On September 2013, Kaspersky Security researchers are uncovered details on an attack campaign targeting several industrial and high tech organizations in South Korea and Japan.
Kaspersky identified the cyber-espionage campaign as "Icefog”, with researchers previously describing the tactics used as “hit and run” attacks against very specific targets with “surgical precision”.
The name "Icefog" was used because of a string used in the command-and-control server name of one of the malware samples they analyzed.
After that cyber mercenaries shut down their operations. While monitoring sinkholed domains and victim connections, experts came across a domain hosted in Hong Kong called lingdona.com.
Kurt Baumgartner, Principal Security Researcher, Kaspersky Lab, told SecurityWeek. “The sharpest drop-off in activity appeared to be in the Dec – January timeframe, where check-ins declined approximately 75 percent.”
While offensive activity may have ended, during their ongoing monitoring, researchers saw what they describe as an "interesting type of connection" indicating the existance of a Java version of Icefog, which researchers are calling “Javafog”.
Kaspersky researchers previously had discovered 6 different variations of the malware targeting Windows PCs, along with a native Mac OS X version of Icefog.
Now, according to the Russian security firm, it has been determined that the Mac-based version infected several hundred victims across the globe. While one US-based energy firm was identified as a victim, itcertainly was not the only target Icefog/Javafog has gone after, and it’s not surprising that attackers continue to target critical infrastructure companies.
According to a report from Symantec released this month, between July 2012 to June 2013, Symantec saw an average of 74 targeted attacks per day across the globe. Of these, nine attacks per day targeted the energy sector.
“The focus on the US targets associated with the only known Javafog CC could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target,” Kaspersky researchers noted on the company’s Securelist blog.
“This brings another dimensions to the Icefog gang’s operations, which appear to be more diverse than initially thought.” Through their efforts, Kaspersky Lab’s experts were able to identify 72 different command-and-control servers, and managed to sinkhole 27 of them. “The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal),” the researchers said.
According to Kaspersky Lab, the domain was originally hosted in Hong Kong, at IP 206.161.216.214 and 103.20.195.140, and appeared suspicious because of the registration data, which were similar to other known Icefog domains.
When Kaspersky’s team sinkholed the domain, researchers witnessed suspicious connections happening almost every 10 seconds, with the User-Agent string indicating the client could be a Java application—something unusual as all other Icefog variants used IE User-Agent strings.
Previous analysis by Kaspersky Lab of the code and the IP addresses used to monitor and control the infrastructure helped researchers make the assumption that some of the players behind the threat operation are based in at least three countries: China, South Korea and Japan, with the largest number stemming from China.
Kaspersky Lab said all victims have been notified about the infections, and that two have removed it already. Additional details on the Icefog/Javafog attacks can found on Kaspersky Lab’s Securelist.
Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter
Kaspersky identified the cyber-espionage campaign as "Icefog”, with researchers previously describing the tactics used as “hit and run” attacks against very specific targets with “surgical precision”.
The name "Icefog" was used because of a string used in the command-and-control server name of one of the malware samples they analyzed.
After that cyber mercenaries shut down their operations. While monitoring sinkholed domains and victim connections, experts came across a domain hosted in Hong Kong called lingdona.com.
Kurt Baumgartner, Principal Security Researcher, Kaspersky Lab, told SecurityWeek. “The sharpest drop-off in activity appeared to be in the Dec – January timeframe, where check-ins declined approximately 75 percent.”
While offensive activity may have ended, during their ongoing monitoring, researchers saw what they describe as an "interesting type of connection" indicating the existance of a Java version of Icefog, which researchers are calling “Javafog”.
Kaspersky researchers previously had discovered 6 different variations of the malware targeting Windows PCs, along with a native Mac OS X version of Icefog.
Now, according to the Russian security firm, it has been determined that the Mac-based version infected several hundred victims across the globe. While one US-based energy firm was identified as a victim, itcertainly was not the only target Icefog/Javafog has gone after, and it’s not surprising that attackers continue to target critical infrastructure companies.
According to a report from Symantec released this month, between July 2012 to June 2013, Symantec saw an average of 74 targeted attacks per day across the globe. Of these, nine attacks per day targeted the energy sector.
“The focus on the US targets associated with the only known Javafog CC could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target,” Kaspersky researchers noted on the company’s Securelist blog.
“This brings another dimensions to the Icefog gang’s operations, which appear to be more diverse than initially thought.” Through their efforts, Kaspersky Lab’s experts were able to identify 72 different command-and-control servers, and managed to sinkhole 27 of them. “The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal),” the researchers said.
According to Kaspersky Lab, the domain was originally hosted in Hong Kong, at IP 206.161.216.214 and 103.20.195.140, and appeared suspicious because of the registration data, which were similar to other known Icefog domains.
When Kaspersky’s team sinkholed the domain, researchers witnessed suspicious connections happening almost every 10 seconds, with the User-Agent string indicating the client could be a Java application—something unusual as all other Icefog variants used IE User-Agent strings.
Previous analysis by Kaspersky Lab of the code and the IP addresses used to monitor and control the infrastructure helped researchers make the assumption that some of the players behind the threat operation are based in at least three countries: China, South Korea and Japan, with the largest number stemming from China.
Kaspersky Lab said all victims have been notified about the infections, and that two have removed it already. Additional details on the Icefog/Javafog attacks can found on Kaspersky Lab’s Securelist.
Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter
No comments:
Post a Comment