Researchers discover a US-specific operation run by the attackers using a Java backdoor allowing longer, yet more covert attacks.
Kaspersky Lab’s security research team today published a new research paper on the discovery of “Icefog”, a small yet energetic APT group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. The operation started in 2011 and has increased in size and scope over the last few years.
Icefog, also known as “Dagger Panda” under Crowdstrike’s naming convention, infected targets mainly in South Korea and Japan. At the time, Kaspersky Lab researchers described the attacks as being of a ‘hit and run’ nature, wherein the attack usually lasts for a few days or weeks and, once the attackers have what they are looking for, they clean up and leave. According to the team, the attack indicated an emerging trend in cybersecurity where smaller hit-and-run gangs go after information with surgical precision.
Since the publication of the report in September 2013, the Icefog attackers were reported to have gone completely dark, shutting down all known command-and-control servers. Yet consistent monitoring of the operation pointed researchers to an interesting connection: a Java version of Icefog, referred to below as “Javafog”, which revealed another generation of backdoors used by the attackers.
Researchers said that while Java malware is definitely not as popular as Windows PE malware, it can be harder to spot. In fact, during the sinkholing operation for the “lingdona[dot]com” domain, researchers observed 8 IPs for three unique victims of Javafog, all based in the United States. One of the victims was identified as a very large American independent oil and gas corporation, with operations in many other countries.
In another case, the team observed an attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog.
“One can only assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations, while previous Icefog operations were described as being very short, of the ‘hit and run’ nature. The focus on the US targets associated with the only known Javafog could indicate a US-specific operation run by the Icefog attackers, that was planned to take longer than usual, to allow, for instance, long term collection of intelligence on the target, indicating another dimension to the Icefog gang’s operations, which appear to be more diverse than initially thought,” said Vitaly Kamlyuk, Chief Malware Expert at Kaspersky Lab.
In their earlier report, researchers stated that based on the list of IPs used to monitor and control the infrastructure, some of the players behind this threat operation could be based in at least three countries: China, South Korea and Japan.
Kaspersky Lab’s products detect and eliminate all variants of Icefog malware.
To read the full report with a detailed description of the backdoors, other malicious tools and stats, together with indicators of compromise, see Securelist. A complete Icefog FAQ is also available.