Researchers Warn of Volatile Cedar APT Campaign


Researchers at Check Point Software Technologies recently uncovered an advanced persistent threat (APT) malware campaign called Volatile Cedar, which has been targeting indviduals, companies and institutions worldwide since 2012.

The campaign, likely based in Lebanon, has successfully penetrated what the researchers describe as "a large number of targets" using a variety of attack techniques, including custom-made malware named Explosive.

"Once installed, the tool continuously runs a keylogger and a clipboard logger, which transmit the results to the C&C server," the researchers write. "In addition, Explosive has a wide array of options that can be activated by a C&C command, including a variety of data theft and machine fingerprinting capabilities, stealth and self-destruction functions, proliferation options and a remote shell."

While Explosive's main goals appear to be data theft and cyber espionage, it also has arbitrary code execution and file deletion functionality, potentially enabling it to cause significant damage to an infected system.

Notably, the researchers state, "the Volatile Cedar target vertical distribution strongly aligns with nation-state/political-group interests, eliminating the possibility of financially motivated attackers."

Confirmed targets include defense contractors, telecom and media companies and educational institutions in the U.S., U.K., Canada, Turkey, Lebanon and Israel.

"The attackers select only a handful of targets to avoid unnecessary exposure," the researchers write. "New and custom versions are developed, compiled and deployed specifically for certain targets, and 'radio silence' periods are configured and embedded specifically into each targeted implant."

"The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims' actions and rapidly responds to detection incidents," Dan Wiley, head of incident response and threat intelligence at Check Point, said in a statement.

"This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems," Wiley added. "It’s time for organizations to be more proactive about securing their networks."

Rapid7 global security strategist Trey Ford told eSecurity Planet by email that what ultimately distinguishes a professional attacker is the ability to avoid detection. "Truly masterful attackers are not reliant upon zero-day or previously unknown vulnerabilities to gain access -- they are careful, deliberate, patient, and more interested in keeping a low profile and maintaining access than quickly and loudly gaining access," he said.

"This attack has been in play for almost three years, and that is a virtue of deliberate management and patience," Ford added.