
Kaspersky Security: Evolved APT Targets US Operations

By - Source: Tom's IT Pro

A Java version of Icefog, an advanced persistent threat (APT) first written about in September 2013, has surfaced, collecting information on U.S. targets, Kaspersky Lab experts report.

The original Icefog campaign targeted government institutions, military contractors, telecom operators, maritime and ship-building groups, satellite operators and high tech companies, primarily in South Korea and Japan.

The Icefog operation has evolved since 2011, when the campaign used email to send stolen data. Later variants of Icefog interacted with command and control (C&C) servers through various .asp and .aspx scripts. A more recent version, dubbed Icefog-NG, communicates over a direct TCP connection on port 5600. Kaspersky Lab has also identified a Mac OS X version.

The security experts at Kaspersky Lab were able to take over, or "sinkhole," 27 of the 72 known C&C servers. Kaspersky researchers then observed suspicious connections from a domain with known links to Icefog domains.

According to a Kaspersky Lab FAQ, "The 'hit and run' nature of this operation is one of the things that makes it unusual. While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned."

In addition, the researchers found information on another Icefog-related domain, dubbed Javafog, at the JSUNPACK service, a JavaScript unpacker used by security researchers. This led them to a .jar file that exploits a vulnerability in Java. Once a device is infected, the malware tries to contact the C&C server, sends a full system information profile, and responds to commands received from the C&C server.

"The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long-term collection of intelligence on the target," explain Kaspersky Lab experts Costin Raiu, VitalyK and Igor Soumenkov. "This brings another dimension to the Icefog gang's operations, which appear to be more diverse than initially thought." The Kaspersky Lab researchers note that the Javafog detection rate across antivirus products is quite low at this time.

James Sullivan is a freelance technology writer whose concentrations include cloud computing and video game development. He is based in Portland, Oregon.