August 8, 2016
A cyber-espionage group has hit at least seven companies across four countries since October 2011, utilizing its homegrown malware, a backdoor trojan called Remsec.
According to Symantec, the group, nicknamed Strider, has hit four companies in Russia, one in Belgium (an embassy), one in Sweden, and one in China (an airline). At the operational level, Symantec notes some vague similarities to the Flamer group, since both used malware built from Lua modules.
Additionally, one of Strider's targets had previously been infected with the Regin backdoor. Beyond these two details there are no known links to other cyber-espionage campaigns, and Symantec has not attributed the attacks to any specific country or industrial-espionage criminal group.
Strider uses Remsec malware to compromise targets
All Strider attacks have been carried out with the Remsec backdoor trojan. This malware is capable of infecting devices and performing several actions using secondary Lua modules loaded at runtime.
The backdoor runs mostly in the computer's memory, which makes it very hard to detect. Combined with its focus on a small number of targets, this allowed the group to operate undetected for five years.
A basic Strider infiltration starts with a Remsec infection, usually delivered through a malware loader disguised as a file named MSAOSSPC.dll. This DLL loads files from disk into the operating system's memory.
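A defender-side check for the loader name mentioned above, written as an added example that is not from the article or from Symantec's report: it enumerates running processes for a loaded module named MSAOSSPC.dll and reports the file path and Authenticode signature status so an analyst can triage whether the copy is an expected component or a look-alike. It assumes it is run elevated on a Windows host where Get-AuthenticodeSignature is available.

```powershell
# Added example, not part of the original article. Hunt for a loaded module named
# MSAOSSPC.dll across running processes and report path plus signature status.
# Assumes: elevated Windows PowerShell 5.1 / PowerShell 7 on the host being checked.
$moduleName = 'MSAOSSPC.dll'

$hits = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules |
            Where-Object { $_.ModuleName -ieq $moduleName } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FileName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    ModulePath  = $_.FileName
                    SigStatus   = if ($sig) { $sig.Status } else { 'Unknown' }
                    Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    } catch {
        # Access denied on protected or cross-bitness processes is expected; skip them
        # rather than abort the whole sweep.
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No running process currently has $moduleName loaded."
}
```

A hit is a triage lead, not a verdict: compare the reported path and signer against a known-good host, and capture memory from the affected process before remediation since the backdoor itself lives mostly in memory.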