Delaware, USA – June 10, 2019 – ICEFOG APT disappeared from the radar of researchers in 2013 after Kaspersky Lab experts revealed the activities of the group, but their custom malware is still used by multiple Chinese APT groups in highly targeted cyber espionage campaigns. At the CONFidence cybersecurity conference, Chi-en Shen, FireEye’s senior researcher, presented her analysis of new ICEFOG malware samples. She spotted at least 9 campaigns in which modified malware was used, starting from 2014 to the present days. With varying degrees of confidence, these campaigns were attributed to several Chinese hacking groups targeted government organizations in Asia and the Middle East. Until 2018, attackers used the ICEFOG-P variant, which was not particularly sophisticated and did not fall under the spotlight of researchers only because of the careful selection of targets during the attacks. At the same time, APT groups continued to improve and add features to each new version of the malware, turning it into a full-featured tool for cyber espionage. In the middle of last year, the adversaries switched to the ICEFOG-M variant, which supports all the features of previous versions, but it is fileless and is much more difficult to detect with standard security solutions.
The researcher also managed to uncover a version of the malware for attacks on Mac users, but it seems that it is still under development and testing. Chinese APT groups increasingly resort to sharing tools and infrastructure during operations, as was the case with the Winnti Group, and that makes it impossible to attribute campaigns to known threat actors with the detected malware only. To uncover attacks of advanced threat actors, you can use the APT Framework rule pack which helps SIEM to detect APT activity using the methodology of Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework-arcsight