Dell’s SecureWorks Counter Threat Unit™ (CTU) research team reports that it has been tracking a cyber-espionage campaign dating back to April 2012. The ongoing campaign has ties to China and has targeted a high-profile oil company in the Philippines, a military organization in Taiwan, an energy company in Canada, and several as-yet-unidentified entities in Brazil, Israel, Egypt and Nigeria. The intrusions are carried out with a remote access trojan known as Mirage (Mirage RAT). Each attack starts with spear-phishing emails aimed at mid-level to senior-level executives, carrying attachments disguised as PDF documents.
“..analysis of the phone-home requests and correlation with social networking sites allowed CTU researchers to identify a specific individual infected with Mirage. It was an executive-level finance manager of the Philippine-based oil company.”
The disguised attachment is a “dropper”: a stand-alone executable that looks and, to the user, behaves like a PDF, but once opened writes a copy of Mirage to the target system and executes it. Infected systems then “phone home” to command-and-control (C2) servers. The transmitted information includes system identifiers such as CPU speed, memory size, system name and username. Beyond the initial trojan, a couple of variants have been found; one notably changes the phone-home payload as follows:
Instead of the word “Mirage” used in earlier variants, later variants use the phrase “Neo, welcome to the desert of the real”, a quote from the movie The Matrix.
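The dropper disguise described above is worth a concrete check at the mail gateway or on the endpoint: does the file's name agree with its bytes? The following is an added example, not code from the CTU report or from Dell SecureWorks. It flags (a) a double extension such as `report.pdf.exe`, where the visible `.pdf` is a decoy and Windows runs the file as an executable, and (b) a file named `.pdf` whose content is actually a Windows PE image (an `MZ` DOS header whose `e_lfanew` field points at a `PE\0\0` signature). The sample "PE" blob is constructed in the script to exercise the check and is not malware; the extension list is an assumption you should extend for your environment.

```python
import struct
from typing import List, Tuple

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
# Assumed set of extensions Windows executes on double-click; extend as needed.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def looks_like_pe(data: bytes) -> bool:
    """True if data carries a Windows PE image: an 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify_attachment(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Compare what the filename claims with what the bytes actually are.
    Returns ("ok", []) or ("suspicious", [reasons])."""
    reasons: List[str] = []
    parts = filename.lower().split(".")
    declared_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_exts = {"." + p for p in parts[1:-1]}  # "report.pdf.exe" -> {".pdf"}

    # Double extension: the visible '.pdf' is a decoy, Windows runs it as .exe/.scr.
    if declared_ext in EXECUTABLE_EXTENSIONS and ".pdf" in inner_exts:
        reasons.append("double extension: executable named to look like a PDF")

    # Name says PDF, bytes say PE: the classic dropper disguise.
    if declared_ext == ".pdf":
        if looks_like_pe(data):
            reasons.append("content is a PE executable, not a PDF")
        elif not data.startswith(PDF_MAGIC):
            reasons.append("content does not start with the %PDF- magic")

    return ("suspicious" if reasons else "ok"), reasons


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped header for the demo: not malware, just
    enough structure (MZ header, e_lfanew, PE signature) to exercise the check."""
    blob = bytearray(0x44)
    blob[:2] = MZ_MAGIC
    struct.pack_into("<I", blob, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    blob[0x40:0x44] = PE_SIGNATURE
    return bytes(blob)


if __name__ == "__main__":
    samples = [
        ("Q3_results.pdf", build_fake_pe()),       # dropper disguised as a PDF
        ("Q3_results.pdf.exe", build_fake_pe()),   # double extension
        ("Q3_results.pdf", b"%PDF-1.4\n"),         # genuine-looking PDF
    ]
    for name, blob in samples:
        verdict, reasons = classify_attachment(name, blob)
        print(f"{name}: {verdict} {reasons}")
```

A passing magic check only says the file is a real PDF, not a safe one; this test catches the renamed-executable trick the report describes and should sit alongside, not in place of, attachment sandboxing.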
Researchers have further identified that certain variants were tailored to their specific victims rather than distributed widely. The command-and-control servers were hidden behind dynamic DNS hostnames and proxied through US-based hosting companies. Corroborating evidence and a trace-back of the subdomain information point to China as the source of the attacks.
The report advises that companies in the targeted industries implement a strong perimeter-security strategy. Additionally:
Using active intrusion detection and prevention systems as well as DNS monitoring for malicious domains is essential to detecting this activity.
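To make that recommendation concrete, here is an added example (not from the report or from Dell SecureWorks) of the kind of logic a proxy-log or IDS rule would run: it looks for the two phone-home payload strings the report names (“Mirage” and “Neo, welcome to the desert of the real”) in request bodies, and for destinations under dynamic-DNS zones, since the C2 servers were hidden behind dynamic DNS. The proxy records and their `key=value` body layout are constructed for the demo and are not the real Mirage wire format; the dynamic-DNS zone list is an assumed watch list to be replaced by your own intelligence feed.

```python
import re
from typing import Dict, List

# Payload markers the CTU report attributes to Mirage phone-home traffic.
PHONE_HOME_MARKERS = [
    re.compile(r"\bMirage\b"),
    re.compile(r"Neo, welcome to the desert of the real", re.IGNORECASE),
]

# Assumed watch list of dynamic-DNS parent zones; replace with your own intel feed.
DYNAMIC_DNS_ZONES = ("no-ip.org", "dyndns.org", "hopto.org", "zapto.org")


def host_in_zones(host: str, zones) -> bool:
    """True if host is one of the zones or a subdomain of one (match on a label boundary,
    so 'fakeno-ip.org' does not match 'no-ip.org')."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def inspect_record(rec: Dict[str, str]) -> Dict[str, object]:
    """Return an alert dict for one proxy record, or an empty dict if nothing matched."""
    indicators: List[str] = []
    for pat in PHONE_HOME_MARKERS:
        m = pat.search(rec.get("body", ""))
        if m:
            indicators.append(f"phone-home marker {m.group(0)!r} in request body")
    if host_in_zones(rec.get("host", ""), DYNAMIC_DNS_ZONES):
        indicators.append(f"destination {rec['host']} is under a dynamic-DNS zone")
    if not indicators:
        return {}
    # Marker plus dynamic DNS is the campaign's signature; either one alone is worth a look.
    severity = "high" if len(indicators) >= 2 else "medium"
    return {"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
            "severity": severity, "indicators": indicators}


def detect(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run inspect_record over a batch of proxy records and keep the hits, in order."""
    return [a for a in (inspect_record(r) for r in records) if a]


# Constructed proxy records for the demo; the key=value body layout is an
# assumption, not the real Mirage wire format.
SAMPLE_RECORDS = [
    {"ts": "2012-09-18T08:01:02Z", "src": "10.20.3.44", "method": "POST",
     "host": "fin-update.no-ip.org",
     "body": "Mirage|CPU=2400MHz|MEM=4096MB|HOST=FIN-LAPTOP-07|USER=jdoe"},
    {"ts": "2012-09-18T08:05:40Z", "src": "10.20.3.51", "method": "POST",
     "host": "sync.hopto.org",
     "body": "Neo, welcome to the desert of the real|CPU=2800MHz|MEM=8192MB|HOST=OPS-WS-12|USER=mlee"},
    {"ts": "2012-09-18T08:06:11Z", "src": "10.20.3.60", "method": "GET",
     "host": "www.example.com", "body": ""},
    {"ts": "2012-09-18T08:09:27Z", "src": "10.20.3.60", "method": "POST",
     "host": "www.example.com", "body": "comment=I saw a mirage in the desert"},
    {"ts": "2012-09-18T08:12:55Z", "src": "10.20.3.70", "method": "POST",
     "host": "cdn.example.net",
     "body": "Mirage|CPU=2200MHz|MEM=2048MB|HOST=HR-PC-03|USER=asmith"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert["severity"].upper(), alert["ts"], alert["src"], "->", alert["host"])
        for ind in alert["indicators"]:
            print("   ", ind)
```

On the constructed records this yields two high-severity alerts (marker plus dynamic-DNS destination) and one medium alert (marker only, to a non-dynamic host), while the lowercase “mirage” in an ordinary web comment is ignored because the first pattern is a case-sensitive whole-word match. The zone list is the part that needs ongoing care: dynamic-DNS providers come and go, and legitimate users of those services will generate medium-severity noise that the payload markers help separate from the real thing.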
This particular malware is just one component of an ongoing cyber-espionage and cyber-warfare climate. The exfiltration of identifying system information, combined with the command-and-control infrastructure behind it, makes it a serious threat to the targeted industries, and it bears repeating that the malware was aimed at specific systems rather than sprayed broadly. In recent history we have seen critical, sensitive and valuable information stolen from these industries; such compromises are costly to national security, to finances and even to personal information. Following the advice put out by the Dell security team is critical, as is training employees and taking all other necessary security measures, particularly in high-value target industries.