Tuesday, 14 January 2014

Icefog hackers hit ‘large US oil company' with evolved Java attack

Kaspersky Labs has uncovered a new Java-focused variant of the notorious Icefog malware targeting several high-profile companies and government agencies, including "a very large American independent oil and gas corporation".
In a blog post, Kaspersky Lab experts Costin Raiu, VitalyK and Igor Soumenkov reported uncovering the new variant while monitoring previously shut-down Icefog command-and-control (C&C) servers.
"In September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain – targeting government institutions, military contractors, maritime and shipbuilding groups," read the post.
"Since the publication of our report, the Icefog attackers went completely dark, shutting down all known C&C servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analysing victim connections. During this monitoring, we observed an interesting type of connection, which seemed to indicate a Java version of Icefog."
The researchers confirmed that the malware has the same espionage focus as the original Icefog campaign and, once on a victim's system, installs a module designed to communicate with Icefog C&C servers.
"The module writes a registry value to ensure it is automatically started by Windows. It is worth noting that the module does not copy itself to that location," read the post.
"Next, it enters a loop where it keeps calling its main C&C function, with a delay of 1,000 milliseconds. The main loop contacts [a] well-known Icefog C&C server and interacts with it."
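The behaviour quoted above (a module that starts from a registry value and then beacons to a C&C server every 1,000 milliseconds) is what a defender can look for in outbound proxy or firewall logs: a host that contacts the same destination at a fixed, low-jitter interval. The following is an added example, not code from the Kaspersky post; the log format, IP addresses and hostnames are constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Flag fixed-interval beaconing in outbound connection logs.

Added example for the Javafog description above; not Kaspersky's code.
Assumed (constructed) log format: "<ISO-8601 timestamp> <source ip> <destination host>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: one host beaconing to a C&C domain at ~1 s intervals,
# one host browsing normally, and one flow with too few connections to judge.
SAMPLE_LOG = """\
2014-01-14T10:00:00.000 10.0.0.5 c2.example.invalid
2014-01-14T10:00:00.000 10.0.0.7 news.example.invalid
2014-01-14T10:00:00.300 10.0.0.7 news.example.invalid
2014-01-14T10:00:00.900 10.0.0.7 news.example.invalid
2014-01-14T10:00:01.010 10.0.0.5 c2.example.invalid
2014-01-14T10:00:02.005 10.0.0.5 c2.example.invalid
2014-01-14T10:00:03.020 10.0.0.5 c2.example.invalid
2014-01-14T10:00:04.000 10.0.0.5 c2.example.invalid
2014-01-14T10:00:04.500 10.0.0.5 update.example.invalid
2014-01-14T10:00:05.015 10.0.0.5 c2.example.invalid
2014-01-14T10:00:06.008 10.0.0.5 c2.example.invalid
2014-01-14T10:00:07.012 10.0.0.5 c2.example.invalid
2014-01-14T10:00:07.500 10.0.0.7 news.example.invalid
2014-01-14T10:00:08.003 10.0.0.5 c2.example.invalid
2014-01-14T10:00:08.100 10.0.0.7 news.example.invalid
2014-01-14T10:00:09.018 10.0.0.5 c2.example.invalid
2014-01-14T10:00:35.000 10.0.0.7 news.example.invalid
2014-01-14T10:00:40.000 10.0.0.5 update.example.invalid
2014-01-14T10:01:02.000 10.0.0.7 news.example.invalid
"""


def parse_log(text):
    """Group connection timestamps by (source ip, destination host) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return flows


def find_beacons(text, expected_interval=1.0, tolerance=0.25,
                 max_jitter=0.2, min_hits=6):
    """Return flows whose inter-connection gaps cluster tightly around
    expected_interval seconds.

    tolerance:  how far (relative) the median gap may sit from expected_interval.
    max_jitter: population std-dev of the gaps divided by the median gap;
                a scripted sleep loop is far more regular than a human.
    min_hits:   ignore flows with too few connections to judge regularity.
    """
    hits = []
    for flow, stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = pstdev(gaps) / med
        if (abs(med - expected_interval) <= tolerance * expected_interval
                and jitter <= max_jitter):
            hits.append({"flow": flow, "count": len(stamps),
                         "median_interval": med, "jitter": jitter})
    return sorted(hits, key=lambda h: h["flow"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        src, dst = hit["flow"]
        print(f"{src} -> {dst}: {hit['count']} connections, "
              f"median gap {hit['median_interval']:.3f}s, jitter {hit['jitter']:.3f}")
```

Only the 10.0.0.5 to c2.example.invalid flow is reported; the browsing flow has a median gap of several seconds with large jitter, and the update flow has too few connections. In practice the interval is unknown up front, so the same statistic (median gap and relative jitter) is computed per flow over a longer window and ranked, rather than matched against a single expected value.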
The Kaspersky experts confirmed that evidence suggests a number of major US corporations involved in critical infrastructure may have fallen victim to the new Javafog variant during the sinkhole operation.
"By correlating registration information for the different domains used by the malware samples, we were able to identify 72 different C&C servers, of which we managed to sinkhole 27," read the post.
"During the sinkholing operation, we observed eight IPs for three unique victims of Javafog, all of them in the United States. Based on the IP address, one of the victims was identified as a very large American independent oil and gas corporation, with operations in many other countries."
The Kaspersky researchers said the Javafog malware is far harder to track than the original Icefog attacks.
"The truth is that even at the time of writing, detection for Javafog is extremely poor (three out of 47 on VirusTotal). Java malware is not as popular as Windows Preinstallation Environment (PE) malware, and can be harder to spot," read the post.
Attacks targeting businesses involved in critical infrastructure have been a growing problem facing governments. Security experts have predicted that the threat facing critical infrastructure will grow in 2014.
The warnings were given credence at the end of 2013 when reports broke that the Israeli and Saudi Arabian governments are working to create a new, even more destructive variant of the notorious Stuxnet malware.
