I smell a RAT

According to Dell’s SecureWorks Counter Threat Unit, since April this year, hackers using a Remote Access Trojan (or RAT for short) named Mirage have been conducting systematic cyber espionage against a Canadian energy company, a large oil firm in the Philippines and several other entities.  It is the second attack targeting oil companies to be found by SecureWorks this year.

According to SecureWorks, the domains of three of the command and control servers used to control Mirage appear to belong to the same individual or group of individuals.  Another interesting fact is that the IP addresses for the command and control servers belong to China’s Beijing Province Network.  This network was also implicated last year in an attack on security vendor RSA.  An attack which resulted in the theft of confidential information about RSA’s SecurID two-factor authentication technology.  Command and control servers from the Beijing Province Network were also involved in the 2009 GhostNet cyber espionage campaign.

Mirage has so far affected companies in Canada, the Phillippines, a Taiwanese military organization, and other entities in Nigeria, Egypt, Brazil, and Israel, according to SecureWorks researcher Joe Stewart.  The Mirage malware itself is designed to evade easy detection,  and its communications with its command and control servers are disguised as the URL traffic pattern associated with Google searches.  One of the ways Mirage gets into networks is by tricking mid-level to senior executives with phishing emails containing attachments meant to install Mirage onto their systems.

Also, over the past few months, several customized variants of Mirage were discovered.  They had been designed to evade detection by anti-virus, as well as anti-malware programs.