Security researchers have discovered rare malware families in attacks that targeted numerous Japanese business, along with a similar modus operandi to attacks previously seen in 2012 against the Taiwanese government.

PlugX and Elirks are two very rare malware families that have been previously linked to cyber-espionage operations, usually attributed to Chinese entities.

Any Elirks backdoor is a rare sighting

While PlugX is a popular Remote Access Trojan (RAT) found in many cyber-espionage operations, security researchers don’t come across the Elirks backdoor very often. Researchers first spotted Elirks in 2010, and only in operations targeting East Asian countries.

The backdoor is easy to spot because it uses popular blogging platforms to host the IP address of the C&C server instead of hardcoding them in its source code. In recent years, the group(s) employing Elirks has been using Japanese blogging services to host their C&C server IP addresses.

Palo Alto Networks says it spotted Elirks as part of recent spear-phishing campaigns. The crooks were sending emails with malicious PDF files to representatives of Japanese businesses.

When the employee would open the file, a malicious routine would take advantage of a Flash object embedded in the PDF, and using the CVE-2012-0611 or CVE-2011-0611 exploits, would download and install the Elirks backdoor on the victim’s machine.

The unidentified cyber-espionage group behind this campaign would then use the backdoor to steal information from the infected computer.

Similarities with attacks seen in 2012

While previously Elirks was used by the Scarlet Mimic APT in targeted attacks against China’s minority groups, Palo Alto researchers noted similarities between the phishing campaign against the Japanese companies and the one that targeted a ministry in Taiwan back in 2012.

Palo Alto says that in both attacks the groups used the same malware, created phishing emails in the same manner, and were interested in domains related to the aviation sector.

“Currently, we have found no reliable evidence to indicate the same adversary attacked a company in Japan in 2016 and multiple organizations in Taiwan in 2012,” Palo Alto’s Kaoru Hayashi notes. “However, we can see some resemblances between the two attacks.”

2012 2016
Email Sender Masquerades as an existing bank in Taiwan Masquerade as an existing aviation company in Japan
Email Recipient Representative email address of a ministry of Taiwan, which is publicly available. Representative email address of a subsidiary company, which is publicly available.
Subject “Bank credit card statement” in Chinese “Airline E-Ticket” in Japanese
Attachment PDF file named “Electronic Billing1015” in Chinese File named “E-TKT” in Japanese with PDF icon

Let’s block ads! (Why?)

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲