Cyberspies blast Icefog into US targets’ backdoors
Miscreants behind a cyberespionage campaign have changed their methods to take advantage of Java-based malware.
The Icefog APT (advanced persistent threat), discovered in September 2013, continues to be a problem, this time utilising a Java backdoor, according to the latest analysis of the threat by security researchers at Kaspersky Labs.
Analysts at the Russian security firm have observed three unique victims of “Javafog”, all of them in the US. One of the victims is a very large American independent oil and gas corporation, with operations in many other countries.
The threat first arose in 2011 with attacks against supply chain organisations to government institutions, military contractors, maritime and ship-building groups mainly in Japan and South Korea. This run of attacks featured spear phishing and malware targeting Mac and Windows machines as part of a hit-and-run campaign that didn’t rely on siphoning off information from victims over an extended period.
The attackers behind the campaign went dark, shutting down all known command-and-control servers, after their campaign was exposed last September, only to resurface with a new run of attacks using a different Java-based attack vector, detected by Kaspersky analysts over recent weeks.
Java-based malware is less widely used than either Windows or Mac executables, and can be harder to spot, according to Kasperky researchers. This added stealth could explain the switch by attackers to the write-once-run-anywhere programming language.
“We observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different CC,” Kaspersky researchers explain in a blog post on the latest manifestation of the threat. “We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations.”
A detailed rundown of the Icefog use of a Java backdoor against US targets can be found in a blog post, complete with code snippets and samples, by Kaspersky Labs here.
All generations of the threat bear the hallmarks of state-manufactured malware rather than something geared towards conventional cybercrime but Kasperky Labs researchers are not speculating on its possible origins.
Dana Tamir, director of enterprise security at IBM-owned Trusteer, an IBM company, said Java has numerous vulnerabilities that can be exploited to deliver malware and compromise users’ machines.
“Because organisations can’t eliminate Java from their environments, it is not surprising that adversaries and cyber-criminals are using malicious Java code to infiltrate them.”
To prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files. Since organisations struggle to manage and maintain a complete list of all known trusted files, they should at least restrict execution to “files that have been signed by trusted vendors, or downloaded from trusted domains,” she added. ®