Sauron spyware attacking targets in Belgium, China, Russia and Sweden
A previously unknown hacking group called Strider has been conducting cyber espionage against selected targets in Belgium, China, Russia and Sweden, according to Symantec.
The security firm suggested that the product of the espionage would be of interest to a nation state’s intelligence services.
Strider uses malware known as Remsec that appears primarily to have been designed for espionage, rather than as ransomware or any other nefarious software.
Symantec has linked Strider with a group called Flamer which uses similar attack techniques and malware.
The Lord of the Rings reference is deliberate as the Remsec stealth tool contains a reference to Sauron, the necromancer and main protagonist in a number of Tolkien’s stories.
“Strider has been active since at least October 2011. The group has maintained a low profile until now and its targets have been mainly organisations and individuals that would be of interest to a nation state’s intelligence services,” said Symantec in a blog post.
“Symantec obtained a sample of the group’s Remsec malware from a customer who submitted it following its detection by our behavioural engine.”
The security company explained that Strider has been highly selective in its targeting so far, limiting it to 36 infections across seven organisations in four countries. Russia accounts for four of those seven organisations.
“The Remsec malware used by Strider has a modular design. Its modules work together as a framework that provides the attackers with complete control over an infected computer, allowing them to move across a network, exfiltrate data and deploy custom modules as required,” said Symantec.
“Remsec contains a number of stealth features that help it to avoid detection. Several of its components are in the form of executable binary large objects, which are more difficult for traditional antivirus software to detect.
“In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk. This also makes the malware more difficult to detect, and indicates that the Strider group are technically competent attackers.”
Symantec has compiled a Backdoor.Remsec: Indicators of Compromise briefing paper containing further details to help identify the threats.