Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Nitro Malware Targeted Chemical Companies

Symantec finds Trojan launched industrial espionage attacks against chemical compound and advanced material manufacturers.

Multiple Fortune 100 companies have recently been targeted by malware as part of a campaign designed to steal proprietary information. In particular, at least 50 different waves of attacks were launched against businesses involved in the research, development, and manufacture of both chemical compounds and advanced materials.

That revelation comes from a study, "The Nitro Attacks: Stealing Secrets from the Chemical Industry," released Monday by Symantec. According to the study's authors, Eric Chien, technical director of Symantec Security Response, and Symantec threat intelligence officer Gavin O'Gorman, the attack campaign against the chemical industry--which led to their codenaming it "Nitro"--ran from July to mid-September 2011.

But they've found evidence that part of the attack infrastructure was put to use before then. Notably, they said that the command-and-control servers communicating with the remote-access tools used in the attacks first appeared in April 2011, and targeted human-rights-related nonprofit groups. The next month, meanwhile, the infrastructure was employed to attack the motor manufacturing industry. Then, after being dormant for part of June and July, the command-and-control servers were reactivated for the recent chemical industry attack campaign, which lasted for about 10 weeks.

[End users aren't the only people who may be compromising your security. Are Your IT Pros Abusing Admin Passwords?]

So far, Symantec has confirmed that 29 chemical companies and 19 organizations in other industries were targeted by the malware. But it warned that the actual number of businesses targeted--or exploited--by the malware may be much higher. "In a recent two-week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet service providers or organizations in 20 countries," said Chien and O'Gorman.

In the case of the chemical industry attacks, the attackers targeted businesses that manufacture chemical compounds or advanced materials used for manufacturing military vehicles, as well as businesses that design and build manufacturing systems for the chemical and advanced material industries. "The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage," they said. In particular, the attackers were hunting for "sensitive documents such as proprietary designs, formulas, and manufacturing processes."

Targeted attacks involving remote access tools aren't new. Earlier this year, for example, McAfee published its findings into a series of attacks it dubbed Shady RAT, for remote access tool. But McAfee's report was criticized by some for being unnecessarily alarmist after outside experts studied the malware and found it to be relatively unsophisticated, and far less dangerous than many other botnets currently at large. In contrast to the McAfee study, Symantec's report paints a picture of malware that's only as sophisticated as it needs to be.

In particular, the Nitro malware was emailed to a select--and apparently prescreened group--of recipients, numbering anywhere from just a handful of employees to almost 500 in any given business. The emails, however, really constituted a phishing attack, sent under the pretext of either a meeting invitation from a known business partner or a necessary security update for either Flash Player or an antivirus product.

The email's attachment--a self-extracting executable included in a zipped file, with the password pasted into the email body--was actually a common Trojan malware known as Poison Ivy. But just because the remote administration tool might be common--and free to download--doesn't mean it isn't dangerous or effective. Indeed, the malware, which security researchers say was developed by a Chinese-language speaker, was used both to exploit RSA's SecurID, as well as in the Operation Aurora attack against Google.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20733
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
CVE-2021-20734
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
CVE-2021-20735
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
CVE-2021-20736
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
CVE-2021-20737
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.