SecurityWeek

Blue Termite APT Targets Japanese Organizations

Kaspersky Lab has analyzed the activities of Blue Termite, an advanced persistent threat (APT) group focusing its efforts on Japanese organizations.

According to the security firm, Blue Termite has been active since at least November 2013. Not only does the campaign focus on Japan, but most of the command and control (C&C) servers it uses are also located in the country.

Experts say hundreds of organizations have been targeted in this operation over the past two years, including government agencies, universities, public interest groups, financial services firms, banks, news companies, and various organizations from sectors such as automotive, chemical, healthcare, electrical, real estate, food, construction, insurance, transportation, robotics, semiconductors, and information services.

The group is also believed to be responsible for the recently disclosed breach suffered by the Japan Pension Service. The personal details of 1.25 million people were compromised in this attack.

Blue Termite is still active, and the number of computers infected by the APT has increased considerably since July, when it started leveraging a Flash Player exploit leaked following the Hacking Team breach. Before the Flash Player exploit (CVE-2015-5119) was published, the cybergang relied on spear-phishing emails to infect victims.

In July, Blue Termite planted the Hacking Team exploit on several compromised Japanese websites and started delivering its malware via drive-by-download attacks. This change in tactics led to a significant spike in infection rates.

In some cases, the attackers took steps to ensure that only the computers of certain users would get infected with their malware. One of the hacked sites used in the watering hole attacks belonged to a prominent member of the Japanese government. In another case, the group used a script to ensure that only users who visited the compromised website from the IP addresses of a certain Japanese organization would be served the malware.

Blue Termite has been leveraging customized malware of the Emdivi family to steal valuable data from victims. Trend Micro has also analyzed attacks involving Emdivi malware and the Hacking Team Flash Player exploit aimed at organizations in Japan (report from Trend Micro Japan).

“One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor,” Kaspersky said.

As far as attribution is concerned, Kaspersky Lab has determined that the attackers are likely Chinese speakers.

Symantec has also been monitoring this threat group’s activities. In November 2014, the security firm published a report detailing a campaign dubbed “CloudyOmega.” At the time, the attackers had been leveraging a zero-day vulnerability in Ichitaro, a Japanese word processor made by JustSystems, to deliver Emdivi backdoors and other pieces of malware such as PlugX (also known as Korplug and Sogu) and Zxshell.

Symantec reported that the group behind the CloudyOmega attacks had communication channels with the Hidden Lynx gang and the actor behind the 2013 attacks dubbed “LadyBoyle.”

It’s unclear if they are related, but last month FireEye also observed attacks launched by a Chinese APT actor against Japanese organizations. The attackers used a different Hacking Team Flash Player exploit to infect users with a version of the PlugX RAT.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
