21 Sep 2012

Mirage 'Dropper' Used to Eavesdrop on Energy Firms

Researchers uncovered a cyber-espionage campaign that uses spear-phishing emails carrying "droppers" designed to leave a backdoor on compromised systems. The malware, which poses as PDF attachments, was named "Mirage" by researchers at Dell SecureWorks' Counter Threat Unit (CTU).

Computers belonging to a Philippine oil company, a Taiwanese military organization, a Canadian energy firm, and various organizations in Brazil, Israel, Egypt and Nigeria have been infected. To avoid detection, Mirage disguised its command-and-control traffic as Google searches and communicated with its command-and-control servers over SSL.
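The detail that Mirage's beacons were dressed up as Google searches suggests a simple detection check: a request whose URI is shaped like a Google search but whose destination is not a Google host is worth a second look. The script below is an added example written for this page, not code from Dell SecureWorks or the report; the proxy log format, the sample lines, the `GOOGLE_SUFFIXES` allow-list and the `find_masqueraded_searches` function are all constructed for illustration.

```python
"""Added example (not from the original article or the CTU report): flag
proxy-log requests that look like Google searches but do not terminate at
a Google host. Log format and sample lines are constructed for the demo."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a small allow-list of Google search hosts is enough for the
# demo; a production deployment would maintain a fuller, curated list.
GOOGLE_SUFFIXES = (".google.com", ".google.co.uk", ".google.com.ph")

# Constructed proxy log lines, one per request:
#   <timestamp> <client_ip> <method> <url> <tls_sni>
SAMPLE_LOG = """\
2012-09-20T10:01:02Z 10.0.0.5 GET https://www.google.com/search?hl=en&q=oil+prices www.google.com
2012-09-20T10:03:15Z 10.0.0.7 POST https://203.0.113.10/search?hl=en&q=ZGF0YQ== 203.0.113.10
2012-09-20T10:04:40Z 10.0.0.7 POST https://update-check.example.net/search?q=aGVsbG8= update-check.example.net
2012-09-20T10:05:01Z 10.0.0.9 GET https://www.example.org/index.html www.example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<sni>\S+)$"
)


def is_google_host(host: str) -> bool:
    """True if the host is google.com or a subdomain of a known Google suffix."""
    host = host.lower()
    return host == "google.com" or host.endswith(GOOGLE_SUFFIXES)


def looks_like_google_search(url: str) -> bool:
    """True if the URI has the shape of a Google web search: /search?...q=...."""
    parts = urlsplit(url)
    if not parts.path.startswith("/search"):
        return False
    return "q" in parse_qs(parts.query)


def find_masqueraded_searches(log_text: str) -> list[dict]:
    """Return the log records whose URI mimics a Google search but whose
    destination host is not Google. Each hit carries a 'reason' field."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        rec = m.groupdict()
        host = urlsplit(rec["url"]).hostname or ""
        if not looks_like_google_search(rec["url"]):
            continue
        if is_google_host(host):
            continue  # a genuine search; nothing to flag
        reason = "search-style URI to non-Google host"
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reason += " (bare IP address)"
        if rec["method"].upper() == "POST":
            reason += "; POST to a search endpoint"
        rec["reason"] = reason
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_masqueraded_searches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']}: {hit['reason']}")
```

Run against the constructed log, the two beacons from 10.0.0.7 are flagged (one to a bare IP, one to a lookalike hostname) while the real Google search and the ordinary page fetch pass. The check keys on the shape of the request rather than on any specific indicator, so it does not depend on knowing the campaign's domains in advance; pairing it with the TLS SNI field catches cases where the URL host and the certificate name disagree.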

"Deeper analysis of the phone-home requests and correlation with social networking sites allowed CTU researchers to identify a specific individual infected with Mirage. It was an executive-level finance manager of the Philippine-based oil company," says the report.

By analyzing the proxy connections and IP addresses used by the attackers, researchers identified a Chinese hacker group known as the "Honker Union of China" as the creator of the C&C servers. By seizing those domains and establishing "sinkholes" designed to intercept communications from infected computers, CTU found 120 infected individual computers.

"We interrupted their command chain, so we don't know what documents they're looking for," said Joe Stewart, director of malware research at Dell SecureWorks. "Typically it's competitive information."

Three of the IP addresses found appear to have also been used in a previous malware campaign dubbed "Sin Digoo". Mirage is only the latest attack on infrastructure firms, and researchers believe it is unlikely to be the last.