
New espionage campaign tied to RSA breach, GhostNet attacks

A cyber espionage campaign, now linked to attacks on the energy and oil sector in various countries and a military organization, was likely launched by the same attackers behind an RSA breach and the GhostNet spy network.

Recent targets in the Mirage campaign – which is named after the remote access trojan Mirage spread through spear phishing emails – include an energy company in Canada, a high-profile oil company in the Philippines and a military organization in Taiwan.

Researchers at Dell SecureWorks Counter Threat Unit discovered Mirage, which is usually embedded in executable files designed to look and behave like PDFs, and began tracking the cyber espionage campaign in April.

Silas Cutler, a security researcher for SecureWorks CTU, said that Mirage wasn't particularly sophisticated, but that it was effective because its spear phishing emails usually reached their intended targets: mid- to senior-level executives.

“It deletes its original copy to have the user hopefully forget about it,” Cutler said of the malware. “It can receive and delete files, but it's a very simple piece of malware.”

Researchers have discovered two main variants of the trojan, one which communicates to command-and-control servers using a standard HTTP request, and another strain which uses HTTP POST requests to send system information of infected machines to its servers.

“It's a continuing campaign against these natural resource companies, and there's definitely an indication that they are becoming bigger targets given the occurrences this year,” Cutler said.

He estimated that up to 120 machines were infected by Mirage, primarily at the organizations in Canada, the Philippines and Taiwan. Researchers are still analyzing whether attacks on entities in Brazil, Egypt, Nigeria and Israel may be related to the Mirage campaign.

SecureWorks also discovered that the command-and-control IP addresses used by the Mirage actors belonged to a specific internet network also used by custom malware involved in the RSA breach revealed in 2011, in which hackers stole information related to the organization's two-factor authentication products. IP addresses in that same network have also been used as command-and-control servers for malware associated with the GhostNet campaign made public in 2009, which also spread through phishing emails. That campaign targeted government computers in more than 100 countries.

Researchers at SecureWorks believe that Mirage attackers are operating out of China, since three IP addresses detected were found to be from a subnet of the Beijing Province Network.

In a SecureWorks report on the Mirage campaign, researchers advised companies to use active intrusion detection tools, as well as domain name system (DNS) monitoring, to detect malicious activity.

“Traditionally, the success of botnets created by threat actor groups has been measured by the quantity of infected systems and the difficulty to defend against [them] in the long term,” the report said. “These targeted attacks show that a successful campaign requires only a small quantity of infected systems to accomplish the attackers' objectives and to yield extremely powerful results.”
