For the past two years, a cyberespionage group that likely operates from Lebanon has hacked into hundreds of defense contractors, telecommunications operators, media groups and educational organizations from at least 10 countries.
The still-active attack campaign was uncovered and analyzed recently by security researchers from Check Point Software Technologies, who dubbed it Volatile Cedar. The company's researchers found evidence that the attackers started their operation in late 2012, but have managed to fly under the radar until now by carefully adapting their tools to avoid being detected by antivirus programs.
Unlike most cyberespionage groups, the Volatile Cedar attackers do not use spear phishing or drive-by downloads to gain a foothold into their victims' networks. Instead, they target public-facing Web servers and use them as their initial entry points.
The attackers use automated vulnerability scanners, as well as manual techniques to find and exploit flaws in websites and Web applications. Those compromises are then used to install backdoor scripts known as Web shells on the affected Web servers, according to a detailed report released Tuesday by Check Point.
If the compromised servers run Microsoft's IIS Web server software, the attackers use their access to install a custom-made Windows Trojan program called Explosive that has key logging and other information-stealing capabilities. This is the group's main malware tool and is used to extract information from the compromised servers, including passwords typed by their administrators.
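Because the group's foothold is a Web shell dropped onto an IIS server, one practical defender check is to compare the script paths that actually receive requests against the set of script files the application is known to ship. The following Python hunt script is an added example, not Check Point's tooling or anything from the report; the log excerpt, the inventory and the IP addresses are constructed samples, not Volatile Cedar indicators.

```python
"""Hunt for web-shell activity in IIS W3C extended logs.

Heuristic: a web shell is a server-side script that was never part of the
deployed application. Requests to script paths missing from a known-good
inventory, especially POSTs (operators usually send commands in the body),
deserve a closer look. Log lines, inventory and IPs below are constructed.
"""

SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php")

# Constructed known-good inventory (lower-case paths) of the deployed app.
KNOWN_SCRIPTS = {
    "/default.aspx",
    "/login.aspx",
    "/api/search.ashx",
}

# Constructed IIS W3C log excerpt: directives, then one entry per line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2015-03-30 10:01:02 10.0.0.5 GET /default.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 15
2015-03-30 10:01:09 10.0.0.5 POST /login.aspx - 80 - 198.51.100.7 Mozilla/5.0 302 40
2015-03-30 10:03:44 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.7 Mozilla/5.0 200 3
2015-03-30 11:12:00 10.0.0.5 POST /images/cache.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 120
2015-03-30 11:12:31 10.0.0.5 POST /images/cache.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 95
2015-03-30 11:40:13 10.0.0.5 GET /api/search.ashx q=test 80 - 198.51.100.7 Mozilla/5.0 200 22
"""


def parse_iis_log(text):
    """Parse IIS W3C log text into a list of dicts keyed by the #Fields names."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("log entry seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misassign columns
        entries.append(dict(zip(fields, values)))
    return entries


def find_suspicious_scripts(entries, known_scripts):
    """Flag server-side script paths that are not in the known-good inventory.

    Returns one finding per unknown script path, ordered by first appearance,
    with request and POST counts, client IPs and first/last timestamps.
    """
    by_uri = {}
    for e in entries:
        uri = e.get("cs-uri-stem", "").lower()  # inventory is lower-case
        if not uri.endswith(SCRIPT_EXTENSIONS) or uri in known_scripts:
            continue
        stamp = f"{e['date']} {e['time']}"
        f = by_uri.setdefault(uri, {
            "uri": uri, "first_seen": stamp, "last_seen": stamp,
            "total": 0, "post_count": 0, "client_ips": set(),
        })
        f["total"] += 1
        f["last_seen"] = stamp
        if e.get("cs-method", "").upper() == "POST":
            f["post_count"] += 1
        f["client_ips"].add(e.get("c-ip", "-"))
    return sorted(by_uri.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in find_suspicious_scripts(parse_iis_log(SAMPLE_LOG), KNOWN_SCRIPTS):
        print(f"{finding['uri']}: {finding['total']} requests "
              f"({finding['post_count']} POST) from {sorted(finding['client_ips'])}, "
              f"first seen {finding['first_seen']}")
```

In practice the inventory comes from the application's build manifest or a file hash baseline of the web root, and the `first_seen` timestamp of a finding can be cross-checked against the file's creation time on disk; a script that appeared on the filesystem minutes after a burst of scanner traffic in the same log is the pattern this article describes.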
The same Trojan program is also used to infect other servers and systems running inside the networks of the targeted organizations. Its most recent version contains functionality for spreading over USB mass storage devices.
"Residues of custom-built port scanners and several other attack tools have been found on the victim servers, leading us to believe the attackers use the initially infected servers as a pivot to manually spread to the entire network," the Check Point researchers said in their report.
Three main versions of the Explosive Trojan that were used at different times over the past two years have been identified. Typically, a new, technically improved version was released after attackers found signs that a previous version had been detected by antivirus programs -- in most cases such detection events were accidental and due to aggressive antivirus software heuristics rather than manual analysis by researchers.
There is ample evidence that the Volatile Cedar attackers went to great lengths to keep their malware infections undiscovered. They constantly checked antivirus detection results and updated the Trojan on infected servers, the Check Point researchers said.
The malicious program monitors its own memory consumption to ensure that it doesn't exceed certain thresholds that could arouse suspicion, and it goes into periods of "radio silence" during which it doesn't initiate any external communications. These periods differ for each victim and are predefined in the Trojan's configuration file.
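Those scheduled silent periods matter for detection: a naive check for regular check-in traffic sees one very long gap, the variance of the intervals explodes, and the host looks like it has no beacon at all. The Python heuristic below is an added example (not from the report, and not a description of how Check Point detected this campaign); it first separates pauses from the steady cadence, then judges regularity on the remaining intervals. The connection timestamps are constructed samples, and the thresholds are illustrative choices, not tuned values.

```python
"""Spot beacon-like outbound traffic that includes deliberate silent periods.

Given the timestamps of outbound connections from one host to one
destination, compute the inter-connection gaps, treat any gap far larger
than the median as a silence window, and check whether the remaining gaps
are tightly clustered around that median. All timestamps are constructed.
"""
from datetime import datetime, timedelta
from statistics import median


def build_timeline(start, gaps_seconds):
    """Helper: turn a start time plus successive gaps into a list of datetimes."""
    out = [start]
    for g in gaps_seconds:
        out.append(out[-1] + timedelta(seconds=g))
    return out


# Constructed: check-ins every ~10 minutes, a six-hour pause, then the same cadence.
BEACON_SAMPLE = build_timeline(
    datetime(2015, 3, 30, 9, 0, 0),
    [600, 610, 590, 600, 605, 595, 21600, 600, 598, 602, 600],
)

# Constructed: irregular, human-driven connections to the same host.
BROWSING_SAMPLE = build_timeline(
    datetime(2015, 3, 30, 9, 0, 0),
    [5, 120, 3, 900, 45, 2, 400],
)


def analyze_beaconing(timestamps, silence_factor=5.0, jitter_tolerance=0.25,
                      min_regular=3):
    """Classify a connection timeline as beacon-like or not.

    silence_factor:   a gap more than this many times the median gap is a pause.
    jitter_tolerance: max deviation of regular gaps from the median, as a fraction.
    min_regular:      minimum number of regular gaps needed to call it a beacon.
    """
    ts = sorted(timestamps)
    empty = {"beacon_like": False, "interval_seconds": None,
             "jitter": None, "silence_windows": []}
    if len(ts) < 2:
        return empty
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    base = median(gaps)
    if base <= 0:
        return empty  # duplicate timestamps; nothing periodic to measure
    silences, regular = [], []
    for a, b, g in zip(ts, ts[1:], gaps):
        if g > silence_factor * base:
            silences.append({"start": a, "end": b, "seconds": g})
        else:
            regular.append(g)
    # Worst-case relative deviation of the regular gaps from the median cadence.
    jitter = max(abs(g - base) for g in regular) / base
    beacon_like = jitter <= jitter_tolerance and len(regular) >= min_regular
    return {"beacon_like": beacon_like, "interval_seconds": base,
            "jitter": jitter, "silence_windows": silences}


if __name__ == "__main__":
    for name, sample in (("beacon", BEACON_SAMPLE), ("browsing", BROWSING_SAMPLE)):
        r = analyze_beaconing(sample)
        print(f"{name}: beacon_like={r['beacon_like']} interval={r['interval_seconds']}s "
              f"jitter={r['jitter']:.3f} silences={len(r['silence_windows'])}")
```

The median is used as the cadence estimate precisely because a handful of very long pauses barely move it, whereas they would dominate a mean; the silence windows are reported rather than discarded, since their start and end times are themselves useful when correlating with other hosts that may share the same configuration.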