AN EVOLVED VARIANT of the infamous Icefog malware, an advanced persistent threat (APT) campaign uncovered last September, has been found by security firm Kaspersky.
Dubbed "Javafog", the malware uses Oracle's Java software and is targeting several high profile companies and government agencies, according to the Russian security firm, including "a very large American independent oil and gas corporation".
The new variant was uncovered by Kaspersky Lab experts Costin Raiu, VitalyK and Igor Soumenkov, who came across the threat while monitoring previously shut down Icefog command and control (C&C) servers.
"In September 2013, we published our extensive analysis of Icefog, an APT campaign that focused on the supply chain - targeting government institutions, military contractors, maritime and shipbuilding groups," the security firm said in a blog post.
"Since the publication of our report, the Icefog attackers went completely dark, shutting down all known C&C servers.
"Nevertheless, we continued to monitor the operation by sinkholing domains and analysing victim connections. During this monitoring, we observed an interesting type of connection, which seemed to indicate a Java version of Icefog."
The malware is just as nasty as its older brother, it seems, retaining the same espionage focus as the original Icefog campaign: once the malware is installed on a victim's system, it is designed to communicate with Icefog C&C servers.
"The module writes a registry value to ensure [that] it is automatically started by Windows. It is worth noting that the module does not copy itself to that location," continued the post.
"Next, it enters a loop where it keeps calling its main C&C function, with a delay of 1,000 milliseconds. The main loop contacts [a] well-known Icefog C&C server and interacts with it."
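The fixed 1,000 millisecond delay between C&C contacts described in the quote above is the kind of rhythm a defender can look for in outbound connection logs. The following detection sketch is an added example, not code from Kaspersky or from the article; it assumes a constructed log format of the form "timestamp source -> destination" and uses constructed sample lines, flagging any source/destination pair whose connections recur at a near-constant interval with little jitter.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines (not taken from the article).
# Format assumed here: "<ISO timestamp> <source IP> -> <destination host>".
# 10.0.0.5 contacts one host roughly once per second (a 1,000 ms loop);
# 10.0.0.7 shows irregular, browsing-like timing.
SAMPLE_LOG = """\
2014-01-14T10:00:00.000 10.0.0.5 -> cc.example.invalid
2014-01-14T10:00:01.010 10.0.0.5 -> cc.example.invalid
2014-01-14T10:00:02.005 10.0.0.5 -> cc.example.invalid
2014-01-14T10:00:03.015 10.0.0.5 -> cc.example.invalid
2014-01-14T10:00:04.000 10.0.0.5 -> cc.example.invalid
2014-01-14T10:00:05.020 10.0.0.5 -> cc.example.invalid
2014-01-14T10:00:00.500 10.0.0.7 -> news.example.invalid
2014-01-14T10:00:09.800 10.0.0.7 -> news.example.invalid
2014-01-14T10:00:31.200 10.0.0.7 -> news.example.invalid
2014-01-14T10:01:02.900 10.0.0.7 -> news.example.invalid
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        flows[(m.group(2), m.group(3))].append(ts)
    return flows


def beacon_stats(timestamps):
    """Return (mean gap, population stddev of gaps, number of gaps), or None if too few."""
    timestamps = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    return mean(gaps), pstdev(gaps), len(gaps)


def find_beacons(text, expected_period=1.0, tolerance=0.1, min_samples=4):
    """Flag (src, dst) pairs whose connection rhythm looks like a fixed-delay loop.

    A pair is flagged when it has at least `min_samples` connections, the average
    gap is within `tolerance` seconds of `expected_period`, and the jitter
    (standard deviation of the gaps) is also within `tolerance`.  Returns a list of
    (src, dst, mean_gap, jitter, connection_count) tuples.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stats = beacon_stats(stamps)
        if stats is None:
            continue
        avg, jitter, gap_count = stats
        if gap_count + 1 < min_samples:
            continue
        if abs(avg - expected_period) <= tolerance and jitter <= tolerance:
            hits.append((src, dst, round(avg, 3), round(jitter, 3), gap_count + 1))
    return hits


if __name__ == "__main__":
    for src, dst, avg, jitter, n in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{avg}s "
              f"(jitter {jitter}s, {n} connections)")
```

The period and tolerance are parameters rather than constants because only this particular variant is reported to use a 1,000 ms delay; the same pair-wise interval statistics can be run with a wider window to catch slower or more jittered check-ins, at the cost of more false positives from legitimate polling clients.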
The Kaspersky security experts said that evidence suggests a number of major US corporations involved in critical infrastructure might have fallen victim to the new Javafog variant during the sinkhole operation. They listed 72 different C&C servers, "of which we managed to sinkhole 27," Kaspersky added.
This was achieved by correlating registration information for the different domains used by the malware samples.
"During the sinkholing operation, we observed eight IPs for three unique victims of Javafog, all of them in the United States. Based on the IP address, one of the victims was identified as a very large American independent oil and gas corporation, with operations in many other countries," Kaspersky said.
The team said that the Javafog malware is far harder to track than the original Icefog attacks.
"The truth is that even at the time of writing, detection for Javafog is extremely poor (three out of 47 on Virustotal). Java malware is not as popular as Windows Preinstallation Environment (PE) malware, and can be harder to spot," read the post.
Security firm Trusteer advised that to prevent Java exploits and malware-based infiltrations, it is important to restrict execution to only known trusted Java files.
"Since organisations struggle to manage and maintain a complete list of all known trusted files, they should at least restrict execution to files that have been signed by trusted vendors, or downloaded from trusted domains," Trusteer warned.