Cyberspying effort drops 'Mirage' on energy firms

Malware targets individuals at organizations in Philippines, Taiwan, Canada and elsewhere via "spear-phishing" e-mails bearing tainted PDF files.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Researchers have uncovered a new cyberespionage campaign being waged on a large Philippine oil company, a Taiwanese military organization and a Canadian energy firm, as well as targets in Brazil, Israel, Egypt and Nigeria.

The malware being used is called "Mirage" and it leaves a backdoor on the computer that waits for instructions from the attacker, said Silas Cutler, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU).

Victims are carefully targeted with so-called "spear-phishing" e-mails with attachments that are "droppers" designed to look and behave like PDF documents. However, they are actually standalone executable files that open an embedded PDF file and execute the Mirage trojan. The malware disguises its "phone home" communications to resemble Google searches by using Secure Socket Layers (SSL) in order to avoid detection, Cutler wrote in a report this week.

Researchers were able to take over domains being used in the campaign that were no longer registered or had expired and they used them to set up a "sinkhole" designed to receive any communications from infected computers. By pretending to be a command-and-control server they learned that there were about 80 unique IP addresses that appeared to be infected, involving as many as 120 individual computers.

"Deeper analysis of the phone-home requests and correlation with social networking sites allowed CTU researchers to identify a specific individual infected with Mirage. It was an executive-level finance manager of the Phillipine-based oil company," the report says.

Researchers couldn't say what data the attackers were aiming for, but it's not difficult to speculate given that countries are vying for oil and gas exploration rights in the South China Sea.

It's unclear who is behind the campaign, but whoever sponsored it is "well funded and very active," said Joe Stewart, director of malware research at Dell SecureWorks. While he declined to speculate who sponsored the campaign, the report said proxy software used on some of the command-and-control servers was created by a member of a Chinese hacker group called the "Honker Union of China."

"We interrupted their command chain, so we don't know what documents they're looking for," he said. "Typically it's competitive information."

The researchers believe that whoever is responsible also played a part an espionage campaign earlier in the year that targeted Vietnamese oil companies and government ministries, an embassy, a nuclear safety agency and others in various countries.

The command-and-control IP addresses used in the Mirage campaign belong to the China Beijing Province Network, as did three of the IP addresses used in the earlier "Sin Digoo" malware campaign, according to the researchers.

This is the latest in a number of reports of international cyberespionage that have cropped up in recent years, with energy, defense and critical infrastructure firms increasingly being targeted.