Strider Cyberespionage Group Strikes Seven Targets in Russia, Belgium, Sweden and China
Symantec has discovered a previously unknown cyberespionage group that selects its targets so narrowly that it is believed to have compromised only 7 organisations and 36 endpoints since it started operating 5 years ago. Symantec has named the group "Strider". The threat actor's malware of choice is a customized Windows infostealer known as Remsec, which is modular, stealthy, and written in Lua.
The 7 organisations include an embassy in Belgium, an organization in Sweden, targets in Russia, and an airline in China. DiMaggio says that this is an extremely small number of targets, even for a sophisticated actor.
Moreover, one of Strider's targets had also been infected with the Regin backdoor malware in the past. Besides these 2 details, there are no links to other cyber-espionage campaigns, and Symantec has not held any specific country or industrial-espionage criminal group responsible for the attacks. Strider used Remsec, an advanced piece of malware, to conduct its attacks.
The file includes all of Remsec's modules and is loaded by the loader only when it is required. These modules provide functionality for logging keystrokes, injecting malicious Lua modules into system processes, and loading executables over the network to compromise other targets.
The Symantec blog states that "much of the functionality is deployed over the network, meaning it resides only in a computer's memory and is never stored on disk".
Darkreading.com reported on August 8th, 2016 that the Lua modules in Remsec comprise a host loader, a network loader, a basic pipe back door, a network listener, a more advanced pipe back door that is able to read, write and delete files, a keylogger, and an HTTP back door that includes URLs for a C&C server.
Remsec can listen on local network sockets and then open a backdoor to a C&C server in different ways. A PDF with details of Remsec's backdoor trojan capabilities is available for download.
The Symantec team observes that "Strider is capable of creating custom malware tools and has operated below the radar for at least five years. Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker".
SPAMfighter News - 8/15/2016