[email protected] +603-2181 3666
New activity of the Blue Termite APT
August 20, 2015
0

Introduction
In October 2014, Kaspersky Lab started to research “Blue Termite”, an Advanced Persistent Threat (APT) targeting Japan. The oldest sample we’ve seen up to now is from November 2013.
This is not the first time the country has been a victim of an APT. However, the attack is different in two respects: unlike other APTs, the main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. One of the top targets is the Japan Pension Service, but the list of targeted industries includes government and government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and so on. Unfortunately, the attack is still active and the number of victims has been increasing.

The following graph shows daily access to some of the known C2s:

You will see a significant increase in the middle of July (marked in orange). The spike resulted from new attack methods that the Blue Termite group employed and that Kaspersky Lab detects. This article introduces the new methods and technical details on how they work.
New method of initial infection
Originally, the main infection vector of the APT was spear-phishing emails. Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit (CVE-2015-5119, the one leaked from The Hacking Team incident).
Several Japanese web sites have been compromised with this method.
Example:

The malicious code inserted into the compromised site points to “faq.html”.
The source code of “faq.html”:

The “faq.html” loads “movie.swf” which contains the exploit. In this way, the malware infects a visitor’s machine when it’s accessed.
The “movie.swf” header is “ZWS”, a flash file compressed using the Lempel-Ziv-Markov chain-Algorithm (LZMA):

The file contains a big data section, marked in blue:

The data includes 12 bytes of header. The encoded data begins at 0x5dca (“x78x9cxecxb7….”) and is compressed using zlib. After decompression, an executable file (with an “MZ header”) is found.

In addition to the above data, the swf file also has a shellcode in ActionScript (AS):

The function of this shellcode is quite simple: it saves the extracted executable file as “rdws.exe” in the current temp directory, then executes it with WinExec().

The extracted executable file is “emdivi t17″, a new infection vector used by the attackers. We found several kinds of malware that execute as rdws.exe, and emdivi t17 is one of them.
Kaspersky Lab also found some watering hole attacks, including one on a website belonging to a prominent member of the Japanese government. We sent a notification email to the admin and ISP of the affected site but didn’t receive any reply. However, the malicious code was removed after about an hour. The code below filters out any IPs except for the one belonging to the specific Japanese governmental organization.

Interestingly, the script includes IP information with the variable name “TEST”. We suspect this is the attackers’ testing IP, located in Shanghai.
Customized malware according to target
Kaspersky Lab detected the tailored malware, “emdivi t20″. This malware is basically used after the infection by emdivi t17 that serves as a backdoor. Although the versions emdivi t17 and emdivi t20 are from the same emdivi family, the latter is more sophisticated.. For example, let’s look at the backdoor commands they make use of. emdivi t17 has 9 commands; on the other hand, some of emdivi t20 samples have up to 40 commands.
Commands supported by emdivi t17:

command
md5
DOABORT
d895d96bc3ae51944b29d53d599a2341
DOWNBG
39cd12d51b236befc5f939a552181d73
GETFILE
74a9d3a81b79eec0aa2f849cbc8a7efb
GOTO
4b8bb3c94a9676b5f34ace4d7102e5b9
LOADDLL
67ca07ecb95c4055d2687815d0c0f8b9
SETCMD
48bb700b80557ee2e5cf06c90ba6698c
SUSPEND
ee93a0b023cef18b34ebfee347881c14
UPLOAD
8dff5f89b87ebf91a1ecc1dbed3a6fbb
VERSION
021321e8c168ba3ae39ce3a2e7b3ec87

Commands supported by emdivi t20:

command
md5
abort
5bb94a1c12413a2e5d14deabab29f2aa
cd
6865aeb3a9ed28f9a79ec454b259e5d0
copy
12cba3ee81cf4a793796a51b6327c678
dir
736007832d2167baaae763fd3a3f3cf1
diskls
e120a254f254978fc265354a4e79d1d6
doabort
1f6dcc1149b2eef63f6dd4833d5ef0d3
downbg
1e04875a872812e1f431283244b180d2
downbg2
7f3e982a0d9b4aa5303332aaf414d457
download
fd456406745d816a45cae554c788e754
download2
b5a4000c99977ce512052d4e8bf737f8
execute
ec0cd3cb91fe82b9501f62a528eb07a9
exhide
fc236c4ddd3414cee8bd3cbd937461c0
exit
f24f62eeb789199b9b2e467df3b1876b
exuser
0b5396d6bd0867485ff63067ad9363e7
get
b5eda0a74558a342cf659187f06f746f
getfile
b24ba6d783f2aa471b9472109a5ec0ee
getlnk
71574cf393bf901effa0cbc6c37e4ce2
goto
de94e676c0358eefea4794f03d6bda4f
hash
0800fc577294c34e0b28ad2839435945
head
96e89a298e0a9f469b9ae458d6afae9f
hjlnk
ebb0149209e008e3f87e26659aa9b173
loaddll
0340b5e3f0d0ea71eeef6ab890270fc0
md
793914c9c583d9d86d0f4ed8c521b0c1
mklnk
a3bb50704b87da1858a46455dfb5e470
move
3734a903022249b3010be1897042568e
post
42b90196b487c54069097a68fe98ab6f
postfile
316713cb9f82ff9ade53712ab1cbf92c
postfile2
f15ae485061a10adead43d7f5d5a9889
rd
eeec033a2c4d56d7ba16b69358779091
runas
d88f585460839dd14ad3354bb0d5353b
screen
599eba19aa93a929cb8589f148b8a6c4
setcmd
27dc2525548f8ab10a2532037a9657e0
setlen
846a44d63b02c23bcfee5b4ccaa89d54
suspend
497927fb538c4a1572d3b3a98313cab1
tasklist
6e0ad8e44cff1b5d2901e1c7d166a2a4
type
599dcce2998a6b40b1e38e8c6006cb0a
unzip
0a342b59ecdcede0571340b9ed11633f
upload
76ee3de97a1b8b903319b7c013d8c877
version
2af72f100c356273d46284f6fd1dfc08
zip
adcdbd79a8d84175c229b192aadc02f2

They both store the md5 checksums of backdoor commands.
When analyzing emdivi t20 samples, we found that it is highly targeted in two respects.
Firstly, an emdivi t20 sample contains hardcoded internal proxy information, being encrypted at 0x44e79c:

The decrypted code is “proxy.??????????.co.jp:8080″:

This trick is not new, but it is not widely used. This is because it may reveal its targets, or it is not a generic method and only works in a specific organization. However, similar cases have been observed sometimes in other APTs.
The second aspect is quite interesting. The emdivi family stores important data about itself, including C2, API name, strings for anti-analysis, value of mutexes, as well as the md5 checksum of backdoor commands and the internal proxy information. They are stored in encrypted form, and are decrypted when necessary. Therefore, to analyze an emdivi sample in detail, we need to locate which hex codes are encrypted, and how to decrypt them. In the process of decryption, a unique decryption key is required for each sample.
emdivi t20 has a function to generate a decryption key using Salt1 and Salt2. Salt1 is generated from a magic string (suspected to be a version of emdivi) with certain four digits (suspected to be an ID of the C2).
Example of a magic string:

Part of the emdivi name (“t17″ and “t20″) is taken from this hardcoded magic string.
Salt2 is generated with a large amount of data that is hardcoded:

In most cases, the emdivi family generates a decryption key using Salt1 and Salt2.
In early July 2015, however, Kaspersky Lab found a sample that creates a decryption key with Salt1, Salt2, and Salt3. Salt3 is the security identifier (SID) from a compromised PC.
The flow of decryption key generation (with additional Salt3):

In other words, the sample works only on its target PCs. Without knowing the victim’s SID, the decryption key will not be generated successfully, making it difficult to decrypt important data. This means it’s not possible to analyze the malware in detail.
Fortunately, we were able to analyze those samples. We were able to successfully brute-force the decryption keys from several samples without SIDs.
Summary
From early June, when the cyber-attack on the Japan Pension Service started to be reported widely, various Japanese organizations would have started to deploy protection measures. However, the attackers from Blue Termite, who it seems kept a close eye on them, started to employ new attack methods and successfully expanded their operation. While writing this article, another sample of emdivi t20 has been found. It employs AES in addition to SID tricks, making it difficult to decrypt sensitive data. In order to fight back against this cyber-espionage, Kaspersky Lab will continue its research.
Kaspersky products detect emdivi t17, emdivi t20, and the flash exploits using the verdicts below:
Backdoor.Win32.Emdivi.*
Backdoor.Win64.Agent.*
Exploit.SWF.Agent.*
HEUR:Backdoor.Win32.Generic
HEUR:Exploit.SWF.Agent.gen
HEUR:Trojan.Win32.Generic
Trojan-Downloader.Win32.Agent.*
Trojan-Dropper.Win32.Agent.*
Kaspersky Lab products already successfully mitigates this APT modules.
More information about the Blue Termite targeted attacks is available to Kaspersky Security Intelligence Services customers. Contact: [email protected]
Source: Kaspersky