Exploit This

Security News, Exploits, and Vulnerabilities.

New activity of The Blue Termite APT

blue_termite_apt_pr

Introduction

In October 2014, Kaspersky Lab started to research “Blue Termite”, an Advanced Persistent Threat (APT) targeting Japan. The oldest sample we’ve seen up to now is from November 2013.

This is not the first time the country has been a victim of an APT. However, the attack is different in two respects: unlike other APTs, the main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. One of the top targets is the Japan Pension Service, but the list of targeted industries includes government and government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and so on. Unfortunately, the attack is still active and the number of victims has been increasing.

New activity of The Blue Termite APT

The following graph shows daily access to some of the known C2s:

New activity of The Blue Termite APT

You will see a significant increase in the middle of July (marked in orange). The spike resulted from new attack methods that the Blue Termite group employed and that Kaspersky Lab detects. This article introduces the new methods and technical details on how they work.

New Method of Initial Infection

Originally, the main infection vector of the APT was spear-phishing emails. Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit (CVE-2015-5119, the one leaked from The Hacking Team incident).

Several Japanese web sites have been compromised with this method.

Example:

New activity of The Blue Termite APT

The malicious code inserted into the compromised site points to “faq.html”.

The source code of “faq.html”:

New activity of The Blue Termite APT

The “faq.html” loads “movie.swf” which contains the exploit. In this way, the malware infects a visitor’s machine when it’s accessed.

The “movie.swf” header is “ZWS”, a flash file compressed using the Lempel-Ziv-Markov chain-Algorithm (LZMA):

New activity of The Blue Termite APT

The file contains a big data section, marked in blue:

New activity of The Blue Termite APT

The data includes 12 bytes of header. The encoded data begins at 0x5dca (“x78x9cxecxb7….”) and is compressed using zlib. After decompression, an executable file (with an “MZ header”) is found.

New activity of The Blue Termite APT

In addition to the above data, the swf file also has a shellcode in ActionScript (AS):

New activity of The Blue Termite APT

The function of this shellcode is quite simple: it saves the extracted executable file as “rdws.exe” in the current temp directory, then executes it with WinExec().

New activity of The Blue Termite APT

The extracted executable file is “emdivi t17″, a new infection vector used by the attackers. We found several kinds of malware that execute as rdws.exe, and emdivi t17 is one of them.

Kaspersky Lab also found some watering hole attacks, including one on a website belonging to a prominent member of the Japanese government. We sent a notification email to the admin and ISP of the affected site but didn’t receive any reply. However, the malicious code was removed after about an hour. The code below filters out any IPs except for the one belonging to the specific Japanese governmental organization.

New activity of The Blue Termite APT

Interestingly, the script includes IP information with the variable name “TEST”. We suspect this is the attackers’ testing IP, located in Shanghai.

Customized Malware According to Target

Kaspersky Lab detected the tailored malware, “emdivi t20″. This malware is basically used after the infection by emdivi t17 that serves as a backdoor. Although the versions emdivi t17 and emdivi t20 are from the same emdivi family, the latter is more sophisticated.. For example, let’s look at the backdoor commands they make use of. emdivi t17 has 9 commands; on the other hand, some of emdivi t20 samples have up to 40 commands.

Commands supported by emdivi t17:

command md5
DOABORT d895d96bc3ae51944b29d53d599a2341
DOWNBG 39cd12d51b236befc5f939a552181d73
GETFILE 74a9d3a81b79eec0aa2f849cbc8a7efb
GOTO 4b8bb3c94a9676b5f34ace4d7102e5b9
LOADDLL 67ca07ecb95c4055d2687815d0c0f8b9
SETCMD 48bb700b80557ee2e5cf06c90ba6698c
SUSPEND ee93a0b023cef18b34ebfee347881c14
UPLOAD 8dff5f89b87ebf91a1ecc1dbed3a6fbb
VERSION 021321e8c168ba3ae39ce3a2e7b3ec87

Commands supported by emdivi t20:

command md5
abort 5bb94a1c12413a2e5d14deabab29f2aa
cd 6865aeb3a9ed28f9a79ec454b259e5d0
copy 12cba3ee81cf4a793796a51b6327c678
dir 736007832d2167baaae763fd3a3f3cf1
diskls e120a254f254978fc265354a4e79d1d6
doabort 1f6dcc1149b2eef63f6dd4833d5ef0d3
downbg 1e04875a872812e1f431283244b180d2
downbg2 7f3e982a0d9b4aa5303332aaf414d457
download fd456406745d816a45cae554c788e754
download2 b5a4000c99977ce512052d4e8bf737f8
execute ec0cd3cb91fe82b9501f62a528eb07a9
exhide fc236c4ddd3414cee8bd3cbd937461c0
exit f24f62eeb789199b9b2e467df3b1876b
exuser 0b5396d6bd0867485ff63067ad9363e7
get b5eda0a74558a342cf659187f06f746f
getfile b24ba6d783f2aa471b9472109a5ec0ee
getlnk 71574cf393bf901effa0cbc6c37e4ce2
goto de94e676c0358eefea4794f03d6bda4f
hash 0800fc577294c34e0b28ad2839435945
head 96e89a298e0a9f469b9ae458d6afae9f
hjlnk ebb0149209e008e3f87e26659aa9b173
loaddll 0340b5e3f0d0ea71eeef6ab890270fc0
md 793914c9c583d9d86d0f4ed8c521b0c1
mklnk a3bb50704b87da1858a46455dfb5e470
move 3734a903022249b3010be1897042568e
post 42b90196b487c54069097a68fe98ab6f
postfile 316713cb9f82ff9ade53712ab1cbf92c
postfile2 f15ae485061a10adead43d7f5d5a9889
rd eeec033a2c4d56d7ba16b69358779091
runas d88f585460839dd14ad3354bb0d5353b
screen 599eba19aa93a929cb8589f148b8a6c4
setcmd 27dc2525548f8ab10a2532037a9657e0
setlen 846a44d63b02c23bcfee5b4ccaa89d54
suspend 497927fb538c4a1572d3b3a98313cab1
tasklist 6e0ad8e44cff1b5d2901e1c7d166a2a4
type 599dcce2998a6b40b1e38e8c6006cb0a
unzip 0a342b59ecdcede0571340b9ed11633f
upload 76ee3de97a1b8b903319b7c013d8c877
version 2af72f100c356273d46284f6fd1dfc08
zip adcdbd79a8d84175c229b192aadc02f2

They both store the md5 checksums of backdoor commands.

When analyzing emdivi t20 samples, we found that it is highly targeted in two respects.

Firstly, an emdivi t20 sample contains hardcoded internal proxy information, being encrypted at 0x44e79c:

New activity of The Blue Termite APT

The decrypted code is “proxy.??????????.co.jp:8080″:

New activity of The Blue Termite APT

This trick is not new, but it is not widely used. This is because it may reveal its targets, or it is not a generic method and only works in a specific organization. However, similar cases have been observed sometimes in other APTs.

The second aspect is quite interesting. The emdivi family stores important data about itself, including C2, API name, strings for anti-analysis, value of mutexes, as well as the md5 checksum of backdoor commands and the internal proxy information. They are stored in encrypted form, and are decrypted when necessary. Therefore, to analyze an emdivi sample in detail, we need to locate which hex codes are encrypted, and how to decrypt them. In the process of decryption, a unique decryption key is required for each sample.

emdivi t20 has a function to generate a decryption key using Salt1 and Salt2. Salt1 is generated from a magic string (suspected to be a version of emdivi) with certain four digits (suspected to be an ID of the C2).

Example of a magic string:

New activity of The Blue Termite APT

Part of the emdivi name (“t17″ and “t20″) is taken from this hardcoded magic string.

Salt2 is generated with a large amount of data that is hardcoded:

New activity of The Blue Termite APT

In most cases, the emdivi family generates a decryption key using Salt1 and Salt2.

In early July 2015, however, Kaspersky Lab found a sample that creates a decryption key with Salt1, Salt2, and Salt3. Salt3 is the security identifier (SID) from a compromised PC.

The flow of decryption key generation (with additional Salt3):

New activity of The Blue Termite APT

In other words, the sample works only on its target PCs. Without knowing the victim’s SID, the decryption key will not be generated successfully, making it difficult to decrypt important data. This means it’s not possible to analyze the malware in detail.

Fortunately, we were able to analyze those samples. We were able to successfully brute-force the decryption keys from several samples without SIDs.

Summary

From early June, when the cyber-attack on the Japan Pension Service started to be reported widely, various Japanese organizations would have started to deploy protection measures. However, the attackers from Blue Termite, who it seems kept a close eye on them, started to employ new attack methods and successfully expanded their operation. While writing this article, another sample of emdivi t20 has been found. It employs AES in addition to SID tricks, making it difficult to decrypt sensitive data. In order to fight back against this cyber-espionage, Kaspersky Lab will continue its research.

Kaspersky products detect emdivi t17, emdivi t20, and the flash exploits using the verdicts below:

  • Backdoor.Win32.Emdivi.*
  • Backdoor.Win64.Agent.*
  • Exploit.SWF.Agent.*
  • HEUR:Backdoor.Win32.Generic
  • HEUR:Exploit.SWF.Agent.gen
  • HEUR:Trojan.Win32.Generic
  • Trojan-Downloader.Win32.Agent.*
  • Trojan-Dropper.Win32.Agent.*

More information about the Blue Termite targeted attacks is available to Kaspersky Security Intelligence Services customers. Contact: [email protected]

Leave a Reply

%d bloggers like this: