Blue Termite APT

The Blue Termite malware campaign, also known by the names Cloudy Omega and Emdivi, has targeted hundreds of Japanese organizations since its inception in 2011. According to Kaspersky, the malware is Chinese in origin. The C&C infrastructure is located in Japan, the campaign's primary target. In a November 2014 report, Symantec indicated that the group might share communication channels or attack infrastructure with the Hidden Lynx APT group.
Over four years, the malware has stolen confidential information from government agencies, universities, public interest groups, financial institutions, media organizations, automotive companies, chemical organizations, healthcare firms, electrical companies, real estate firms, technology firms, and other critical infrastructure organizations. The majority of the targets were based in Japan. Blue Termite is also allegedly responsible for compromising the personal data of 1.25 million Japanese citizens in a breach of the Japan Pension Service.
Initially, like most malware groups, Blue Termite relied on phishing campaigns to spread its malware. For instance, in 2013, it sent malicious emails relating to the Ichitaro product line. The content of the emails varied according to the target organization; however, many focused on political events. Opening the email attachment deployed a malicious payload. Usually, the attachment was an executable with a fake icon. Occasionally, the attachment instead contained code to exploit a vulnerability in specific target software. A notable characteristic of the payload is that the lure document would often open, the document reader would then crash, and a clean document would be reopened. The malware was delivered at the time of the crash, and the reopened document no longer carried it.
Like Sofacy and many other threat actors, the group increased its activity in July 2015 in response to the breach of the Hacking Team servers and the public disclosure of a number of valuable 0-day exploits and system vulnerabilities. In particular, the group began to use a Flash Player exploit (CVE-2015-5119) to conduct drive-by download attacks from compromised Japanese websites. The group altered its behavior to target individuals as well as organizations. It also conducted watering hole attacks intended to infect systems belonging to prominent members of the Japanese government. In other attacks, infected sites were configured to infect only visitors whose IP addresses belonged to target organizations.
Blue Termite's attack kit relies on the Emdivi family of malware. The group uses Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell to compromise a system and establish a persistent presence. The backdoor enables a remote adversary to execute commands from a C&C server via HTTP. The malware contains components to search files, delete files, upload files to C2 servers, execute code, acquire a list of running processes, steal auto-complete information and saved credentials from Internet Explorer, and steal the proxy settings of browsers such as Mozilla Firefox. Kaspersky noted that "One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor." Each variant has a unique version number and a type (Type S or Type T). The version number indicates that the group systematically deploys the malware as part of an organized campaign. The version and extra words are also used to generate a hash, which serves as an encryption key. Both types allow the adversary to remotely execute code and to steal credentials stored in Internet Explorer. Both variants also share the same hardcoded C&C infrastructure. Type T, the more prevalent variant, is written in C++. Type T encrypts its C&C address and its detection-protection routines as an anti-analysis technique to hinder debugging and analysis in virtual machines or sandbox environments. Type S is a .NET application based on Type T. Type S lacks the encryption and anti-analysis mechanisms. Type S also changes its file hash between versions by embedding Japanese sentences taken from the internet.

Type: Cyber-espionage
Status: Believed Active
Other Names: Cloudy Omega/ Emdivi
Active Since/Discovered: 2011/2013
Last Report: August 20, 2015
Targets: Japanese organizations
Target Sectors: government agencies, universities, public interest groups, financial institutions, media organizations, automotive companies, chemical organizations, healthcare firms, electrical companies, real estate firms, technology firms, and other critical infrastructure organizations
Malware:
- Emdivi malware family
- Backdoor.Win32.Emdivi
- Backdoor.Win64.Agent
- Exploit.SWF.Agent
- HEUR:Backdoor.Win32.Generic
- HEUR:Exploit.SWF.Agent.gen
- HEUR:Trojan.Win32.Generic
- Trojan-Downloader.Win32.Agent
- Trojan-Dropper.Win32.Agent
- Up to 40 different commands. Example commands from Emdivi t20 – abort, cd, copy, dir, diskls, doabort, downbg, downbg2, download, download2, execute, exhide, exit, exuser, get, getfile, getlink, goto, hash, head, hjink, loaddll, md, mkink, move, post, postfile, postfile2, rd, runas, screen, setcmd, setlen, suspend, tasklist, type, unzip, upload, version, zip
- executes commands from a C&C server via HTTP, searches files, deletes files, uploads files to C2 servers, executes code, acquires a list of running processes, steals auto-complete information and saved credential information from Internet Explorer, and steals the proxy settings of browsers such as Mozilla Firefox
Preferred Attack Vector: Phishing emails with malicious attachments, drive-by-download, watering-hole attacks
TTP:
- C2 infrastructure is located in Japan
- Payload is delivered when attachment of phishing email crashes the application
- Began to use Flash player exploit (CVE-2015-5119)
- Generates a decryption key with Salt1, Salt2, and Salt3 (the security identifier (SID) from a compromised PC)
Unique:
- May share communication channels or attack infrastructure with the Hidden Lynx APT group
- Allegedly responsible for compromising the personal data of 1.25 million Japanese citizens in a breach of the Japan Pension Service
- Each malware sample personalized to target and target-specific PC
- Each variant has a unique version number and a type (Type S or Type T)
- Type T – the more prevalent variant, written in C++; encrypts its C&C address and detection-protection routines as an anti-analysis technique to hinder debugging and analysis in virtual machines or sandbox environments
- Type S – .NET application based on Type T, lacks the encryption and anti-analysis mechanisms
- Type S also changes its file hash between versions by relying on Japanese sentences taken from the internet
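The per-victim keying described above (a hash of the version string, extra "salt" words and the compromised PC's SID used as the encryption key, so each sample only works on one machine) is the property that most often defeats automated sandbox analysis. The following Python model, added here as an illustration and not Emdivi's own code, shows why: the same encrypted blob yields the configuration on the host whose SID was baked in and fails cleanly on any other host. The hash function (SHA-256), the keystream construction, the salt layout, the HMAC tag and all SIDs and config strings are assumptions constructed for the example; the real sample's cipher and data layout are not described on this page.

```python
"""
Model of SID-bound per-victim keying. Added example; the scheme
(SHA-256 key derivation, SHA-256 counter-mode keystream, HMAC tag)
is assumed, not Emdivi's actual algorithm.
"""
import hashlib
import hmac

# Constructed identifiers for the example; not real IoCs.
VICTIM_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SANDBOX_SID = "S-1-5-21-4444444444-5555555555-6666666666-500"
CONFIG = b"c2=http://c2.example.invalid/ ver=t20"  # placeholder config


def derive_key(version: str, salt1: str, salt2: str, sid: str) -> bytes:
    """Hash version + salt words + host SID into a 32-byte key (assumed layout)."""
    material = "|".join([version, salt1, salt2, sid]).encode("utf-8")
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stand-in for whatever cipher a real sample uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_config(plaintext: bytes, key: bytes) -> bytes:
    """XOR-encrypt the config and append an HMAC tag over the ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def open_config(blob: bytes, key: bytes):
    """Return the decrypted config, or None when the key (i.e. the SID) is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong host: the sample stays inert
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def demo() -> dict:
    """Seal the config for the victim, then try to open it on two hosts."""
    victim_key = derive_key("t20", "Salt1", "Salt2", VICTIM_SID)
    blob = seal_config(CONFIG, victim_key)
    return {
        # Analyst who recovered the victim's SID during IR gets the config back.
        "victim": open_config(blob, derive_key("t20", "Salt1", "Salt2", VICTIM_SID)),
        # Detonation on a sandbox with a different SID yields nothing.
        "sandbox": open_config(blob, derive_key("t20", "Salt1", "Salt2", SANDBOX_SID)),
    }


if __name__ == "__main__":
    result = demo()
    print("on victim host:", result["victim"])
    print("in sandbox    :", result["sandbox"])
```

The practical consequence for responders is that a sample collected from a Blue Termite victim should be analysed with the SID of the originating host recorded alongside it; without that value, static extraction of the C&C address from a Type T sample has to start from the key-derivation routine rather than from the encrypted blob.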