Hacking group Sowbug is accessing sensitive data from foreign policy and diplomatic targets in South America and South East Asia, according to Symantec researchers.
The group, which is believed to have been active since 2015, was found to be extracting data from institutions in those regions.
“While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted,” said the researchers.
“However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat.”
“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” the Symantec report said.
The security researchers made the discovery after becoming aware, in March, of the Felismus malware, which allows attackers to communicate with a remote server, download files, and execute shell commands.
The company suspects the group maintains an active presence on compromised systems through Starloader, malware that piggybacks on other software and mimics common programs.
“It is still unknown how Starloader is installed on the compromised computer,” the security group concluded.
Based on Symantec's findings, the hackers reportedly used fake, malicious software updates posing as updates for Windows or Adobe Reader.
“One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools.”
The researchers found that Sowbug gathers information selectively, singling out specific files or blocks of a database rather than taking everything.
“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations,” the research said.
In one attack, document files falling within a fixed date range were extracted, and the attackers later revisited them to check for updated versions.
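Two details above give defenders something concrete to hunt for: the loader file names Symantec observed (AdobeUpdate.exe, AcrobatUpdate.exe, INTELUPDATE.EXE) and the group's habit of operating outside the target's working hours. The script below is an added example, not code from the Symantec report or from the article, showing how a triage pass over process-creation events could combine those signals. The log lines are constructed for illustration, the pipe-delimited event format is assumed, the 08:00-18:00 working-hours window is assumed, and the notion that a genuine vendor updater rarely runs from a user-writable directory is a heuristic, not a fact from the page.

```python
import re
from datetime import datetime, time

# Constructed sample process-creation events (not from the Symantec report),
# in a simplified "timestamp|user|image_path|parent_image" form.
SAMPLE_LOGS = [
    r"2017-11-07T10:15:00|CORP\alice|C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe|explorer.exe",
    r"2017-11-07T23:40:00|CORP\bob|C:\Users\bob\AppData\Local\Temp\AdobeUpdate.exe|explorer.exe",
    r"2017-11-08T02:05:00|CORP\svc_backup|C:\Windows\Temp\INTELUPDATE.EXE|cmd.exe",
    r"2017-11-08T14:00:00|CORP\carol|C:\Program Files\Adobe\AcrobatUpdate.exe|msiexec.exe",
]

# Starloader file names reported in the article; compared case-insensitively.
LOADER_NAMES = {"adobeupdate.exe", "acrobatupdate.exe", "intelupdate.exe"}

# Assumption (heuristic): genuine vendor updaters do not normally execute
# from these user-writable locations.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|windows\\temp|temp)\\", re.IGNORECASE)

# Assumption: the organisation's working hours are 08:00-18:00 local time.
WORK_START, WORK_END = time(8, 0), time(18, 0)


def parse_line(line):
    """Split one pipe-delimited event into its fields."""
    ts, user, image, parent = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "user": user,
            "image": image, "parent": parent}


def assess(event):
    """Return the list of signals an event trips; empty means nothing notable."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in LOADER_NAMES:
        reasons.append("filename matches a reported Starloader name")
    if USER_WRITABLE.search(event["image"]):
        reasons.append("executed from a user-writable directory")
    if not WORK_START <= event["time"].time() < WORK_END:
        reasons.append("executed outside working hours")
    return reasons


def triage(lines):
    """Return flagged events: every name match, with severity set by corroboration."""
    hits = []
    for line in lines:
        event = parse_line(line)
        reasons = assess(event)
        if not any(r.startswith("filename") for r in reasons):
            continue  # only update-named binaries are in scope for this check
        severity = "high" if len(reasons) >= 2 else "review"
        hits.append({"image": event["image"], "user": event["user"],
                     "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit["severity"], hit["image"], "|", "; ".join(hit["reasons"]))
```

A filename match alone is only a prompt to look (legitimate updaters can carry similar names), which is why the script rates such events "review" and reserves "high" for cases corroborated by an unusual path or an off-hours timestamp. The two assumed thresholds, the directory list and the working-hours window, should be set from the organisation's own baseline rather than taken from this example.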
The identity of Sowbug attackers remains unknown.