IceFog cyber-espionage group targets US companies (Jan 31, 2014)


The Dell Sonicwall Threats Research team received a Java exploit sample that is now part of the long running IceFog APT (Advanced Persistent Threat) campaign. This sample communicates with one of the IceFog command & control servers and sends information about the victim system while waiting for commands from the server.

IceFog APT campaign started in year 2011 and was seen actively targeting supply chain organizations to government institutions, defense industry contractors, telecom operators, etc mainly in South Korea and Japan. This cyber-espionage group went inactive after the campaign was exposed in September last year only to resurface with recent attacks against three major U.S. based Oil companies using a new Java based IceFog variant

Infection Cycle
The Trojan adds the following key to the Windows registry to enable start-up after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun JavaUpdate “%TEMP%update.jar” [ copy of itself ]

Majority of the malicious code resides in the function ToolFun within JavaTool class of the jar file

The Malware contacts the server and sends the victim machine’s information to the server, information includes the list of running tasks on the victim machine at that point as shown below:

The Malware creates a hash for uniquely identifying every victim based on the hostname. It appends this hash to the POST URL parameter title when sending the information back to the server

The Malware has the capabilities to listen and execute the following commands from the server:

IceFog Campaign has been active since 2011, over the years there have been a number of changes in terms of how the Malware communicates with the server. The current IceFog Java variant is being dubbed as JavaFog in Security Circles. This JavaFog variant is more of a backdoor with certain capabilities to supply victim machine information to the attacker. It remains to be seen if there will be further enhancements to this variant.

As of this writing, the domain has been sink-holed and is being monitored by Kaspersky to further track activity pertaining to this campaign.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Java.IceFog (Exploit)
  • IPS: Java IceFog Infection Activity
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.