Attackers Upgrade Aumlib and Ixeshe Malware Used Against New York Times

According to new research from soon-to-go-public security firm FireEye, the threat actors behind the attacks against the New York Times late last year appear to be using upgraded versions of the malware they use, and are conducting a new wave of attacks.

These new attacks appear to be the “first significant stirrings from the group since it went silent in January” after a report exposed the group and its exploits, which security researchers believe is a massive spying operation stemming from China.

The newest campaign uses updated versions of Aumlib and Ixeshe, FireEye said.

According to the security firm, Aumlib now encodes certain HTTP communications and FireEye researchers spotted the latest malware variant when analyzing a recent attack against an organization involved in shaping economic policy. FireEye also said a new version of Ixeshe uses new network traffic patterns, possibly to evade traditional network security systems.

The Ixeshe attacks, which have been traced back to at least July 2009, have been used to secretly gain access to large multinational corporations. Trend Micro previously found that Ixeshe was targeting East Asian governments, electronics manufacturers, and telecommunications companies, and had used compromised servers housed inside targeted organizations as command-and-control (C&C) servers.

In a previous interview, Tom Kellermann, vice president of cybersecurity at Trend Micro, told SecurityWeek that the technique of using compromised servers as C&C servers was being adopted by elite hacker crews, and he rated the sophistication of the Ixeshe campaign as a 9.3 out of 10.

Interestingly, despite the assumed success of the attacks, the Aumlib malware itself had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011, FireEye said, noting that the recent updates are significant for both malware families.

“When a larger, successful threat actor changes up tactics, the move always piques our attention,” FireEye researchers Ned Moran and Nart Villeneuve noted in a blog post Monday. “Naturally, our first priority is ensuring that we detect the new or altered techniques, tactics, or procedures (TTPs). But we also attempt to figure out why the adversary changed — what broke? — so that we can predict if and when they will change again in the future.”

“We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode,” the researchers continued. “But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes.”

FireEye said a sample of Aumlib (Backdoor.APT.Aumlib) found in use against an organization involved in shaping economic policy incorporated subtle changes that could be enough to evade existing IDS signatures designed to detect older variants of the Aumlib family.

For Ixeshe (Backdoor.APT.Ixeshe), FireEye analyzed a sample that appears to have targeted entities in Taiwan, activity consistent with previous Ixeshe targets. According to FireEye, the new Ixeshe variant generated network traffic that does not match the earlier pattern and therefore has the potential to evade existing network traffic signatures designed to detect Ixeshe-related infections.

“Innovative and clever” attacks such as the one against the New York Times are why security experts recommend that organizations deploy layered security mechanisms rather than rely on a single mode of protection, Kurt Hagerman, the director of information security at FireHost, told SecurityWeek in February. The best defense for Web applications and software is an intelligent security model that incorporates numerous layers of protection, including DDoS mitigation, IP reputation filtering, web application protection, virtual and hardware-based firewalling, and IDS/IPS, Hagerman said.

“Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats,” Moran and Villeneuve noted. “But knowing the ‘why’ is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior — because if you successfully foil their attacks, they probably will.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.