Incident Response, Malware, TDR, Vulnerability Management

Icefog APT returns, at least three victims identified in the U.S.

Although it was initially found to be targeting entities in South Korea and Japan, an advanced persistent threat (APT) known as Icefog recently struck three U.S. targets with a Java backdoor, according to a report by Kaspersky Lab.

One of the companies victimized by the threat – which was referred to as Javafog because researchers indicated this may be a Java version of Icefog – was a very large American independent oil and gas corporation, according to a Kaspersky report.

“One might wonder what is the purpose of something like the Javafog backdoor,” researchers wrote in the report. “The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal). Java malware is definitively not as popular as Windows PE malware, and can be harder to spot.”

Kaspersky Lab has notified all compromised parties of the infections and, as of Tuesday, two had eliminated the threats.

Icefog is said to have been active since 2011, but after it was reported on extensively by Kaspersky Lab researchers in September 2013, command-and-control servers quickly went down and the campaign went dark.

The APT is a targeted attack campaign focused on hitting supply chains, manufacturing, government organizations and military contractors, Kurt Baumgartner, principal security researcher with Kaspersky Lab, told SCMagazine.com on Wednesday.

“The Icefog incidents we analyzed showed that they effectively gained a foothold in victim organizations with spearphishing techniques,” Baumgartner said. “They drop more backdoors and other tools to the systems, then hunt for data they are seeking and exfiltrate it from there.”

Taking care when opening email attachments, quickly applying patches to vulnerable software, installing anti-malware with whitelisting and behavioral protections, and properly monitoring network traffic for exfiltration indicators are just some of the measures individuals can take to defend against the APT, Baumgartner said.

“The Icefog attackers effectively shut down their operations immediately following the research and report announcement,” Baumgartner said. “Often, crews like this one just pop up later, and other groups are effectively deploying their techniques elsewhere.”

He added, “The APT continues to be a massive, efficient threat against targeted organizations.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.