Security researchers have uncovered yet another state-sponsored advanced persistent threat (APT) group, this time most likely based in Lebanon, targeting defense contractors, telcos, media firms, and educational institutions.
The Volatile Cedar campaign began in 2012 and has managed to stay undetected by most major AV vendors since then thanks to a carefully planned operation “that constantly monitors its victims’ actions and rapidly responds to detection incidents,” according to Check Point.
Although live infections are spread over a wide variety of countries, including the US, Canada, Turkey, Israel, the UK, and Lebanon, it is the latter which researchers believe is the base of the group.
They reached this conclusion after observing the UTC creation times of related malware samples; C&C servers hosted by a major Lebanese hosting firm; DNS registrant information; and a WHOIS privacy failure on the part of the attackers which briefly revealed the real identity of one registrant.
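The first of those attribution signals, working-hours analysis of compile timestamps, as an added example that is not part of the article or of Check Point's research. It assumes the "creation times" are the COFF `TimeDateStamp` fields of PE samples and a 09:00 to 17:00 local workday; the sample files are constructed minimal PE stubs, not real malware.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def build_stub(ts: int) -> bytes:
    """Constructed minimal PE-like blob: MZ header, e_lfanew=0x40, PE signature, COFF header."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(hdr) + b"PE\x00\x00" + coff

def hour_histogram(samples) -> Counter:
    """Count how many samples were compiled in each UTC hour of the day."""
    return Counter(pe_timestamp(s).hour for s in samples)

def likely_utc_offset(hist: Counter, workday=(9, 17)) -> int:
    """Pick the UTC offset that places the most compile times inside the local workday.
    Caveat: TimeDateStamp is attacker-controlled and can be zeroed or forged, so treat
    this as one weak signal to corroborate with hosting, DNS and registrant data."""
    best_off, best_score = 0, -1
    for off in range(-12, 15):
        score = sum(n for h, n in hist.items() if workday[0] <= (h + off) % 24 < workday[1])
        if score > best_score:
            best_off, best_score = off, score
    return best_off

# Constructed sample set: eight stubs compiled between 07:00 and 14:00 UTC on one day
SAMPLES = [
    build_stub(int(datetime(2013, 1, 15, h, 30, tzinfo=timezone.utc).timestamp()))
    for h in range(7, 15)
]

if __name__ == "__main__":
    hist = hour_histogram(SAMPLES)
    print(sorted(hist.items()))
    print("best-fit UTC offset:", likely_utc_offset(hist))  # 2 for the constructed set
```

With the constructed set the best fit is UTC+2, consistent with a Lebanese workday; a real analysis needs dozens of samples and should discard zeroed or clearly implausible timestamps first.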
Check Point said the low infection rate and targeted nature of the campaign, along with some of the organizations infected with malware, led it to believe this was a state-sponsored campaign with political motivation.
The malware in question is a custom-built remote access trojan (RAT) dubbed ‘Explosive’ which was deliberately protected from prying eyes via a number of concealment measures.
“The attackers select only a handful of targets to avoid unnecessary exposure. New and custom versions are developed, compiled and deployed specifically for certain targets, and ‘radio silence’ periods are configured and embedded specifically into each targeted implant,” Check Point wrote.
“This attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery. Once in control of a server, the attackers further penetrate the targeted internal network via various means, including manual online hacking as well as an automated USB infection mechanism.”
Worryingly for organizations, the Explosive RAT has not only data theft functionality but also file deletion and arbitrary code execution capabilities, making it particularly dangerous.