Feeds

Cyberspies blast Icefog into US targets' backdoors

You dirty RATs

Protecting against web application threats using SSL

Miscreants behind a cyberespionage campaign have changed their methods to take advantage of Java-based malware.

The Icefog APT (advanced persistent threat), discovered in September 2013, continues to be a problem, this time utilising a Java backdoor, according to the latest analysis of the threat by security researchers at Kaspersky Labs.

Analysts at the Russian security firm have observed three unique victims of “Javafog”, all of them in the US. One of the victims is a very large American independent oil and gas corporation, with operations in many other countries.

The threat first arose in 2011 with attacks against supply chain organisations to government institutions, military contractors, maritime and ship-building groups mainly in Japan and South Korea. This run of attacks featured spear phishing and malware targeting Mac and Windows machines as part of a hit-and-run campaign that didn't rely on siphoning off information from victims over an extended period.

The attackers behind the campaign went dark, shutting down all known command-and-control servers, after their campaign was exposed last September, only to resurface with a new run of attacks using a different Java-based attack vector, detected by Kaspersky analysts over recent weeks.

Java-based malware is less widely used than either Windows or Mac executables, and can be harder to spot, according to Kasperky researchers. This added stealth could explain the switch by attackers to the write-once-run-anywhere programming language.

"We observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C," Kaspersky researchers explain in a blog post on the latest manifestation of the threat. "We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations."

A detailed rundown of the Icefog use of a Java backdoor against US targets can be found in a blog post, complete with code snippets and samples, by Kaspersky Labs here.

All generations of the threat bear the hallmarks of state-manufactured malware rather than something geared towards conventional cybercrime but Kasperky Labs researchers are not speculating on its possible origins.

Dana Tamir, director of enterprise security at IBM-owned Trusteer, an IBM company, said Java has numerous vulnerabilities that can be exploited to deliver malware and compromise users' machines.

"Because organisations can't eliminate Java from their environments, it is not surprising that adversaries and cyber-criminals are using malicious Java code to infiltrate them."

To prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files. Since organisations struggle to manage and maintain a complete list of all known trusted files, they should at least restrict execution to "files that have been signed by trusted vendors, or downloaded from trusted domains," she added. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.