A cyberespionage group that has been active since at least early-2015 has been targeting organizations in South America and Southeast Asia, while focusing mainly on foreign policy institutions and diplomatic targets, Symantec reports.
Called Sowbug by Symantec, the group is using a piece of malware called Felismus, which was detailed earlier this year. The malware is a modular Remote Access Trojan (RAT) that packs anti-analysis functions and self-updating routines, and which is capable of file upload, file download, file execution, and shell (cmd.exe) command execution.
According to Symantec, the hackers managed to infiltrate organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia with the purpose of stealing documents.
“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile,” Symantec says.
An attack conducted in May 2015 on one South American foreign ministry was focused on the division of the ministry responsible for relations with the Asia-Pacific region. The hackers attempted to steal Word documents stored on a file server using a command that would bundle them into a RAR archive.
After successfully exfiltrating 4 days’ worth of data, the attackers proceeded to list all remote shared drives and attempted to access remote shares owned by the targeted division, also looking to extract all Word documents. The attackers then listed the contents of various directories on remote shares, including one belonging to the division responsible for relations with international organizations.
The attackers also deployed two unknown payloads to an infected server and maintained a presence on the target’s network for four months between May and September 2015.
This is a typical tactic for the group, which frequently maintains a long-term presence on the networks of targeted organizations, sometimes for up to six months. For that, it impersonates commonly used software packages such as Windows or Adobe Reader by renaming its tools with similar names and hiding in plain sight.
In September 2016, the group deployed the Felismus backdoor on one of the computers of an organization in Asia using the file name adobecms.exe. Next, they installed additional components and tools to a directory and started performing reconnaissance activities. Several days later, they created a sub-directory Program Files\Adobe\common and installed another tool in it, also as adobecms.exe.
The attackers supposedly performed successful network reconnaissance operations, as they managed to compromise another computer within the organization. Next, they returned to the initially compromised machine and installed an executable called fb.exe, which appears designed to copy Felismus across the network to other computers. The group maintained a presence on the target’s network until March 2017.
What the security researchers haven’t yet discovered is how Sowbug performs its initial infiltration of a target’s network. In some instances, it appears to have been deployed from other compromised computers on the network, while in others the tool known as Starloader might have been used for infection.
The same loader was observed deploying additional tools, such as credential dumpers and keyloggers, but the manner in which the loader is installed on the compromised computers remains a mystery. Fake software updates might have been employed, being used to create versions of the Felismus backdoor as well as other tools, Symantec says.
“While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted. However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat,” Symantec notes.
Related: Modular Felismus RAT Emerges