Blue Termite APT group focuses on Japanese organizations

Security experts at Kaspersky Lab have analyzed the cyber attacks run by the Blue Termite APT, a hacking crew focused on Japanese organizations.

According to the experts at Kaspersky security firm, an APT group dubbed Blue Termite has been active since at least November 2013, focusing its attacks on Japanese organizations. The Blue Termite APT crew also hit other organizations worldwide, but most of its control infrastructure (C&C servers) is located in Japan.

The list of targets is long and includes government agencies, financial services firms, banks, universities, public interest groups, news companies, and various organizations from sectors such as automotive, healthcare, chemical, electrical, real estate, food, construction, insurance, transportation, robotics, semiconductors, and information services.

According to the experts, the Blue Termite APT is responsible for the recent data breach suffered by the Japan Pension Service that exposed the personal details of 1.25 million people.

The researchers noticed a spike in the number of infections related to Blue Termite since July, and the APT is still active. In July the group started leveraging a Flash Player exploit (CVE-2015-5119) leaked following the Hacking Team hack; the APT used the Flash Player exploit in spear-phishing emails to infect victims before its public disclosure.


In July, the Blue Termite hackers deployed the Hacking Team exploit on several compromised Japanese websites in order to deliver the malware for its campaign via drive-by-download attacks.

In some cases, the APT conducted surgical operations, infecting only the computers of certain users; in one such case they used a watering hole attack against a prominent member of the Japanese government.

In another case the Blue Termite hackers used a script to ensure that only users who visited the compromised website from the IP addresses of a certain Japanese organization would be infected.
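As an added example (not from the article or from Kaspersky's report), a defender-side check for the IP-gated delivery described above: given a web server access log, it flags resources that were served only, or served with different content, to clients inside a given organization's network, which is the signature a compromised site's owner can look for. The log lines and the 192.0.2.0/24 "target organization" range are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Combined-log-style lines, constructed for this example (not real traffic).
# 192.0.2.0/24 plays the role of the targeted organization's address range.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jul/2015:09:00:01 +0900] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jul/2015:09:00:05 +0900] "GET /index.html HTTP/1.1" 200 5120
203.0.113.44 - - [01/Jul/2015:09:01:11 +0900] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jul/2015:09:00:02 +0900] "GET /js/stat.js HTTP/1.1" 200 9981
192.0.2.23 - - [01/Jul/2015:09:02:40 +0900] "GET /js/stat.js HTTP/1.1" 200 9981
198.51.100.7 - - [01/Jul/2015:09:00:06 +0900] "GET /js/stat.js HTTP/1.1" 200 311
192.0.2.23 - - [01/Jul/2015:09:02:41 +0900] "GET /media/ad.swf HTTP/1.1" 200 40210
192.0.2.10 - - [01/Jul/2015:09:00:03 +0900] "GET /media/ad.swf HTTP/1.1" 200 40210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+|-)')


def parse_log(text):
    """Yield (client_ip, path, status, size) from combined-format log lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, path, status, size = m.groups()
            yield ip, path, int(status), 0 if size == "-" else int(size)


def selective_paths(text, target_net, min_hits=2):
    """Flag paths that were served only to clients in target_net (at least
    min_hits times), or whose response size differs between clients inside
    and outside target_net. Both patterns fit an IP-gated watering hole."""
    net = ipaddress.ip_network(target_net)
    stats = defaultdict(lambda: {"in": [], "out": []})
    for ip, path, status, size in parse_log(text):
        if status != 200:          # only successful deliveries matter here
            continue
        side = "in" if ipaddress.ip_address(ip) in net else "out"
        stats[path][side].append(size)
    flagged = {}
    for path, s in stats.items():
        if len(s["in"]) >= min_hits and not s["out"]:
            flagged[path] = "served only to target network"
        elif s["in"] and s["out"] and set(s["in"]).isdisjoint(s["out"]):
            flagged[path] = "different content size for target network"
    return flagged
```

In the sample, /index.html is served identically to everyone and is not flagged, while the script and the Flash file are only served in full to the target range.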

Blue Termite has been leveraging a customized data stealer belonging to the Emdivi family.

“Kaspersky Lab detected the tailored malware, ‘emdivi t20’. This malware is basically used after the infection by emdivi t17 that serves as a backdoor. Although the versions emdivi t17 and emdivi t20 are from the same emdivi family, the latter is more sophisticated,” states the post published on SecureList.

“One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor,” Kaspersky said.

Attribution is never simple when dealing with an APT, but experts at Kaspersky speculate that the attackers are likely Chinese speakers.

Kaspersky isn’t the only firm that has analyzed the Blue Termite APT: Symantec has also been monitoring it, and in November 2014 the company published a report on a cyber espionage campaign dubbed “CloudyOmega.”

Symantec reported that the APT group behind the CloudyOmega operation is linked with the Hidden Lynx APT and the threat actor responsible for the “LadyBoyle” attacks.

Trend Micro also published a report on the APT.


Pierluigi Paganini

(Security Affairs – Blue Termite, APT)
