Newly Uncovered 'Sowbug' Cyber-Espionage Grouping Stealing Diplomatic Secrets Since 2015

A previously unknown hacking and cyber-espionage group that has been in operation since at least 2015 has conducted a series of highly targeted attacks against a host of government organisations in South America and Southeast Asia to steal their sensitive data.

Codenamed Sowbug, the hacking group has been exposed by Symantec security researchers, who spotted the group conducting clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries including Argentina, Brazil, Ecuador, Peru and Malaysia.

Symantec's analysis found that the Sowbug group uses a piece of malware dubbed "Felismus" to launch its attacks and infiltrate its targets.

First identified in late March of this year, Felismus is a sophisticated, well-written remote access Trojan (RAT) with a modular structure that allows the backdoor to hide and extend its capabilities.

The malware allows malicious actors to take complete control of an infected system and, like most RATs, Felismus also allows attackers to communicate with a remote server, download files, and execute shell commands.

By analysing Felismus, researchers were able to connect previous attack campaigns with the Sowbug group, indicating that it had been active since at least early 2015 and may have been operating even earlier.
"To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia," the Symantec report said.
"The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations."
Although it is still unclear how the Sowbug hackers managed to gain a foothold in computer networks, evidence gathered by the researchers suggests the hackers have made use of fake, malicious software updates for Windows or Adobe Reader.

The researchers also found that the group has used a tool known as Starloader to deploy additional malware and tools, such as credential dumpers and keyloggers, on victims' networks.

Symantec researchers have found evidence of Starloader files being spread as software updates named AdobeUpdate.exe, AcrobatUpdate.exe and INTELUPDATE.EXE, among others.

Instead of compromising the software itself, Sowbug gives its hacking tools file names "similar to those used by software and places them in directory trees that could be mistaken for those used by the legitimate software."

This trick allows the hackers to hide in plain sight, "as their appearance is unlikely to arouse suspicion."

The Sowbug hackers took several measures to stay under the radar, carrying out their espionage operations outside of standard office hours in order to maintain their presence on targeted networks for months at a time.

In one case, the hacking group remained undetected on the target's network for up to six months, between September 2016 and March 2017.

Besides the distribution method used for the Felismus malware in the Sowbug operation, the identity of the Sowbug attackers also remains unknown.
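As an added defender-side example (not code from the article or from Symantec's research), the following Python flags process-creation events that match the tradecraft described above: the reported Starloader file names, update-named executables sitting outside a vendor's install tree, and execution outside working hours. The vendor install roots, the working hours and the sample events are assumptions constructed for this example.

```python
from datetime import datetime

# Loader file names the article reports Starloader being spread under.
STARLOADER_NAMES = {"adobeupdate.exe", "acrobatupdate.exe", "intelupdate.exe"}

# Assumed install roots of the vendors those names impersonate (assumption, not from the article).
LEGIT_ROOTS = (
    "c:\\program files\\adobe\\", "c:\\program files (x86)\\adobe\\",
    "c:\\program files\\common files\\adobe\\",
    "c:\\program files\\intel\\", "c:\\program files (x86)\\intel\\",
)

# Assumed business hours (24h clock, Monday to Friday) of the monitored organisation.
WORK_START, WORK_END = 8, 18


def split_image(image):
    """Normalise a Windows path; return (directory with trailing backslash, lower-cased file name)."""
    p = image.lower().replace("/", "\\")
    head, _, name = p.rpartition("\\")
    return head + "\\", name


def suspicious_reasons(event):
    """Reasons a process event {'image': path, 'time': ISO-8601 local time} resembles Sowbug tradecraft."""
    reasons = []
    directory, name = split_image(event["image"])
    in_vendor_tree = directory.startswith(LEGIT_ROOTS)
    if name in STARLOADER_NAMES:
        reasons.append("file name matches a reported Starloader update name")
    if "update" in name and name.endswith(".exe") and not in_vendor_tree:
        reasons.append("update-named binary outside a vendor install tree")
    if reasons:  # off-hours execution only corroborates a naming hit; on its own it is too noisy
        ts = datetime.fromisoformat(event["time"])
        if ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END:
            reasons.append("executed outside working hours")
    return reasons


def scan(events):
    """Map each flagged image path to its list of reasons."""
    flagged = {}
    for e in events:
        r = suspicious_reasons(e)
        if r:
            flagged[e["image"]] = r
    return flagged


# Constructed sample events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\ProgramData\Adobe\AdobeUpdate.exe", "time": "2016-11-05T02:13:00"},
    {"image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe", "time": "2017-02-15T10:00:00"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\FlashUpdate.exe", "time": "2017-02-15T14:30:00"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```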