'Nitro' targeted malware attacks hit chemical companies

Symantec has traced the attacks back to a 20-something male located in the Hebei region in China.

Symantec's security response team has sounded an alarm for a new wave of targeted malware attacks against private companies involved in the research, development, and manufacture of chemicals and advanced materials.

The attacks, dubbed Nitro, combine social engineering lures (spear phishing e-mails) and the Poison Ivy remote access Trojan to infect targeted Windows computers and hijack sensitive information.

From Symantec's report [PDF]:


The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave.

The report provides technical details on the attacks, including the use of password-protected 7zip archives that, when extracted, yield a self-extracting executable. One of the e-mail lures purported to be a high-priority security update for Adobe Reader and Acrobat. In other related attacks, Symantec said, malicious PDF and DOC files were used to drop a backdoor on the infected machine.
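The lure described above (a "security update" e-mail carrying a password-protected archive that unpacks to a self-extracting executable) is something a mail gateway can triage before a user ever opens it. The following is an added example, not code from the article or from Symantec's report: it parses a MIME message with Python's standard `email` library, identifies each attachment by its magic bytes rather than its declared extension, and applies three defender-side rules drawn from the article: executable content is blocked outright, archive formats that may be password-protected (and so cannot be scanned inline) are held for sandbox detonation, and PDF/DOC attachments arriving under an "Adobe Reader"/"security update" style subject are flagged for scanning. The sample message, the file-type table, and the lure keywords are constructed for the example.

```python
"""Triage e-mail attachments by content type, subject lure and extension mismatch."""
import email
from email import policy
from email.message import EmailMessage

# Constructed table of magic bytes for the file types the article names.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",                        # 7-Zip archive
    b"MZ": "pe",                                         # Windows PE, incl. self-extracting archives
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",          # legacy .doc/.xls container
    b"PK\x03\x04": "zip",
}

# Extensions that legitimately carry each sniffed type (constructed mapping).
EXPECTED_EXT = {"7z": {"7z"}, "zip": {"zip"}, "pdf": {"pdf"}, "ole": {"doc", "xls", "ppt"}}

# Subject-line phrases matching the lure the article describes (constructed list).
LURE_TERMS = ("security update", "adobe reader", "acrobat")


def sniff(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes, subject: str):
    """Return (verdict, reason) for one attachment; verdict is block/hold/scan/allow."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    lure = any(term in subject.lower() for term in LURE_TERMS)

    if kind == "pe":
        # Self-extracting executables are still executables: never deliver.
        return "block", f"executable content in '{filename}'"
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        # Content does not match the name the sender chose for it.
        return "block", f"'{filename}' is {kind} content with mismatched extension"
    if kind in ("7z", "zip"):
        # Archives may be password-protected and therefore unscannable inline.
        return "hold", f"archive '{filename}' held for sandbox detonation"
    if kind in ("pdf", "ole") and lure:
        return "scan", f"document '{filename}' under a software-update lure subject"
    return "allow", f"'{filename}' ({kind}) passed static checks"


def triage_message(raw: bytes):
    """Parse a raw RFC 5322 message and triage every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):            # text/* parts decode to str
            data = data.encode()
        verdict, reason = triage_attachment(name, data, subject)
        results.append((name, verdict, reason))
    return results


def sample_message() -> bytes:
    """Constructed message imitating the lure: update subject, 7z + disguised PE."""
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"        # placeholder sender
    msg["To"] = "researcher@example.invalid"       # placeholder recipient
    msg["Subject"] = "High priority: Adobe Reader and Acrobat security update"
    msg.set_content("Please apply the attached update immediately.")
    # 7z signature followed by filler: stands in for a password-protected archive.
    msg.add_attachment(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32,
                       maintype="application", subtype="octet-stream",
                       filename="reader_update.7z")
    # PE header bytes named as a PDF: content/extension mismatch.
    msg.add_attachment(b"MZ" + b"\x90" * 62,
                       maintype="application", subtype="octet-stream",
                       filename="release_notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in triage_message(sample_message()):
        print(f"{verdict:5s} {name}: {reason}")
```

The ordering of the rules matters: the executable check runs before the extension check so that a PE renamed to `.7z` is reported as executable content rather than as a mere mismatch, and a held archive is only a holding action, since the gateway cannot look inside a password-protected file and the user-supplied password in the e-mail body is exactly what lets the lure bypass inline scanning.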

Symantec said it traced the attacks back to a computer system that was a virtual private server (VPS) located in the United States.

However, the system was owned by a 20-something male located in the Hebei region in China. We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school.

Covert Grove claimed to have the U.S.-based VPS for the sole purpose of using the VPS to log into the QQ instant message system, a popular instant messaging system in China. By owning a VPS, he would have a static IP address. He claims this was the sole purpose of the VPS. And by having a static IP address, he could use a feature provided by QQ to restrict login access to particular IP addresses. The VPS cost was RMB200 (US$32) a month.

While possible, with an expense of RMB200 a month for such protection and the usage of a US-based VPS, the scenario seems suspicious. We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform ‘hacking for hire’. Whether this contact is merely an alias or a different individual has not been determined.

We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.

While these types of social-engineering targeted attacks are happening on a daily basis, Symantec called out the Nitro attacks because the campaign was specifically looking for key intellectual property for competitive advantage.

"This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes," the company said.