Blue Termite – a cyber espionage campaign that has been targeting hundreds of organisations in Japan for at least two years (https://apt.securelist.com/) – has been discovered by Kaspersky Lab’s Global Research and Analysis Team.
The attackers hunt for confidential information and utilise a zero-day Flash player exploit and a sophisticated backdoor, which is customised for each victim. This is the first campaign known to Kaspersky Lab that is strictly focused on Japanese targets – and it is still active.
In October 2014, Kaspersky Lab researchers encountered a never-before-seen malware sample that stood out from others because of its complexity. Further analysis showed that this sample is only a small part of a large and sophisticated cyber espionage campaign.
Health insurance services and the Japan Pension Service are top targets, but the list of targeted sectors also includes governmental organisations, heavy industry, finance, chemicals, satellite, media, education, healthcare, the food industry and others. According to the results of the investigation, the campaign has been active for about two years.
Various infection techniques
To infect their victims, Blue Termite operators utilise several techniques. Before July 2015, they mostly used spear-phishing emails, sending the malware as an attachment to a message whose content was chosen to attract the victim. However, in July the operators changed tactics and started to spread the malware via a zero-day Flash exploit (CVE-2015-5119, the exploit leaked in the Hacking Team incident earlier this summer).
The attackers compromised several Japanese websites so that visitors to those sites automatically download the exploit as soon as they load a page and become infected, a technique known as drive-by download.
Blue Termite infection rate in 2014-2015
The introduction of the zero-day exploit led to a significant spike in the infection rate registered by Kaspersky Lab’s detection systems in mid-July.
Kaspersky Lab also registered attempts to profile the victims. One of the compromised websites belonged to a prominent member of the Japanese government, and another contained a malicious script that filtered out visitors from all IP addresses except one belonging to a specific Japanese organisation. In other words, only chosen users would receive the malicious payload.
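Because the gating script delivered its payload only to one address, a site owner who suspects such gating can fetch the same page from two vantage points and diff the script inventory. The following is an added example of that check, not code from Kaspersky Lab or from the campaign; the class, function and sample names are assumptions and the two HTML copies are constructed.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs and a hash of each inline script body."""
    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._in_script = False

def script_inventory(html):
    """Return the set of script identifiers found in one fetched copy of a page."""
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts

def gated_scripts(baseline_html, suspect_html):
    """Scripts served only to the suspect vantage point: candidates for IP-gated injection."""
    return sorted(script_inventory(suspect_html) - script_inventory(baseline_html))

# Constructed samples (hypothetical, not real site content): the same page fetched from an unrelated address and from an address the gate is believed to let through.
BASELINE = "<html><body><script src='/js/site.js'></script><p>news</p></body></html>"
SUSPECT = ("<html><body><script src='/js/site.js'></script><p>news</p>"
           "<script src='/js/extra.js'></script><script>loadPlugin('/x.swf');</script>"
           "</body></html>")

if __name__ == "__main__":
    print(gated_scripts(BASELINE, SUSPECT))
```

Any entry the check reports should be pulled from the server and inspected; an empty result from two vantage points does not prove the absence of gating keyed on an address you did not test from.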