Sweed
Sweed is a threat actor that deploys spyware to collect confidential information from potentially profitable targets, such as poorly protected business networks. Although the group lacks the resources of a state-sponsored hacking entity, it updates its infection techniques routinely and puts particular effort into evading detection by security solutions. Users should inspect unexpected e-mails for potential attacks and keep their anti-malware services updated so that the Trojans associated with the Sweed toolkit can be removed.
Meeting a Trojan Agent's Manager
The majority of the threat actor groups that receive attention from the cyber-security news media are high-profile entities with suspected government backing or equally impressive credentials. Sweed, by contrast, is a threat actor that has been active for three years and depends mostly on open-source resources and for-hire software, such as toolkits sold on the dark Web. Sweed operates at a far more novice level than, for instance, China's menuPass, but the group still represents a credible danger to poorly protected businesses that hold valuable information.
Sweed's campaigns are global, spanning regions as different as Africa, North America, Russia, and various parts of Asia indiscriminately. The hackers update their infection strategies frequently and use multiple means of obfuscating the payload, which is almost always spyware. Malware experts trace most of the group's infections to e-mails carrying malicious Microsoft Office content. These files pass through several delivery stages before dropping the final Trojan.
Agent Tesla, a keylogger and screen-grabber, is one of Sweed's preferred payloads. Less frequently seen, but still in use, are alternatives such as Lokibot and FormBook, which are also spyware, as well as Remote Access Trojans that provide backdoors and remote administration. An infection puts Sweed in a position to compromise the rest of the network and collect passwords and other information of value.
The Hoops that Data Robbers Jump through for Hiding
Sweed does not use much software that could be considered a privately controlled or in-house project in the way that Ke3chang APT's Okrum backdoor Trojan is. The threat actor compensates for using widely known tools by implementing anti-analysis and anti-detection measures, which include XOR encryption, steganography, and a rotation of Java-based and PowerShell-based droppers. Since Sweed's attacks are financially motivated, individual PC users are unlikely, but not impossible, targets.
Many of Sweed's infection vectors rely on vulnerabilities, such as the arbitrary code execution of CVE-2017-11882, or on Office macros. Updating Microsoft Office significantly lowers the number of vulnerabilities available for exploitation and also turns macros off by default. Workers should avoid enabling macros or other active content in e-mail attachments that may be unsafe, including fake billing documentation.
Anti-malware programs can help with removing the spyware that Sweed uses, but users should still take appropriate precautions for any data, such as passwords, that may already have been stolen.
Sweed is essentially a 'working class' hacker: a group that needs profit and uses third-party tools to make it. Although its campaigns are not as glamorous as sabotaging nuclear hardware in the manner of Stuxnet, it is easily the more practical foe for today's companies.
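As an added defender-side check (not part of the original article or of any Sweed tooling), the PowerShell script below audits a Windows host for the two weak points this paragraph names: the Equation Editor component that CVE-2017-11882 exploits and the Office macro security setting. File paths, registry keys and Office version numbers are assumed from standard Office 2010/2013/2016+ installations.

```powershell
# Added example: audit a workstation for CVE-2017-11882 exposure and macro policy.
# Assumptions: default Office install paths; run in an elevated PowerShell session.

function Test-EquationEditorPresent {
    # EQNEDT32.EXE is the component exploited via CVE-2017-11882. Microsoft removed
    # it from patched Office builds, so its presence indicates an unpatched install.
    $candidates = @(
        "$env:ProgramFiles\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "${env:ProgramFiles(x86)}\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    )
    return @($candidates | Where-Object { Test-Path $_ })
}

function Get-MacroPolicy {
    # VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # Values under HKCU\Software\Policies (Group Policy) take precedence over the
    # per-user keys. If no key exists, the default (2) applies, which still lets a
    # user click "Enable Content" on a lure document.
    $results = @()
    foreach ($ver in '14.0', '15.0', '16.0') {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            foreach ($root in 'HKCU:\Software\Policies\Microsoft\Office',
                              'HKCU:\Software\Microsoft\Office') {
                $key = "$root\$ver\$app\Security"
                $val = (Get-ItemProperty -Path $key -Name VBAWarnings `
                        -ErrorAction SilentlyContinue).VBAWarnings
                if ($null -ne $val) {
                    $results += [pscustomobject]@{
                        App         = "$app $ver"
                        Source      = $root
                        VBAWarnings = $val
                        Hardened    = ($val -ge 3)   # 3 or 4 blocks unsigned macros
                    }
                }
            }
        }
    }
    return $results
}

$eqn = Test-EquationEditorPresent
if ($eqn.Count -gt 0) {
    Write-Warning "Equation Editor present (CVE-2017-11882 exposure): $($eqn -join ', ')"
} else {
    Write-Output "Equation Editor not found; the CVE-2017-11882 component has been removed."
}
Get-MacroPolicy | Format-Table -AutoSize
```

An empty macro-policy table means no explicit setting is configured, so the Office default of "disable with notification" applies and should be tightened through Group Policy.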