
ICEFOG

Posted: June 11, 2019

ICEFOG is a family of backdoor Trojans that can upload collected files from your computer, download other threats, and give hackers control over your system. There are multiple significant variants of this threat, the latest of which uses a non-file-based persistence method. Users can monitor their network security for signs of a breach and use anti-malware services to find and remove ICEFOG as needed.

The Fog Dispersed – but Came Back Later

Much like seasonal weather can create recurring spates of rain and thunder interspersed with sunny days, Trojans will sometimes come to a dead halt before reviving themselves after weeks, months or years. ICEFOG is an extreme example of such a pattern, and its apparent resurrection may be due to shared resources among different hacking groups. ICEFOG attacks go back to 2011 in their earliest stages, but malware experts are re-verifying its active presence in today's world.

ICEFOG is used solely by China-based threat actors, and its 2011 releases, such as ICEFOG Type 1 and Type 2, implied a single organization behind its concentrated attacks. They appeared concerned about publicity, since they stopped all use of ICEFOG after the cyber-security industry published an initial analysis of the backdoor Trojan. However, its recurrences in 2014 and 2018 point to its being a tool of new criminals with more flexible motives, encompassing political espionage and IP theft.

All variants of ICEFOG Trojans that malware experts survey have some points in common, such as the main capabilities of the payload. These attacks include:

  • Downloading and uploading files.
  • Performing other file operations, such as deletion or renaming.
  • Closing program processes automatically.
  • Operating screen-grabbing and keylogging features for collecting information.
  • Monitoring specified directories.

While ICEFOG accepts only a small number of commands, they're invasive enough that a remote attacker gains extensive control over the computer and can drop other threats as they require.

Some Warmer Weather for Your Hard Drive

A 2018 version of ICEFOG warrants more attention than older builds of the Trojan because of an overhaul of its structure. This version, ICEFOG M, no longer writes its payload to disk as files; instead, it stores the payload in the Windows Registry, which takes the place of its 'host' file. It also uses a more secure C&C protocol, HTTPS over port 443. These facts show that whoever is still using ICEFOG has taken some care to avoid analysis and detection by AV programs.
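The two traits described above, a payload that lives in the Registry rather than on disk and encrypted C&C traffic on port 443, are what a defender can look for on a host. The following PowerShell script is an added example written for this page, not code from the article or from any ICEFOG analysis: it sweeps a generic set of autorun Registry locations for values that look like Registry-resident loaders (binary-typed, oversized, or referencing known script-loader patterns) and lists processes holding established connections to remote port 443 that are not on a small allowlist. The key list, size threshold, loader patterns and process allowlist are all assumptions of the example, since the page does not name the locations ICEFOG M uses; tune them for your environment.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell prompt on the host being examined. Read-only: it reports, it
# does not remove anything.

# Generic autorun locations (assumption: the article does not say which keys
# ICEFOG M uses, so this is a common set worth checking on any Windows host).
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A legitimate autorun value is normally a short command line; anything larger
# than this many bytes deserves a look. The threshold is a tunable assumption.
$SizeThreshold = 2048

# Command-line fragments typical of loaders that pull code out of the Registry
# instead of running a program from disk.
$LoaderPatterns = @(
    'powershell(\.exe)?\s.*-(enc|encodedcommand)',
    'Get-ItemProperty.*HK(LM|CU)',
    'FromBase64String',
    'mshta(\.exe)?\s',
    'regsvr32(\.exe)?\s.*/i:',
    'rundll32(\.exe)?\s.*javascript:'
)

function Get-SuspiciousAutorunEntries {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $value = $item.GetValue($name)
            $kind  = $item.GetValueKind($name)
            if ($value -is [byte[]]) {
                $text = [System.Text.Encoding]::ASCII.GetString($value)
                $size = $value.Length
            } else {
                $text = [string]$value
                $size = [System.Text.Encoding]::Unicode.GetByteCount($text)
            }
            $reasons = @()
            if ($kind -eq 'Binary')       { $reasons += 'binary-typed autorun value' }
            if ($size -gt $SizeThreshold) { $reasons += "oversized value ($size bytes)" }
            foreach ($pattern in $LoaderPatterns) {
                if ($text -match $pattern) { $reasons += "loader pattern '$pattern'"; break }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Kind    = $kind
                    Size    = $size
                    Reasons = ($reasons -join '; ')
                    Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
    }
}

# Because the C&C channel is HTTPS, the content cannot be inspected on the host;
# the process that owns the connection is the useful signal instead.
# The allowlist is an assumption; extend it with the software you actually run.
$Allowed443Processes = @('chrome', 'msedge', 'firefox', 'svchost', 'MsMpEng', 'OneDrive', 'Teams', 'OUTLOOK')

function Get-UnexpectedHttpsConnections {
    Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and ($Allowed443Processes -notcontains $proc.ProcessName)) {
                [pscustomobject]@{
                    Pid     = $_.OwningProcess
                    Process = $proc.ProcessName
                    Path    = $proc.Path
                    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                }
            }
        }
}

Write-Host '== Autorun Registry values worth reviewing =='
Get-SuspiciousAutorunEntries | Format-Table -AutoSize -Wrap
Write-Host '== Non-allowlisted processes talking to remote port 443 =='
Get-UnexpectedHttpsConnections | Format-Table -AutoSize
```

Neither list is proof of infection on its own: an oversized autorun value may be a legitimate installer artifact, and a non-browser process on port 443 may be an updater. The point is to surface the small number of entries a responder should read by hand rather than the hundreds a host normally carries.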

Most builds of ICEFOG that malware experts see, including the 2018 campaigns, target 32-bit and 64-bit Windows environments. There is, however, a port of ICEFOG to Mac OSes with all of its payload's functionality intact. Victims of its various campaigns are mostly business-sector entities, such as Russian news media, European agricultural companies, and multiple Turkish and Kazakh organizations.

Users should disable RDP, use secure password practices, and scan e-mail attachments and links before interacting with them. Most anti-malware programs should delete ICEFOG in all of its versions before it installs, which is much less troublesome than completely disinfecting and re-securing a network.
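The first two recommendations above can be checked rather than taken on trust. The script below is an added example for this page, not code from the article: it reports whether RDP is enabled, whether Network Level Authentication is required, whether anything is listening on TCP 3389, and what the local account-lockout and password-length policy currently is. The Registry paths are the standard Terminal Server locations; the lockout values that the script treats as acceptable are assumptions and should follow your own policy.

```powershell
# Added example, not part of the original article. Read-only audit; it prints
# findings and changes nothing. Run from an elevated PowerShell prompt.

function Get-RdpPosture {
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $listen = @(Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RdpConnectionsDenied = ($ts.fDenyTSConnections -eq 1)      # 1 means RDP is disabled
        NlaRequired          = ($nla.UserAuthentication -eq 1)     # 1 means NLA is enforced
        TermServiceStatus    = if ($svc) { [string]$svc.Status } else { 'absent' }
        EnabledFirewallRules = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        ListeningOn3389      = ($listen.Count -gt 0)
    }
}

function Get-LocalAccountPolicy {
    # 'net accounts' prints the effective local policy as "Label:   value" lines.
    $lines = net accounts 2>$null
    $read = {
        param($label)
        $line = $lines | Where-Object { $_ -like "$label*" } | Select-Object -First 1
        if ($line) { ($line -replace '^[^:]*:\s*', '').Trim() } else { 'unknown' }
    }
    [pscustomobject]@{
        LockoutThreshold      = & $read 'Lockout threshold'
        LockoutDurationMin    = & $read 'Lockout duration (minutes)'
        MinimumPasswordLength = & $read 'Minimum password length'
    }
}

$rdp = Get-RdpPosture
$rdp | Format-List

if (-not $rdp.RdpConnectionsDenied -or $rdp.ListeningOn3389) {
    Write-Warning 'RDP is reachable on this host. If it is not needed, disable it (System Properties > Remote, or the fDenyTSConnections policy) and block TCP 3389 at the firewall.'
    if (-not $rdp.NlaRequired) {
        Write-Warning 'RDP is enabled without Network Level Authentication; unauthenticated clients can reach the logon screen.'
    }
}

$policy = Get-LocalAccountPolicy
$policy | Format-List

# Thresholds below are assumptions for the example; substitute your own policy.
if ($policy.LockoutThreshold -eq 'Never') {
    Write-Warning 'No account-lockout threshold is set; password guessing against local accounts is unthrottled.'
}
if ([int]($policy.MinimumPasswordLength -replace '\D', '0') -lt 12) {
    Write-Warning "Minimum password length is $($policy.MinimumPasswordLength); 12 or more is a common baseline."
}
```

On a domain-joined machine the effective policy comes from Group Policy, so compare the `net accounts` output with the GPO rather than the local setting alone; the RDP checks are per-host and apply either way.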

Innovation in hacking knows no bounds, and malware researchers don't often see old Trojans with as substantial an overhaul as ICEFOG. This backdoor Trojan is proving that even old software can learn new tricks, which is unhappy news for anyone outside of China.
