving MSIX file abuse, which SteelClover has been actively using since 2023. While the group had abused MSI files in its attack campaigns since 2020, it started taking advantage of MSIX files in 2023. However, many defenders are unaware of the MSIX file format and of the ways it has been abused, and how to detect and defend against MSIX file abuse is almost unknown to the public. In this section, we will share defensive knowledge useful to Blue Teams.

Finally, we will present the research methods we have developed for tracking SteelClover, which we believe remain effective today, including queries for tools such as VirusTotal, URLScan, Censys, and Shodan. We have been tracking the group's activities for more than three years. Despite frequent changes of attack tools and techniques, there have always been some distinguishing characteristics at every point in time. In addition, we will show the mistakes the actor has made, as observed in our continuous research, and what those mistakes imply.

The campaign details, toolset, TTPs, infrastructure, and threat actor information introduced in this session will enable SOC analysts, IR team members, CSIRT personnel, and others to gain a deep understanding of SteelClover's activities and help them defend their organizations against attacks conducted by this group.

Mr. Rintaro Koike

Rintaro Koike is a security analyst at NTT Security Holdings, engaged in threat research and malware analysis. He is also the founder of "nao_sec", where he is in charge of threat research. He focuses on APT attacks targeting East Asia and on web-based attacks. He has been a speaker at VB, SAS, AVAR, and other conferences.

Mr. Shogo Hayashi

Shogo Hayashi is a security analyst at NTT Security Holdings. His main specializations are responding to EDR detections, creating IoCs, analyzing malware, and researching cyber threats. He is a cofounder of SOCYETI, an organization for sharing threat information and analysis techniques with SOC analysts in Japan. He has spoken at JSAC, VB, SAS, and CODE BLUE, and has written several white papers and blog posts.