A skilled group of attackers believed to be based in Lebanon has successfully penetrated and stolen data from a large number of individuals and organizations around the world over the past two years, says a security vendor.
In a report issued Tuesday, Check Point Software Technologies called the campaign “carefully orchestrated.” It dubs the attack Volatile Cedar, adding the way it works “strongly aligns with nation-state/political-group interests, eliminating the possibility of financially motivated attackers.”
While many of the technical aspects of the threat are not considered “cutting edge,” the report says, the campaign has been “continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.”
The report itself says victims include defence contractors, telecommunications and media companies, and educational institutions. It doesn’t identify the countries where the malware has been found, although a Check Point official said in an email to ITWorldCanada.com that it has been seen in Lebanon, Israel, Canada, the U.S., Britain, Japan and other countries.
Volatile Cedar is heavily based on a custom-made remote access Trojan named Explosive, say researchers, which is implanted within its targets and then used to harvest information. A handful of targets have been chosen, presumably to avoid unnecessary exposure. New and custom versions are developed, compiled and deployed specifically for certain targets, and “radio silence” periods are configured and embedded specifically into each targeted implant.
The group behind the attacks initially targets publicly facing Web servers, using both automatic and manual vulnerability discovery. Once a server is controlled, it is used to explore, identify, and attack additional targets located deeper inside the internal network. Check Point has seen evidence of online manual hacking as well as an automated USB infection mechanism. The malware can also detect and try to avoid defensive measures mounted by IT, says the vendor.
“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems,” Dan Wiley, Check Point’s head of incident response and threat intelligence, said in a statement. “It’s time for organizations to be more proactive about securing their networks.”
The vendor says organizations can protect themselves against an attack like Volatile Cedar through a combination of proper firewall segmentation, IPS, anti-bot, patching, and application control configuration.
The typical Volatile Cedar attack begins with a vulnerability scan of the target server, says the report. Once an exploitable vulnerability is located, it is used to inject web shell code into the server. The attacker then uses the web shell to control the victim server, and it is the means through which the trojan Check Point calls “Explosive” is implanted on the victim server. This trojan allows the attackers to send commands to all targets via an array of command and control servers. The command list contains all the functionality the attacker needs to maintain control and extract information from the servers, including keylogging to capture passwords, clipboard logging, screenshots, running commands and other tools.
The “Explosive” trojan goes to a lot of effort to hide from common detection tools: AV detection is avoided by frequently checking AV results and changing versions and builds on all infected servers when any traces of detection appear. New versions have a dedicated thread that monitors memory consumption to prevent common server administration utilities from noticing the process. Once Explosive’s memory consumption reaches a predefined threshold, its hosting process is immediately restarted.
API activities that may be considered suspicious are detached from the main logic file and contained in a separate DLL. This lets the attackers make sure that heuristic detections do not lead to exposure of the Trojan logic itself.
A dedicated thread makes periodic “secure checks” with the C&C server to confirm that it is safe to operate. Once the response to these checks is negative, the Explosive Trojan ceases all operations until instructed otherwise.
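The two evasion behaviours described above, restarting the hosting process whenever memory crosses a threshold and polling the C&C server at a fixed cadence, both leave a rhythm in ordinary host and network telemetry. The following detection logic is an added example, not code from the Check Point report or from the malware; it runs over constructed process-start and outbound-connection events (the process names, host names and IP addresses are made-up samples) and flags a process that restarts repeatedly and a destination that is contacted at near-constant intervals.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample host telemetry: (timestamp_seconds, event, process, host).
# w3wp.exe is started four times in half an hour; svchost.exe starts once.
PROCESS_EVENTS = [
    (0, "start", "w3wp.exe", "srv1"), (600, "stop", "w3wp.exe", "srv1"),
    (601, "start", "w3wp.exe", "srv1"), (1190, "stop", "w3wp.exe", "srv1"),
    (1191, "start", "w3wp.exe", "srv1"), (1800, "stop", "w3wp.exe", "srv1"),
    (1801, "start", "w3wp.exe", "srv1"),
    (0, "start", "svchost.exe", "srv1"),
]

# Constructed sample outbound connections: (timestamp_seconds, src_host, dst_ip).
# One destination is polled every 300 s; the other is contacted irregularly.
NET_EVENTS = [
    (10, "srv1", "203.0.113.5"), (310, "srv1", "203.0.113.5"),
    (610, "srv1", "203.0.113.5"), (910, "srv1", "203.0.113.5"),
    (1210, "srv1", "203.0.113.5"),
    (15, "srv1", "198.51.100.7"), (80, "srv1", "198.51.100.7"),
    (1000, "srv1", "198.51.100.7"),
]


def frequent_restarts(events, window=3600, min_starts=4):
    """Return {(host, process)} started at least min_starts times in any window."""
    starts = defaultdict(list)
    for ts, ev, proc, host in sorted(events):
        if ev == "start":
            starts[(host, proc)].append(ts)
    flagged = set()
    for key, times in starts.items():
        j = 0  # sliding window: times[j..i] all fall within `window` seconds
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= min_starts:
                flagged.add(key)
                break
    return flagged


def periodic_beacons(events, min_events=4, max_jitter=0.1):
    """Return {(host, dst): mean_interval} for near-constant connection cadences."""
    times = defaultdict(list)
    for ts, host, dst in events:
        times[(host, dst)].append(ts)
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        # Coefficient of variation near zero means a timer, not a human.
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            flagged[key] = mean
    return flagged
```

Both thresholds are tunable; a legitimate worker-process recycle or a monitoring agent will also trip them, so the output is a lead for triage rather than a verdict.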
Check Point admits that pinpointing who is behind the attacks isn’t easy and that evidence can be forged. But it notes that the command and control servers for the first Explosive version were hosted at a major Lebanese hosting company. Also, DNS registrant information from several of the infrastructure servers shows that they are, or were previously, registered under contacts with a very similar Lebanese address.
In addition, there was what Check Point believes was a DNS registration failure for a brief period (possibly before the server was operational) which exposed an e-mail address that led to social media accounts “that show public and clear affinity with Lebanese political activism.”