Southeast Asian and South American governments are under fire from a well-resourced cyberespionage group called Sowbug.
The group has been targeting government entities across the two regions and has already infiltrated organisations in Malaysia, Brunei, Argentina, Brazil, Ecuador and Peru.
Symantec Security Response researchers first identified the group in March 2017 and have been tracking its movements since; the group itself may have been active since at least early 2015.
The group conducts surveillance. It also steals documents from the infiltrated organisations by bundling them into RAR archives and then moving the archives off the network later on.
Its other tactics include mining remote network shares owned by the targeted organisation for documents.
Researchers believe the group is well-resourced and able to infiltrate many targets at once. It also operates outside the normal working hours of the targeted organisations, a strategy that may help them maintain a low profile.
In 2016, the group infected an organisation based in Asia with the Felismus backdoor (Backdoor.Felismus). It then collected system information as part of a reconnaissance phase. Four days later the group installed another tool, which allowed Felismus to spread from the initial computer across the network.
“In this case, the attackers maintained a presence on the target’s network for nearly six months between September 2016 and March 2017,” researchers say.
Sowbug disguises its tools as legitimate software packages such as Windows or Adobe Reader components as part of its attack methods, but it has never compromised the genuine software.
Because its tools use filenames, and are installed in directory trees, that could be mistaken for legitimate software, the attackers are able to ‘hide in plain sight’.
However, Symantec researchers are not sure how Sowbug infiltrates a target’s networks.
“In some cases, there was no trace of how Felismus made its way onto compromised computers, meaning it was likely deployed from other compromised computers on the network,” they state.
In other cases, a tool called Starloader (Trojan.Starloader) is present; it decrypts data from a file called Stars.jpg and installs additional tools.
The group also used other tools, including credential dumpers and keyloggers, as part of its attack process.
“It is still unknown how Starloader is installed on the compromised computer. One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools,” researchers state.
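The tradecraft described above (updater-named binaries that hide in plain sight, documents staged into RAR archives, and activity outside working hours) translates directly into hunting heuristics over process-creation logs. The following is an added example, not code from Symantec or from the article: the three filenames are the ones reported above, while the event records, the list of directories where a genuine updater would plausibly run, and the business-hours window are constructed assumptions for illustration.

```python
"""Hunting heuristics for Sowbug-style tradecraft over process-creation events.

Added example; not Symantec's code. The sample events, the expected-directory
table and the business-hours window below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
import ntpath
import re

# Filenames the article reports Symantec found Starloader using.
MASQUERADE_NAMES = {"adobeupdate.exe", "acrobatupdate.exe", "intelupdate.exe"}

# Assumption: directories where a genuine updater carrying one of these names
# could plausibly live. Matching is by prefix on the lower-cased path.
EXPECTED_DIR_PREFIXES = (
    "c:\\program files\\adobe\\",
    "c:\\program files (x86)\\adobe\\",
    "c:\\program files\\intel\\",
    "c:\\program files (x86)\\intel\\",
    "c:\\windows\\system32\\",
)

# Assumption: the victim organisation's local working day.
WORK_START, WORK_END = time(8, 0), time(18, 0)

# Command lines that stage documents into RAR archives ("rar a ..." or any
# .rar path). Illustrative pattern, not a signature from the article.
RAR_STAGING = re.compile(r"\brar(?:\.exe)?\s+a\b|\.rar\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    timestamp: datetime
    image: str
    command_line: str
    user: str


def is_masquerade_name(image: str) -> bool:
    return ntpath.basename(image).lower() in MASQUERADE_NAMES


def in_expected_dir(image: str) -> bool:
    path = image.lower()
    return any(path.startswith(prefix) for prefix in EXPECTED_DIR_PREFIXES)


def outside_business_hours(ts: datetime) -> bool:
    # Weekends, or anything outside WORK_START..WORK_END, count as off-hours.
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def stages_rar_archive(command_line: str) -> bool:
    return bool(RAR_STAGING.search(command_line))


def assess(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like Sowbug activity (empty = benign).

    A matching filename alone is not enough: it has to come with an unexpected
    location or an off-hours timestamp, which is what separates the masquerade
    from the genuine updater it imitates.
    """
    reasons = []
    if is_masquerade_name(ev.image):
        if not in_expected_dir(ev.image):
            reasons.append("updater-named binary outside vendor directory")
        if outside_business_hours(ev.timestamp):
            reasons.append("updater-named binary run outside business hours")
    if stages_rar_archive(ev.command_line):
        reasons.append("RAR archive staging")
        if outside_business_hours(ev.timestamp):
            reasons.append("archive staging outside business hours")
    return reasons


def hunt(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return (event, reasons) for every event with at least one reason."""
    return [(ev, r) for ev in events if (r := assess(ev))]


# Constructed sample: four events, of which the first and third should be flagged.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2016, 9, 14, 2, 17), r"C:\Windows\Temp\AdobeUpdate.exe",
                 r"C:\Windows\Temp\AdobeUpdate.exe", "CORP\\svc_backup"),
    ProcessEvent(datetime(2016, 9, 14, 10, 5), r"C:\Program Files (x86)\Adobe\AcrobatUpdate.exe",
                 r"C:\Program Files (x86)\Adobe\AcrobatUpdate.exe", "CORP\\jsmith"),
    ProcessEvent(datetime(2016, 9, 17, 23, 40), r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c rar.exe a -r C:\Users\Public\docs.rar "\\FILESRV\Shares\Policy\*.doc"',
                 "CORP\\svc_backup"),
    ProcessEvent(datetime(2016, 9, 15, 11, 0), r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.timestamp.isoformat(), ev.image, ev.user, "->", "; ".join(reasons))
```

The second sample event (an updater-named binary in its vendor directory during working hours) is deliberately left unflagged: the point of the masquerade is that the name alone looks legitimate, so the hunt keys on the combination of name, location and timing rather than on the name by itself. In practice the directory table and working-hours window would come from the organisation's own software inventory and shift pattern.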
Symantec warns that cyberespionage attacks are often seen in Asia, and the number of cyberespionage campaigns is increasing: Sowbug’s existence demonstrates that no region is immune to these threats.