Why BlueTermite should draw a lot of attention

The BlueTermite APT campaign is rather new and extremely persistent. Here’s why.

Well, ladies and gentlemen, you’ve heard it: a new APT BlueTermite is being publicized. The Securelist’s Targeted Attacks Logbook will soon receive a new entry. BlueTermite APT campaign is rather new, and “persistent in more senses than one,” Denis Legezo wrote for Kaspersky Business earlier today.

In that post our readers can also learn how to protect themselves from the new APT, which seems to target all imaginable entities within Japan – government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation, and more. Interestingly, the C2 servers of BlueTermite are also located in Japan.

The number of victims is increasing, as the attack is active.

Circa 2013

The attack was actually discovered in 2014, and the oldest samples associated with it are from November 2013. However, there was a powerful activity spike in mid-Summer 2015.

There’s a bit of intrigue here: at the same time the now-famous (even fabulous) Adobe Flash 0day exploit used by Hacking Team slipped out to make its way into quite a few hacking groups’ arsenal. BlueTermite is not an exclusion.

But the initial attack method was different: Attackers used the malware customized for every specific target. Customization is going as far as making every sample work only on its target PC.

Highly customized

According to Suguru Ishimaru at Securelist, “Without knowing the victim’s SID, the decryption key will not be generated successfully, making it difficult to decrypt important data. This means it’s not possible to analyze the malware in detail.”

Fortunately, Kaspersky Lab’s researchers were able to analyze those samples by successfully brute-forcing the decryption keys from several samples without SIDs. Apparently the encryption algorithm wasn’t strong enough to prevent brute-force, but this may well change in future.

And what about that zeroday?

The CVE-2015-5119 exploit is, arguably, one of the more worrisome parts of the story, and indicative of how attack tools are quickly making their way from one APT group to others.

We mentioned earlier that cybercriminals are “lowering the profile”, searching for smaller and softer targets. Cyberspies aren’t an exclusion here, but this also means that the “just criminals” may adopt APT-style techniques as well. So far, we have witnessed Grabit, an espionage campaign targeting specifically SMB companies. Also, we have seen Carbanak, the first ever purely criminal APT.

BlueTermite may be a geographically limited campaign, but its tools are not. Businesses across the world are advised to watch out and stand ready for the attack methods used by the APT groups, because even if their targets are currently mostly larger entities, at any moment a business of any size can be attacked in the same manner.

As Mr. Legezo wrote, businesses need to acknowledge the possibility of such attacks and, at the very least, should immediately install critical patches, as soon as they are provided. This won’t nullify the probability of a targeted attack, but it greatly reduces the risk. A further necessary action is to deploy a security solution capable of preventing zeroday threats and block exploitation of software vulnerabilities, as well as reducing the “patching gap”.

For more detailed technical review of BlueTermite APT, please visit Securelist.