跳到主体内容

Blue Termite: A Sophisticated Cyber Espionage Campaign is After High-Profile Japanese Targets

2015年8月20日

Kaspersky Lab’s Global Research and Analysis Team has discovered Blue Termite – a cyberespionage campaign that has been targeting hundreds of organizations in Japan for at least two years

Kaspersky Lab’s Global Research and Analysis Team has discovered Blue Termite – a cyberespionage campaign that has been targeting hundreds of organizations in Japan for at least two years. The attackers hunt for confidential information and utilize a zero-day Flash player exploit and a sophisticated backdoor, which is customized for each victim. This is the first campaign known to Kaspersky Lab that is strictly focused on Japanese targets - and it is still active.

In October 2014 Kaspersky Lab researchers encountered a never before seen malware sample, which stood out from others because of its complexity. Further analysis has shown, that this sample is only a small part of a large and sophisticated cyberespionage campaign.

blue-termit.jpg

The list of targeted industries includes governmental organizations, heavy industries, financial, chemical, satellite, media, educational organizations, medical, the food industry and others. According to results of the investigation, the campaign has been active for about two years.

Various infection techniques

To infect their victims, Blue Termite operators utilize several techniques. Before July 2015 they mostly used spear-phishing emails – sending malicious software as an attachment to an email message with content, which would be likely to attract a victim. However in July the operators changed their tactics and have started to spread the malware via a zero-day Flash exploit (CVE-2015-5119, the exploit which was leaked by The Hacking Team incident earlier this summer). The attackers have compromised several Japanese websites so that visitors of the sites would automatically download an exploit once they are on the website and become infected. This is referred to as a drive-by-downloads technique.

blue-termit-2-s.jpg 
Blue Termite infection rate in 2014-2015

The implementation of a zero-day exploit led to a significant spike in the infection rate registered by Kaspersky Lab detection systems in the middle of July.

There were also attempts to profile the victims registered. One of the compromised websites belonged to a prominent member of Japanese government and another one contained a malicious script that would filter out visitors from all IPs except one belonging to a specific Japanese organization. In other words, only chosen users would get the malicious payload.

Exclusive malware and language artefacts

After a successful infection, a sophisticated backdoor is deployed on a targeted machine. The backdoor is capable of stealing passwords, downloading and executing additional payload, retrieving files etc. One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor. According to Kaspersky Lab researchers, this has been done in order to make it difficult for security researchers to analyze the malware and detect it.

The question of who is behind this attack remains unanswered. As usual, attribution is a very complicated task when it comes to sophisticated cyberattacks. However, Kaspersky Lab researchers were able to collect some language artefacts. In particular, the graphic user interface of the Command and Control server as well as some technical documents related to the malware used in the Blue Termite operation are written in Chinese. This could mean that actors behind the operation speak this language.

As soon as Kaspersky Lab researchers had gathered enough information to confirm that Blue Termite is a cyberespionage campaign targeting Japanese organizations, company representatives informed local law enforcement agencies about these findings. As the Blue Termite operation is still ongoing, Kaspersky Lab’s investigation is also continuing.

“Although Blue Termite is not the first cyber espionage campaign to target Japan, it is the first campaign known to Kaspersky Lab, to be strictly focused on Japan targets. In Japan it is still a problem. Since early June, when the cyberattack on the Japan Pension Service started to be widely reported, various Japanese organizations would have started to deploy protection measures. However, the attackers from Blue Termite, who might have kept a close eye on them, started to employ new attack methods and successfully expanded their impact,” said Suguru Ishimaru, Junior Researcher at Kaspersky Lab.

In order to reduce the risk of being infected by the Blue Termite cyberespionage campaign Kaspersky Lab experts recommend the following measures:

  • Keep software updated, especially software that is widely used and often exploited by cyber criminals;
  • If you are aware of any vulnerabilities in the software on your device but there is no patch for it yet, avoid using this software;
  • Be suspicious of emails with attachments;
  • Use a proven anti-malware solution.

Kaspersky Lab products successfully detect and block the malware with the following detection names:

  • Backdoor.Win32.Emdivi.*
  • Backdoor.Win64.Agent.*
  • Exploit.SWF.Agent.*
  • HEUR:Backdoor.Win32.Generic
  • HEUR:Exploit.SWF.Agent.gen
  • HEUR:Trojan.Win32.Generic
  • Trojan-Downloader.Win32.Agent.*
  • Trojan-Dropper.Win32.Agent.*

More information about the Blue Termite targeted attacks is available to Kaspersky Security Intelligence Services customers. Contact: intelreports@kaspersky.com

Learn more about Blue Termite cyber espionage campaign on Securelist.com

Learn how Kaspersky Lab products can help protect against the Blue Termite operation here: https://business.kaspersky.com/bluetermite-apt/4409

Learn more about other cyber espionage operations that target or have targeted Japan previously here: https://apt.securelist.com/#secondPage/countriesdata=39

Learn how sophisticated targeted attacks are investigated: http://www.youtube.com/watch?v=FzPYGRO9LsA

Blue Termite: A Sophisticated Cyber Espionage Campaign is After High-Profile Japanese Targets

Kaspersky Lab’s Global Research and Analysis Team has discovered Blue Termite – a cyberespionage campaign that has been targeting hundreds of organizations in Japan for at least two years
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻