Back in September 2013, researchers from Kaspersky published a report on Icefog, a cybercriminal campaign that mainly targeted organizations in Japan and South Korea. After further analyzing the operation, experts have found a Java backdoor used to target entities in the United States.
After Kaspersky published its report, the cyber mercenaries shut down their operations. While monitoring sinkholed domains and victim connections, experts came across a domain hosted in Hong Kong called lingdona[dot]com
It was later determined that this particular domain was used by a piece of malware connected to Icefog. The threat in question is actually a Java backdoor that Kaspersky has dubbed Javafog.
Javafog, which is currently detected by only 3 antivirus engines on VirusTotal, has been utilized in attacks against three targets located in the United States, including a major independent oil and gas company with operations in several countries. Two of the organizations have cleaned up their systems after being notified by the security firm.
Kaspersky notes that since Java malware is not as popular as Windows malware, it’s more difficult to spot.
“In one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C,” Kaspersky experts noted in their report.
“We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations.”
The discovery of Javafog has led researchers to believe that the backdoor might have been used for the collection of intelligence for a longer period than usual. This also shows that the malicious actors’ scope is much wider than initially thought.
For additional technical details on Javafog, check out Kaspersky’s report.