Strider hackers in highly-targeted 'espionage' malware campaign

Previously unknown bad actor used Remsec to infect just 36 machines in what appears to be a quiet cyber-espionage operation.

The all-seeing Eye of Sauron - Lord of the Rings
The all-seeing Eye of Sauron - Lord of the Rings

Security researchers have found a previously unknown hacking group that has been carrying out cyber espionage-style attacks against selected targets in Russia, China, Sweden and Belgium.

The group, named by Symantec as Strider, uses malware known as Remsec (Backdoor.Remsec) to conduct its attacks. Symantec said the malware appears to be primarily designed for spying purposes. It also said the code contains a reference to Sauron, the all-seeing antagonist in Lord of the Rings.

It added that the group has been highly selective in its choice of targets, finding evidence of infections in just 36 computers across seven separate organisations.

The group's targets include a number of organisations and individuals located in Russia, an airline in China, an organisation in Sweden and an embassy in Belgium.

Researchers said that the Remsec malware has a modular design that gives hackers complete control over an infected computer, allowing them to move across a network, exfiltrate data and deploy custom modules as required.

The malware also has a number of stealth features to help it avoid detection.

“Several of its components are in the form of executable blobs (binary large objects), which are more difficult for traditional antivirus software to detect. In addition to this, much of the malware's functionality is deployed over the network, meaning it resides only in a computer's memory and is never stored on disk. This also makes the malware more difficult to detect and indicates that the Strider group are technically competent attackers,” said the researchers.

In a blog post, the firm said that Strider's attacks have a tentative link with a previously uncovered group, Flamer. It pointed to the use of the Lua programming language as evidence of the link.

“Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker,” said the researchers.

Symantec has compiled  an indicators-of-compromise document containing further details which can be used to help identify the threats if they are present within an organisation's infrastructure.

Mark James, security specialist at ESET, told SCMagazineUK.com that malware has many designs, and typical malware is created to harvest as much information as possible and target as many victims as it can to achieve its goal. “However, it can easily be created with a specific target in mind, it's quite capable of picking and choosing its targets to ensure it harvests the correct information and ignoring those not on its target list,” he said.

Ilia Kolochenko, CEO of High-Tech Bridge, told SC that there are numerous cyber-mercenaries and Black Hats who are paid well to compromise companies and organisations.

“Victims are selected by the buyer – the person(s) who pay to hack or destroy (eg, DDoS attacks) – therefore the only reason that some particular victims are carefully selected is because someone has paid to compromise them,” he said. “Usually, individual users (except if they are ‘VIP victims' or have access to confidential documents of the victim) are not directly targeted in such attacks.”

He added that countermeasures remain the same as always: proper maintenance of complete inventory of organisations' digital assets, holistic risk assessment with appropriate and priority-based mitigation and continuous security monitoring.

“These simple rules can prevent 90 percent of attacks," Kolochenko said.