Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.
Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia. We have subsequently identified further victims on both sides of the Pacific Ocean. While the Felismus tool was first identified in March of this year, its association with Sowbug was unknown until now. Symantec has also been able to connect earlier attack campaigns with Sowbug, demonstrating that it has been active since at least early-2015 and may have been operating even earlier.
To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia. The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile.
Highly targeted intrusions
Some clues about the motivation and interests of the attackers can be found in their activities after compromising victims. For example, in a 2015 attack on one South American foreign ministry, the group appeared to be searching for very specific information.
The first evidence of its intrusion dated from May 6, 2015 but activity appeared to have begun in earnest on May 12. The attackers appeared to be interested in one division of the ministry that is responsible for relations with the Asia-Pacific region. They attempted to extract all Word documents stored on a file server belonging to this division by bundling them into a RAR archive by running the following command:
cmd.exe /c c:\windows\rar.exe a -m5 -r -ta20150511000000 -v3072 c:\recycler\[REDACTED].rar “\\[REDACTED]\*.docx” \\[REDACTED]\*.doc.
Interestingly, the command specified that only files modified from May 11, 2015 onwards should be archived.
How Sowbug performs its initial infiltration of a target’s network remains unknown. In some cases, there was no trace of how Felismus made its way onto compromised computers, meaning it was likely deployed from other compromised computers on the network. In other attacks, there was evidence that Felismus was installed using a tool known as Starloader (detected by Symantec as Trojan.Starloader). This is a loader that installs and decrypts data from a file called Stars.jpg. Additionally, Starloader was also observed deploying additional tools used by the attackers, such as credential dumpers and keyloggers.
It is still unknown how Starloader is installed on the compromised computer. One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools.
While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted. However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat.
Symantec customers are protected against Sowbug and Symantec has also made efforts to notify identified targets of its operations.
Customers with Intelligence Services or WebFilter-enabled products are protected against activity associated with the Sowbug group. These products include:
- Web Security Service (WSS)
- Advanced Secure Gateway (ASG)
- Security Analytics
- Content Analysis
- Malware Analysis
- SSL Visibility
Symantec has the following specific detections in place for the threats called out in this blog: