

Posted: June 11, 2019

ICEFOG is a family of backdoor Trojans that can upload files collected from your computer, download other threats, and give hackers control over your system. There are multiple, significant variants of this threat, the latest of which uses a fileless persistence method. Users should monitor their network for signs of a breach and use anti-malware services to find and remove ICEFOG where relevant.

The Fog Dispersed – but Came Back Later

Much like seasonal weather can create recurring spates of rain and thunder that are interspersed with sunny days, Trojans will, sometimes, come to a dead halt before reviving themselves after weeks, months or years. ICEFOG is an extreme example of such a pattern, and its apparent resurrection may be due to shared resources among different hacking groups. ICEFOG attacks go back as far as 2011, but malware experts are re-verifying its active presence in today's world.

ICEFOG is used exclusively by China-based threat actors, and its 2011 releases, such as ICEFOG Type 1 and Type 2, implied a single organization behind its concentrated attacks. They appeared concerned about publicity, since they stopped all use of ICEFOG after the cyber-security industry published an initial analysis of the backdoor Trojan. However, its recurrences in 2014 and 2018 point to its being a tool of new criminals with more flexible motives that encompass political espionage and IP theft.

All variants of ICEFOG Trojans that malware experts survey have some points in common, such as the main capabilities of the payload. These capabilities include:

  • Downloading and uploading files.
  • Performing other file operations, such as deletion or renaming.
  • Closing program processes automatically.
  • Operating screen-grabbing and keylogging features for collecting information.
  • Monitoring specified directories.

While ICEFOG's accepted commands are small in number, they're invasive enough that a remote attacker gains incisive control over the computer and can drop other threats as he requires their services.

Some Warmer Weather for Your Hard Drive

A 2018 version of ICEFOG deserves more emphasis than old builds of the Trojan, due to an overhaul of its structure. This version, ICEFOG M, no longer creates files on disk for its payload and instead hijacks the Windows Registry as its 'host' file. It also takes advantage of a more secure C&C protocol that uses HTTPS over port 443. These facts show that whoever is still using ICEFOG takes some care to avoid analysis and detection by AV programs.
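Because the 2018 build keeps its payload in the Registry rather than on disk, a defender's first triage step is to look for autostart values that hold blobs instead of plain paths. The following PowerShell script is an added example, not code from the original page; the Run/RunOnce keys it checks are assumed common persistence locations (not ICEFOG-specific indicators), and the size thresholds are arbitrary triage values.

```powershell
# Added example (not from the original page): triage common autostart keys for
# registry-resident payloads of the kind attributed to the 2018 ICEFOG M build.
# Assumption: these keys are generic persistence locations, not ICEFOG indicators.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Flag a value that is large, binary, or looks like an encoded blob rather than
# a plain path to an executable on disk. Thresholds are arbitrary triage values.
function Test-SuspiciousAutostartValue {
    param([string]$Name, $Data)

    $reasons = @()
    if ($Data -is [byte[]]) {
        if ($Data.Length -gt 4096) { $reasons += "binary value of $($Data.Length) bytes" }
    } else {
        $text = [string]$Data
        if ($text.Length -gt 512) { $reasons += "string value of $($text.Length) chars" }
        # A long run of base64 characters is typical of an encoded payload or loader.
        if ($text -match '[A-Za-z0-9+/]{200,}={0,2}') { $reasons += 'base64-like blob' }
        # A script host started with an encoded argument instead of a file is a
        # common fileless-loader pattern worth a manual look.
        if ($text -match '(?i)(powershell|mshta|wscript|cscript)' -and
            $text -match '(?i)(-enc|-e |frombase64string)') {
            $reasons += 'script host launched with encoded argument'
        }
    }
    return $reasons
}

function Get-SuspiciousAutostartEntries {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw value without expanding %VARS%, so encoded data stays as stored.
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $reasons = Test-SuspiciousAutostartValue -Name $name -Data $data
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Value = $name; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

Get-SuspiciousAutostartEntries | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; anything it lists is a lead for manual review, not a verdict.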

Most builds of ICEFOG that malware experts see, including the 2018 campaigns, target Windows x86 and 64-bit environments. There is, however, a port of ICEFOG to Mac OSes with all of its payload's functionality intact. Victims of its various campaigns include, mostly, business sector entities, such as Russian news media, European agricultural companies, and multiple Turkish and Kazakh organizations.

Users should disable RDP, use secure password practices, and scan e-mail attachments and links before interacting with them. Most anti-malware programs should delete ICEFOG in all of its versions before it installs, which is much less troublesome than complete disinfection and re-securing of a network.

Innovation in hacking knows no bounds, and malware researchers don't often see old Trojans with as substantial an overhaul as ICEFOG. This backdoor Trojan is proving that even old software can learn new tricks, which is unhappy news for anyone outside of China.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to ICEFOG may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.