A newly uncovered cyberespionage group called Strider has been found to be targeting specific organisations and individuals in Russia, China, Belgium and Sweden, using a stealthy piece of malware called Remsec. Interestingly enough, the malware's code contains a reference to Sauron, the infamous, all-seeing villain of The Lord of the Rings.
According to Symantec security researchers, the Remsec malware has been specifically designed to aid Strider's spying activities. The group, which has been active since 2011 but has maintained a low profile, primarily targets specific organisations and individuals that would be of interest to any country's intelligence agencies. Remsec opens a backdoor on infected systems, steals files and logs keystrokes.
"Strider has been highly selective in its choice of targets and, to date, Symantec has found evidence of infections in 36 computers across seven separate organisations. The group's targets include a number of organizations and individuals located in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium," said Symantec.
"As these are highly targeted attacks, lower infection numbers are to be expected. The attackers also use a number of means to go undetected and the attackers may remove the malware and tools used following a successful compromise. Symantec started investigating the group this year so there may have been some infections prior to this that have since been removed or cleaned up," Director of Symantec security intelligence delivery Orla Cox told IBTimes UK.
Modular design and detection evasion
Symantec also noted that the Remsec malware has a "modular design", which provides the cyberespionage group with a framework to help them gain complete control of an infected system. The modular framework also allows the hackers to "move across a network, exfiltrate data, and deploy custom modules as required".
Symantec found that some of the modules of the Remsec malware were written in the Lua programming language, which has also been used by another cyberespionage threat actor called Flamer, which was found to be aiming at specific targets in the Middle East.
Additionally, the malware comes loaded with stealth features that enable it to avoid detection, especially by traditional antivirus software. Most notably, much of the malware's functionality is deployed over the network and runs only in the computer's memory, so it leaves no trace of itself on the hard disk. These efforts to avoid detection indicate that Strider is an advanced and "technically competent" hacker group.
Remsec in Lua
"We suspect that the reason Lua is used is because of the fact that it's simple to develop new functionality in it. The scenario we imagine is that someone developed the Remsec malware, a competent programmer, or set of programmers. From there, the tool is given to others to use, and these others, the operators, are likely technical to some degree, but not programmers like the creators of Remsec," Cox added.
"Strider is capable of creating custom malware tools and has operated below the radar for at least five years. Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker," the firm said.
Cox also noted that Strider does not carry out mass attacks. "The targets were most likely chosen because they have information or work in a field that is of interest to the attackers," Cox said.