Symantec discovers new APT active all over the globe

Aug 8, 2016 10:15 GMT  ·  By

A cyber-espionage group has hit at least seven companies across four countries since October 2011, utilizing its homegrown malware, a backdoor trojan called Remsec.

According to Symantec, the group, nicknamed Strider, has hit four companies in Russia and one each in Belgium (an embassy), Sweden, and China (an airline). At the operational level, Symantec notes only vague similarities to the Flamer group, since both used malware built on Lua modules.

Additionally, one of Strider's targets had also been infected with the Regin backdoor in the past. Beyond these two details there are no links to other cyber-espionage campaigns, and Symantec has not attributed the attacks to any specific country or industrial-espionage group.

Strider uses Remsec malware to compromise targets

All Strider attacks have been carried out with the Remsec backdoor trojan. The malware infects a device and then carries out its tasks through secondary Lua modules loaded at runtime.

The backdoor runs mostly in the computer's memory, which makes it very hard to detect. Combined with the small number of targets, this allowed the group to operate undetected for five years.

A basic Strider infiltration starts with the Remsec infection, usually delivered through a malware loader disguised as a file named MSAOSSPC.dll. This DLL loads further files from disk into memory.

Remsec is a very powerful and versatile backdoor trojan

The same file also contains all the Remsec modules, which the loader brings in only when needed. These modules provide functionality for logging keystrokes, injecting the malicious Lua modules into system processes, and loading executables over the network to compromise other targets.

Additionally, Remsec can listen on local network sockets and open a backdoor to its C&C server in several ways. A PDF detailing the capabilities of the Remsec backdoor trojan is available for download.
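The two details above that a defender can act on are the loader file name (MSAOSSPC.dll) and the fact that a Remsec-infected process may start listening on a local socket. The following Python is an added example, not Symantec's code or any detection the article publishes: it runs over constructed, Sysmon-like events (a made-up key=value format, with invented PIDs and ports; only the DLL name comes from the article), flags any process that loads a module by that name, and reports whether the same process also opened a listening socket.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Two event kinds are assumed:
# ImageLoad = a module was loaded into a process, NetListen = a process began
# listening on a local port. PIDs, paths and ports are invented for the demo.
SAMPLE_EVENTS = """
ts=2016-08-01T09:00:01 type=ImageLoad pid=412 image=C:\\Windows\\System32\\lsass.exe module=C:\\Windows\\System32\\msv1_0.dll
ts=2016-08-01T09:00:02 type=ImageLoad pid=412 image=C:\\Windows\\System32\\lsass.exe module=C:\\Windows\\System32\\MSAOSSPC.dll
ts=2016-08-01T09:00:05 type=NetListen pid=412 image=C:\\Windows\\System32\\lsass.exe port=8083
ts=2016-08-01T09:01:00 type=ImageLoad pid=980 image=C:\\Windows\\explorer.exe module=C:\\Windows\\System32\\shell32.dll
ts=2016-08-01T09:02:00 type=NetListen pid=1204 image=C:\\Program Files\\App\\svc.exe port=9000
"""

LOADER_NAME = "msaosspc.dll"  # loader file name reported for Remsec (from the article)


def parse_event(line):
    """Split one 'key=value key=value' line into a dict.

    Values may contain spaces (e.g. 'Program Files'), so the line is split only
    at whitespace that is immediately followed by another 'key=' token.
    """
    parts = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(p.split("=", 1) for p in parts)


def find_remsec_indicators(text):
    """Return {pid: finding} for every process that loaded the Remsec loader name.

    Each finding records the host process, the module path, and any ports the
    same PID was seen listening on, so an analyst can prioritise in-memory
    triage of that process. Matching is case-insensitive on the file name only.
    """
    loads = {}                   # pid -> (image, module path)
    listens = defaultdict(list)  # pid -> [ports]
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev["type"] == "ImageLoad" and ev["module"].lower().endswith("\\" + LOADER_NAME):
            loads[ev["pid"]] = (ev["image"], ev["module"])
        elif ev["type"] == "NetListen":
            listens[ev["pid"]].append(int(ev["port"]))
    return {pid: {"image": img, "module": mod, "listen_ports": listens.get(pid, [])}
            for pid, (img, mod) in loads.items()}


if __name__ == "__main__":
    for pid, finding in find_remsec_indicators(SAMPLE_EVENTS).items():
        print(pid, finding)
```

A file-name match alone is a weak indicator; the value of the check is the correlation with a listening socket on the same process, which is the behaviour the article describes.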

"Strider is capable of creating custom malware tools and has operated below the radar for at least five years," the Symantec team notes. "Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker."

UPDATE: Kaspersky has released a separate report on the activities of the Strider group, which they call OperationSauron, and which they say they found on the systems of over 30 organizations in countries such as Russia, Iran, Rwanda, and many Italian-speaking nations.

New Strider APT discovered
Geographical distribution of Strider targets