Security researchers have discovered rare malware families in attacks that targeted numerous Japanese businesses, with a modus operandi similar to attacks seen in 2012 against the Taiwanese government.
PlugX and Elirks are two very rare malware families that have been previously linked to cyber-espionage operations, usually attributed to Chinese entities.
Any Elirks backdoor is a rare sighting
While PlugX is a popular Remote Access Trojan (RAT) found in many cyber-espionage operations, security researchers don’t come across the Elirks backdoor very often. Researchers first spotted Elirks in 2010, and only in operations targeting East Asian countries.
The backdoor is easy to spot because it uses popular blogging platforms to host the IP address of its C&C server instead of hardcoding it in the malware. In recent years, the group(s) employing Elirks have been using Japanese blogging services to host their C&C server IP addresses.
Palo Alto Networks says it spotted Elirks as part of recent spear-phishing campaigns. The crooks were sending emails with malicious PDF files to representatives of Japanese businesses.
When an employee opened the file, a Flash object embedded in the PDF would trigger the CVE-2012-0611 or CVE-2011-0611 exploit, which would then download and install the Elirks backdoor on the victim’s machine.
The unidentified cyber-espionage group behind this campaign would then use the backdoor to steal information from the infected computer.
Similarities with attacks seen in 2012
While Elirks was previously used by the Scarlet Mimic APT in targeted attacks, Palo Alto researchers noted similarities between the phishing campaign against the Japanese companies and the one that targeted a ministry in Taiwan back in 2012.
Palo Alto says that in both attacks the groups used the same malware, created phishing emails in the same manner, and were interested in domains related to the aviation sector.
“Currently, we have found no reliable evidence to indicate the same adversary attacked a company in Japan in 2016 and multiple organizations in Taiwan in 2012,” Palo Alto’s Kaoru said. “However, we can see some resemblances between the two attacks.”
| | Attack on a Taiwanese ministry (2012) | Attack on a Japanese company (2016) |
|---|---|---|
| Email Sender | Masquerades as an existing bank in Taiwan | Masquerades as an existing aviation company in Japan |
| Email Recipient | Representative email address of a ministry of Taiwan, which is publicly available | Representative email address of a subsidiary company, which is publicly available |
| Subject | “Bank credit card statement” in Chinese | “Airline E-Ticket” in Japanese |
| Attachment | PDF file named “Electronic Billing1015” in Chinese | File named “E-TKT” in Japanese with a PDF icon |