Hackers deploy Yokai backdoor to target Thai authorities

December 23, 2024
Tags: Yokai, Backdoor, Thailand, Law Enforcement, Hackers, Malware

A new and unusual strain of malware, dubbed “Yokai,” is currently being used by hackers to target Thailand’s law enforcement agencies.

Researchers have discovered that the malware combines advanced techniques with amateurish coding, a mix that makes it stand out. The hackers behind the campaign have been abusing legitimate Windows utilities to deliver the malware, which appears to have been hastily developed yet shows notable sophistication in certain areas.

The malware is being distributed through phishing emails containing fake documents that appear to be related to official US government business. These documents are disguised as PDF and Word files and carry names that suggest urgent legal matters involving Thailand.

One of the documents, for example, translates to “United States Department of Justice.pdf,” while another mentions international cooperation in criminal matters. The lures in these phishing emails are specifically designed to target individuals connected to the Thai police, with the aim of gaining access to sensitive systems.

Once a victim opens the malicious files, the malware is activated using a clever method. The attackers abuse the Windows tool “esentutl,” which is typically used to manage Extensible Storage Engine (ESE) databases, to hide the malware in alternate data streams (ADS) of seemingly harmless files, such as fake government documents. Because the payload is stored in a stream rather than in the visible file, it bypasses basic file-scanning systems and avoids detection for longer periods.
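The esentutl/ADS delivery described above leaves a recognisable trace in process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688): the ESE utility invoked in its file-copy mode with a source or destination that carries a stream suffix. The following detection rule is an added example written for this article, not code from the researchers or from the campaign; the command lines it scans are constructed samples, and the rule name and flag handling are assumptions of this example.

```python
import ntpath
import re
import shlex

# Matches a Windows path that ends in an NTFS alternate data stream reference
# (file.ext:streamname, optionally followed by :$DATA). A leading drive prefix
# such as "C:\" is allowed and is not treated as the stream separator.
ADS_PATH = re.compile(r'^(?:[A-Za-z]:\\)?[^:]+:[^:\\/]+(?::\$DATA)?$', re.IGNORECASE)


def is_ads_path(arg: str) -> bool:
    """True if a command-line argument references an alternate data stream."""
    return bool(ADS_PATH.match(arg.strip('"')))


def detect_esentutl_ads(cmdline: str):
    """Flag esentutl.exe /y copy operations whose source or destination is an ADS.

    Returns a finding dict, or None when the command line is not of interest.
    Both directions are flagged: writing a payload into a stream and
    extracting one from it.
    """
    try:
        argv = shlex.split(cmdline, posix=False)   # non-posix mode keeps backslashes intact
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return None
    image = ntpath.basename(argv[0].strip('"')).lower()
    if image not in ('esentutl', 'esentutl.exe'):
        return None
    flags = {a[:2].lower() for a in argv[1:] if a.startswith('/')}
    if '/y' not in flags:                       # /y selects esentutl's file-copy mode
        return None
    ads_paths = [a.strip('"') for a in argv[1:] if is_ads_path(a)]
    if not ads_paths:
        return None
    return {'rule': 'esentutl_copy_via_ads', 'ads_paths': ads_paths, 'flags': sorted(flags)}


# Constructed process-creation command lines (not real telemetry from the campaign).
SAMPLE_COMMAND_LINES = [
    # suspicious: the ESE utility copying between a document's stream and a plain file
    r'esentutl.exe /y C:\Users\analyst\Downloads\notice.pdf:hidden /d C:\ProgramData\svc.exe /o',
    # benign: ordinary ESE database copy, no stream reference
    r'"C:\Windows\System32\esentutl.exe" /y C:\db\mail.edb /d C:\backup\mail.edb /o',
    # benign: integrity check rather than a copy
    r'esentutl.exe /g C:\db\mail.edb',
    # unrelated binary touching a stream; outside this rule's scope
    r'cmd.exe /c type C:\temp\readme.txt:zone',
]


def scan(cmdlines):
    """Run the rule over a batch of command lines and return the findings."""
    return [f for f in (detect_esentutl_ads(c) for c in cmdlines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding)
```

Legitimate esentutl use (database copies, integrity checks, recovery) never involves a stream suffix, so the rule keys on the combination of `/y` and an ADS-shaped path rather than on esentutl alone, which keeps it quiet on administrative hosts that run the tool routinely.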


When the Yokai backdoor is activated on a system, it first communicates with its command-and-control (C2) server and sets up an encrypted communication channel.


From there, the malware waits for further instructions, which could include stealing data or downloading additional malicious payloads. One of the more concerning aspects of Yokai is its ability to self-replicate.

When executed with administrator privileges, it creates multiple copies of itself, leading to rapid and excessive use of system resources. The malware does check for a mutex to prevent multiple copies from running simultaneously, but the repeated spawning still produces noticeable performance slowdowns as the system tries to handle the replication process.

Despite its sophisticated command-and-control communications, Yokai also shows signs of rough and underdeveloped coding. Its self-replication behaviour, in particular, is poorly managed and often results in rapid process execution that is easily noticeable by endpoint detection and response (EDR) systems. These repeated executions can cause significant strain on the affected machine, especially if the system is already under heavy load, making it more likely for a user to detect the malware.
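The self-replication behaviour described in the two paragraphs above is the kind of burst an EDR notices: one binary launching itself many times in a short interval, regardless of whether each child immediately exits after losing the mutex race. The sliding-window rule below is an added example written for this article, not code from the researchers; the process-creation events it consumes are constructed, and the window length, threshold and field names are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float           # event time in seconds (constructed epoch offsets)
    image: str          # image path of the newly created process
    parent_image: str   # image path of the parent process


WINDOW_SECONDS = 10.0        # sliding window length (assumed tuning value)
SELF_SPAWN_THRESHOLD = 20    # self-spawned children per window before alerting


def detect_self_spawn_bursts(events, window=WINDOW_SECONDS, threshold=SELF_SPAWN_THRESHOLD):
    """Alert once per image whose self-spawned children reach `threshold`
    inside any `window`-second sliding window.

    Only events where parent and child share an image are counted, which is
    the signature of a binary re-executing itself. Because the rule keys on
    process creation rather than on running processes, children that exit
    straight away (for example after finding the mutex already held) still count.
    """
    recent = defaultdict(deque)   # image -> timestamps of recent self-spawns
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.image.lower()
        if key != ev.parent_image.lower():
            continue
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                'rule': 'self_spawn_burst',
                'image': ev.image,
                'count': len(q),
                'window_start': q[0],
                'window_end': ev.ts,
            }
    return list(alerts.values())


# Constructed telemetry (not real data from the campaign): one binary re-launching
# itself 30 times in three seconds, a browser spawning a few helper processes at a
# normal rate, and an unrelated shell launch from the desktop.
REPLICATOR = r'C:\ProgramData\svc.exe'
BROWSER = r'C:\Program Files\Browser\browser.exe'
SAMPLE_EVENTS = (
    [ProcEvent(1000.0 + i * 0.1, REPLICATOR, REPLICATOR) for i in range(30)]
    + [ProcEvent(1000.0 + i * 0.5, BROWSER, BROWSER) for i in range(6)]
    + [ProcEvent(1001.0, r'C:\Windows\System32\cmd.exe', r'C:\Windows\explorer.exe')]
)


if __name__ == '__main__':
    for alert in detect_self_spawn_bursts(SAMPLE_EVENTS):
        print(alert)
```

Browsers and build tools also spawn children of their own image, which is why the rule counts rate rather than mere presence; if the copies are written under different file names, key the window on the file hash instead of the image path so renamed copies still aggregate.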

This combination of professional and sub-standard traits in Yokai suggests that it is still under active development. The researchers believe the backdoor is continuously evolving, which raises concerns about its future capabilities and potential for further attacks. As such, law enforcement and security teams must remain vigilant and continue to develop methods for detecting and neutralising this emerging threat.
