A New Hacking and Cyber Espionage Group Called Sowbug launching highly targeted cyber attacks targetting South America and Southeast Asia. They are mounting attacks with classic espionage techniques and steals documents from organizations.
Snowbug primarily focussing on government entities in South America and Southeast Asia and infiltrated to organizations in Argentina, Brazil, Ecuador, Peru, Brunei, and Malaysia.
Symantec uncovered this Cyber Espionage group, the first evidence of them was found in March 2017 where the Hackers using a piece of malware called Felismus to attack the target in Southeast Asia. With their further analysis, the security analyst found them in the first intrusion in early 2015.
Also Read: Dangerous Keylogger Found in MantisTek GK2 Keyboard that Capture Users Data and Sending into China
They use to maintain a long-term presence and perform reconnaissance activities through CMD and collects system and network related information.
According to Symantec The first evidence of its intrusion dated from May 6, 2015, but activity appeared to have begun in earnest on May 12. The attackers appeared to be interested in one division of the ministry that is responsible for relations with the Asia-Pacific region. They attempted to extract all Word documents stored on a file server belonging to this division by bundling them into a RAR archive by running the following command:
cmd.exe /c c:\windows\rar.exe a -m5 -r -ta20150511000000 -v3072 c:\recycler\[REDACTED].rar “\\[REDACTED]\*.docx” \\[REDACTED]\*.doc.
Their infiltration to the target network still remains unknown and still, there are no traces on how Felismus enters into victims computer.
The Cyber Espionage Group is well equipped, capable of attacking multiple targets simultaneously and will often work outside the working hours of targeted organizations in order to maintain a low profile.
According to analysis from Forcepoint, the malware appears to be modular and capable of self-updating and the executable is written with obfuscation methods to harden analysis and reverse engineering effects.
Felismus installed through Starloader, according to Symantec attackers may be providing fake updates or through the Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others.
Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate search…
Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as the…
Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains, posing…
Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty ransomware,…
The RansomHub ransomware group has emerged as a significant danger, targeting a wide array of…
Threat actors are increasingly using email bombing to bypass security protocols and facilitate further malicious…