Researchers have uncovered a new cyberespionage campaign targeting a large Philippine oil company, a Taiwanese military organization and a Canadian energy firm, as well as organizations in Brazil, Israel, Egypt and Nigeria.
The malware, dubbed "Mirage," installs a backdoor on the compromised computer that waits for instructions from the attacker, said Silas Cutler, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU).
Victims are carefully targeted with so-called "spear-phishing" e-mails whose attachments are "droppers" designed to look and behave like PDF documents. They are in fact standalone executable files that open an embedded decoy PDF for the victim while installing the Mirage trojan. To avoid detection, the malware disguises its "phone home" communications to resemble Google searches and carries them over Secure Sockets Layer (SSL) encryption, Cutler wrote in a report this week.
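The dropper described above works because mail clients and users judge an attachment by its name and icon rather than its bytes. The triage helper below is an added example (not code from the SecureWorks report or from Mirage): it classifies an attachment from its content, flags a Windows executable that carries an embedded PDF decoy, and catches misleading double extensions such as `report.pdf.exe`. The sample attachments, the `_build_fake_pe` helper and the `classify_attachment` function are constructed for this illustration; the fake PE is header-shaped only and is not a runnable program.

```python
"""Triage "PDF" attachments by content rather than by name (added example)."""
import struct

PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
EXE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def _has_pe_header(data: bytes) -> bool:
    """True if the DOS header's e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40:
        return False
    nt_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[nt_offset:nt_offset + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict with the type implied by the name, the type found in
    the bytes, whether a PE carries an embedded PDF, and the reasons it was flagged."""
    reasons = []
    name = filename.lower()

    # Type the recipient is led to expect from the file name.
    declared = "pdf" if ".pdf" in name else "other"
    if declared == "pdf" and name.endswith(EXE_EXTS):
        reasons.append("double extension: shows '.pdf' but ends in an executable extension")

    # Type actually present in the bytes.
    actual = "unknown"
    if data.startswith(PDF_MAGIC):
        actual = "pdf"
    elif data.startswith(PE_MAGIC) and _has_pe_header(data):
        actual = "pe"

    # A PE that contains a PDF header past its DOS header is the decoy pattern:
    # the executable opens the document to look harmless while it installs the payload.
    embedded_pdf = actual == "pe" and data.find(PDF_MAGIC, 0x40) != -1
    if embedded_pdf:
        reasons.append("PE executable carrying an embedded PDF (decoy document pattern)")
    if declared == "pdf" and actual == "pe":
        reasons.append("name claims PDF but content is a Windows executable")

    return {
        "filename": filename,
        "declared": declared,
        "actual": actual,
        "embedded_pdf": embedded_pdf,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def _build_fake_pe(payload: bytes) -> bytes:
    """Constructed, header-only PE shape for the demo: MZ header, e_lfanew -> 0x80, 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew points at offset 0x80
    hdr += b"\x00" * (0x80 - len(hdr))               # DOS stub filler
    hdr += b"PE\x00\x00"                             # NT header signature
    return bytes(hdr) + payload


# Constructed sample attachments (not real samples).
SAMPLES = {
    "Quarterly_Report.pdf": b"%PDF-1.4\n% a genuine document\n%%EOF\n",
    "Quarterly_Report.pdf.exe": _build_fake_pe(b"\x00" * 16 + b"%PDF-1.4\n% decoy shown to the victim\n"),
    "invoice.pdf": _build_fake_pe(b"\x00" * 32),   # executable bytes behind a .pdf name
    "notes.exe": _build_fake_pe(b"\x00" * 32),     # honest executable, nothing to flag
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Classify every sample and return verdicts keyed by file name."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for verdict in triage_all().values():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{verdict['filename']:28} {verdict['actual']:8} {flag:10} {'; '.join(verdict['reasons'])}")
```

In a mail gateway the same check would run on the decoded attachment body; the magic-byte test is cheap and does not depend on the icon, extension or MIME type the sender chose, all of which the attacker controls.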
Researchers took over domains used in the campaign whose registrations had expired or lapsed and pointed them at a "sinkhole" server that receives and logs any communications from infected computers. By impersonating the command-and-control server, they observed about 80 unique IP addresses that appeared to be infected, representing as many as 120 individual computers, since several machines can share one public address.