A sophisticated cyber espionage group that has managed to keep a low profile has been found to target organizations in Russia, China and a couple of European countries, Symantec reported on Sunday.
The threat actor, dubbed Strider by Symantec, and also known as ProjectSauron, is believed to have been active since at least 2011. Symantec analyzed one of the group’s tools, named Remsec, after a customer submitted a sample detected by its security product due to suspicious behavior.
According to researchers, Remsec is a piece of malware primarily designed for spying. The threat can open a backdoor on the infected computer, log keystrokes, steal files from the infected machine, and allow the attackers to move laterally on the network.
“Remsec contains a number of stealth features that help it to avoid detection. Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect,” Symantec researchers explained. “In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk. This also makes the malware more difficult to detect and indicates that the Strider group are technically competent attackers.”
Symantec has discovered a total of 36 infections across seven organizations in four countries, including Russian entities, a Chinese airline, an embassy in Belgium and an organization in Sweden.
Kaspersky Lab, which calls the campaign ProjectSauron, discovered that more than 30 organizations in Russia, Iran and Rwanda had been infected, noting that other Italian-speaking countries may have been hit as well. Kaspersky said that it has found cases where the malware has successfully penetrated air-gapped networks.
The malicious functionality is provided by a series of modules, each responsible for a specific task. For example, Remsec relies on a loader module, implemented as a fake Security Support Provider, to load files from the disk and execute them. The malware also includes three different backdoor modules (basic, advanced and HTTP) and a network listener.
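Security Support Providers that LSA loads at boot are listed in the `Security Packages` registry value under the Lsa key, so an unfamiliar entry there is worth reviewing. The following is an added example, not code from Symantec or the original article: it parses an offline regedit export of that key and reports package names outside a baseline. The baseline list, the sample export and the package name `examplessp` are assumptions constructed for illustration.

```python
import re

# Assumption: package names expected on a stock Windows build; replace with
# the list taken from your own known-good image.
BASELINE = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}
VALUE_RE = re.compile(r'^"Security Packages"=hex\(7\):(.*)$', re.I)

def security_packages(reg_text):
    """Return {key_path: [package, ...]} from a regedit-style text export."""
    # regedit wraps long hex data with a trailing backslash; join those first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE_RE.match(line)
        if m and key:
            raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
            # REG_MULTI_SZ: UTF-16LE strings separated by NUL; '""' means empty.
            names = raw.decode("utf-16-le", "replace").split("\x00")
            found[key] = [n for n in names if n and n != '""']
    return found

def unexpected_packages(reg_text, baseline=BASELINE):
    """Return sorted (key_path, package) pairs that are not in the baseline."""
    return sorted((k, p) for k, pkgs in security_packages(reg_text).items()
                  for p in pkgs if p.lower() not in baseline)

def _hex7(names):
    """Encode names as regedit hex(7) data (used only to build the sample)."""
    data = ("\x00".join(names) + "\x00\x00").encode("utf-16-le")
    parts = [f"{b:02x}" for b in data]
    rows = [",".join(parts[i:i + 20]) for i in range(0, len(parts), 20)]
    return ",\\\n  ".join(rows)

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# Constructed sample export; "examplessp" is a made-up package name.
SAMPLE = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{LSA}]\n"
    f'"Security Packages"=hex(7):{_hex7(["kerberos", "msv1_0", "examplessp"])}\n\n'
    f"[{LSA}\\OSConfig]\n"
    f'"Security Packages"=hex(7):{_hex7(["kerberos", "msv1_0", "tspkg"])}\n'
)

if __name__ == "__main__":
    for key, pkg in unexpected_packages(SAMPLE):
        print(f"review: {pkg!r} under {key}")
```

A reported name is a lead for review rather than a verdict: legitimate third-party authentication software also registers packages here.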
Interestingly, the network loader, host loader and keylogger modules are written in the Lua programming language. Researchers pointed out that this is similar to Flame (Flamer), a highly sophisticated cyber weapon that has been compared to Stuxnet and Duqu. An analysis of the keylogger module also revealed that its code contains references to Sauron, the main antagonist in Lord of the Rings.
Symantec also noticed that one of Strider’s targets had been previously infected by Regin, another highly sophisticated Trojan compared to Stuxnet and used in cyber espionage operations since at least 2008. It’s worth noting that both Regin and Flame have been attributed to various governments, including the United Kingdom, the United States and Israel.
Based on its capabilities, sophistication and the nature of targets, Symantec believes Strider could also be sponsored by a nation state.
The security firm has published indicators of compromise (IoC) to help organizations detect the presence of the threat on their systems.
*Updated with additional details from Kaspersky Lab