
Criticism of Thai Police Systems Due to ‘Yokai’ Backdoor


Hackers have recently been targeting individuals associated with Thailand’s government using a new backdoor known as “Yokai,” a name that may come from a type of ghost in the video game Phasmophobia or from the spirits of Japanese folklore. The campaign was uncovered by researchers from Netskope, who came across two shortcut (LNK) files disguised as .pdf and .docx documents and titled to suggest they concerned US government business with Thailand.

The attack chain behind these fake documents relied on legitimate Windows binaries to deploy the newly discovered backdoor, which appears to be a hastily developed program for executing shell commands; the researchers note that its rough construction risks unintended system crashes. The lure documents, when translated from Thai, were named “United States Department of Justice.pdf” and “Urgently, United States authorities ask for international cooperation in criminal matters.docx.” They specifically referenced Woravit “Kim” Mektrakarn, a former California factory owner connected to the disappearance and suspected murder of an employee in 1996, who is believed to have fled to Bangkok and was never caught.

Nikhil Hegde, a senior engineer at Netskope, pointed out that the lures were tailored to appear as if they were addressed to the Thai police, indicating that the attackers’ motive may have been to gain access to the Thai police systems. The malicious documents, when opened, would initiate the download of malware, but the method used by the attackers was far from simple.

The hackers exploited the “esentutl” tool, a legitimate Windows command line utility used to manage Extensible Storage Engine (ESE) databases, in their attack chain. By abusing its capability to access and write to alternate data streams (ADS) within files, they were able to hide malicious payloads within seemingly harmless files. This technique allowed them to evade basic file scanners that only inspect the primary stream of a file, making their attack more elusive.

Upon opening the shortcut files associated with the campaign, a hidden process would be triggered, during which Esentutl would be utilized to extract decoy government documents and a malicious dropper from alternate data streams. The dropper would then carry the Yokai backdoor, which would be sideloaded via a legitimate copy of the iTop Data Recovery tool.
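As a defender-side illustration of the hiding technique described above, the following PowerShell hunt is an added example, not Netskope's code or anything from the report: it enumerates the alternate data streams of every file under a directory, ignores the streams NTFS and browsers create normally, and flags any stream whose first two bytes are the “MZ” marker of a Windows executable. The root path is a constructed placeholder; the script assumes a Windows host with NTFS volumes.

```powershell
# Added example: hunt for payloads hidden in NTFS alternate data streams (ADS).
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # ':$DATA' is the unnamed primary stream every file has; Zone.Identifier is
        # the mark-of-the-web stream browsers add on download. Neither is interesting here.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )

    # Get-Content reads raw bytes with a different switch on each PowerShell generation.
    $byteSwitch = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                  else { @{ Encoding = 'Byte' } }

    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' lists every stream on the file, named and unnamed.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    $stream = $_
                    # Read only the first two bytes of the hidden stream.
                    $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                -TotalCount 2 -ErrorAction SilentlyContinue @byteSwitch
                    # 0x4D 0x5A = 'MZ', the DOS header that opens every PE executable.
                    $looksLikePe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $stream.Stream
                        SizeBytes   = $stream.Length
                        LooksLikePE = $looksLikePe
                    }
                }
        }
}

# Usage: report every non-default stream under a constructed placeholder path,
# with streams that carry an executable header listed first.
Find-SuspiciousAds -Root 'C:\Users\Public\Downloads' |
    Sort-Object -Property LooksLikePE -Descending |
    Format-Table -AutoSize
```

A non-empty result is not proof of compromise (some installers and sync clients use named streams legitimately), but a PE header inside a stream attached to a document or text file is worth pulling for analysis.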

Once inside a system, Yokai establishes communication with its command-and-control (C2) server, sets up an encrypted channel for further instructions, and waits for commands. It can execute various shell commands to carry out tasks such as data theft or downloading additional malware. The backdoor mixes sophisticated and amateur elements: its C2 communications are well structured, yet it tends to create multiple copies of itself when run with administrator privileges.

This behavior, which leads to a noticeable slowdown in system performance, could alert observant users to the presence of the backdoor. Despite its flaws, the juxtaposition of sophistication and amateurism in Yokai’s design suggests ongoing development by potentially multiple individuals. This discovery serves as a stark reminder of the evolving tactics used by cyber attackers and the need for robust cybersecurity measures to counter such threats.

