Symantec Spots State-Sponsored ‘Strider’ Attacks

Security experts have discovered a highly targeted cyber espionage campaign aimed at just seven organizations over the past five years.

The Strider group has targeted a mere 36 machines in these organizations since 2011 with the Remsec backdoor malware, according to Symantec.

The malware itself has a Lua modular design which delivers various capabilities including keylogging, a network listener, HTTP back door and a network loader.

The aim is to remotely tap a victim’s machine, allowing the malware authors to move across the network and exfiltrate data as required.

Remsec contains several elements which allow it to remain hidden from traditional defenses, Symantec continued, adding:

“Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect. In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk. This also makes the malware more difficult to detect and indicates that the Strider group are technically competent attackers.”

The majority of victim organizations are located in Russia (4), followed by Belgium, Sweden and China.

Judging by the sophistication of the malware, the choice of targets, and the fact that Strider can build custom malware to suit its needs, Symantec reckons the actors behind Remsec are state sponsored, although it didn’t speculate which nation they may hail from.

It did suggest there were links with the Flamer group discovered back in 2012 targeting organizations in the Middle East and Eastern Europe. That group also used Lua modules, Symantec claimed.

There are also references in the code used by Strider to Sauron, the evil titular character from The Lord of the Rings.

Symantec has also compiled an Indicators of Compromise page to help organizations better spot if Strider may be targeting their data.

What’s Hot on Infosecurity Magazine?