Lord of the spy ring: Strider APT cites Tolkien, found snooping on Russian targets
The APT group Strider is using modular spyware called Remsec to conduct cyberespionage operations, including keylogging and exfiltrating data.
Symantec yesterday disclosed its discovery of a cyberespionage group called Strider – operational since at least October 2011 – that appears to be targeting mostly Russian entities with spyware attacks that bear the hallmarks of a sophisticated nation-state operation.
The advanced persistent threat (APT) appears to be highly selective in nature, infecting targets “that would be of interest to a nation state's intelligence services,” according to a Symantec blog post, including Russian organizations and individuals, a Chinese airline, a Swedish organization and an embassy in Belgium. Overall, researchers found only 36 infections in seven organizations distributed across four countries.
Symantec's behavioral analysis tools detected the malware, dubbed Remsec, whose code references J. R. R. Tolkien's Lord of the Rings villain Sauron, whose infamous eye kept watch over Middle-earth. Its bag of tricks includes the ability to log keystrokes and steal files through a secret backdoor that it creates on infected computers.
“The behavior of the binary was [flagged] by our behavioral engine due to having… behavioral-based characteristics that have been associated with malicious activity previously,” explained Jon DiMaggio, Symantec senior threat intelligence analyst, in an emailed interview with SCMagazine.com. “Further analysis by Symantec led to the discovery…of the Strider attacker.”
Symantec describes Remsec as having a modular design – its individual components comprising a framework that allows attackers to move silently and laterally throughout a compromised system under a command-and-control protocol. This modular approach also allows the Strider APT group to integrate new custom malware tools. In fact, one of Remsec's targets was previously infected by the similarly modular spyware program Regin.
Some of Remsec's modules are written in the Lua programming language – an unusual quirk that Symantec has noted was previously found in Flame malware, which in 2012 was discovered to be targeting Iranian and other Middle Eastern computers with code that was considered to be at least as complex as that found in the Stuxnet worm.
The malware uses some highly deceptive chicanery that likely allowed it to avoid detection for so long. For instance, several of its components exist as executable blobs (Binary Large Objects) to evade antivirus software detection, and much of its functionality resides only in memory and not on disk.
“The executable blobs are likely used because of the differences in the structure usually seen in traditional-based PE executables. This could provide the attacker with a better chance of going undetected,” said DiMaggio. “Using the victim system's memory in place of storing binary and data components on the disk itself is a technique used to prevent defenders from being able to identify or analyze the activity itself. When a computer is turned off, the data stored in memory is lost. That is not generally the case when stored on a disk, which is likely why we are seeing this technique used more frequently,” he added.
As a resource for potentially infected organizations, Symantec has compiled various indicators of Remsec compromise into a document.