June 24, 2016
Security researchers have discovered two malware families, one of them rarely seen, in attacks that targeted numerous Japanese businesses and whose modus operandi resembles that of attacks against the Taiwanese government in 2012.
PlugX and Elirks are two malware families that have previously been linked to cyber-espionage operations, usually attributed to Chinese entities.
Any Elirks backdoor is a rare sighting
While PlugX is a popular Remote Access Trojan (RAT) found in many cyber-espionage operations, security researchers don’t come across the Elirks backdoor very often. Researchers first spotted Elirks in 2010, and only in operations targeting East Asian countries.
The backdoor is easy to identify because it does not carry the IP address of its C&C server hardcoded in the binary; instead it fetches a post on a popular blogging platform and reads the C&C address from there (a technique often called a dead-drop resolver). This lets the operators move to a new C&C server by editing the post, without redeploying the malware, and it means the implant's first network contact is with a legitimate, high-reputation domain rather than with attacker infrastructure. In recent years, the group(s) employing Elirks have been using Japanese blogging services to host their C&C server IP addresses.
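To make the C&C lookup concrete, here is an added example in Python (not Elirks' own code, and not taken from the Palo Alto Networks report): a minimal dead-drop resolver that pulls a C&C endpoint out of a constructed blog page, paired with a hunting routine that flags the tell-tale sequence in constructed proxy logs. The `$$` delimiter, the Base64 encoding, the host `blog.example.jp`, the five-minute window and the log format are all assumptions made for this illustration; the article does not describe how Elirks actually encodes the address.

```python
"""Dead-drop resolver: C&C address fetched from a public blog post.

Added illustration only, not Elirks' own code. The "$$" delimiter, the
Base64 encoding, the blog host and every log line below are constructed
assumptions for this example; Elirks' real encoding is not described here.
"""
import base64
import binascii
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# --- implant side: what a dead-drop resolver does -------------------------

# Hypothetical convention: the operator wraps a Base64 token in "$$".
TOKEN_RE = re.compile(r"\$\$([A-Za-z0-9+/=]+)\$\$")

# Constructed blog page; the token decodes to 192.0.2.44:8443 (TEST-NET-1).
SAMPLE_BLOG_HTML = """<html><body>
<h1>Weekend in Hakone</h1>
<p>Good weather, nice onsen. $$MTkyLjAuMi40NDo4NDQz$$</p>
<p>Posted from my phone.</p>
</body></html>"""


def resolve_c2(page_html):
    """Return the (ip, port) hidden in the page, or None.

    The binary only ever contains the blog URL; the C&C address lives in
    the post, so the operator can move servers by editing the post.
    """
    for match in TOKEN_RE.finditer(page_html):
        try:
            raw = base64.b64decode(match.group(1), validate=True).decode("ascii")
            host, _, port = raw.rpartition(":")
            ip = ipaddress.ip_address(host)   # ValueError on non-IP junk
            port = int(port)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue                          # not a C&C token, keep looking
        if 0 < port < 65536:
            return str(ip), port
    return None


# --- defender side: hunt for the pattern in proxy logs --------------------

# Constructed log lines: "<ISO time> <client> <method> <target>".
SAMPLE_PROXY_LOG = """\
2016-06-20T09:14:02 10.1.2.15 GET http://blog.example.jp/entry/2016/06/trip
2016-06-20T09:14:05 10.1.2.15 CONNECT 192.0.2.44:8443
2016-06-20T09:20:11 10.1.2.16 GET http://blog.example.jp/entry/2016/06/trip
2016-06-20T09:30:00 10.1.2.17 GET https://www.example.com/
2016-06-20T11:02:40 10.1.2.16 CONNECT 198.51.100.7:443
"""

WATCHED_BLOG_HOSTS = {"blog.example.jp"}   # assumption: platforms you watch
WINDOW = timedelta(minutes=5)              # blog fetch -> direct-IP connect

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
BARE_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def hunt_dead_drop(log_text):
    """Flag clients that fetch a watched blog and then, within WINDOW,
    connect to a literal IP with no hostname: the sequence a dead-drop
    resolver produces. Returns a list of (client, ip, port)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, client, method, target = m.groups()
            events.append((datetime.fromisoformat(ts), client, method, target))
    events.sort()                              # logs are rarely in order

    last_blog_fetch = {}
    hits = []
    for when, client, method, target in events:
        if method == "GET" and urlparse(target).hostname in WATCHED_BLOG_HOSTS:
            last_blog_fetch[client] = when
            continue
        ip_m = BARE_IP_RE.match(target)
        seen = last_blog_fetch.get(client)
        if ip_m and seen is not None and when - seen <= WINDOW:
            hits.append((client, ip_m.group(1), int(ip_m.group(2))))
    return hits


if __name__ == "__main__":
    print("implant would beacon to", resolve_c2(SAMPLE_BLOG_HTML))
    print("hunt hits:", hunt_dead_drop(SAMPLE_PROXY_LOG))
```

Blocking the blog platform outright is rarely an option for a Japanese business, which is why the defender-side routine correlates a blog fetch with a subsequent connection to a bare IP instead of alerting on the blog itself; the window and the set of watched hosts are the two knobs to tune against your own traffic.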
Palo Alto Networks says it spotted Elirks as part of recent spear-phishing campaigns. The crooks were sending emails with malicious PDF files to representatives of Japanese businesses.
When the employee opened the file, a Flash object embedded in the PDF exploited CVE-2011-0611 or CVE-2012-0611 to download and install the Elirks backdoor on the victim's machine. Both are years-old bugs, so the chain only works on hosts where the relevant Adobe software has gone unpatched for a long time.
The unidentified cyber-espionage group behind this campaign would then use the backdoor to steal information from the infected computer.