The group was spotted by experts from Symantec who uncovered clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries, including Argentina, Brazil, Ecuador, Peru, and Malaysia.

The Sowbug group uses a strain of malware dubbed Felismus to compromise target systems. The malicious code was first detected in March by researchers at Forcepoint, but only Symantec experts linked it with the Sowbug group.

“Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.” stated Forcepoint.

“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” reads the Symantec report.

“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations.”

According to the malware researchers, the Sowbug group uses fake, malicious software updates of Windows or Adobe Reader to compromise the target systems. In the arsenal of the group, there is also a tool called Starloader used by hackers to deploy additional malware and tools, such as credential dumpers and keyloggers on the target system.

Pierluigi Paganini

(Security Affairs – Sowbug group, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]