Nitro Malware Targeted Chemical Companies

Symantec finds Trojan launched industrial espionage attacks against chemical compound and advanced material manufacturers.
In the case of the Nitro attacks, Symantec traced the command-and-control servers back to a virtual private server (VPS) located in the United States that was rented for about $32 per month. "However, the system was owned by a 20-something male located in the Hebei region in China," said Chien and O'Gorman. "We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school."

But they were unable to verify whether the person they contacted was actually employed by the school, using an alias, or working for someone else, and said his cover story--using the VPS and its static IP address as a way to access a favorite instant messaging system from within China--would have been technological overkill. "The scenario seems suspicious," they said. "We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform 'hacking for hire.'"

Whoever the Nitro campaign's handler was, there are multiple information security lessons to be gleaned from how the attacks were executed, and thus how they can be stopped. "Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding. If you weren't one of the victims, this is a great lesson on what you should be doing to protect against the next attack," said Chester Wisniewski, a senior security advisor at Sophos Canada, in his analysis of Symantec's report.

Notably, he said, the attack proves--once again--that end users shouldn't have administrative-level access rights to their Windows PCs. "Malware cannot access the Windows cache of passwords, which almost always has admin credentials included, if it does not have administrative rights," he said. "Simply restricting permissions would be enough to stunt the spread of an attack like this. Additionally, the behavior of this malware is quite easy for [host intrusion prevention systems] or behavioral antivirus to detect and block. With the multitude of techniques being used by the bad guys, analyzing the behavior of applications is critical."