
Southeast Asian govt firms targeted by Sowbug cyberespionage group

08 Nov 17

Southeast Asian and South American governments are under fire from a well-resourced cyberespionage group called Sowbug.

The group has been targeting government entities across the two regions and has already infiltrated organisations in Malaysia, Brunei, Argentina, Brazil, Ecuador and Peru.

Symantec Security Response researchers have been tracking the group’s movements, which first started in March 2017. The group itself may have been active since at least early 2015.

The group conducts surveillance. It also steals documents from the infiltrated organisations by bundling them into RAR archives and exfiltrating the archives later on.

Its other tactics include mining remote shared drives owned by the targeted organisation.

Researchers believe the group is well-resourced and able to infiltrate many targets at once. It also operates outside the normal working hours of the targeted organisations, a strategy that may help it maintain a low profile.

In 2016, the group infected an organisation based in Asia through the Felismus backdoor (Backdoor.Felismus). It then collected system information as part of a reconnaissance mission. Four days later the group installed another tool. These actions allowed Felismus to spread from the initial computer across the network.

“In this case, the attackers maintained a presence on the target’s network for nearly six months between September 2016 and March 2017,” researchers say.

Sowbug's methods include impersonating software packages such as Windows or Adobe Reader, but it has never compromised the genuine software.

Because its tools use similar filenames and install directory trees that could be mistaken for legitimate software, the attackers are able to ‘hide in plain sight’.

However, Symantec researchers are not sure how Sowbug infiltrates a target’s network.

“In some cases, there was no trace of how Felismus made its way onto compromised computers, meaning it was likely deployed from other compromised computers on the network,” they state.

In other cases, a tool called Starloader (Trojan.Starloader) installs and decrypts data from a file called Stars.jpg.

The group also uses other tools, including credential dumpers and keyloggers, as part of its attack process.

“It is still unknown how Starloader is installed on the compromised computer. One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools,” researchers state.
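As an added example (not from the article or from Symantec's own tooling), a small Python triage routine that flags file-inventory records whose name matches the update-impersonation filenames reported above but which sit outside the vendor's expected install directory or lack a matching signer. The expected install roots and the signer check are assumptions for this example, and the inventory records are constructed.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Filenames the article reports Starloader being named (matched case-insensitively).
IMPERSONATED_NAMES = {"adobeupdate.exe", "acrobatupdate.exe", "intelupdate.exe"}

# Assumed legitimate install roots for the impersonated vendors (assumption for this example).
EXPECTED_ROOTS = (
    "c:\\program files\\adobe",
    "c:\\program files (x86)\\adobe",
    "c:\\program files\\intel",
    "c:\\program files (x86)\\intel",
)

@dataclass
class FileRecord:
    path: str         # full path as reported by an inventory or EDR tool
    signed: bool      # whether a valid Authenticode signature was observed
    signer: str = ""  # signer subject, if any

def suspicious_reasons(rec: FileRecord) -> list[str]:
    """Return why a record looks like an update-impersonation binary (empty list if it does not)."""
    p = PureWindowsPath(rec.path)
    if p.name.lower() not in IMPERSONATED_NAMES:
        return []
    reasons = []
    path_lc = str(p).lower()
    if not any(path_lc.startswith(root) for root in EXPECTED_ROOTS):
        reasons.append("outside expected vendor install directory")
    if not rec.signed:
        reasons.append("not signed")
    elif not re.search(r"\b(adobe|intel)\b", rec.signer, re.I):
        reasons.append(f"signed by unexpected signer: {rec.signer!r}")
    return reasons

def triage(records: list[FileRecord]) -> dict[str, list[str]]:
    """Map each flagged path to its reasons; records with no reasons are omitted."""
    return {r.path: reasons for r in records if (reasons := suspicious_reasons(r))}

# Constructed sample inventory, not real data.
SAMPLE = [
    FileRecord(r"C:\Program Files\Adobe\Acrobat DC\AdobeUpdate.exe", True, "Adobe Inc."),
    FileRecord(r"C:\Users\Public\Libraries\AdobeUpdate.exe", False),
    FileRecord(r"C:\Windows\Temp\INTELUPDATE.EXE", True, "Unknown Publisher"),
    FileRecord(r"C:\Program Files\Intel\Driver\setup.exe", False),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```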

Symantec warns that cyberespionage attacks are often seen in Asia. The number of cyberespionage campaigns is increasing: Sowbug’s existence demonstrates that no region is immune to threats.
