Strider is a hackers group that has been attacking individuals and organizations in Russia, China, Sweden, Belgium, and Rwanda, and apparently, they like the Lord of the Rings as much as they like to spy their victims. Symantec has published on its website all that it is to know about the low-profile group that is working since 2011.
Strider is the nickname of one of the characters in the medieval fantasy books The Lord of the Rings: Aragorn. And the Moscow-based Kaspersky Lab refers to Strider as “Project Sauron.” Sauron is another character of the Lord of the Rings and represents the infamous and most feared villain of the trilogy. Sauron is a big eye that can see it all, similar to what Strider’s malware does.
The criminals behind Strider use an advanced malware that is a stealthy tool known as Remsec. Symantec says that it seems to be developed for spying purposes. The malware opens a backdoor on an infected computer and can log keystrokes and steal files.
Symantec discovered that Remsec has a modular design, which means that Remsec to Strider a framework that helps them gain the complete control of an infected computer. This allows the cyberspies to move across the network of the hacked computer and exfiltrate data. It can also enable them to deploy custom modules as require.
Strider malware is well designed to avoid being detected, thanks to its various stealth features. Remsec uses a significant part of its components in the form of executable blobs, which are Binary Large Objects. These blobs are hard to find by traditional antivirus software and allow Strider to infect a computer without being noticed.
Additionally, Strider’s malware can be deployed over the network and not the stored disk, meaning that Remsec only uses the computer’s memory and makes its detection even more challenging. Strider can create custom malware tools, making it a significant cyber threat.
For those who used Symantec and Norton products to protect their computers, they can know if Strider is trying to attack them because the antivirus detects Remsec malware as Backdoor.Remsec.
Symantec suspects that a government agency is behind Strider
According to Kasperksy Lab, 30 organization have been targeted and attacked by Russia, Iran and Rwanda. The Lab has also estimated that there are more victims in Italian-speaking countries, Reuters reported.
Symantec believes that Strider has been very selective when choosing what and who to attack. The cyber security company found evidence of the Strider’s malware in 36 computers in 7 separate organizations. The cyberspies have attacked an airline in China, an organization in Sweden, and an embassy in Belgium, plus the 30 attacks in Russia, Iran, and Rwanda.
Oral Fox, Symantec’s director of security response, stated that discovering new malware is relatively an uncommon event. She said that the company had identified a maximum of 2 per year.
Regarding the quality of Strider’s modus operandi, Symantec stated that based on their malware capabilities and the nature of its targets, the suspect that a nation is behind the group. But they did not speculate about which country could be leading Strider’s operations.
Connecting Strider to other cyber-espionage groups, and tracking its origins
Symantec found that the malware Remsec uses Lua modules, which means that those modules are written in Lua programming language that can only be read with a Lua interpreter to run the module.
Remsec has Lua interpreters that allow that Lua modules to load an executable over the network for execution. Lua modules in Remsec also can decrypt and load at least 3 Lua modules that to the date, are almost unknown. The modules are ilpsen, updater, and kblog, and the last one is the only known and is identified as the Keylogger module.
The use of Lua modules is a technique that was also employed by another cyberspy group called Stuxnet, and its malware, Flamer, used Lua modules to attack systems.
Stuxnet is a military-grade computer virus, and it has been alleged that it was employed by the United States and Israel to sabotage Iran’s nuclear program in the last decade.
How is that Symantec knows so much about Strider?
The cyber security company used a sample that was obtained from a customer. This client submitted the evidence to the enterprise, and Symantec followed its detection by its behavioral engine.
Symantec has stated on its website that it will continue to investigate Strider’s moves and ways, including more modules that are used in its malware and the organizations and target that the spies are trying to attack to protect their customers better. The modules that Symantec have discovered so far are Loader, Network listener, Basic pipe back door, advanced pipe back door, and HTTP back door.
Strider has been active in the hacker’s world since October 2011 and managed to maintain a low profile until its attacks in Europe and China.