The Nitro gang strikes again

In October 2011, Symantec documented a particular targeted attack campaign called the The Nitro Attacks. In that instance, the attackers were primarily targeting chemical companies. Despite Symantec’s security team’s work in uncovering and publishing the details behind the attacks, the Nitro gang continued undeterred.

The mysterious gang even used Symantec’s own report in their social engineering campaign.

Well it looks like the attackers have escalated their efforts with a new Java zero-day vulnerability, Symantec confirmed.

Symantec also told the media that the attackers behind this round of attacks are actually the Nitro gang.

The traditional modus operandi of the Nitro attackers is to send an email to victims. That email contains an attachment, which is a password-protected self-extracting zip file. The email claims to be an update for some piece of commonly installed software. The targeted user extracts it, runs it, and is infected with a copy of Backdoor.Darkmoon (also known as Poison Ivy).

In these latest attacks, the attackers have developed a somewhat more sophisticated technique, Symantec said. They are using a Java zero-day, hosted as a .jar file on Web sites, to infect victims. As in the previous documented attacks, the attackers are using Backdoor.Darkmoon, re-using command-and-control infrastructure, and even re-using file names such as “Flash_update.exe”. It is likely that the attackers are sending targeted users emails containing a link to the malicious jar file. The Nitro attackers appear to be continuing with their previous campaign.

The attackers have been using this zero-day for several days since August 22. Symantec has located two compromised Web sites serving up the malware:

ok.XXXX.net/meeting/applet.jar62.152.104.XXX/public/meeting/applet.jar.

One sample of malware downloaded by the exploit has been identified as 4a55bf1448262bf71707eef7fc168f7d – “hi.exe” or “Flash_update.exe”.

This particular sample connects to hello.icon.pk, which resolves to 223.25.233.244. That same IP was used by the Nitro attackers back in 2011.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

CDN Staff
CDN Staffhttps://channeldailynews.com
For over 25 years, CDN has been the voice of the IT channel community in Canada. Today through our digital magazine, e-mail newsletter, video reports, events and social media platforms, we provide channel partners with the information they need to grow their business.

Related Tech News

Featured Tech Jobs

 

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.