A new cyber espionage group dubbed Sowbug appeared in the threat landscape, according to the experts it has been active since 2015 and was involved in highly targeted attacks against a host of government organizations in South America and Southeast Asia.
“Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ” reads the analysis published by Symantec.
The group was spotted by experts from Symantec who uncovered clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries, including Argentina, Brazil, Ecuador, Peru, and Malaysia.
The Sowbug group uses a strain of malware dubbed Felismus to compromise target systems. The malicious code was first detected in March by researchers at Forcepoint, but only Symantec experts linked it with the Sowbug group.
“Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.” stated Forcepoint.
The Felismus backdoor allows attackers to take full control of an infected system, researchers were able to link previous attack campaigns with the Sowbug hacking group. They concluded that the group is at least active since early-2015.
“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” reads the Symantec report.
“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations.”
According to the malware researchers, the Sowbug group uses fake, malicious software updates of Windows or Adobe Reader to compromise the target systems. In the arsenal of the group, there is also a tool called Starloader used by hackers to deploy additional malware and tools, such as credential dumpers and keyloggers on the target system.