Cybersecurity researchers at Symantec have discovered a previously-unknown hacker group they have dubbed 'Strider', which has been infecting organisations and individuals that would be of potential interest to a nation state's intelligence services.
The group's Remsec malware appears to mainly target organisations and individuals in Russia, but has also infiltrated the systems of an airline in China, an embassy in Belgium, and an unspecified organisation in Sweden. The malware is very much designed to spy on its targets: once it has infected a system, it opens a backdoor through which it can log keystrokes and steal files.
It's thought the highly-targeted malware -- only 36 infections in five years -- has been in operation since October 2011, avoiding detection by the vast majority of antivirus systems for almost five years through a number of features designed to ensure stealth.
Several of the components which make up Remsec are built in the form of a Binary Large Object (BLOB), a collection of raw binary data which is difficult for security software to inspect and detect. In addition, the malware's functionality is deployed across the network rather than being stored on disk, another factor which makes it difficult to detect.
Many of the Remsec modules are written in the Lua programming language, an embeddable scripting language which can be used to perform various functions and processes, in this case including keylogging. It is this Lua code which contains references to the all-seeing Eye of Sauron from The Lord of the Rings.
It's because of this use of Lua modules that researchers believe that Strider may have links to the Flamer hacking group, which also uses this style of programming in its malware. There may also be a connection to the infamous Regin malware, as one of Remsec's victims had previously been infected with this line of malicious software.
Due to the advanced nature of the malware, cybersecurity researchers believe that the Strider group are very technically competent developers of malicious software and could even be from a "nation-state level attacker".