New spyware detected targeting firms in Russia, China – Symantec
Security researchers have found a previously unknown hacking group that has been carrying out cyber espionage-style attacks against selected targets in Russia, China, Sweden and Belgium.
The attacks are executed using a piece of sophisticated malware known as Remsec, which Symantec described as “a stealthy tool that appears to be primarily designed for spying purposes including a keylogger, network listener, a basic and an advanced pipe back door, and an HTTP back door”.
According to the researchers, the source code of Remsec contains references to Sauron, the all-seeing evil character from The Lord of the Rings trilogy. Remsec is built from separate modules, and this modular design allows the group behind it, which Symantec calls Strider, to integrate new custom malware tools.
“Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation state-level attacker”, Symantec said, but it did not speculate about which government might be behind the software.
Symantec found that some of the modules of the Remsec malware were written in the Lua programming language, which has also been used by another cyberespionage threat actor called Flamer, which was found to be aiming at specific targets in the Middle East.
Although Strider is believed to have been active since at least October 2011, the group has maintained a low profile until now.
“Its targets have been mainly organizations and individuals that would be of interest to a nation state’s intelligence services”, Symantec wrote in an online report about its discovery.
“Symantec obtained a sample of the group’s Remsec malware from a customer who submitted it following its detection by our behavioural engine”. Both Kaspersky and Symantec note the group has been remarkably selective in its targets and has successfully (until now) kept off security researchers’ radars.
Though Strider has been active since 2011, Symantec found only 36 total infections across a scant seven organizations. “The group’s targets include a number of organizations and individuals located in Russian Federation, an airline in China, an organization in Sweden, and an embassy in Belgium”, said Symantec.
Remsec spyware lives within an organisation’s network rather than being installed on individual computers, giving attackers complete control over infected machines, researchers said.
“We suspect that the reason Lua is used is because of the fact that it’s simple to develop new functionality in it”. “Using the victim system’s memory in place of storing binary and data components on the disk itself is a technique used to prevent defenders from being able to identify or analyze the activity itself”.
The malware uses several evasion techniques that likely allowed it to avoid detection for so long. It is hard to detect in part because many of its features are “deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk”.
As a resource for potentially infected organizations, Symantec has compiled various indicators of Remsec compromise into a document.