Malware researchers from Symantec have spotted a new cyber espionage APT dubbed Sowbug group that has been active at least since 2015.

A new cyber espionage group dubbed Sowbug appeared in the threat landscape, according to the experts it has been active since 2015 and was involved in highly targeted attacks against a host of government organizations in South America and Southeast Asia.

“Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ” reads the analysis published by Symantec.

The group was spotted by experts from Symantec who uncovered clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries, including Argentina, Brazil, Ecuador, Peru, and Malaysia. The Sowbug group uses a strain of malware dubbed Felismus to compromise target systems. The malicious code was first detected in March by researchers at Forcepoint, but only Symantec experts linked it with the Sowbug group. “Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.” stated Forcepoint. Felismus is a sophisticated remote access Trojan (RAT) with a modular structure that allows the backdoor trojan to extend its capabilities.

“Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia. ” continues Symantec. “We have subsequently identified further victims on both sides of the Pacific Ocean. While the Felismus tool was first identified in March of this year, its association with Sowbug was unknown until now. Symantec has also been able to connect earlier attack campaigns with Sowbug, demonstrating that it has been active since at least early-2015 and may have been operating even earlier.”

The Felismus backdoor allows attackers to take full control of an infected system, researchers were able to link previous attack campaigns with the Sowbug hacking group. They concluded that the group is at least active since early-2015.

“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” reads the Symantec report. “The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations.” According to the malware researchers, the Sowbug group uses fake, malicious software updates of Windows or Adobe Reader to compromise the target systems. In the arsenal of the group, there is also a tool called Starloader used by hackers to deploy additional malware and tools, such as credential dumpers and keyloggers on the target system.

The Starloader tool was spread as software updates entitled AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others.

“Rather, it gives its tools file names similar to those used by the software and places them in directory trees that could be mistaken for those used by the legitimate software. This allows the attackers to hide in plain sight, as their appearance in process listings is unlikely to arouse suspicion.” states Symantec.

The Sowbug hackers took further measures to remain under the radar by operating outside of standard office hours. In one case, the hackers remained undetected on the target’s network for up to six months between September 2016 and March 2017.

Share this...

Linkedin Reddit Pinterest

Share On