{"id":428,"date":"2021-05-11T08:23:26","date_gmt":"2021-05-10T23:23:26","guid":{"rendered":"https:\/\/mal-eats.net\/?p=428"},"modified":"2021-05-11T12:08:02","modified_gmt":"2021-05-11T03:08:02","slug":"campo_new_attack_campaign_targeting_japan","status":"publish","type":"post","link":"https:\/\/mal-eats.net\/en\/2021\/05\/11\/campo_new_attack_campaign_targeting_japan\/","title":{"rendered":"Campo, a New Attack Campaign Targeting Japan"},"content":{"rendered":"

Since around March 2021, campaigns in Japan using an infrastructure called campo\/openfield have been observed. This campaign has the potential to deliver subsequent malware depending on the infected organization, and some cases eventually could result in ransomware incidents overseas.<\/span><\/p>\n

We keep tracking this attack campaign, and it started to be observed at least around October 2020 as far as we are aware. We anticipate that attackers will continue to be active in the future, and we are concerned that this could lead to serious impacts including ransomware encryption in the worst case. Therefore, in order to prepare for such threats, we will share in this blog the characteristics of campaigns for Japan and how to check for malware execution traces based on our research.<\/span><\/p>\n

 <\/p>\n

Update history<\/b><\/h2>\n\n\n\n\n
Date<\/span><\/td>\nDetails<\/span><\/td>\n<\/tr>\n
2021\/5\/11<\/span><\/td>\nPublished this blog<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Observation cases of this campaign in Japan<\/b><\/h2>\n

Reports of suspicious emails in Japan have been shared on social networking sites.\u00a0<\/span><\/p>\n

The reports are shown below in chronological order.<\/span><\/p>\n

2020\/10\/14
\n<\/span>https:\/\/twitter.com\/bomccss\/status\/1316163808319041536<\/span><\/a><\/p>\n

2021\/3\/10
\n<\/span>https:\/\/twitter.com\/bomccss\/status\/1369612781209591813<\/span><\/a><\/p>\n

2021\/3\/24
\n<\/span>https:\/\/twitter.com\/bomccss\/status\/1374526482890944515<\/span><\/a><\/p>\n

2021\/3\/31
\n<\/span>https:\/\/twitter.com\/bomccss\/status\/1377280535710494729<\/span><\/a><\/p>\n

2021\/4\/6
\n<\/span>https:\/\/twitter.com\/bomccss\/status\/1379240664362143744<\/span><\/a><\/p>\n

2021\/4\/7
\n<\/span>https:\/\/twitter.com\/bomccss\/status\/1379602541495738371<\/span><\/a><\/p>\n

2021\/4\/8
\n<\/span>https:\/\/twitter.com\/bomccss\/status\/1379970130642235392<\/span><\/a><\/p>\n

2021\/4\/9
\nhttps:\/\/twitter.com\/bomccss\/status\/1380327966765314050<\/a><\/p>\n

Big picture of attack campaign<\/b><\/h2>\n

The big picture of the attack campaign is as shown in Figure1. The attack begins with incoming Japanese emails. The body of the email contains a URL link and a password, and when the user accesses the URL link, they can download a ZIP file with the password. After extracting this zip file and opening the document file to enable the content, a downloader called Campo Loader is dropped and executed, then starts communication. In addition, it infects DFDownloader as a follow-up malware which can download and execute additional payloads by communicating with the C2 server.<\/span><\/p>\n

\"\"
Figure1. The big picture of the attack campaign<\/figcaption><\/figure>\n

We believe that the attacker is using an anti-bot service called “BlackTDS” to communicate with the both host of the URL link and the host of the Campo Loader. This service enables communications for research activities to redirect to unintentionally legitimate sites. Details of how this service works are described later.<\/span><\/p>\n

The DFDownloader used in this campaign against Japan has the ability to download and execute additional malware, but at this time we have not observed any following payloads yet. The DFDownloader has not yet been reported overseas. Hence, the final payload via DFDownloader is not known.<\/span><\/p>\n

On the other hand, similar cases of infection with the follow-up malware via Campo Loader have been reported overseas.<\/span><\/p>\n