Icefog APT returns, at least three victims identified in the U.S.

Although it was initially found to be targeting entities in South Korea and Japan, an advanced persistent threat (APT) known as Icefog recently struck three U.S. targets with a Java backdoor, according to a report by Kaspersky Lab.

One of the companies victimized by the threat – which researchers dubbed Javafog because it may be a Java version of Icefog – was a very large American independent oil and gas corporation, the report said.

“One might wonder what is the purpose of something like the Javafog backdoor,” researchers wrote in the report. “The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal). Java malware is definitively not as popular as Windows PE malware, and can be harder to spot.”

Kaspersky Lab has notified all compromised parties of the infections and, as of Tuesday, two had eliminated the threats.

Icefog is said to have been active since 2011, but after it was reported on extensively by Kaspersky Lab researchers in September 2013, command-and-control servers quickly went down and the campaign went dark.

The APT is a targeted attack campaign focused on hitting supply chains, manufacturing, government organizations and military contractors, Kurt Baumgartner, principal security researcher with Kaspersky Lab, told SCMagazine.com on Wednesday.

“The Icefog incidents we analyzed showed that they effectively gained a foothold in victim organizations with spearphishing techniques,” Baumgartner said. “They drop more backdoors and other tools to the systems, then hunt for data they are seeking and exfiltrate it from there.”

Taking care when opening email attachments, quickly applying patches to vulnerable software, installing anti-malware with whitelisting and behavioral protections, and properly monitoring network traffic for exfiltration indicators are just some of the measures individuals can take to defend against the APT, Baumgartner said.

“The Icefog attackers effectively shut down their operations immediately following the research and report announcement,” Baumgartner said. “Often, crews like this one just pop up later, and other groups are effectively deploying their techniques elsewhere.”

He added, “The APT continues to be a massive, efficient threat against targeted organizations.”
