Sowbug APT uses Felismus backdoor to for cyberespionage operations
Sowbug APT uses Felismus backdoor to for cyberespionage operations

A previously unknown cyberespionage group called Sowbug has been found using the Felismus backdoor to spy on several South American and Pacific Rim national governments for the last several years.

The APT group was first officially uncovered by Symantec researchers in March 2017 when it saw Felismus being used against a couple of Southeast Asian countries, but once a deeper look was taken it was realized that this group had been poking around illegally in some government files for several years. However, until March the malware was not associated with Sowbug, tying the APT group to the backdoor was not accomplished until now, Symantec reported.

A lot remains unknown about the group behind the operation other than who and what information it is targeted. Sowbug is focusing its efforts mainly on government and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia. The group is well resourced, capable of infiltrating multiple targets simultaneously and has a strong and often operates when the group knows the local staff is at work, the report stated.

With that said figuring out whether or not this is a nation-state backed attack is not known, but certain assumptions can be made Dick O'Brien, security researcher at Symantec, told SC Media.

“We were unable to identify any technical or operational aspects of the attack that would indicate possible origin of this activity. However, we can say the targets are likely of interest to a nation-state and the malware used in these attacks is at the level of sophistication we would expect to see with state-sponsored attackers. The kind of information the attackers appeared to be looking for is also consistent with a state-sponsored group,” he said.

O'Brien also was not sure at this point if this invasive technique can be used against targets with more sophisticated defenses.

“The investigation is ongoing and there are several things we still don't know about Sowbug, such as how they initially compromise organizations, which means it's hard to make a judgement on who is better protected against them,” he told SC.

Another point that remains a mystery is how Felismus is being injected into the target systems. Symantec said neither the attackers nor the software leaves any type of trail to follow. However, in other instances where Felismus was discovered there was evidence that a tool known as Starloader was used for installation, possibly using a fake update as bait. Symantec pointed out a few cases where Starloader files were named AdobeUpdate.exe, AcrobatUpdate.exe.

Once Sowbug has an inroad into a system it begins a systematic search, sometimes for very specific documents. In 2015 an attack against the foreign ministry of an unnamed South American country took place where the attackers attempted to obtain information on relations with nations in the Asia-Pacific region, particularly those from a specific date range. The malware then went searching for attached drives containing similar information.

Symantec also noted that Sowbug has a strong persistence ability being able stay inside a system for months.