New spyware detected targeting firms in Russia, China: Symantec


Symantec did suggest there were links with the Flamer group, discovered back in 2012 targeting organizations in the Middle East and Eastern Europe. The company has published on its website all there is to know about the low-profile group, which has been operating since 2011. Strider is the nickname of the fantasy trilogy's widely travelled main character, Aragorn.

A hacking group called Strider has been conducting cyber espionage against selected targets in Belgium, China, Russia and Sweden, according to independent research conducted by security firms Symantec and Kaspersky Lab.

Symantec, a US technology company based in Mountain View, northern California, that provides antivirus, antispyware, antimalware and firewall services, said it had obtained a sample of the group's Remsec malware, namely Backdoor.Remsec, from a customer who submitted it following its detection by the behavioral engine in Symantec and Norton products. "It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the software", it says, adding that the malware includes the ability to install backdoors on infected systems, record keystrokes and steal documents.

According to Fortune, cyber security researchers explained that rather than being installed on individual computers, Remsec spyware spreads within an organization's network, giving attackers complete control over infected machines. It can also enable them to deploy custom modules as required.

The malware is designed to be stealthy, for example remaining hidden until specified network protocols awaken it. Several of its components take the form of executable binary large objects (blobs), which are harder for traditional antivirus software to detect and allow Strider to infect a computer without being noticed.

It uses a modular platform with at least 50 plugin types, deploys strong encryption, and targets communication encryption software used by governmental organisations, Kaspersky said. "Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker".

Also known as "Strider", ProjectSauron was identified by Kaspersky Lab in September 2015.

Symantec believes that Strider has been very selective when choosing what and who to attack. Infections by the group were found in organisations in several countries including Russia, Iran, China, Sweden and Belgium. The majority of these were individuals and organisations in the Russian Federation, but also included an airline in China, an organisation in Sweden and an embassy in Belgium. She said that the company had identified a maximum of 2 per year.

ProjectSauron has been active since at least 2011, but it was only unearthed recently because it was designed not to use patterns security experts usually look for when hunting for malware.