IceFog cyber-espionage group targets US companies

January 31, 2014

The Dell Sonicwall Threats Research team received a Java exploit sample that is now part of the long running IceFog APT (Advanced Persistent Threat) campaign. This sample communicates with one of the IceFog command & control servers and sends information about the victim system while waiting for commands from the server.

IceFog APT campaign started in year 2011 and was seen actively targeting supply chain organizations to government institutions, defense industry contractors, telecom operators, etc mainly in South Korea and Japan. This cyber-espionage group went inactive after the campaign was exposed in September last year only to resurface with recent attacks against three major U.S. based Oil companies using a new Java based IceFog variant

Infection Cycle
The Trojan adds the following key to the Windows registry to enable start-up after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun JavaUpdate "%TEMP%update.jar" [ copy of itself ]

Majority of the malicious code resides in the function ToolFun within JavaTool class of the jar file

The Malware contacts the server and sends the victim machine's information to the server, information includes the list of running tasks on the victim machine at that point as shown below:

The Malware creates a hash for uniquely identifying every victim based on the hostname. It appends this hash to the POST URL parameter title when sending the information back to the server

The Malware has the capabilities to listen and execute the following commands from the server:

IceFog Campaign has been active since 2011, over the years there have been a number of changes in terms of how the Malware communicates with the server. The current IceFog Java variant is being dubbed as JavaFog in Security Circles. This JavaFog variant is more of a backdoor with certain capabilities to supply victim machine information to the attacker. It remains to be seen if there will be further enhancements to this variant.

As of this writing, the domain has been sink-holed and is being monitored by Kaspersky to further track activity pertaining to this campaign.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Java.IceFog (Exploit)
  • IPS: Java IceFog Infection Activity