ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool Emdivi

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Emdivi

NamesEmdivi
Newsripper
CategoryMalware
TypeBackdoor
Description(Kaspersky) The emdivi family stores important data about itself, including C2, API name, strings for anti-analysis, value of mutexes, as well as the md5 checksum of backdoor commands and the internal proxy information. They are stored in encrypted form, and are decrypted when necessary. Therefore, to analyze an emdivi sample in detail, we need to locate which hex codes are encrypted, and how to decrypt them. In the process of decryption, a unique decryption key is required for each sample.
Information<https://securelist.com/new-activity-of-the-blue-termite-apt/71876/>
<https://blogs.jpcert.or.jp/en/2015/11/emdivi-and-the-rise-of-targeted-attacks-in-japan.html>
<http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/>
<http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:emdivi>

Last change to this tool card: 13 May 2020

Download this tool card in JSON format

Previous: EMASTEAL
Next: Emissary

All groups using tool Emdivi

ChangedNameCountryObserved

APT groups

 Blue Termite, Cloudy OmegaChina2013 
XStone Panda, APT 10, menuPassChina2006-Jul 2020X

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key