Blue Termite APT Targets Japanese Organizations

Kaspersky Lab has analyzed the activities of Blue Termite, an advanced persistent threat (APT) group focusing its efforts on Japanese organizations.

According to the security firm, Blue Termite has been active since at least November 2013. Not only does the campaign focus on Japan, but most of the command and control (C&C) servers it uses are also located in the country.

Experts say hundreds of organizations have been targeted in this operation over the past two years, including government agencies, universities, public interest groups, financial services firms, banks, news companies, and various organizations from sectors such as automotive, chemical, healthcare, electrical, real estate, food, construction, insurance, transportation, robotics, semiconductors, and information services.

The group is also believed to be responsible for the recently disclosed breach suffered by the Japan Pension Service. The personal details of 1.25 million people were compromised in this attack.

Blue Termite is still active and the number of computers infected by the APT has increased considerably since July, when it started leveraging a Flash Player exploit leaked following the Hacking Team breach. Before the Flash Player exploit (CVE-2015-5119) was published, the cybergang leveraged spear-phishing emails to infect victims.

In July, Blue Termite planted the Hacking Team exploit on several compromised Japanese websites and started delivering its malware via drive-by-download attacks. This change in tactics led to a significant spike in infection rates.

In some cases, the attackers took steps to ensure that only the computers of certain users would get infected with their malware. One of the hacked sites used in the watering hole attacks belonged to a prominent member of the Japanese government. In another case, the group used a script to ensure that only users who visited the compromised website from the IP addresses of a certain Japanese organization would be served the malware.

Blue Termite has been leveraging customized malware of the Emdivi family to steal valuable data from victims. Trend Micro has also analyzed attacks involving Emdivi malware and the Hacking Team Flash Player exploit aimed at organizations in Japan (report from Trend Micro Japan).

“One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor,” Kaspersky said.

As far as attribution is concerned, Kaspersky Lab has determined that the attackers are likely Chinese speakers.

Symantec has also been monitoring this threat group’s activities. In November 2014, the security firm published a report detailing a campaign dubbed “CloudyOmega.” At the time, the attackers had been leveraging a zero-day vulnerability in Ichitaro, a Japanese word processor made by JustSystems, to deliver Emdivi backdoors and other pieces of malware such as PlugX (also known as Korplug and Sogu) and Zxshell.

Symantec reported that the group behind the CloudyOmega attacks had communication channels with the Hidden Lynx gang and the actor behind the 2013 attacks dubbed “LadyBoyle.”

It’s unclear whether the two groups are related, but last month FireEye also observed attacks launched by a Chinese APT actor against Japanese organizations. The attackers used a different Hacking Team Flash Player exploit to infect users with a version of the PlugX RAT.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.