The advanced persistent threat (APT) group first detailed in 2011 after its attack on the chemical sector is back and changing up its tactics, according to new research from Palo Alto Networks.
The group, dubbed “Nitro” by Symantec researchers, appears to have carried out multiple attacks this year that targeted a range of industries, including a U.S.-based IT solutions provider and a U.S.-based provider of medical and dental imaging systems and IT solutions.
In most of the new cases, the group leveraged the “Spindest” malware, but “PCClient” and “Farfli” variants were also found. Previous iterations of Nitro attacks capitalized off spear phishing campaigns and “Poison Ivy” malware, but neither of these tactics were seen in the most recent attacks. Ryan Olson, Unit 42 intelligence director, Palo Alto Networks, said in a Monday interview with SCMagazine.com that he and the other researchers weren't sure what the second stage of the malware would be.
“It's possible to steal data, and it's possible to install additional malware,” Olson said. “But the group seems to be targeting industries that have information interesting to the attackers.”
He said he believes that espionage appears to be the most likely purpose behind the attacks.Also of note to the researchers, besides the chosen malware, was the recycling of a familiar IP address that connects directly to the group's command-and-control servers (C&C). Although the attackers have altered other aspects of their attacks, this maintained IP address is peculiar; however, it did allow Olson and the other researchers to attribute their findings back to Nitro. The group used the same Singapore-based IP address in their earlier attacks.
Olson suggested that enterprises begin blocking executable downloads unless a user consents to them because each attack stemmed from an executable online download. This, he said, would successfully mitigate most of Nitro's risk.
“For these specific attacks it's going to be very effective,” he said.
[An earlier version of this article incorrectly referred to the malware as "Farfali" instead of "Farfli."]