Blue Termite: All that you need to know (by Kaspersky)

Aug 21, 2015:

Kaspersky Lab’s Global Research and Analysis Team has discovered Blue Termite, a cyberespionage campaign that has been targeting hundreds of organizations in Japan for at least two years. The attackers hunt for confidential information and use a Flash Player exploit that was a zero-day when it surfaced, together with a sophisticated backdoor that is customized for each victim. This is the first campaign known to Kaspersky Lab that is strictly focused on Japanese targets - and it is still active.

Health insurance services and the Japan Pension Service are top targets, but the list of targeted industries also includes governmental organizations, heavy industry, finance, chemicals, satellite, media, education, medical organizations, the food industry and others.

To infect their victims, Blue Termite operators use several techniques. Before July 2015 they mostly relied on spear-phishing emails: the malware was sent as an attachment to a message whose content was chosen to attract the specific victim. In July the operators changed tactics and started spreading the malware via a Flash exploit for CVE-2015-5119, the exploit that became public with the Hacking Team breach earlier that summer (Adobe published a fix for it in APSB15-16 on July 8, 2015, so the campaign hit machines that had not yet applied that update). The attackers compromised several Japanese websites so that visitors would automatically receive the exploit simply by loading a page, and become infected without any further interaction. This is known as a drive-by download.
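The drive-by pattern described above (a client loads a page, fetches a Flash object, then pulls down an executable moments later) leaves a recognizable trace in web proxy logs. The following is an added example, not code from Kaspersky or from the report: a small heuristic that runs over a few constructed sample log lines in a simplified format (timestamp, client, host, path, content type) and reports SWF fetches that are followed within a short window by an executable download from the same client. All hostnames, paths, addresses and timestamps are made up for illustration; the window size is an assumption a team would tune to its own traffic.

```python
"""Flag drive-by-download sequences in simplified web proxy logs.

Added example (not part of the Kaspersky report). Log format, hosts,
paths and timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client> <host> <path> <content-type>".
# The first client shows the drive-by pattern; the second is benign
# (the executable it downloads comes long after the SWF it loaded).
SAMPLE_LOG = """\
2015-07-15T09:00:01 10.0.0.5 www.example-news.jp /index.html text/html
2015-07-15T09:00:02 10.0.0.5 www.example-news.jp /js/banner.js application/javascript
2015-07-15T09:00:03 10.0.0.5 cdn.example-ads.net /p/movie.swf application/x-shockwave-flash
2015-07-15T09:00:07 10.0.0.5 cdn.example-ads.net /p/update.exe application/octet-stream
2015-07-15T09:05:10 10.0.0.6 www.example-news.jp /index.html text/html
2015-07-15T09:05:11 10.0.0.6 www.example-news.jp /media/intro.swf application/x-shockwave-flash
2015-07-15T09:30:00 10.0.0.6 files.example-vendor.com /setup.exe application/octet-stream
"""

SWF_TYPES = {"application/x-shockwave-flash"}
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}
# Assumed window: an exploit-triggered download normally follows the SWF
# within seconds; tune this to your environment.
WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Parse the simplified log into (timestamp, client, host, path, ctype) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, ctype = line.split()
        events.append((datetime.fromisoformat(ts), client, host, path, ctype))
    return events


def find_drive_by(events, window=WINDOW):
    """Return (client, landing_host, swf_url, exe_url) for every SWF fetch that is
    followed by an executable download from the same client within `window`.

    landing_host is the host of the most recent HTML page the client loaded
    before the SWF, i.e. the site that served (or embedded) the exploit.
    """
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)

    hits = []
    for client, evs in by_client.items():
        landing = None
        for i, (ts, _, host, path, ctype) in enumerate(evs):
            if ctype == "text/html":
                landing = host
            if ctype not in SWF_TYPES:
                continue
            # Look ahead for an executable download inside the window.
            for ts2, _, host2, path2, ctype2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if ctype2 in EXE_TYPES:
                    hits.append((client, landing, host + path, host2 + path2))
                    break
    return hits


if __name__ == "__main__":
    for client, landing, swf, exe in find_drive_by(parse_log(SAMPLE_LOG)):
        print(f"{client}: page on {landing} -> SWF {swf} -> executable {exe}")
```

In the sample data only 10.0.0.5 is flagged: it loads a page on www.example-news.jp, fetches a SWF from a third-party host and receives an executable four seconds later. The benign client also loads a SWF but its executable download comes 25 minutes afterwards, outside the window. In a real investigation the landing host is the lead worth following, since the report's scenario is that the compromised site itself was the entry point.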

The switch to the Flash exploit produced a significant spike in the infection rate registered by Kaspersky Lab detection systems in the middle of July.

After a successful infection, a sophisticated backdoor is deployed on the targeted machine. The backdoor is capable of stealing passwords, downloading and executing additional payloads, retrieving files, and more.