A previously unknown espionage group dubbed ‘Sowbug’ has been discovered targeting foreign policy institutions and diplomatic targets in South America and South East Asia.
Researchers at Symantec first became aware of the collective in March when it observed a piece of malware called ‘Felismus’, which looked to extract data from targets.
It is believed the group has been active since early 2015, possibly earlier, and has infiltrated organisations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia.
“While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted,” said the researchers. “However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat.”
The evidence suggests the group looks for specific pieces of information such as a particular file or database. In one case it targeted all Word documents within a certain date range and revisited it to obtain updated data.
Indeed, Symantec believes the group is capable of maintaining a ‘long-term’ presence on infected systems – as long as six months – by impersonating commonly known software.
How targets are infected however remains a mystery with all signs pointing to a tool called Starloader which installs the malware alongside other software such as credential dumpers and keyloggers.
“It is still unknown how Starloader is installed on the compromised computer,” concluded Symantec. “One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools.”
Are you a security pro? Try our quiz!