November 07, 2017
A previously unknown hacking and cyber-espionage group that has been in operation since at least 2015 has conducted a series of highly targeted attacks against a host of government organizations in South America and Southeast Asia to steal their sensitive data.
Codenamed Sowbug, the hacking group has been exposed by Symantec security researchers, who spotted the group conducting clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries, including Argentina, Brazil, Ecuador, Peru and Malaysia.
Symantec analysis found that the Sowbug hacking group uses a piece of malware dubbed “Felismus” to launch its attacks and infiltrate their targets.
First identified in late March of this year, Felismus is a sophisticated, well-written remote access Trojan (RAT) with a modular construction that allows the backdoor to hide and/or extend its capabilities.
The malware allows malicious actors to take complete control of an infected system, and, like most RATs, Felismus also allows attackers to communicate with a remote server, download files, and execute shell commands.
By analysing Felismus, researchers were able to connect previous attack campaigns with the Sowbug hacking group, indicating that it had been active since at least early 2015 and may have been operating even earlier.
“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” the Symantec report said.
“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations.”