An energy firm from Canada, a military agency from Taiwan, a Philippines oil company, and various other high-profile organizations from countries such as Nigeria, Brazil, Israel and Egypt have been targeted by a campaign that relies on the remote access Trojan known as Mirage, or MirageFox.
Experts from Dell SecureWorks’ Counter Threat Unit (CTU) have been monitoring the operation since April 2012. They have determined that these attacks start with a spear phishing email that targets the mid- and senior-level executives of a company.
The attachment in these malicious emails contains the Mirage RAT, which “phones home” to its command-and-control (C2) server using standard HTTP requests.
According to researchers, the cybercriminals are trying to hide their identities and their servers by using dynamic DNS (dDNS) domains.
By analyzing the threat’s communications, the CTU was able to identify a number of email addresses that appeared to be owned by the masterminds of the Mirage operation. One of these addresses – email@example.com – was found to be connected to a domain registered in China.
“Mirage represents only one small piece of malware involved in an ongoing worldwide campaign. Over the past few years, these campaigns have become extremely successful, and a great deal of intellectual property and company secrets has been stolen from the targeted companies,” Silas Cutler of Dell SecureWorks CTU Threat Intelligence explained.
“For companies in the targeted industries, it is important to have a strong perimeter security line in place. Using active intrusion detection and prevention systems as well as DNS monitoring for malicious domains is essential to detecting this activity.”
He highlights the fact that in such targeted campaigns, cybercriminals don’t need to infect a large number of systems to ensure the success of the operation. Even a smaller botnet is enough to gather highly valuable information.
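The DNS monitoring that Cutler recommends above, as an added example that is not from the article, Dell SecureWorks or the CTU: a small Python script that reads DNS query logs, keeps only lookups of names under dynamic DNS zones, and reports the (client, name) pairs that recur at a near-constant interval, the cadence a scheduled HTTP phone-home produces. The zone list, the log format and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed dynamic DNS zones to watch (illustrative, not from the article;
# a real deployment would load a maintained feed of such providers).
DDNS_ZONES = ("dyndns.org", "no-ip.org", "no-ip.biz", "3322.org", "zapto.org")

# Assumed, constructed log format: "<epoch_seconds> <client_ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\d+) (\S+) (A|AAAA|CNAME) (\S+)$")

def ddns_zone(qname):
    """Return the watched dynamic DNS zone that qname falls under, or None."""
    name = qname.rstrip(".").lower()
    for zone in DDNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def find_beacons(lines, min_queries=3, jitter=5):
    """Group DDNS lookups by (client, name) and keep those repeated at least
    min_queries times with gaps that vary by at most `jitter` seconds.
    Returns {(client, name): (lookup_count, median_gap_seconds)}."""
    times = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed format; skip it
        ts, client, _qtype, qname = m.groups()
        if ddns_zone(qname):
            times[(client, qname.rstrip(".").lower())].append(int(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter:  # regular cadence, not a burst
            beacons[key] = (len(stamps), sorted(gaps)[len(gaps) // 2])
    return beacons

# Constructed sample: 10.0.0.7 resolves a DDNS name roughly every 600 s;
# the other lines are one-off noise or malformed input.
SAMPLE_LOG = [
    "1000 10.0.0.5 A update.example-corp.local.",
    "1000 10.0.0.7 A c2host.3322.org.",
    "1600 10.0.0.7 A c2host.3322.org.",
    "2202 10.0.0.7 A c2host.3322.org.",
    "2800 10.0.0.7 A c2host.3322.org.",
    "2810 10.0.0.9 A myhome.no-ip.org.",
    "malformed line",
]

if __name__ == "__main__":
    for (client, name), (n, period) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {name}: {n} lookups, ~{period}s apart")
```

A single lookup of a dynamic DNS name is common and noisy on its own; the repeated, evenly spaced pattern is what separates a phone-home from a user visiting a hobbyist site.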