A cyber-spy group thought to operate out of Lebanon has been discovered running a long-running campaign of cyber-surveillance against hundreds of targets among military and defence companies.
The group is thought to have been carrying out its campaign for the last two years and was discovered and analysed by Israeli security firm Check Point Software Technologies, which named it Volatile Cedar. The malware's victims are in Lebanon as well as Israel, Turkey, the UK, Japan, the US and other countries.
The security firm unearthed evidence that the cyber-criminals started as early as the beginning of 2012, but have stayed under the radar. Among the victims are defence companies, telecommunications and media companies, and educational institutions. Check Point said the attacker's main motives are not financial but rather to exfiltrate sensitive information from the targets.
The group's main tool is a piece of custom malware dubbed “Explosive”. The implant has built-in file deletion functionality as well as arbitrary code execution, making it possible for the attackers to inflict a lot of damage on an infected system. The malware features a main executable binary and a DLL (dynamic-link library) with backend API calls.
The Trojan goes to a lot of effort to hide from common detection tools and blend into its surroundings. Each Trojan configuration maintains periods of “radio silence” during which Explosive does not start any network communication. These times are set according to the specific target's working hours and low-traffic periods.
The malware's attack vector shuns spear phishing, preferring to target flaws in web servers with both automatic and manual vulnerability discovery. Once the attacker gains control of the server, they then use this as a base to explore, identify, and attack additional targets located deeper inside the internal network. Check Point said that it had seen evidence of online manual hacking as well as an automated USB infection mechanism.
“Volatile Cedar is a very interesting malware campaign. The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims' actions and rapidly responds to detection incidents,” said Dan Wiley, head of Incident Response & Threat Intelligence at Check Point Software Technologies.
“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by anti-virus systems. It's time for organisations to be more proactive about securing their networks.”
John Hultquist, senior manager, cyber espionage threat intelligence at iSIGHT Partners, said that many Middle Eastern cyber-espionage actors rely on off-the-shelf malware solutions such as Xtreme RAT or Dark Comet RAT, “because custom tools, like we've seen with Volatile Cedar, take greater resources and sophistication”.
“Though we cannot confirm targeting in this case, aside from reviewing the actual data that has been taken, targeting specifics are often one of the most indicative factors in determining motive,” he added.
“If this activity is indeed Lebanon-based cyber-espionage, we would anticipate domestic targeting as well as targeting in Israel and the US. In the last few years we have seen a rise in cyber-espionage activity from the region, much of it targeting Israel, governments in the Gulf, as well as US and European government agencies. These actors appear to be gathering intelligence on the region's many ongoing conflicts and the Middle Eastern policy of nations with interests there,” said Hultquist.
Ken Munro, senior partner at Pen Test Partners, said what is really interesting is that the attackers are clearly doing near real-time checks of sources to see if they are being detected by any of the major anti-virus companies, and then modifying their payload slightly to avoid detection.
“The idea of actively monitoring for detection using some other resources that the security community uses for detection, that's clever,” Munro told SCMagazineUK.com. “And actively modifying yourself, those are exactly the techniques that security researchers would use in order to detect things easily.”
Munro added that this reinforces the need to look for malware behaviours, such as connections back to unexpected hosts.
“It also reinforces the need for whitelisting. It is a pain and an overhead because people are going to want to browse the internet for research and go to sites not on a whitelist but if you are not whitelisting it is very difficult to stop this traffic connecting back.”
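Munro's two recommendations above, combined with the “radio silence” detail from earlier in the piece, can be turned into a simple detection pass over proxy logs. The following is an added example, not code from the article, Check Point or Pen Test Partners; the log format, allowlist, hostnames and working hours are all constructed assumptions.

```python
"""Flag outbound connections to hosts that are not on an allowlist, and mark
those made outside working hours, since Explosive is described as beaconing
during the target's low-traffic periods. Everything here is constructed."""
from datetime import datetime

# Constructed allowlist of destinations the organisation expects to see.
ALLOWLIST = {"updates.example-vendor.test", "mail.example.test", "cdn.example.test"}
WORK_START, WORK_END = 8, 18  # assumed local working hours (08:00 to 18:00)

# Constructed proxy log lines: timestamp, source IP, destination host, bytes out.
SAMPLE_LOG = """\
2015-03-30T09:15:02 10.0.0.12 updates.example-vendor.test 2048
2015-03-30T12:40:11 10.0.0.12 mail.example.test 512
2015-03-30T14:02:55 10.0.0.23 files.unknown-host.test 8192
2015-03-31T02:17:40 10.0.0.23 files.unknown-host.test 65536
2015-03-31T03:05:09 10.0.0.23 files.unknown-host.test 70000
"""

def parse_line(line):
    """Split one constructed log line into a record with a parsed timestamp."""
    ts, src, host, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host, "bytes": int(nbytes)}

def is_off_hours(ts):
    """True when the connection falls outside the assumed working hours."""
    return not (WORK_START <= ts.hour < WORK_END)

def find_suspicious(log_text, allowlist=ALLOWLIST):
    """Return one finding per connection to a host that is not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] in allowlist:
            continue
        findings.append({
            "src": rec["src"], "host": rec["host"], "bytes": rec["bytes"],
            "off_hours": is_off_hours(rec["ts"]),
        })
    return findings

def summarise(findings):
    """Aggregate findings per (source, host): connections, off-hours count, bytes out."""
    summary = {}
    for f in findings:
        key = (f["src"], f["host"])
        s = summary.setdefault(key, {"connections": 0, "off_hours": 0, "bytes": 0})
        s["connections"] += 1
        s["off_hours"] += int(f["off_hours"])
        s["bytes"] += f["bytes"]
    return summary
```

A host that appears only in the unexpected set, repeatedly, at night and with growing byte counts is the pattern Munro describes; in practice the allowlist would be built from the organisation's own baseline rather than typed by hand.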
Volatile Cedar is not the only malware attempting to steal secrets. The Laziok Trojan has been targeting energy companies with a focus on firms in the Middle East.
According to Symantec researchers, the malware collects information such as computer names, installed software, anti-virus software, among other data. It uses this information to customise its attack on devices.
In a blog post, Christian Tripputi, security response manager at Symantec, said the detailed information enables the attacker to make “crucial decisions about how to proceed further with the attack, or to halt the attack.”
“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected.”