
Attackers Upgrade Aumlib and Ixeshe Malware Used Against New York Times

According to new research from soon-to-go-public security firm FireEye, the threat actors behind the attacks against the New York Times late last year appear to be using upgraded versions of the malware they use, and are conducting a new wave of attacks.

These new attacks appear to be the “first significant stirrings from the group since it went silent in January” after a report exposed the group and its exploits, which security researchers believe is a massive spying operation stemming from China.

The newest campaign uses updated versions of Aumlib and Ixeshe, FireEye said.

According to the security firm, Aumlib now encodes certain HTTP communications and FireEye researchers spotted the latest malware variant when analyzing a recent attack against an organization involved in shaping economic policy. FireEye also said a new version of Ixeshe uses new network traffic patterns, possibly to evade traditional network security systems.

The Ixeshe attacks, which have been traced back to at least July 2009, have been used to secretly gain access to large multinational corporations. Trend Micro previously found that Ixeshe was targeting East Asian governments, electronics manufacturers, and telecommunications companies, and had used compromised servers housed inside targeted organizations as command-and-control (C&C) servers.

In a previous interview, Tom Kellermann, vice president of cybersecurity at Trend Micro, told SecurityWeek that the technique of using compromised servers as C&C servers was being adopted by elite hacker crews, and he rated the sophistication of the Ixeshe campaign as a 9.3 out of 10.

Interestingly, despite the assumed success of the attacks, the Aumlib malware itself had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011, FireEye said, noting that the recent updates are significant for both malware families.

“When a larger, successful threat actor changes up tactics, the move always piques our attention,” FireEye researchers Ned Moran and Nart Villeneuve noted in a blog post Monday. “Naturally, our first priority is ensuring that we detect the new or altered techniques, tactics, or procedures (TTPs). But we also attempt to figure out why the adversary changed — what broke? — so that we can predict if and when they will change again in the future.”

“We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode,” the researchers continued. “But we do know the change was sudden. Akin to turning a battleship, retooling TTPs of large threat actors is formidable. Such a move requires recoding malware, updating infrastructure, and possibly retraining workers on new processes.”

FireEye said the Aumlib sample (Backdoor.APT.Aumlib) found in use against an organization involved in shaping economic policy incorporated subtle changes that could be enough to evade existing IDS signatures designed to detect older variants of the Aumlib family.

For Ixeshe (Backdoor.APT.Ixeshe), FireEye analyzed a sample that appears to have targeted entities in Taiwan, activity consistent with previous Ixeshe targets. According to FireEye, the new Ixeshe variant generated network traffic that does not match the earlier pattern and therefore has the potential to evade existing network traffic signatures designed to detect Ixeshe-related infections.

“Innovative and clever” attacks such as the one against the New York Times are why security experts recommend that organizations deploy layered security mechanisms rather than rely on a single mode of protection, Kurt Hagerman, the director of information security at FireHost, told SecurityWeek in February. The best defense for Web applications and software is an intelligent security model that incorporates numerous layers of protection, including DDoS mitigation, IP reputation filtering, web application protection, virtual and hardware-based firewalling, and IDS/IPS, Hagerman said.

“Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats,” Moran and Villeneuve noted. “But knowing the ‘why’ is equally important. That additional degree of understanding can help organizations forecast when and how a threat actor might change their behavior — because if you successfully foil their attacks, they probably will.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
