Icefog APT returns, at least three victims identified in the U.S.


Although it was initially found to be targeting entities in South Korea and Japan, an advanced persistent threat (APT) known as Icefog recently struck three U.S. targets with a Java backdoor, according to a report by Kaspersky Lab.

One of the victims was a very large American independent oil and gas corporation, according to the Kaspersky report. Researchers dubbed the sample Javafog because it appears to be a Java port of the Icefog backdoor.

“One might wonder what is the purpose of something like the Javafog backdoor,” researchers wrote in the report. “The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal). Java malware is definitively not as popular as Windows PE malware, and can be harder to spot.”

Kaspersky Lab has notified all compromised parties of the infections and, as of Tuesday, two had eliminated the threats.

Icefog is said to have been active since 2011, but after it was reported on extensively by Kaspersky Lab researchers in September 2013, command-and-control servers quickly went down and the campaign went dark.

The APT is a targeted attack campaign focused on supply chains, manufacturing, government organizations and military contractors, Kurt Baumgartner, principal security researcher with Kaspersky Lab, told SC Magazine on Wednesday.

“The Icefog incidents we analyzed showed that they effectively gained a foothold in victim organizations with spearphishing techniques,” Baumgartner said. “They drop more backdoors and other tools to the systems, then hunt for data they are seeking and exfiltrate it from there.”

Taking care when opening email attachments, quickly patching vulnerable software, deploying anti-malware with application whitelisting and behavioral protections, and properly monitoring network traffic for exfiltration indicators are some of the measures organizations can take to defend against the APT, Baumgartner said.

“The Icefog attackers effectively shut down their operations immediately following the research and report announcement,” Baumgartner said. “Often, crews like this one just pop up later, and other groups are effectively deploying their techniques elsewhere.”

He added, “The APT continues to be a massive, efficient threat against targeted organizations.”
