Volatile Cedar, the cyber espionage campaign from Lebanon

The Volatile Cedar APT group is a newly identified hacking team, apparently operating from Lebanon, that has compromised systems worldwide, most of those in Israel.

Security experts from Check Point Software Technologies have uncovered a new cyber espionage campaign, dubbed Volatile Cedar, that targeted hundreds of entities from at least ten countries (Lebanon, Israel, Turkey, the UK, Japan, the US, etc.).

The hackers likely operate from Lebanon and have broken into the systems of defense contractors, telecommunications operators, educational organizations and media groups.

“This is the first time we are aware of cyber capabilities of some kind from an actor in Lebanon. It’s not surprising, a matter of time really before anyone in the government or a major political group developed capabilities in that realm,” explained Shahar Tal, vulnerability research manager at Check Point Software Technologies. 

The experts believe the Volatile Cedar campaign started in late 2012 and is still active; the threat actors behind it stayed hidden by adopting sophisticated techniques that let them compromise their targets silently.

The experts noticed that the hackers behind the Volatile Cedar campaign use neither spear phishing nor drive-by downloads in the early stage of their attacks; instead, they target web servers.

“Spear phishing is the expected way to go,” Tal said. “This is actually a pretty effective way of entering networks. If you have web hacking skills, you’re going to get something on that webserver. Once you’re inside the webserver, there’s usually little protection going from the outside to the intranet.”

There is no evidence of the use of zero-day exploits.

The attackers used custom-built scanners and several other attack tools to identify flaws in the targeted websites. Once a system was compromised, they planted a web shell backdoor on the web server. Where the web server is Microsoft IIS, the attackers additionally install a custom-made Windows Trojan dubbed Explosive.

Explosive is the principal weapon in the arsenal of the Volatile Cedar APT: it implements data-stealing capabilities and a keylogging feature. The malicious code is also used for lateral movement within the compromised network. Experts have detected many versions of the malware, including a recent release that adds functionality for spreading over USB mass storage devices.

“Residues of custom-built port scanners and several other attack tools have been found on the victim servers, leading us to believe the attackers use the initially infected servers as a pivot to manually spread to the entire network,” continues the report.

The Explosive malware has a modular structure: experts at Check Point explained that it consists of a main executable binary and a DLL that exposes the backend API calls.

“The Explosive DLL file is dynamically loaded by the main executable at runtime whenever it is needed, and unloaded when the desired action is complete,” states the report. “This separation is probably designed to support quick functionality patches by the attackers, and to avoid heuristic detection of the main executable by common AV engines and other protection software.”

The Volatile Cedar attackers used at least three different versions of the malware over time, each implementing new features to avoid detection.

Other features implemented by the Explosive malware used by the hackers behind the Volatile Cedar campaign include:

  • Monitoring antivirus detection results.
  • Monitoring memory consumption to avoid arousing suspicion.
  • Suspending external communications to avoid detection.
  • Obfuscating communications.
  • Using a domain generation algorithm (DGA) to find new servers.

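The report states only that Explosive uses a DGA to locate new command servers; it does not describe the algorithm, so there is nothing specific to match on. What a defender can do from the network side is triage DNS query logs for hosts that resolve clusters of generated-looking domain names. The following script is an added example written for this article, not code from Check Point or from the Volatile Cedar report: the log format, the feature thresholds (label length, vowel ratio, digit ratio, Shannon entropy), the single-label public-suffix assumption and all sample log lines are constructed assumptions for illustration.

```python
"""Heuristic triage of DNS query logs for DGA-style domain lookups.

Added example (not from the Check Point report). The log format, the
thresholds and the sample data below are all assumptions made for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "<ts> <host> query <type> <qname>" format.
SAMPLE_DNS_LOG = """\
2015-03-31T10:12:01Z host-17 query A www.example.com
2015-03-31T10:12:03Z host-17 query A mail.example.com
2015-03-31T10:12:05Z host-17 query A cdn.static-assets.net
2015-03-31T10:12:07Z host-17 query A xk3q9vztr1plm7b.com
2015-03-31T10:12:08Z host-17 query A wq8zrt7xkvj2nplq.net
2015-03-31T10:12:09Z host-17 query A 9fhz2kq7vtx4mcpl.org
2015-03-31T10:12:10Z host-17 query A nvb5qxz1kr8wpmtj.com
2015-03-31T10:13:00Z host-22 query A www.example.com
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Return the label directly left of the public suffix.

    Assumption: a single-label public suffix (.com, .net, .org). A real
    deployment should consult the Public Suffix List to handle e.g. .co.uk.
    """
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label: str) -> dict:
    """Cheap lexical features that separate dictionary-like from generated labels."""
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": len(digits) / len(label) if label else 0.0,
        "vowel_ratio": vowel_ratio,
    }


def looks_generated(label: str) -> bool:
    """Heuristic (assumed thresholds): long labels that are vowel-poor,
    digit-heavy, or close to random are treated as generated-looking."""
    f = label_features(label)
    if f["length"] < 10:
        return False  # short labels are too ambiguous to score this way
    return f["vowel_ratio"] < 0.2 or f["digit_ratio"] >= 0.2 or f["entropy"] >= 3.8


def parse_dns_log(text: str):
    """Yield (timestamp, host, qname) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("host"), m.group("qname")


def suspicious_lookups(text: str) -> dict:
    """Map each host to the distinct generated-looking domains it queried."""
    by_host = defaultdict(set)
    for _ts, host, qname in parse_dns_log(text):
        if looks_generated(registrable_label(qname)):
            by_host[host].add(qname.lower().rstrip("."))
    return {h: sorted(d) for h, d in by_host.items()}


def hosts_to_investigate(text: str, min_distinct: int = 3) -> list:
    """Hosts that queried at least min_distinct generated-looking domains:
    a single odd name is noise, a burst of them is worth a look."""
    return sorted(h for h, d in suspicious_lookups(text).items() if len(d) >= min_distinct)


if __name__ == "__main__":
    for host, domains in suspicious_lookups(SAMPLE_DNS_LOG).items():
        print(host, domains)
    print("investigate:", hosts_to_investigate(SAMPLE_DNS_LOG))
```

On the sample data, `host-17` resolves four generated-looking names within seconds and is returned by `hosts_to_investigate`, while `cdn.static-assets.net`, a long but pronounceable label, is not flagged. The per-host aggregation matters more than any single score: lexical heuristics alone produce false positives on CDN and cloud hostnames, so pairing them with a burst of distinct lookups (and, where the resolver logs it, NXDOMAIN responses) is what makes the result actionable.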
The Check Point researchers found a large number of victims in Lebanon, but compromised organizations were also found in Israel, Turkey, the U.K., Japan, the U.S. and other countries.

Who is behind Volatile Cedar? Cybercrime or state-sponsored hackers?

The high level of sophistication and the nature of the targeted organizations led the experts to suspect that the operation was run by state-sponsored hackers.

While the investigation is still ongoing, the operators of the Volatile Cedar campaign are already reacting to the publication of Check Point's report: experts noticed that they triggered a self-destruct command to remove the malicious code from infected systems worldwide.

Pierluigi Paganini

(Security Affairs –  Volatile Cedar APT,   hacking)
