Cyber security company Symantec recently identified a new cyber espionage group called “Sowbug” that targets governments initially in South East Asia and South America. Sowbug uses a sophisticated piece of malware called “Felismus” that was discovered earlier this year by Forcepoint Security Labs.
It is currently unknown how Felismus infiltrates a target’s network but once deployed it can maintain a persistent presence, avoiding detection by disguising itself as an Adobe or Word file. The operators of the malware also appear to work outside the usual business hours of the victim, possibly to avoid arousing suspicion from legitimate users.
Sowbug uses Felismus to predominantly steal information relating to foreign policy, diplomatic relations and, specifically, Asia-Pacific relations. It has also been seen searching for files on remote shares in an attempt to infect other computers on the network.
Sowbug has probably been operating since at least early 2015, but its stealthy capabilities have enabled it to remain very low profile and evade detection.
Sowburg’s identity and primary motivation is currently unknown. There has been speculation this could be a state sponsored group due to the government targets, the sophistication of Felismus, and its success. Some of the malware code appeared to indicate that the operators’ first language may not be English.
Upon execution, the malware makes a series of innocuous looking HTTP requests to wwwcosecmancom seemingly designed to look like normal browsing/shopping activity:
(i) GET /notice/news/items.php?V=ca09a22378d1673b&U= HTTP/1.1
(ii) GET /notice/news/items.php?V=ca09a22378d1673b&M=f871ff6f939cecf8&U=fe41320b0e4c5d1a
(iii) POST /notice/items/products.php?mobfhvkaqmrmsjjalllpdtkizewqx
Analysis of these requests and their associated responses show them to be part of the malware’s setup process.
Associated Domains & IP Addresses To Block
18.104.22.168 and 22.214.171.124, and 126.96.36.199
188.8.131.52 and 184.108.40.206 and 220.127.116.11