A recent cyber-espionage attack that targeted Japanese aviation businesses bears a strong resemblance to a 2012 attack in Taiwan. Two types of malware have been identified in both cases; PlugX, a fairly common remote-access Trojan (RAT), and Elirks, a less-widely known backdoor Trojan used almost exclusively on attacks in East Asia.
The current cybersecurity threat targets Japanese business people primarily in the aviation sector in a phishing campaign. Employees receive an email with the subject ‘Airline E-Ticket’ and an attachment entitled ‘E-TKT’. When the attachment is opened, the malware uses a Flash object embedded in the PDF to download and install the Elirks backdoor on the employee’s machine. This backdoor can then be exploited to steal information from the employee’s computer.
The Elirks backdoor uses blogging platforms to host the IP address for the command and control (C&C) server, rather than hardcoding the IP address into its source code. This makes Elirks easier to spot than traditional remote-access Trojans with hardcoded IP addresses.
Researchers at Palo Alto networks noted similarities between the current rash of phishing campaigns in Japan and the ones that occurred in the Taiwanese governmental attacks in 2012. Both used a combination of PlugX and Elirks, both targeted representatives whose email information was publicly available, and both used similarly-named senders and files to draw the target into opening the infected file.
Additionally, in both cases, when the employee opened the file and released the malware to their system, the exact same message was displayed: “Document corrupted. Please contact the author.”
Also, while the Taiwan 2012 phishing campaign was directed at government employees, there were some PDF files named “Airline Reservation Files”, which is similar to the current “Airline E-Ticket” file being used in Japan.
This Elirks variant is similar to Scarlet Mimic, which was found in China as part of a years-long cyber espionage campaign targeting minority rights activists and associated government agencies. While the researchers noted that there are several similarities between the 2016 aviation attacks in Japan and the 2012 government attacks in Taiwan, they say that they have yet to find reliable evidence that the same person is responsible for both.