Posted on June 9, 2019 at 8:27 AM
Cybersecurity specialists have spotted ICEFOG malware in multiple attacks carried out by Chinese cyber-espionage groups. According to the specialists, the malware, developed by Chinese state-sponsored hackers, has now resurfaced in an updated and even more dangerous form.
The malware was originally used by a Chinese APT also named ICEFOG, whose operations were first revealed and detailed in a Kaspersky report in September 2013.
New versions of ICEFOG were discovered
The first to discover the resurrection of the ICEFOG malware was Chi-en Shen, a senior researcher at FireEye. In a presentation at a cyber-security conference in Poland, Shen revealed that she had discovered a new and upgraded version of the ICEFOG malware that everybody had considered dead.
The malware has been spotted in multiple attacks between 2014 and 2018, in two strains named ICEFOG-P and ICEFOG-M. Both of the recently discovered ICEFOG strains are far superior to the original malware, which was used in hacking campaigns in the early 2010s. So during all the years that specialists believed the malware was dead, Chinese hackers were in fact continuing to develop it and bolster its capabilities.
What surprised Shen even more was that she also discovered a Mac version of the ICEFOG malware that had never been seen before.
Multiple Chinese APTs are now using ICEFOG malware
Shen made one more concerning discovery regarding the ICEFOG malware. The new versions were not used in attacks by hackers who could be associated with the original ICEFOG group. Instead, they have been spotted in a large number of hacking campaigns carried out by many different groups of attackers.
Shen said that after analyzing the operations that took place between 2011 and 2013, she noticed that they were fairly consistent and suggested a single group with exclusive use of the malware. After 2013, however, the new versions of the ICEFOG malware have been seen in use by multiple groups.
From these discoveries, Shen concluded that the new versions of the malware were shared by the original ICEFOG group that used it in the hacking campaigns of 2013. Cybersecurity specialists already know that many Chinese APTs may have a shared supply chain. Shen said it is impossible to determine how the ICEFOG samples were shared, but it is not the first time specialists have seen tools shared among Chinese APTs. As an example, Shen cited the shared document template used with other malware such as SOGU, a tool often shared among hackers.
Shen made some extremely concerning revelations regarding the main targets of the ICEFOG malware, including an unnamed agriculture company in Europe in 2015 and government, media, and finance organizations in Russia and Mongolia in 2015. Other targets were the governments of multiple former Soviet states in 2015, Kazakh officials in 2016, an unknown entity in the Philippines in 2018, and multiple organizations in Turkey and Kazakhstan in 2018 and 2019.
ICEFOG malware was mainly used for cyber-espionage
Shen also said that her observations led her to conclude that most ICEFOG malware samples were used for political espionage and intelligence gathering. Other hacking campaigns targeted the telecommunications, energy, media, transportation, and suspected financial sectors. However, Shen noted that those cases were extremely rare compared with the ones aimed at political espionage.
What is indeed intriguing is why the attacks went undetected and unreported until Shen's discovery. Her theory is that, because of its rare use, ICEFOG malware was not even on its targets' radar.
Shen concluded that she believes ICEFOG malware is here to stay, given the many updates made to it over the past few years that have helped hackers carry out attacks without being detected.