Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor

We found that attackers in an active campaign have compromised a number of Japanese websites to serve as command and control (C&C) servers for the EMDIVI backdoor they’re using and are currently targeting companies not only in Japan but also in the US.

EMDIVI, which first appeared in 2014, is notoriously used in targeted attacks against Japanese companies. It allows machines to be remotely controlled by attackers for malicious commands and other activities. We looked into this malware and found that it uses “magic numbers” in its routines.

We observed the campaign to target Japanese government agencies and private companies in the manufacturing, technology, and media industry. Its target companies in the US, one of which falls under the technology industry, are merely offices of Japanese companies, showing that it is still Japanese targets that the attackers are after.

We first reported of the campaign in November 2014, where it used email as an arrival vector. The campaign usually has low infection counts but has recently been gaining ground, no thanks to a watering hole attack that used a Hacking Team Flash zero-day exploit in July 2015.

Attack Phases Revealed

Further investigation into the inner workings of this campaign revealed three attack phases, as follows:

Cloud service compromise
Our researchers found that not only are the IP addresses of the C&C servers located mostly in Japan, attackers may have penetrated a cloud service provider to compromise legitimate sites to infect targets with the EMDIVI backdoor. They then placed PHP code to communicate with the EMDIVI malware. An automotive dealer, a merchandiser, a real estate listing, and a restaurant were only a few in a long list of legitimate websites attackers compromised.

Figure 1. Country distribution of C&C endpoints in this campaign, 1H 2015

EMDIVI malware creation
Attackers created an EMDIVI malware that points to the previously compromised sites.
EMDIVI malware distribution
Attackers then distributed the EMDIVI malware via email or watering hole attacks, which used a recent Flash zero-day exploit found in the Hacking Team leak.

EMDIVI Point-of-Entry and Analysis

As explained above, one way for attackers to infiltrate target systems is by sending phishing emails using accounts made in Yahoo! Mail or Excite. These emails each have a compressed file (usually .LZH and rarely .ZIP or .RAR) attachment that contains a self-extracting archive file (RAR SFX), which drops two documents: a decoy (Microsoft Word, Microsoft Excel, or PDF) and the EMDIVI malware.

Note that the EMDIVI malware has been observed to use file names that start with “VM,” such as VMat.exe, VMMat.exe, VMater.exe, VMtap.exe, and VMwere.exe.

Targets may suffer from one of two variants of the malware, which are t17 and t20 (detected as BKDR_EMDIVI.ZJCH-A).

t20 was previously used as the initial payload by Ichitaro exploits. The difference between t17 and t20 lies in their command sets. t17 can only send a basic set of commands like the system shell as well as download/upload files. It is entirely reliant on other files for other commands.

t20 contains integrated commands as well. In addition to the commands already seen in t17, t20 can carry out commands like compressing/decompressing (.ZIP) files and taking screenshots.

As of this writing, “t17.08.34” is the latest version for t17. The t20 version was initially thought obsolete after Ichitaro released an update in 2014, but was however revived by a change strategy: It started using DLL side-loading technique instead of a single executable malware. This move is similar to the DLL hijacking technique used by PlugX.

We examined the recent T17 version and found its backdoor capabilities to mimic its past versions in that it still contains 9 commands, as follows: UPLOAD, GETFILE, GOTO, DOWNBG, DOABORT, VERSION, SETCMD, SUSPEND, and LOADDLL. However, one major change in this version is how it can load strings and APIs (application programming interface) for later use, instead of calling them directly. The malware will decrypt strings that will be needed to load the said API, before actually calling it. For instance, it will decrypt the string “RegQueryValueExA” and “Advapi32.dll” and load the said DLL before using the API.

Figure 2. Sample API calling routine for later T17 versions of EMDIVI

EMDIVI Backdoor “Magic,” Unveiled

We looked at a more recent sample (acquired in May 17) and discovered that it was encrypted before it was compiled in an .EXE file to prevent heuristic detection. It can be decrypted using “magic numbers” hardcoded in a string in the malware’s body. This string is made of four parts: version, target, release date, and some random looking numbers. For instance, the malware will decrypt the sample string “t17.08.30.[name of target]0520.1200.4444,” as follows:

Version: t17.08.30
Target: [name of target]
Release date: 0520
Random number: 1200.4444

We looked at a number of these codes and found that the random-looking numbers are not so random after all. Two numbers keep showing up as part of the pattern, namely “4444” and “2716.”

Figure 3. EMDIVI t17 versions and magic numbers

One probable way to interpret this is that these two numbers are employee IDs that are being abused by attackers in the campaign. Note that the random numbers for strings that used the Hacking Team exploit, those that contain the word “flash” in the table, used different employee ID numbers.

Moreover, the versions that did not specify a target name are most likely to be targeting government agencies, given that two out of the six of them are verified to be government-related.

Recommendations

Since this campaign uses emails as an arrival vector, target users in Japan should be careful when clicking links and downloading attachments from the said source. IT managers need to educate employees to look out for suspicious emails from unexpected senders.

For enterprises, email reputation services used by products like the Trend Micro Deep Discovery Email Inspector can provide maximum security from these risks.

Trend Micro products blocks and detects all threats related to this campaign, as follows: