Etumbot

What is Etumbot?

Etumbot is a malware family that ASERT Threat Intelligence wrote about in June 2014. ASERT attributed Etumbot to Chinese actor APT12 and compared it with IXESHE "based on similar system and network artifacts that are common between the malware families." [1]

The Technical Review written below demonstrates the methods used to hide the actual file type and intention. The combination of clever or complex techniques is characteristic of Chinese APT actors. "Most of the documents dropped with Etumbot are written in traditional Chinese. Traditional Chinese (versus simplified Chinese used in mainland China) is most widely used in Taiwan. While other areas do make use of traditional Chinese (Hong Kong, Macau), the topics of the decoy documents strongly suggest that Taiwanese entities are the targets for many Etumbot samples." [1]

Shadowserver considers these techniques to be complex and clever for 2 reasons. First, the majority of actors do not spend the time necessary to hide the file types, filenames, or intentions of their malware; examples include ransomware named payload.exe or the blatant use of typo-squatted domains in phishing emails and links. This is not to say that Chinese APTs don't use trivial obfuscation and exploitation methods, but they are more likely to perform targeted research before conducting attacks. This research and preparation allows the attack groups to pass as legitimate business or personal communications, whereas other actors are frequently more opportunistic than targeted.

The second reason we consider these techniques complex and clever is the amount of time invested in discovering the exploits or vulnerabilities. Not all of these methods were first discovered by Chinese APTs, but they are more likely to require in-depth technical experience. In addition, the IXESHE malware uses 2 different zero-day exploits, which requires either advanced technical knowledge to discover or significant resources to purchase from other actors. [2] In either case, Etumbot uses methods unique to actors with significant backing.

Aliases

  • Exploz
  • Specfix

Associated Individuals

  • APT12

Notable Attacks

None revealed in public source references.

Technical Review

Etumbot and IXESHE share indicators: both families use the ka4281x3.log and kb71271.log files, and both are described as "calling back to the same Command & Control servers and have been used to target similar victim populations with similar attack methodologies."

Etumbot makes use of a dropper and a decoy file. The dropper contains the backdoor binary, which is the true payload of the Etumbot malware. The decoy file is opened to present a more legitimate appearance to the user, who opened the attachment expecting to see a document.

The dropper uses the Unicode Right-to-Left Override character (U+202E) to hide the actual file extension. Because everything after the override character is rendered right to left, the filename appears to end in a benign extension such as .pdf or .doc while the file is in fact an executable. This obfuscation is combined with matching file type icons to present the executable dropper as the expected PDF or Office document, further hiding the intent of the malware.
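The following is an added detection example, not code from the page or the ASERT report: it flags attachment names that carry Unicode bidirectional controls, renders how such a name is displayed, and reports when an executable extension is shown as a document extension. The sample filenames are constructed for illustration, not real Etumbot droppers.

```python
import unicodedata

# Unicode bidirectional controls that can reorder how a filename is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}
# Extensions Windows executes; an Etumbot dropper's real extension is one of these.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def rendered_name(filename: str) -> str:
    """Approximate what a bidi-aware file browser shows: the run after a
    U+202E (RLO) is drawn reversed until a U+202C (PDF) or end of string."""
    out, i = [], 0
    while i < len(filename):
        ch = filename[i]
        if ch == "\u202e":
            end = filename.find("\u202c", i + 1)
            end = len(filename) if end == -1 else end
            out.append(filename[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; skip them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(filename: str) -> dict:
    """Compare the extension a user sees with the one the OS will act on."""
    controls = sorted(unicodedata.name(c, "U+%04X" % ord(c))
                      for c in set(filename) if c in BIDI_CONTROLS)
    real_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    shown = rendered_name(filename)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls),   # bidi controls have no place in a filename
        # executable that is displayed as a non-executable (e.g. exe shown as pdf)
        "masquerade": real_ext in EXECUTABLE_EXTS and shown_ext not in EXECUTABLE_EXTS,
    }


# Constructed sample names: the first has U+202E before "fdp.exe", so it is
# displayed as "Taiwan_report_exe.pdf" although the OS sees a .exe file.
SAMPLE_NAMES = ["Taiwan_report_\u202efdp.exe", "Taiwan_report.pdf"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "->", analyze_filename(name))
```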

Targets

  • Taiwan
  • Japan

References

[1] - ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf

[2] - https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
