Monday, September 24, 2012

New malware "Mirage" targeting energy firms

Malware targets individuals via "spear-phishing" e-mails bearing tainted PDF files

Researchers have uncovered a new cyberespionage campaign being waged on a large Philippine oil company, a Taiwanese military organization and a Canadian energy firm, as well as targets in Brazil, Israel, Egypt and Nigeria. 

The malware being used is called "Mirage" and it leaves a backdoor on the computer that waits for instructions from the attacker, said Silas Cutler, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU). Victims are carefully targeted with so-called "spear-phishing" e-mails with attachments that are "droppers" designed to look and behave like PDF documents.

However, they are actually standalone executable files that open an embedded decoy PDF and execute the Mirage trojan. The malware disguises its "phone home" communications to resemble Google searches and uses Secure Sockets Layer (SSL) encryption in order to avoid detection, Cutler wrote in a report this week.

Researchers took over domains used in the campaign whose registrations had lapsed and used them to set up a "sinkhole" designed to receive any communications from infected computers. By posing as a command-and-control server, they observed about 80 unique IP addresses that appeared to be infected, representing as many as 120 individual computers.
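The two techniques just described, a beacon shaped like a Google search to a non-Google host, and a sinkhole operator tallying which sources are calling home, can be checked with a small script. The example below is an added illustration, not Dell SecureWorks' code, and it does not reproduce the real Mirage request format, which the article does not show; the log lines, hostnames and IP addresses are constructed for the demonstration. The heuristic is simple: a request whose path and query look like a Google web search but whose host is not a Google domain is worth a second look.

```python
"""Heuristic hunting for beacons disguised as Google searches, plus a
sinkhole-style tally of calling hosts.

Added illustration, not code from the Mirage report.  The proxy log
format ("src_ip method url") and every host, IP and query value are
constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log.  Lines 1-2 are genuine searches; lines 3-5
# have the shape of a Google search but go elsewhere; line 6 is an
# unrelated internal search page.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://www.google.com/search?hl=en&q=oil+exploration
10.0.0.5 GET https://www.google.co.uk/search?q=south+china+sea
10.0.0.7 GET http://update.example-c2.net/search?hl=en&q=aGVsbG8gd29ybGQ
10.0.0.7 GET http://update.example-c2.net/search?q=c29tZSBkYXRh
10.0.0.9 GET https://203.0.113.10/search?hl=en&q=Zm9v
10.0.0.11 GET http://intranet.example.local/wiki/index.php?search=vpn
"""

# Matches google.com, google.co.uk, google.de ... as the registrable
# domain.  "google.com.evil.net" does not match because of the anchor.
GOOGLE_HOST = re.compile(r"(^|\.)google\.(com|[a-z]{2,3}(\.[a-z]{2})?)$")


def is_google_host(host):
    """True when the host's registrable domain is a Google one."""
    return bool(GOOGLE_HOST.search(host.lower()))


def looks_like_google_search(url):
    """True when path and query have the shape of a Google web search."""
    parts = urlsplit(url)
    if parts.path != "/search":
        return False
    return "q" in parse_qs(parts.query)


def parse_line(line):
    """Split one constructed log line into (src_ip, method, url)."""
    src, method, url = line.split(None, 2)
    return src, method, url


def find_suspect_beacons(log_text):
    """Return (src_ip, host, url) for search-shaped requests to non-Google hosts."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _method, url = parse_line(line)
        host = urlsplit(url).hostname or ""
        if looks_like_google_search(url) and not is_google_host(host):
            hits.append((src, host, url))
    return hits


def tally_sources(hits):
    """Sinkhole-style view: how many beacons each source address sent.

    One address may hide several machines behind NAT, which is why the
    article reports 80 addresses but up to 120 computers; addresses alone
    cannot separate them.
    """
    counts = {}
    for src, _host, _url in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, host, url in find_suspect_beacons(SAMPLE_PROXY_LOG):
        print(f"suspect beacon from {src} to {host}: {url}")
    print("unique sources:", tally_sources(find_suspect_beacons(SAMPLE_PROXY_LOG)))
```

Run against a real proxy or sinkhole log, the same two functions apply; the only change is `parse_line`, which must be adapted to the log format in use. Matching on the registrable domain rather than on a substring is the point of the anchored regex: an attacker choosing `google.com.example.net` as a C2 name would otherwise slip through.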

"Deeper analysis of the phone-home requests and correlation with social networking sites allowed CTU researchers to identify a specific individual infected with Mirage. It was an executive-level finance manager of the Philippine-based oil company," the report says.

Researchers couldn't say what data the attackers were aiming for, but it's not difficult to speculate given that countries are vying for oil and gas exploration rights in the South China Sea. It's unclear who is behind the campaign, but whoever sponsored it is "well funded and very active," said Joe Stewart, director of malware research at Dell SecureWorks.

While he declined to speculate who sponsored the campaign, the report said proxy software used on some of the command-and-control servers was created by a member of a Chinese hacker group called the "Honker Union of China." 

"We interrupted their command chain, so we don't know what documents they're looking for," he said. "Typically it's competitive information." The researchers believe that whoever is responsible also played a part in an espionage campaign earlier in the year that targeted Vietnamese oil companies and government ministries, an embassy, a nuclear safety agency and others in various countries.

The command-and-control IP addresses used in the Mirage campaign belong to the China Beijing Province Network, as did three of the IP addresses used in the earlier "Sin Digoo" malware campaign, according to the researchers. This is the latest in a number of reports of international cyberespionage that have cropped up in recent years, with energy, defense and critical infrastructure firms increasingly being targeted.

