Kaspersky discovered Icefog Hit US energy companies with Java Backdoor

Pierluigi Paganini January 15, 2014

Kaspersky experts discovered a Java version of the Icefog espionage campaign that targeted at least 3 US oil and gas companies, spreading a backdoor dubbed Javafog.

In September 2013 Kaspersky Lab announced the discovery of the Icefog team, an emerging group of cyber-mercenaries available for hire to conduct surgical hit-and-run operations against strategic targets. The cyber mercenaries are recruited by governments and private companies and, according to Kaspersky experts, the group is composed of highly skilled hackers able to conduct sophisticated attacks.

“What we have here is the emergence of small groups of cyber-mercenaries available to perform targeted attacks,” declared Kaspersky’s research director, Costin Raiu, in an interview with Reuters. “We actually believe they have contracts, and they are interested in fulfilling whatever the contract requirements are.”

The Icefog team is a persistent collector of sensitive information: the Kaspersky team detected a series of APT attacks against the defense supply chain (e.g. military contractors, shipbuilders, satellite operators, high-tech companies) in Japan and South Korea.

The Icefog team attacked victims with its own backdoor set, dubbed “Fucobha”, which included exploits for both Microsoft Windows and Mac OS X.

The “hit and run” nature of the Icefog operations was unusual: unlike most APT campaigns, in which victims remain infected for a long period, the attackers processed victims rapidly, stealing only the information of interest and showing a deep knowledge of the victims and of the information they were after.

The Icefog team went dark just after the revelations of the Kaspersky investigation in September, but the experts at Kaspersky Lab continued their analysis, digging into the domains used in the attack, which the security company had sinkholed, to discover the extent of the infection and locate the victims through the connections that the malicious agents make to the command and control servers.

The new revelations are very interesting: the attackers also used a Java version of the campaign to target three oil and gas companies in the United States. It’s no surprise that the energy sector is under constant cyber attack; in recent months numerous alerts were issued by US authorities, including the DHS. The excellent work of the Kaspersky Lab team has confirmed it. The three companies involved have already been notified and are reported to have adopted the necessary measures to sanitize their systems.

The attack scheme appears consolidated: victims within these companies were likely duped by a spear phishing email that contained an Office exploit.

Figure: Icefog spear phishing email.

Once the victims were lured, the Icefog group launched the Java backdoor, dubbed Javafog, a malicious code that also referenced a new command and control server for backdoor communication.

“In one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C. We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations. (Most Icefog operations being very short – the “hit and run” type).” reported Kaspersky in a blog post on SecureList.

According to experts at Kaspersky, the Javafog backdoor could indicate that the Icefog mercenaries were running a US-specific operation; according to the analysis of the backdoor used, the team was preparing a long-term cyber espionage campaign.

“The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long-term collection of intelligence on the target,” states the Kaspersky report. “This brings another dimension to the Icefog gang’s operations, which appear to be more diverse than initially thought.”

In October, when Kaspersky Lab took over an Icefog domain called lingdona[.]com (which had expired in September 2013), hosted in Hong Kong, it matched other known Icefog domains, and a first analysis revealed that it began receiving connections every 10 seconds from a Javafog, a new turn since the other variants used IE User-Agent strings.

Figure: Icefog Javafog connections.

Security experts were unable to find a malware sample connecting to the above domain, but they were able to find a URL submitted to the public JSUNPACK service, hosted on “sejonng[dot]org” and “starwars123[dot]net”, two known Icefog domains, that referenced a Java applet called policyapplet.jar. The researchers decoded a long hexadecimal string parameter attached to the policyapplet reference and found another Java applet with a main class, JavaTool.class, that was compiled in 2010.

Once installed on a victim, the backdoor latches onto the computer’s registry for persistence at start-up and then begins connecting to the C&C server lingdona[.]com/news, sending system information.

If the attackers consider the infected machine a target of value, they can then send back any number of commands, ordering the backdoor to upload local files (upload_*), migrate to a new command and control server URL (cmd_UpdateDomain), or execute a specified string and upload the results (cmd_*).

The US operation was small, involving eight IPs belonging to the three U.S. oil and gas companies that fell victim to the Icefog attacks and connected to the lingdona domain. The researchers also noted that two of the victims updated Java from Java 1.7 update 25 to update 45.
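As an added, illustrative example (not code from Kaspersky Lab or from this article), the Python script below shows how a defender could hunt in web proxy logs for the behaviour described above: regular ~10 second beacons to the sinkholed lingdona[.]com from a Java User-Agent, any contact with the three domains named in the article, fetches of a .jar applet, and the decoding of a long hexadecimal applet parameter to check whether it carries an embedded JAR. The log format, client addresses, User-Agent strings and the hex blob are all constructed for the example and are not observed indicators.

```python
"""Hunting for Javafog-style beaconing and hex-encoded applets in proxy logs.

Added example; the log layout 'timestamp client method url user-agent' and all
sample values are constructed assumptions, not data from the Kaspersky report.
"""
import re
import statistics
from datetime import datetime

# Domains named in the article (defanged there as [.] / [dot]); refanged for matching.
ICEFOG_DOMAINS = {"lingdona.com", "sejonng.org", "starwars123.net"}
JAR_MAGIC = b"PK\x03\x04"  # ZIP local-file header; a JAR is a ZIP archive

# Constructed proxy log: one host beaconing every 10 s, one applet download, one benign browser.
SAMPLE_LOG = """\
2013-10-02T09:00:00 10.1.4.21 GET http://lingdona.com/news Java/1.7.0_25
2013-10-02T09:00:10 10.1.4.21 GET http://lingdona.com/news Java/1.7.0_25
2013-10-02T09:00:20 10.1.4.21 GET http://lingdona.com/news Java/1.7.0_25
2013-10-02T09:00:30 10.1.4.21 GET http://lingdona.com/news Java/1.7.0_25
2013-10-02T09:00:40 10.1.4.21 GET http://lingdona.com/news Java/1.7.0_25
2013-10-02T08:58:31 10.1.4.22 GET http://starwars123.net/policyapplet.jar Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2013-10-02T09:00:00 10.1.4.23 GET http://example.com/ Mozilla/5.0 (Windows NT 6.1)
2013-10-02T09:00:03 10.1.4.23 GET http://example.com/styles.css Mozilla/5.0 (Windows NT 6.1)
2013-10-02T09:01:15 10.1.4.23 GET http://example.com/news Mozilla/5.0 (Windows NT 6.1)
2013-10-02T09:04:40 10.1.4.23 GET http://example.com/about Mozilla/5.0 (Windows NT 6.1)
"""

# Constructed stand-in for a hex-encoded applet parameter: ZIP magic plus filler, not a real archive.
FAKE_JAR = JAR_MAGIC + b"\x14\x00" + b"\x00" * 26 + b"JavaTool.class"
SAMPLE_HEX_PARAM = FAKE_JAR.hex()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")


def parse_log(text):
    """Parse the assumed log layout into dicts with a parsed timestamp and lower-cased host."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, agent = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "url": url, "host": host, "agent": agent})
    return events


def find_beacons(events, interval=10.0, tolerance=2.0, min_hits=4):
    """Flag (client, host) pairs whose request gaps cluster tightly around `interval` seconds."""
    by_pair = {}
    for e in events:
        by_pair.setdefault((e["client"], e["host"]), []).append(e["ts"])
    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        spread = statistics.pstdev(gaps)  # a machine beacon has near-zero jitter
        if abs(median_gap - interval) <= tolerance and spread <= tolerance:
            hits.append({"client": client, "host": host, "count": len(stamps),
                         "median_gap": median_gap})
    return hits


def known_domain_contacts(events):
    """Any request to a domain listed in the article, regardless of timing or User-Agent."""
    return [e for e in events if e["host"] in ICEFOG_DOMAINS]


def java_agent_contacts(events):
    """Requests made by the Java runtime itself rather than a browser."""
    return [e for e in events if e["agent"].startswith("Java/")]


def applet_fetches(events):
    """Downloads of .jar files, the delivery vehicle seen for policyapplet.jar."""
    return [e for e in events if e["url"].lower().endswith(".jar")]


def decode_applet_param(hex_param):
    """Decode a hexadecimal applet parameter and report whether it starts like a JAR/ZIP."""
    try:
        blob = bytes.fromhex(hex_param)
    except ValueError:
        return {"decoded": False, "is_jar": False, "size": 0}
    return {"decoded": True, "is_jar": blob.startswith(JAR_MAGIC), "size": len(blob)}


def detect(log_text):
    """Run every check over a log and return a summary dict."""
    events = parse_log(log_text)
    return {"beacons": find_beacons(events),
            "known_domains": sorted({e["host"] for e in known_domain_contacts(events)}),
            "java_clients": sorted({e["client"] for e in java_agent_contacts(events)}),
            "jar_urls": [e["url"] for e in applet_fetches(events)]}


if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("applet param:", decode_applet_param(SAMPLE_HEX_PARAM))
```

The beacon check deliberately keys on timing rather than on the domain, so it would still surface a host that has been moved to a new C&C by cmd_UpdateDomain; the domain list is a second, independent signal for the infrastructure already published.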

No doubt we will read about the Icefog team again in the near future.


Pierluigi Paganini

(SecurityAffairs – Icefog APT, cyber espionage)
