EMDIVI, which first appeared in 2014, is notoriously used in targeted attacks against Japanese companies. It lets attackers remotely control infected machines to issue malicious commands and carry out other activities. We looked into this malware and found that it uses “magic numbers” in its routines.
We observed the campaign targeting Japanese government agencies and private companies in the manufacturing, technology, and media industries. Its target companies in the US, one of which falls under the technology industry, are merely offices of Japanese companies, showing that it is still Japanese targets that the attackers are after.
We first reported on the campaign in November 2014, when it used email as an arrival vector. The campaign usually has low infection counts but has recently been gaining ground, owing to a watering hole attack that used a Hacking Team Flash zero-day exploit in July 2015.