Researchers have found a Java variant of the Icefog backdoor being used to target entities in the United States.
Icefog, uncovered by Kaspersky Lab this past September, was a cybercriminal campaign that mainly targeted organizations in Japan and South Korea.
After Kaspersky published its report, the attackers shut down their operations. While monitoring sinkholed domains and victim connections, experts came across a domain hosted in Hong Kong called lingdona[dot]com.
It was later determined that this domain was being used by a piece of malware connected to Icefog. The threat in question is a Java backdoor that Kaspersky is calling Javafog.
Javafog, which only three antivirus engines on VirusTotal detect, has been used in attacks against three targets located in the United States, including a major independent oil and gas company with operations in several countries. Two of the organizations cleaned up their systems after being notified by the security firm.
Kaspersky said that because Java malware is far less common than Windows malware, it is harder to spot.
“In one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C,” Kaspersky researchers said.
The discovery of Javafog has led researchers to believe the attackers could have used the backdoor to collect intelligence for longer than usual. It also shows that the attackers’ scope is much wider than initially thought.