Software security firm Symantec has identified a group called Strider that’s aiming spying-related malware at individuals and organizations in Belgium, China, Russia and Sweden. Apparently active since at least late 2011, Strider has kept a low profile and could be a nation-state attacker, Symantec said.
Strider uses “stealthy,” hard-to-detect malware called Remsec that provides backdoor access to infected computers for stealing data, logging keystrokes and other actions, according to Symantec. The group appears to be highly selective: Symantec found evidence of infections on only 36 computers across seven separate organizations since October 2011.
In a separate report released today, the cybersecurity company Kaspersky Lab identified the spying group as “ProjectSauron.” The name stems from a string in the malware’s keylogger module that includes the word “Sauron,” the main villain in J.R.R. Tolkien’s “The Lord of the Rings.”
Malware Resides ‘Only in Memory’
“Strider is capable of creating custom malware tools and has operated below the radar for at least five years,” Symantec’s Security Response team wrote yesterday in a blog post. “Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker.”
The security team said it first detected Strider’s malware through its behavioral engine that uses machine learning to look for anomalous computer processes. The researchers then analyzed a sample of the Remsec malware they obtained from a customer.
Remsec uses a variety of modules that together work as “a framework that provides the attackers with complete control over an infected computer,” the Symantec team noted. The malware is difficult to detect in part because many of its features are “deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk.”
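A check a practitioner would run for the memory-only behavior described above, as an added example and not code from Symantec, Kaspersky or the Remsec analysis: a payload that is delivered over the network and never written to disk still has to sit in executable memory that the loader did not map from a file, so hunting for executable regions with no on-disk backing is a cheap first signal. The script below is Linux-centric (it parses /proc/<pid>/maps) while Remsec targets Windows; the Windows analogue is walking a process with VirtualQueryEx and flagging executable private memory, which this script does not do. The sample maps text is constructed, not captured from a real host.

```python
"""Flag executable memory mappings that have no file on disk behind them.

Added illustration, not Symantec's or Kaspersky's tooling. On Linux,
/proc/<pid>/maps lists every mapping with its permissions and backing path,
so anonymous, memfd-backed or deleted-file executable regions stand out.
"""
import os
import re
from dataclasses import dataclass
from typing import List

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Mapping]:
    """Parse the contents of a /proc/<pid>/maps file into Mapping records."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # tolerate an odd line rather than abort the whole scan
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], int(m["inode"]), m["path"].strip()))
    return out


# Kernel pseudo-mappings that are legitimately executable and unbacked.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]", "[vectors]"}


def is_unbacked_exec(m: Mapping) -> bool:
    """True if the region is executable and not backed by a file on disk."""
    if "x" not in m.perms:
        return False
    if m.path in BENIGN_PSEUDO:
        return False
    if m.path == "" or m.inode == 0:       # anonymous mapping
        return True
    if m.path.endswith("(deleted)"):       # file unlinked after being mapped
        return True
    if m.path.startswith("/memfd:"):       # memfd_create() backing, never on disk
        return True
    return False


def suspicious_exec_mappings(maps_text: str) -> List[Mapping]:
    """Return the executable regions in maps_text that nothing on disk backs."""
    return [m for m in parse_maps(maps_text) if is_unbacked_exec(m)]


def scan_pid(pid: int) -> List[Mapping]:
    """Apply the check to a live process (Linux only)."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_exec_mappings(fh.read())


# Constructed sample (not from a real host): a normal binary and libc, plus an
# anonymous rwx region and a deleted-file mapping of the kind a network-delivered,
# memory-only stage leaves behind.
SAMPLE_MAPS = """\
55d2f1c00000-55d2f1c20000 r-xp 00000000 08:01 131074 /usr/bin/example
55d2f1e20000-55d2f1e21000 rw-p 00020000 08:01 131074 /usr/bin/example
7f3a8c000000-7f3a8c1c0000 r-xp 00000000 08:01 262190 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8c400000-7f3a8c410000 rwxp 00000000 00:00 0
7f3a8c500000-7f3a8c520000 r-xp 00000000 00:01 40123 /dev/shm/stage2 (deleted)
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
7ffd5a0fe000-7ffd5a100000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for m in suspicious_exec_mappings(SAMPLE_MAPS):
        print(f"{m.start:#x}-{m.end:#x} {m.perms} size={m.size:#x} {m.path or '<anon>'}")
    if os.path.isdir("/proc"):  # then sweep every live process we can read
        for pid in (p for p in os.listdir("/proc") if p.isdigit()):
            try:
                hits = scan_pid(int(pid))
            except OSError:
                continue  # process exited or permission denied
            for m in hits:
                print(f"pid {pid}: {m.start:#x}-{m.end:#x} {m.perms} {m.path or '<anon>'}")
```

On the constructed sample the anonymous rwxp region and the deleted /dev/shm mapping are reported while the file-backed code, the stack and the vDSO are not. JIT runtimes (browsers, Java, .NET) produce anonymous executable regions legitimately, so in practice the output is a triage list to correlate with process identity and network activity, not a verdict.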
Aimed at Government, Military Targets
In a report released today, Kaspersky Lab…