“Contrary to commonly held thought, Hydraq never went away. Month after month we've observed the attackers using the threat relentlessly on organizations across all sorts of different market sectors”, the Symantec Security Response team wrote in a recent blog.
Hydraq gained fame as the weapon used in Operation Aurora, which targeted Google and other US companies in 2009. The attacks exploited a zero-day vulnerability in Internet Explorer to gain access to the companies’ computer systems and install malware. The malware was then able to steal intellectual property and upload it to a remote server.
Symantec said that the new Hydraq attacks are similar to the previous ones in the way they infect the target’s computer system: “Well tailored email sent to specific recipients with a link to an exploit hosting website; exploitation leads to download and execution of the Trojan; the Trojan gathers system information and exfiltrates to a remote server; a remote server is contacted every so often to see if additional commands are available. On average we see a new wave of Hydraq attacks every six to eight weeks.”
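The last step in the chain Symantec describes, a Trojan that checks back with a remote server "every so often", is the part a defender can look for without knowing the server in advance: human browsing is bursty, while a timer-driven check-in produces near-constant gaps between requests. The following is an added example, not code from the article or from Symantec, that scores proxy-log request intervals per source/destination pair and flags pairs whose gaps are almost identical. The log format, hostnames and the 203.0.113.45 address are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the article): "<ISO timestamp> <source host> <destination>".
# One destination is contacted roughly every 30 minutes with small jitter; the other is browsed at random.
SAMPLE_LOG = """\
2012-09-14T08:00:00 ws-17 203.0.113.45
2012-09-14T08:03:12 ws-17 cdn.example-news.test
2012-09-14T08:30:01 ws-17 203.0.113.45
2012-09-14T09:00:02 ws-17 203.0.113.45
2012-09-14T09:29:58 ws-17 203.0.113.45
2012-09-14T09:41:40 ws-17 cdn.example-news.test
2012-09-14T10:00:00 ws-17 203.0.113.45
2012-09-14T10:15:27 ws-17 cdn.example-news.test
2012-09-14T10:30:03 ws-17 203.0.113.45
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group request timestamps by (source, destination), skipping malformed lines."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst = m.groups()
        contacts[(src, dst)].append(datetime.fromisoformat(ts))
    for times in contacts.values():
        times.sort()
    return contacts


def periodic_contacts(text, min_hits=4, max_jitter_ratio=0.05):
    """Return (src, dst, mean_gap_seconds, hit_count) for pairs whose inter-request
    gaps are almost constant, i.e. look like a timer rather than a person."""
    flagged = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue  # too few requests to say anything about cadence
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; avoid dividing by zero
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter_ratio:
            flagged.append((src, dst, mean_gap, len(times)))
    return flagged


if __name__ == "__main__":
    for src, dst, gap, hits in periodic_contacts(SAMPLE_LOG):
        print(f"{src} -> {dst}: {hits} requests, every {gap:.0f}s on average")
```

Regular cadence alone is not proof of compromise: software update checks and monitoring agents beacon in the same way, so the flagged pairs are a triage list to compare against known-good destinations, not an alert on their own. Lowering `max_jitter_ratio` tightens the filter; raising `min_hits` demands a longer observation window before a pair is reported.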
However, unlike the initial Hydraq attacks, which exploited zero-day vulnerabilities and were targeted at US-based companies, these new attacks exploit known flaws and target organizations in at least 20 different countries.
“Targeted entities are either those that host intellectual property of value, or those that can be used as an asset in future malware campaigns. Even if an organization considers itself to be immune to the intellectual property bait, they could be compromised to aid the attackers in additional attack campaigns”, the blog warned.