'Icefog' APT campaign attacked US firms using mysterious Java backdoor

Suspected Chinese attackers snuck under radar

The high-profile 'Icefog' Advanced Persistent Threat (APT) campaign that went dark after its unmasking last September carried on attacking three US firms using an obscure piece of Java malware, Kaspersky Lab has discovered.

According to Kaspersky Lab's analysis, Icefog was probably a Chinese-run APT enterprise set up by professional hackers-for-hire that attacked a wide range of strategic (i.e. foreign state and supply chain) organisations in and around Asia going back to 2011.

After inspecting one of the APT's sinkholed domains more closely, the firm's researchers noticed command and control traffic emanating from an unknown and apparently mysterious Java Trojan.

Eight IP addresses making these connections were then traced to three US firms, one of which Kaspersky describes as "a very large American independent Oil and Gas corporation, with operations in many other countries."
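The sinkhole triage described above (spotting unexpected command-and-control check-ins at a seized domain, then attributing the source addresses to organisations) can be reproduced on a small scale from the sinkhole's own web-server logs. The script below is an added illustration written for this page, not code from the article or from Kaspersky Lab; the log lines and the address-to-owner table are constructed, and it assumes the implant announces itself with the default `Java/<version>` User-Agent that Java's built-in HTTP client sends, which the article does not state.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed Apache combined-format sinkhole log lines (not real data).
# Documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are used throughout.
SINKHOLE_LOG = """\
203.0.113.10 - - [12/Jan/2014:08:01:02 +0000] "GET /update.php?id=1 HTTP/1.1" 200 12 "-" "Java/1.7.0_25"
203.0.113.11 - - [12/Jan/2014:08:01:40 +0000] "GET /update.php?id=1 HTTP/1.1" 200 12 "-" "Java/1.7.0_25"
198.51.100.7 - - [12/Jan/2014:08:02:11 +0000] "GET /update.php?id=1 HTTP/1.1" 200 12 "-" "Java/1.6.0_45"
192.0.2.55 - - [12/Jan/2014:08:03:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2014:08:11:02 +0000] "GET /update.php?id=1 HTTP/1.1" 200 12 "-" "Java/1.7.0_25"
"""

# Constructed stand-in for a WHOIS/ASN lookup: which organisation owns which prefix.
OWNERS = {
    ip_network("203.0.113.0/24"): "Example Oil & Gas Corp (constructed)",
    ip_network("198.51.100.0/24"): "Example Engineering Inc (constructed)",
}

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the implant uses Java's default HTTP User-Agent, e.g. "Java/1.7.0_25".
JAVA_UA = re.compile(r"^Java/\d")


def parse_log(text):
    """Parse combined-format lines into dicts; silently skip lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def java_beacons(entries):
    """Keep only requests whose User-Agent looks like a Java HTTP client."""
    return [e for e in entries if JAVA_UA.match(e["ua"])]


def owner_of(ip):
    """Map a source address to the organisation that owns its prefix, or 'unknown'."""
    addr = ip_address(ip)
    for net, name in OWNERS.items():
        if addr in net:
            return name
    return "unknown"


def beacon_counts(entries):
    """How many Java check-ins each source address made (repeat hits suggest a beacon)."""
    return Counter(e["ip"] for e in java_beacons(entries))


def victims_by_owner(entries):
    """Group the beaconing source addresses by owning organisation."""
    grouped = defaultdict(set)
    for e in java_beacons(entries):
        grouped[owner_of(e["ip"])].add(e["ip"])
    return {owner: sorted(ips) for owner, ips in grouped.items()}


if __name__ == "__main__":
    entries = parse_log(SINKHOLE_LOG)
    for owner, ips in victims_by_owner(entries).items():
        print(f"{owner}: {', '.join(ips)}")
    for ip, n in beacon_counts(entries).items():
        print(f"{ip} checked in {n} time(s)")
```

In practice the User-Agent filter is only the first cut: a sinkhole operator would also look at request paths and check-in cadence, and the owner table would come from WHOIS or ASN data rather than a hard-coded dictionary, but the grouping step that turns a pile of hits into "eight addresses across three organisations" is the same.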

"One might wonder what is the purpose of something like the Javafog backdoor. The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal). Java malware is definitively not as popular as Windows PE malware, and can be harder to spot," said Kaspersky's researchers in their analysis.

Java-based malware of this kind is unusual, almost a curiosity, but Kaspersky's conclusion is that it can be harder to spot and is therefore better suited to long-term, highly targeted attacks against organisations that might be difficult to penetrate using more conventional types of malware.

What this small but interesting discovery does indicate is that Icefog might be slightly more significant than first assumed. It is all relative; Hidden Lynx and the infamous Comment Crew/APT1 Chinese gangs remain better known but perhaps Icefog isn't that far behind them.

Stories by John E Dunn