An Advanced Persistent Threat termed Blue Termite has targeted several Japanese companies since November 2013. Antivirus major Kaspersky Lab started working on the APT in the month of October 2014. Although the instance is not unprecedented, it is the first time that an APT has targeted Japanese companies that have their Client to Server (C2S) infrastructure based in Japan.
Blue Termite has targeted several Japanese government sector institutions including those of the local government bodies, universities, public interest organizations, banks, communication services, financial institutions, automobile and electrical industries and other prominent industries which are important elements of the Japanese economy. Japan Pension Service has affected severely due to these attacks. The attack has been quite persistent and continues to target various Japanese organizations.
(Image courtesy: Kaspersky.com)
APTs have traditionally been using spear phishing emails as their mode for infecting computers. However, Blue Termite uses a new method which exploits a vulnerability in Flash and uses the drive-by download method for gaining an access to the unsuspecting computer of a user. The Flash exploit used by Blue Termite is CVE-2015-5119 that was one of the leaks from ‘The Hacking Team’ incident. It has affected various Japanese websites and has resulted in insertion of malicious codes to the source codes of faq.html. The shockwave file movie.swf is executed from the faq.html file when it is accessed by the visitors of the website and infects the computer of those users.
The header of the movie.swf file is a Flash file named ZWS which is compressed by the LZMA or the Lempel-Ziv-Markov chain Algorithm. The header of the data is of 12 bytes and is in a compressed format. It is compressed using zlib and once decompressed, an executable file with MZ header is created. Additionally, the movie.swf file includes a shellcode developed in ActionScript. The SWF file saves the executable file in the temp directory and is named rdws.exe. The file is then executed through WinExec().
The file that is extracted as the executable file after decompression is ‘emdivi t17’. There have been several watering hole attacks that have taken place and one of the attacks was on the website that belongs to a Japanese government’s important member. It was also found by Kaspersky Lab that more customized versions of malware are being used. On of it is ‘emdivi t20’ which is much more efficient than emdivi t17. For the sake of comparison, emdivi t20 has around 40 backdoor commands while emdivi t17 has merely 9 commands.
The attacks from Blue Termite were widely detected, the various Japanese websites started implementing measures to counter the threats posed by these attacks. However, there are evidences that the attackers are more dangerous than expected since it has been detected that they are closely monitoring the activities of the websites to upgrade their security measures and accordingly releasing more customized versions of the malware.
