Information about IXESHE derivative IHEATE that targets users in America

Since 2012, we’ve been keeping an eye on the IXESHE targeted attack campaign. Since its inception in 2009, the campaign has primarily targeted governments and companies in East Asia and Germany. However, the campaign appears to have shifted tactics and is once again targeting users in the United States.

We also noticed some changes to the underlying behavior of the malware used. While the new sample shows some incremental improvements, its overall pattern of behavior is similar to what we observed earlier from IXESHE.

These attacks on users in the United States used IHEATE, a variant of IXESHE that has been seen in Taiwan since 2009. IHEATE differs from known IXESHE variants in two respects: it uses a different command-and-control (C&C) communication model and different encryption methods.

One IHEATE sample we found contains the string “EMC112” as part of its C&C traffic. Such strings are frequently used to identify different campaigns. In this particular case, the “112” part of the string matched the malware sample’s compilation date of January 12.

The sample we acquired connects to a C&C server whose domain was first registered in 2004, but whose registration information was modified in December 2015. This suggests that the threat actors were able to pose as the original registrant and modify the record for their own needs.
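The two pivots described above (a campaign tag carried in C&C traffic whose digits line up with the sample’s compile date, and a long-registered domain whose record was changed shortly before it was used for C&C) can be turned into simple triage checks. The following Python is an added example written for this post, not code or tooling from the original article; the beacon lines, the URL layout, the domain names and all dates other than "January 12" are constructed, and the regular expression for a tag (a short upper-case prefix followed by three or four digits, as in "EMC112") and the thresholds for the registration check are assumptions.

```python
import re
from datetime import datetime

# Constructed sample beacons (not real captures), in the style of a C&C request
# that carries a campaign tag. "EMC112" is the tag quoted in the post; the URL
# layout and host names are assumptions for this example.
SAMPLE_BEACONS = [
    "GET /index.php?id=EMC112&h=WIN-HOST01 HTTP/1.1",
    "GET /index.php?id=EMC225&h=WIN-HOST02 HTTP/1.1",
    "GET /about.html HTTP/1.1",  # no tag: must produce no hit
]

# Constructed WHOIS-style records (dates only). The first mirrors the pattern in
# the post: registered in 2004, record modified in December 2015.
SAMPLE_DOMAINS = {
    "old-domain.example": {"created": datetime(2004, 3, 1), "updated": datetime(2015, 12, 10)},
    "new-domain.example": {"created": datetime(2015, 11, 1), "updated": datetime(2015, 12, 10)},
}

# Compile date January 12 as in the post; the year is a constructed value.
COMPILE_TS = datetime(2016, 1, 12)
# Constructed date on which the C&C domain was first observed in use.
FIRST_SEEN = datetime(2016, 1, 20)

# Assumed tag shape: 2-6 upper-case letters immediately followed by 3-4 digits.
TAG_RE = re.compile(r"\b([A-Z]{2,6})(\d{3,4})\b")


def extract_campaign_tags(beacons):
    """Return (prefix, digits) for every beacon line that carries a tag."""
    tags = []
    for line in beacons:
        m = TAG_RE.search(line)
        if m:
            tags.append((m.group(1), m.group(2)))
    return tags


def date_candidates(compile_ts):
    """Short encodings of a date an operator might fold into a tag: MDD and MMDD."""
    return {
        f"{compile_ts.month}{compile_ts.day:02d}",
        f"{compile_ts.month:02d}{compile_ts.day:02d}",
    }


def tag_matches_compile_date(tag_digits, compile_ts):
    """True when the digit part of a tag equals one encoding of the compile date."""
    return tag_digits in date_candidates(compile_ts)


def suspicious_registration(created, updated, first_seen, min_age_years=5, max_gap_days=90):
    """Flag a domain registered years ago whose record changed shortly before C&C use.

    The thresholds are assumptions chosen for this example.
    """
    age_years = (updated - created).days / 365.25
    gap_days = (first_seen - updated).days
    return age_years >= min_age_years and 0 <= gap_days <= max_gap_days


def triage(beacons, compile_ts, domains, first_seen):
    """Run both heuristics and return a small report dict."""
    report = {"tags": [], "domains": {}}
    for prefix, digits in extract_campaign_tags(beacons):
        report["tags"].append({
            "tag": prefix + digits,
            "matches_compile_date": tag_matches_compile_date(digits, compile_ts),
        })
    for name, rec in domains.items():
        report["domains"][name] = suspicious_registration(rec["created"], rec["updated"], first_seen)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_BEACONS, COMPILE_TS, SAMPLE_DOMAINS, FIRST_SEEN))
```

Both checks are enrichment rather than verdicts: a tag whose digits happen to match a compile date, or a domain whose record was updated shortly before first use, is a reason to pivot on the sample and the registrant history, not proof of a campaign on its own. The date encodings in `date_candidates` are deliberately generous (both "112" and "0112" for January 12) because the post gives one observed example, not a format specification.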