IceFog malware still causing trouble with Java backdoor

A malware wolf in Java sheep's clothing

The IceFog APT (advanced persistent threat), discovered in September 2013, is continuing to cause problems: researchers at Kaspersky reveal that the malware now uses a Java backdoor.

Analysts at the Russian security firm have observed three distinct victims of "Javafog", all of them in the US. One of the victims is apparently a very large American oil and gas company with operations around the world.

The first victims of IceFog were supply-chain organisations: suppliers to government institutions, military contractors, and maritime and shipbuilding groups. That series of attacks was a hit-and-run campaign: the attackers grabbed the specific documents they were after and left, rather than staying inside victim networks to siphon off information over the long term.

After the campaign was exposed last September, the attackers shut down their servers and went quiet. They appear to have resurfaced, however, with a new set of attacks using a different, Java-based attack vector, which Kaspersky detected in recent weeks.

Java-based malware is far less common than Windows or Mac executables, and can be harder to spot, according to Kaspersky researchers. That added stealth could explain the attackers' switch to the write-once-run-anywhere language.

A long-term operation

"The attack commenced by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C," Kaspersky researchers explain in a blog post on the latest manifestation of the threat.

"We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations."

Dana Tamir, director of enterprise security at Trusteer, said that to prevent Java exploits and malware-based infiltrations, it is important to restrict execution only to known trusted Java files.

Since organisations struggle to manage and maintain a complete list of all known trusted files, they should at least restrict execution to "files that have been signed by trusted vendors, or downloaded from trusted domains," she added.
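The allowlisting Tamir describes, as an added example that is not code from this article, from Kaspersky or from Trusteer: a small Java 17+ utility that allows a JAR to run only if its SHA-256 is on a hash allowlist, or if every non-signature entry in it is signed by a certificate whose SHA-256 fingerprint is on a trusted-signer list. Unsigned JARs, JARs with a tampered entry, and JARs signed by an unknown certificate are all rejected. The class name TrustedJarCheck and the placeholder hash values are assumptions; replace them with values from your own inventory.

```java
// TrustedJarCheck.java -- added example, not from the article, Kaspersky or Trusteer.
// Policy: allow a JAR only if (a) its SHA-256 is on a hash allowlist, or (b) every
// non-signature entry is signed by a certificate whose SHA-256 fingerprint is on a
// trusted-signer allowlist. Anything else (unsigned, tampered, unknown signer) is blocked.
import java.io.File;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;          // Java 17+
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class TrustedJarCheck {
    // Placeholder allowlists (assumptions): fill these from your own software inventory.
    static final Set<String> TRUSTED_JAR_HASHES = Set.of(
        "0000000000000000000000000000000000000000000000000000000000000000");
    static final Set<String> TRUSTED_SIGNER_FINGERPRINTS = Set.of(
        "1111111111111111111111111111111111111111111111111111111111111111");

    static String sha256Hex(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    // Manifest and signature files (META-INF/MANIFEST.MF, *.SF, *.RSA, *.DSA, *.EC, SIG-*)
    // are never signed themselves and report no signers, so they are skipped; every
    // other entry, including META-INF/services/*, must carry a trusted signature.
    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String base = name.substring("META-INF/".length()).toUpperCase();
        if (base.indexOf('/') != -1) return false;
        return base.equals("MANIFEST.MF") || base.startsWith("SIG-")
            || base.endsWith(".SF") || base.endsWith(".RSA")
            || base.endsWith(".DSA") || base.endsWith(".EC");
    }

    /** Returns true only if the JAR is hash-allowlisted or fully signed by a trusted signer. */
    static boolean isTrusted(File jarPath) throws Exception {
        if (TRUSTED_JAR_HASHES.contains(sha256Hex(Files.readAllBytes(jarPath.toPath())))) {
            return true;
        }
        // verify=true makes JarFile check each entry's digest against the signature files
        // as the entry is read; a tampered entry throws SecurityException.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            boolean sawEntry = false;
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                sawEntry = true;
                // Signers are only populated once the entry has been read to EOF.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return false;   // unsigned entry: reject the whole JAR
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    // Pin the leaf certificate's fingerprint; JarFile does not check
                    // validity, expiry or revocation for us.
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (TRUSTED_SIGNER_FINGERPRINTS.contains(sha256Hex(leaf.getEncoded()))) {
                        trusted = true;
                        break;
                    }
                }
                if (!trusted) return false;
            }
            return sawEntry;                         // an empty JAR earns no trust either
        } catch (SecurityException tampered) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        File jar = new File(args[0]);
        boolean ok = isTrusted(jar);
        System.out.println(jar + (ok ? ": trusted, allow" : ": untrusted, block"));
        System.exit(ok ? 0 : 1);
    }
}
```

Compile with `javac TrustedJarCheck.java` and run `java TrustedJarCheck some.jar`; a wrapper around `java -jar` can consult the exit code before launching. Two caveats a practitioner will want: JarFile's built-in verification only proves that each entry matches its signature, not that the signing certificate is valid, unexpired or unrevoked, which is why the check above pins the leaf certificate's fingerprint rather than merely requiring "signed". And for the "downloaded from trusted domains" half of the advice, the Java browser plug-in's Deployment Rule Set can allow applets and Web Start applications by location or certificate hash, but it governs only what is launched through the plug-in; a backdoor dropped by an Office exploit and started directly with the JVM never passes through it, so a host-level check such as this one, or application control on the JVM launcher itself, is what actually restricts execution.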