Nearly 50 (and quite possibly more) companies in the chemical, defense, and other sectors have been hit with a spear phishing campaign carrying a backdoor Trojan with the ultimate goal of exfiltrating R&D and manufacturing information, revealed Symantec in a newly released report.
The attacks against these companies started in late July 2011 and lasted until the middle of September 2011, but the attackers are thought to be the same ones who targeted human rights related NGOs and companies in the motor industry in May.
The campaign was code-named Nitro by the researchers because of the attackers’ focus on information about chemical compounds and various advanced materials used by the military. All in all, nearly 100 computers – mostly located in the U.S., Bangladesh and the U.K. – have been infected, belonging mostly to U.S. and U.K. companies.
The attacks predictably started with specially crafted emails sent to employees of these companies. In some companies only a few of them were targeted, in others almost 500. When the recipients were many, the email usually purported to be a security update; when the recipients were few, emails took the form of meeting invitations from business partners.
“The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email,” say the researchers. “In both cases, the executable file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker.”
Once the attackers gained access to a target’s computer, they used it to move further into the company network and infect other machines. The backdoor also contacted a C&C server from which it received further instructions. When the attackers finally managed to find the information they were after – sensitive material regarding the company’s operations – it was copied to internal staging servers and ultimately uploaded to remote ones operated by the attackers.
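Both attachment lures described above leave marks a mail gateway can check without opening the payload: a file named like a document that carries a Windows executable header, or an archive whose directory lists an executable even though its contents are password-protected. The following is an added example, not code from Symantec’s report; the extension lists and the constructed sample archive are assumptions for illustration.

```python
import io
import os
import zipfile

# Illustrative, not exhaustive: names borrowed to look harmless, and names Windows runs.
DOC_EXTS = (".txt", ".doc", ".pdf", ".rtf")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")
ZIP_ENCRYPTED = 0x1  # bit 0 of the general-purpose flag in zip headers


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header, whatever the name says."""
    return data[:2] == b"MZ"


def masquerading_executable(name: str, data: bytes) -> bool:
    """Lure 1: PE bytes behind a document-looking name ('report.txt', 'report.txt.exe')."""
    if not looks_like_pe(data):
        return False
    base, ext = os.path.splitext(name.lower())
    return ext in DOC_EXTS or base.endswith(DOC_EXTS)


def archive_with_executable(data: bytes) -> tuple:
    """Lure 2: returns (contains_executable, password_protected). Entry names and
    the encryption flag sit in the central directory, which is never encrypted,
    so no password is needed for this check."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return (False, False)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    has_exe = any(i.filename.lower().endswith(EXEC_EXTS) for i in infos)
    encrypted = any(i.flag_bits & ZIP_ENCRYPTED for i in infos)
    return (has_exe, encrypted)


def suspicious_attachment(name: str, data: bytes) -> bool:
    """Gateway verdict combining both lures."""
    has_exe, encrypted = archive_with_executable(data)
    return masquerading_executable(name, data) or (has_exe and encrypted)


def constructed_zip(entry: str, encrypted: bool) -> bytes:
    """Constructed sample archive. For the encrypted case only the header flag bit
    is set (no real encryption), which is all the listing-based check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry, b"MZ" + b"\x00" * 62)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + off] = ZIP_ENCRYPTED
    return bytes(raw)
```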
The researchers have discovered the IP addresses of several C&C domains which the backdoor was instructed to connect to and, in one case, the IP address to which some of the Trojan samples connected directly.
On that particular address, a computer system with a virtual private server (VPS) located in the United States but owned by a 20-something male from the Chinese region of Hebei was discovered.
The researchers have even managed to contact the guy – whom they dubbed Covert Grove – who claimed to have established the U.S.-based VPS in order to log into a popular Chinese instant messaging system, since it would provide him with a static IP address needed to use a feature of the system.
Even though the explanation sounded suspicious to the researchers, they haven’t managed to prove that the VPS was used by any other user. “We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role,” they say. “Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.”
The researchers have also revealed that the Nitro attackers weren’t the only ones who targeted these companies during this two-and-a-half month period. Other attackers, using booby-trapped PDF and DOC files and the custom-developed Sogu backdoor, have also tried to infiltrate the companies’ systems. The researchers don’t mention whether these attackers have succeeded in their efforts, but have confirmed that they are keeping their eyes on them.
For further details about the attacks and to check out the MD5s of the files used in them, download the report.