The Nitro Attacks: Stealing Secrets from the Chemical and Defense Industry

The malware used in the attack was a Remote Administration Tool (RAT), a backdoor developed by a Chinese hacker.

The attackers send a fake email with a malicious attachment. Once the victim opens the attachment, it infects the system and installs the Poison Ivy server (the malware).

After the infection, the malware contacted a C&C server on TCP port 80 using an encrypted communication protocol. Through the C&C server, the attackers then instructed the compromised computer to report its IP address, the names of all other computers in the workgroup or domain, and dumps of the Windows cached password hashes.

Using the currently logged-on user's access to additional computers, or passwords cracked from the dumped hashes, the attackers then traversed the network, infecting additional computers.

Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property. Domain administrator credentials make it easier for the attacker to find the servers hosting the desired intellectual property and gain access to the sensitive materials. The attackers may also have downloaded and installed additional tools to penetrate the network further.
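The most network-visible step in the chain above is the beacon: an encrypted protocol on TCP port 80, where a proxy or IDS expects to see HTTP. The following detection script is an added example, not code from the original post or from the Symantec report. It assumes a constructed log export in which each outbound connection carries its first payload bytes hex-encoded (the `src=`/`dst=`/`dport=`/`payload=` fields are assumptions about the export format), flags port-80 connections whose first bytes are not an HTTP request line, and tallies, per destination, how many distinct internal hosts made such connections, the same kind of count as the "101 unique IP addresses contacted a command and control server" figure quoted below.

```python
import re
from collections import defaultdict

# Constructed sample export (not real Nitro traffic): one record per outbound
# connection with the first payload bytes hex-encoded, as an IDS or full-packet
# capture tool might emit them. Field names are assumed for this example.
SAMPLE_LOG = """\
2011-07-20T10:01:02 src=10.0.5.21 dst=203.0.113.10 dport=80 payload=474554202f20485454502f312e31
2011-07-20T10:01:03 src=10.0.5.22 dst=198.51.100.7 dport=80 payload=a4f10c2e9b7d3e41
2011-07-20T10:02:10 src=10.0.5.23 dst=198.51.100.7 dport=80 payload=0b3cde88f0a1c2d3
2011-07-20T10:03:15 src=10.0.5.22 dst=198.51.100.7 dport=80 payload=9e8d7c6b5a4f3e2d
2011-07-20T10:04:00 src=10.0.5.24 dst=203.0.113.10 dport=80 payload=504f5354202f6c6f67696e20485454502f312e31
2011-07-20T10:05:33 src=10.0.5.25 dst=198.51.100.7 dport=443 payload=160301
"""

# Request-line prefixes a genuine HTTP client sends first (RFC 7231 methods plus PATCH).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ",
                b"CONNECT ", b"TRACE ", b"PATCH ")

RECORD_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+payload=(?P<payload>[0-9a-fA-F]*)"
)


def parse_record(line):
    """Return (src, dst, dport, payload_bytes), or None if the line is not a connection record."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), bytes.fromhex(m["payload"])


def looks_like_http(payload):
    """True if the first bytes form an HTTP request line; an encrypted custom protocol will not."""
    return payload.startswith(HTTP_METHODS)


def find_non_http_port80(log_text):
    """Group non-HTTP connections on TCP/80 by destination.

    Returns {dst: {"hosts": sorted unique internal sources, "connections": count}}.
    A destination contacted by many distinct internal hosts over a protocol that is
    not HTTP on port 80 is a candidate C&C server worth investigating.
    """
    by_dst = defaultdict(lambda: {"hosts": set(), "connections": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, dport, payload = rec
        if dport != 80 or looks_like_http(payload):
            continue  # only port-80 traffic that does not start like HTTP
        by_dst[dst]["hosts"].add(src)
        by_dst[dst]["connections"] += 1
    return {dst: {"hosts": sorted(v["hosts"]), "connections": v["connections"]}
            for dst, v in by_dst.items()}


if __name__ == "__main__":
    for dst, info in find_non_http_port80(SAMPLE_LOG).items():
        print(f"{dst}: {len(info['hosts'])} internal host(s), "
              f"{info['connections']} non-HTTP connection(s) on TCP/80 -> {info['hosts']}")
```

On the constructed sample, the two `203.0.113.10` connections begin with `GET` and `POST` and are dropped, the port-443 record is out of scope, and `198.51.100.7` is reported with two distinct internal hosts over three connections. Non-HTTP traffic on port 80 is an indicator, not proof; treat a hit as a lead to correlate with the other signs described above (cached hash dumps, workgroup or domain enumeration, a user's credentials appearing on hosts they never use) before declaring a compromise.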

The attackers changed their targets over time. At first (from April to May 2011) they targeted human-rights-related NGOs. Then, in May, they shifted to the motor industry. There were no attacks in June.

According to the Symantec report: "29 chemical industry companies and another 19 in other industries (most of them in the defense sector) were infected. In a recent two-week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries."