Thai Police Systems Under Fire From 'Yokai' Backdoor

Source: CPA Media Pte Ltd via Alamy Stock Photo

Unknown hackers are targeting individuals associated with Thailand’s government, using a new and unwieldy backdoor dubbed “Yokai,” potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

Ghost in the Machine: US-Themed Lures in Phishing Attack

From Thai, the lure documents translate to “United States Department of Justice.pdf” and “Urgently, United States authorities ask for international cooperation in criminal matters.docx." Specifically, they made reference to Woravit “Kim” Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

“The lures also suggest they are addressed to the Thai police,” notes Nikhil Hegde, senior engineer for Netskope. “Considering the capabilities of the backdoor, we can speculate that the attacker’s motive was to get access to the systems of the Thai police.”

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn’t so jejune as that might suggest.

Abusing Legitimate Windows Utilities

To begin their attack chain, the attackers made use of “esentutl,” a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows’ New Technology File System (NTFS), files commonly contain more than just their primary content — their main “stream.” An image or text document, for example, will also come packed with metadata — even hidden data — which won’t be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

“ADS is often used by attackers to conceal malicious payloads within seemingly benign files,” Hegde explains. “When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file.”

Related:Hamas Hackers Spy on Mideast Gov’ts, Disrupt Israel

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

Inside the Yokai Backdoor Malware

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai," Hegde says. For example, “Its C2 communications, when decrypted, are very structured.” In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn’t, it creates it. This check occurs after the self-replication step, however, only after the malware has begun spawning out of control. “This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor,” Hegde says.

Related:China’s Elite Cyber Corps Hone Skills on Virtual Battlefields

Even a regular user might notice the strange effects to their machine. “The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system’s performance issues,” he says.

In all, Hegde adds, “This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed.”

About the Author

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.