Dark Reading is part of the Informa Tech Division of Informa PLC



Java 'Icefog' Malware Variant Infects US Businesses

APT attack campaign uses tough-to-detect Java backdoor to compromise US oil company and two other organizations.


Beware Java-based malware that's been used to exploit at least three US-based organizations.

That warning of a new advanced persistent threat (APT) attack campaign came via Kaspersky Lab, which said that it has traced a malicious Java archive (a.k.a. JAR) file to eight infected systems inside three US-based organizations, which it declined to name. "Based on the IP address, one of the victims was identified as a very large American independent oil and gas corporation, with operations in many other countries," Kaspersky Lab researchers Costin Raiu, Vitaly Kamluk, and Igor Soumenkov said in a joint blog post Tuesday. "As of today, all victims have been notified about the infections. Two of the victims have removed it already."

The attacks have been tied to the Icefog APT attack campaign, which historically has used Windows Preinstallation Environment files to infect targets.

What's unusual about the latest attacks is that the "Javafog" malware used by attackers was, as the name implies, written in Java. Furthermore, it includes only basic functionality, such as the ability to upload files to a designated server, as well as change the command-and-control (C&C) server to which it reports. "The backdoor doesn't do much else," according to Kaspersky Lab. "It allows the attackers to control the infected system and download files from it. Simple, yet very effective."


Why bother with a backdoor written in Java? "Malware written in Java code, like the Javafog Trojan, is extremely difficult to detect and therefore can remain stealthy for longer periods of time," says Dana Tamir in an email. Tamir is director of enterprise security at IBM-owned Trusteer, which sells a number of products that employ Java. As of Tuesday, the malware was being spotted by only three out of 47 antivirus engines on VirusTotal.

Blocking Java-based malware isn't difficult, provided businesses can eradicate older versions of the Java browser plug-in. "To prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files," says Tamir. "Organizations should at least restrict execution to files that have been signed by trusted vendors, or downloaded from trusted domains."
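One way to enforce the allow-listing Tamir describes on the browser plug-in side is a Java Deployment Rule Set (supported from Java 7 Update 40 onward), which lets an administrator permit Java content only from named locations or signers and block everything else. The file below is an added example, not from the article or from Trusteer; the intranet domain and the signer certificate hash are placeholders.

```xml
<!-- Added example: Java Deployment Rule Set (ruleset.xml) that allows only
     trusted Java content to run in the browser plug-in and blocks the rest.
     Rules are evaluated top to bottom; the first matching rule wins.
     intranet.example.com and the certificate hash are placeholders. -->
<ruleset version="1.0+">

  <!-- Allow Java content served from a trusted internal domain over HTTPS. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- Allow JARs signed by one trusted vendor certificate, identified by the
       SHA-256 hash of the signer's certificate (placeholder value here). -->
  <rule>
    <id>
      <certificate algorithm="SHA-256"
                   hash="PLACEHOLDER_SHA256_OF_TRUSTED_SIGNER_CERT" />
    </id>
    <action permission="run" />
  </rule>

  <!-- Default rule: an empty <id/> matches everything not matched above. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked: this Java content is not on the corporate allow list.</message>
    </action>
  </rule>
</ruleset>
```

The rule set only takes effect when packaged as DeploymentRuleSet.jar, signed with a certificate the client machines trust, and installed in the Java system deployment directory; an unsigned rule set is ignored.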

Patching known vulnerabilities is also a must. Indeed, at least one of the Javafog infections resulted from attackers exploiting known vulnerabilities in systems inside targeted organizations. "In one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C," the Kaspersky Lab researchers said. "We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long-term operations."

If so, that would represent a changeup in the tactics being employed by the group behind the normal "smash and grab" Icefog attack campaign, which Kaspersky Lab discovered in September 2013. Kaspersky Lab said it has targeted "government institutions, military contractors, maritime, and ship-building groups." Previously the majority of targets were located in Japan and South Korea.

Whereas most APT campaigns employ "low and slow" attacks to create an undetected, long-term presence inside a targeted network, Icefog attacks differ. Notably, attackers appeared to be grabbing what they wanted and then ceasing their attack. Kaspersky Lab said that modus operandi suggested that the attackers were a "cybermercenary group" intent on stealing only designated bits of information.

If so, who commissioned the Icefog campaign? According to threat intelligence firm CrowdStrike, which refers to the attack campaign as "Dagger Panda," it's being run from China, which suggests that the hackers for hire have the backing of the Chinese government.

Last year, Adam Meyers, CrowdStrike's head of intelligence, said that China's five-year plan to modernize its infrastructure, including adding more deep-sea military capabilities, appeared to tie to a series of cyberattacks against US targets. Those attacks resulted in the theft of information pertaining to satellite technology, torpedoes, naval antennas, radar, and a naval ballistic-missile defense system, amongst other technology, all of which would be useful for improving deep-sea operations.

Icefog-related attacks date to at least 2011. That's when related malware was first discovered, which exfiltrated data from infected systems via email, and which was used to successfully infect systems inside both the Japanese House of Representatives and House of Councillors. Subsequent versions of Icefog added C&C capabilities and script-based proxy servers. A Mac OS X version dubbed "Macfog" also appeared to have been used to successfully infect several hundred Mac systems.

Kaspersky Lab said that although it only recently verified Javafog's existence, the underlying JAR file dates to Nov. 30, 2012, which suggests that it was in use for some time before being discovered, and that it may tie to long-term operations against US targets. "This brings another dimension to the Icefog gang's operations, which appear to be more diverse than initially thought," the Kaspersky Lab researchers said.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments

BryanB881, User Rank: Apprentice
1/16/2014 | 8:32:33 PM
Targeted Attacks are the Strongest Attacks
I think this kind of attack is more common than the public knows. Corporate and nation state sponsored espionage will continue to rise. If a company, particularly a manufacturing/processing company, has valuable trade secrets there are millions to be made by finding those out. Once it's found out a company uses antivirus X and Firewall Y, high level programmers can buy the same set up and test against it until they have the perfect worm.

IT budgets will grow to protect from this. Security is going to be layered. White/black lists. Multi scanning with a variety of AV engines. Sandboxing. Of course employee education has to be there too.