Hackers using a Remote Access Trojan (RAT) named Mirage have been running a systematic cyber espionage campaign since April against a wide range of targets, including a Canadian energy company, a large oil firm in the Philippines and entities in several other countries, according to Dell's SecureWorks Counter Threat Unit.
This is the second campaign against oil companies that SecureWorks has uncovered this year. Back in February, researchers discovered attackers using remote access tools similar to Mirage to target multiple oil companies in Vietnam. That attack also hit government agencies in other countries, as well as an embassy, a nuclear safety agency and several business groups.
According to SecureWorks, the domains for three of the command and control servers used to control Mirage, as well as several of the command and control servers used in the February attack, belong to the same individual or group.
What's more, the IP addresses of the command and control servers used by Mirage and in the February attack belong to China's Beijing Province Network. That same network was implicated in last year's attacks on security vendor RSA, which resulted in the theft of confidential information related to the company's SecurID two-factor authentication technology.
The Mirage campaign has already affected companies in Canada and the Philippines, a military organization in Taiwan and several unidentified entities in Nigeria, Egypt, Brazil and Israel. The program itself is quite clever and is specifically designed to evade easy detection: all of its communications with its command and control servers are disguised to look like the URL traffic patterns of Google searches.
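The disguise described above cuts both ways for a defender: a request that is shaped like a Google web search but is sent to a host that is not a Google domain is itself an anomaly worth surfacing. The script below is an added example, not code from the article or from SecureWorks, and it does not reproduce Mirage's actual URL format. It assumes a simple space-separated proxy log (`epoch client_ip method url status bytes`), a constructed sample log using documentation IP ranges, and a generic "Google search-shaped URL" heuristic (a `/search` path carrying a `q` parameter); the Google host pattern is an assumption that a real deployment would replace with an explicit allowlist. Repeats per client/host pair are counted so that periodic beaconing stands out from a one-off mistyped link.

```python
"""Heuristic detector for C2 traffic disguised as Google search URLs.

Added example (not from the article or SecureWorks). It scans proxy log
lines for requests whose URL looks like a Google web search but whose
destination host is not a Google domain, then counts repeats per
(client, host) pair so periodic beaconing is easy to spot.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (assumed format):
#   epoch client_ip method url status bytes
# 203.0.113.0/24 and *.test are reserved for documentation and examples.
# The q= values are arbitrary tokens, not a real Mirage encoding.
SAMPLE_LOG = """\
1348135262 10.1.2.3 GET http://www.google.com/search?q=quarterly+results&hl=en 200 5120
1348135269 10.1.2.3 GET http://203.0.113.7/search?q=aGVsbG8gd29ybGQ&hl=en 200 312
1348135270 10.1.2.5 GET http://203.0.113.7/index.html 200 1900
1348135329 10.1.2.3 GET http://203.0.113.7/search?q=c3RhdHVzIG9r&hl=en 200 298
1348135340 10.1.2.4 GET http://updates.example.test/search?q=YWJj&ie=utf-8 200 287
1348135350 10.1.2.6 GET http://www.google.co.uk/search?q=oil+prices 200 6000
"""

# Anchored at both ends so look-alikes such as google.com.evil.test do not
# match. Assumption: a production deployment would use an explicit allowlist.
GOOGLE_HOST_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*google\.(?:com|co\.[a-z]{2}|[a-z]{2})$"
)


def parse_proxy_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, method, url, status, size = fields
    return {
        "ts": int(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "bytes": int(size),
    }


def is_google_host(host):
    """True only for hostnames that end in a Google domain."""
    return GOOGLE_HOST_RE.match(host.lower()) is not None


def looks_like_google_search(url):
    """True when the URL has the shape of a Google web search: /search?q=..."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    return parts.path.rstrip("/") == "/search" and "q" in params


def find_mimicry(lines, min_hits=2):
    """Return sorted (client, host, count) triples for Google-search-shaped
    requests sent to non-Google hosts, keeping pairs seen at least min_hits
    times so that repeated beaconing ranks above a single odd request."""
    hits = Counter()
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if looks_like_google_search(rec["url"]) and not is_google_host(host):
            hits[(rec["client"], host)] += 1
    return sorted(
        (client, host, n) for (client, host), n in hits.items() if n >= min_hits
    )


if __name__ == "__main__":
    for client, host, n in find_mimicry(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: {n} Google-search-shaped requests")
```

Lowering `min_hits` to 1 also surfaces the single request from 10.1.2.4 to `updates.example.test`; in practice the threshold, the time window and the host allowlist should be tuned to the environment, and any hit should be correlated with the process and user behind the request rather than blocked on its own.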
Several customized variants of Mirage have also been discovered. According to SecureWorks analyst Silas Cutler, "One of the variants was seen in a subset of samples that had been modified specifically for the environment targeted by the threat actors. These samples had been configured with default credentials for the targeted environment's web proxy servers."
Source: Computer World – Cyber espionage campaign targets energy companies