AuthentificationCyberCrimeFirewallSecuritySecurity ManagementVirus

Sowbug Hacking Group Targets South America & Asian Governments

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Follow on: Google +

Previously unknown hacking group found targeting foreign policy and diplomatic targets

A previously unknown espionage group dubbed ‘Sowbug’ has been discovered targeting foreign policy institutions and diplomatic targets in South America and South East Asia.

Researchers at Symantec first became aware of the collective in March when it observed a piece of malware called ‘Felismus’, which looked to extract data from targets.

It is believed the group has been active since early 2015, possibly earlier, and has infiltrated organisations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia.

hacker

Sowbug hack

“While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted,” said the researchers. “However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat.”

The evidence suggests the group looks for specific pieces of information such as a particular file or database. In one case it targeted all Word documents within a certain date range and revisited it to obtain updated data.

Indeed, Symantec believes the group is capable of maintaining a ‘long-term’ presence on infected systems – as long as six months – by impersonating commonly known software.

How targets are infected however remains a mystery with all signs pointing to a tool called Starloader which installs the malware alongside other software such as credential dumpers and keyloggers.

“It is still unknown how Starloader is installed on the compromised computer,” concluded Symantec. “One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools.”

Are you a security pro? Try our quiz!