The high-profile ‘Icefog’ Advanced Persistent Threat (APT) campaign that went dark after its unmasking last September carried on attacking three US firms using an obscure piece of Java malware, Kaspersky Lab has discovered.
According to Kaspersky Lab's analysis, Icefog was probably a Chinese-run APT enterprise set up by professional hackers-for-hire that attacked a wide range of strategic (i.e. foreign state and supply chain) organisations in and around Asia going back to 2011.
After inspecting one of the APT's sinkholed domains more closely, the firm's researchers noticed command and control traffic emanating from a previously unknown Java Trojan.
Eight IP addresses making these connections were then traced to three US firms, one of which Kaspersky describes as “a very large American independent Oil and Gas corporation, with operations in many other countries.”
“One might wonder what is the purpose of something like the Javafog backdoor. The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal). Java malware is definitively not as popular as Windows PE malware, and can be harder to spot,” said Kaspersky’s researchers in their analysis.
Java-based malware of this kind is unusual, almost a curiosity, but Kaspersky's conclusion is that it can be harder to spot and is therefore better suited to long-term, highly targeted attacks against organisations that might be difficult to penetrate using more conventional types of malware.
What this small but interesting discovery does indicate is that Icefog might be slightly more significant than first assumed. It is all relative; Hidden Lynx and the infamous Comment Crew/APT1 Chinese gangs remain better known but perhaps Icefog isn’t that far behind them.