The Explosive Trojan also periodically checks with its command-and-control (C&C) servers for confirmation that it is safe to continue operating. All of its communications are obfuscated to appear as random network traffic and the C&C infrastructure is redundant. The program contacts both hard-coded and dynamic update servers and if those fail, it uses a domain generation algorithm (DGA) to find new servers.
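The DGA fallback described above is also what gives defenders a foothold: algorithmically generated domains look different from the hostnames normal software resolves, so resolver logs can be scored for DGA-like names. The following is an added example, not code from Check Point or from the report; the sample hostnames are constructed, not indicators from the Volatile Cedar campaign, and the thresholds are illustrative assumptions a team would tune against its own traffic.

```python
import math
from collections import Counter

# Constructed sample of DNS query names, as an analyst might extract them
# from resolver logs. These are made-up hostnames, not real indicators.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "update.microsoft.com",
    "xk7q2pdb9vwz4m.net",
    "q9z3wv8rk2tyd1pl.com",
    "cdn.jsdelivr.net",
    "hx7v2k9qz4m.org",
]


def registrable_label(fqdn):
    """Return the label just left of the public suffix.

    Simplifying assumption: the public suffix is the final label only, so
    'a.b.example.com' -> 'example'. A production detector would consult the
    Public Suffix List so that suffixes such as 'co.uk' are handled.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0]
    return parts[-2]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of alphabetic characters that are vowels; words have many."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def dga_score(label):
    """Heuristic score in [0, 3]: one point per feature crossing its threshold.

    Thresholds (assumed, tune per environment):
      entropy >= 3.5 bits, vowel ratio < 0.25, at least two digits.
    """
    score = 0
    if shannon_entropy(label) >= 3.5:
        score += 1
    if vowel_ratio(label) < 0.25:
        score += 1
    if sum(ch.isdigit() for ch in label) >= 2:
        score += 1
    return score


def flag_suspicious(queries, threshold=2):
    """Return the query names whose registrable label scores at or above threshold."""
    return [q for q in queries if dga_score(registrable_label(q)) >= threshold]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:28s} score={dga_score(registrable_label(q))}")
    print("flagged:", flag_suspicious(SAMPLE_QUERIES))
```

Scoring several weak features rather than entropy alone matters: in the sample set, `hx7v2k9qz4m.org` falls just under the entropy threshold but is still caught by its lack of vowels and its digits. In practice this scorer is best paired with a count of NXDOMAIN responses per client, since a DGA client resolves many unregistered candidates before it finds a live server.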
While the Explosive Trojan is only installed on Windows servers, the attackers also compromised Linux-based servers and installed Web shells on them, said Check Point security researcher Shahar Tal. No zero-day exploits -- exploits for previously unknown vulnerabilities -- were found, but the use of such exploits cannot be excluded, he said.
The Check Point researchers found a large number of victims in Lebanon, but compromised organizations were also found in Israel, Turkey, the U.K., Japan, the U.S. and other countries.
There are hundreds of victims, but their exact number and accurate geographical distribution is not yet available, because that data is still being collected, Tal said. Check Point plans to release a follow-up report at a later date that will likely include more information about this aspect, he said.
As far as attribution goes, technical evidence -- C&C server hosting, domain whois records and other information -- suggests that the attackers are based in Lebanon. Their high level of sophistication and the nature of the targeted organizations point to possible sponsorship by a nation state or political group, but the high number of victims in Lebanon also indicates intrastate espionage. This could mean that the operation is not supported by the main authorities in that country, Tal said.
Establishing attribution for cyberattacks is always complicated and can't be done with complete accuracy, Tal said, adding that there's always the possibility that evidence pointing to Lebanon was intentionally forged by the attackers.
What's clear is that these attackers are not some kids playing around; they do this as their day-to-day job, Tal said. They're not at the same level of sophistication as the NSA, but they're persistent and have operational discipline. It's also not every day that researchers see completely custom malware like the Explosive Trojan, he said.
The Volatile Cedar attackers have already reacted after Check Point privately shared its report and indicators of compromise with other security vendors a few days ago, Tal said. They activated a self-destruct command that will remove the malware from any infected system that establishes a connection with their command-and-control server, he said.