'Volatile Cedar' APT group spies on enterprises, focusing on Lebanese companies

Check Point Software Technologies issued a report on the group, which has been targeting enterprises since 2012, with its customized "Explosive" malware.
Check Point Software Technologies issued a report on the group, which has been targeting enterprises since 2012, with its customized "Explosive" malware.

Even meticulous monitoring of Command and Control (C&C) servers and swapping out of customized malware to updated forms couldn't keep a newly discovered Advanced Persistent Threat (APT) group from being discovered.

Check Point Software Technologies released a report on Monday about “Volatile Cedar,” a group it says began targeting enterprises in late 2012 and only recently has been stopped through the company's creation of sinkholes. Although primary targets include enterprises in Lebanon, 10 different countries have seen infections, including the U.S., U.K., and Canada.

Impacted verticals include defense contractors, telecommunication groups, media companies and educational institutions. These infections could indicate that the group is based in Lebanon and has a political agenda, Check Point said.

Volatile Cedar doesn't rely on a spear phishing email to enter its target's systems, or even a drive-by download. Instead, this group begins by targeting publicly facing web servers with both automatic and manual vulnerability discovery, Check Point wrote.

“As these servers have a common business functionality, their security is often sacrificed for productivity, making them an easy target for attackers,” the report stated.

Once successfully in control of a server, the attackers continue to penetrate further, starting with a vulnerability scan. If an exploitable vulnerability is found, a web shell code is injected into the server and becomes the way in which the attackers can implant their “Explosive” trojan.

This malware comes in three versions, as well as two other less sophisticated ones, and contains a main executable binary and a DLL file containing “backend” API calls. The exported DLL functions include “GetaAllData,” which collects data from the user, OS and applications, and “GetIEHistory,” which gathers Internet Explorer's browsing data history, among other features.

“We can see that as the attackers have evolved over time they've added more features,” Dan Wiley, head of incident response at Check Point, said in an interview with SCMagazine.com “They've hidden the command and control over the period of time.”

This group has especially taken advantage of C&C servers by using multiple types, including having some for backup, in case one becomes unresponsive.

Kaspersky noted in a blog post on the group that “when they cannot connect to their hardcoded static [C&C], they fall back to a DGA algorithm, and cycle through other domains [with which to connect.]”

Check Point's creation of sinkholes tipped off the group and ultimately led it to utilize the malware's “self-destruct” feature.

“It basically means this campaign in its current form is gone,” Wiley said. “It doesn't mean much other than [the group] needs to start over again. It might take some time, but it'll start over again.”

Wiley went on to stress that these attacks emphasize a need for visibility and control in security, as well as a formalized incident response plan to respond to these attacks.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS