Both Symantec and FireEye experts agree that the malware and the C&C are the same

Mar 2, 2013 08:24 GMT

It appears there’s a link between the recent Bit9 security incident and the latest Java zero-day attacks.

Experts have found that one of the Trojans signed with a stolen Bit9 certificate is the same as the final payload dropped in the attacks that exploit the Java 6 Update 41 and Java 7 Update 15 vulnerabilities.

Symantec, which detects the McRat (HiKit) malware as Trojan.Naid, says the command-and-control server it connects to, at IP address 110.173.55.187, has been used in both the Bit9 attack and the latest Java attacks.

“The Trojan.Naid attackers have been extremely persistent and have shown their sophistication in multiple attacks. Their primary motivation has been industrial espionage on a variety of industry sectors. The attackers have employed multiple zero-days,” Symantec experts noted.

Alex Lanstein, a senior security researcher at FireEye, told Brian Krebs that it was unlikely that multiple attack groups would use the same infrastructure and the same malware, which might indicate there is a connection.
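The link drawn above rests on infrastructure overlap: the same C&C address appearing in two otherwise separate incidents. The following script is an added example, not code from the article or from Symantec or FireEye, showing how a defender would check their own telemetry for that kind of overlap. It parses constructed firewall-style log lines for two incidents (the log format, hostnames and all addresses other than the article's 110.173.55.187 are invented for the example), reports every destination contacted in more than one incident, and separately lists connections to the known C&C address. One shared destination in the sample data (203.0.113.9) is deliberately not a known C&C, to show that overlap alone is a lead to vet rather than proof.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry). Each incident's
# outbound-connection log is kept separately so overlap can be measured.
INCIDENT_LOGS = {
    "bit9_incident": [
        "2013-02-08T10:14:02Z src=10.1.4.22 dst=110.173.55.187 dport=443 proto=tcp action=allow",
        "2013-02-08T10:14:09Z src=10.1.4.22 dst=198.51.100.14 dport=80 proto=tcp action=allow",
        "2013-02-08T10:15:41Z src=10.1.4.37 dst=203.0.113.9 dport=443 proto=tcp action=allow",
    ],
    "java_0day_incident": [
        "2013-02-27T16:02:11Z src=172.16.8.5 dst=110.173.55.187 dport=443 proto=tcp action=allow",
        "2013-02-27T16:02:30Z src=172.16.8.5 dst=192.0.2.77 dport=80 proto=tcp action=allow",
        "2013-02-27T16:03:12Z src=172.16.8.9 dst=203.0.113.9 dport=8080 proto=tcp action=allow",
    ],
}

# The C&C address named in the article; the only non-constructed value here.
KNOWN_C2 = {"110.173.55.187"}

# Assumed key=value log layout; adjust the pattern to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def destinations_by_incident(logs):
    """Map each incident name to the set of destination IPs it contacted."""
    out = {}
    for name, lines in logs.items():
        dsts = set()
        for line in lines:
            rec = parse_line(line)
            if rec:
                dsts.add(rec["dst"])
        out[name] = dsts
    return out


def shared_infrastructure(logs):
    """Return destinations seen in more than one incident -> sorted list of incidents."""
    seen = defaultdict(set)
    for name, dsts in destinations_by_incident(logs).items():
        for dst in dsts:
            seen[dst].add(name)
    return {dst: sorted(names) for dst, names in seen.items() if len(names) > 1}


def c2_hits(logs, c2=KNOWN_C2):
    """Return (incident, source host, timestamp) for every connection to a known C&C address."""
    hits = []
    for name, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec and rec["dst"] in c2:
                hits.append((name, rec["src"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for dst, incidents in shared_infrastructure(INCIDENT_LOGS).items():
        tag = "KNOWN C2" if dst in KNOWN_C2 else "overlap, vet further"
        print(f"{dst}: seen in {', '.join(incidents)} [{tag}]")
    for incident, src, ts in c2_hits(INCIDENT_LOGS):
        print(f"C2 contact: {incident} host {src} at {ts}")
```

In practice the destination sets would be pulled from proxy or flow records for each incident's time window, and any overlap would be checked against known-shared infrastructure (CDNs, update servers) before being read as evidence of a common operator.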