A hacking group called Strider has been conducting cyber espionage against selected targets in Belgium, China, Russia and Sweden, according to independent research conducted by security firms Symantec and Kaspersky Lab.
The firms' findings showed that the malware is going after numerous high-profile sectors such as military, telecoms and scientific research centres, suggesting that the group behind the malware is backed by a nation state.
Strider uses malware known as Remsec that appears primarily to have been designed for espionage, rather than as ransomware or any other nefarious software.
The Lord of the Rings reference in the Strider name is deliberate, as the Remsec stealth tool contains a reference to Sauron, the necromancer and main antagonist in a number of Tolkien's stories.
Kaspersky said it had uncovered evidence of 30 victims, including some in Russia, Iran and Rwanda. Meanwhile, Symantec has linked Strider with a group called Flamer that uses similar attack techniques and malware.
"The group has maintained a low profile until now and its targets have been mainly organisations and individuals that would be of interest to a nation state's intelligence services," said Symantec in a blog post.
The firm explained that Strider has been highly selective in its targeting so far, limiting it to 36 infections across seven organisations in four countries. Russia accounts for four of those seven organisations.
"The Remsec malware used by Strider has a modular design. Its modules work together as a framework that provides the attackers with complete control over an infected computer, allowing them to move across a network, exfiltrate data and deploy custom modules as required," said Symantec.
"Remsec contains a number of stealth features that help it to avoid detection. Several of its components are in the form of executable binary large objects, which are more difficult for traditional antivirus software to detect.
"In addition to this, much of the malware's functionality is deployed over the network, meaning it resides only in a computer's memory and is never stored on disk. This also makes the malware more difficult to detect, and indicates that the Strider group are technically competent attackers."
Symantec has compiled a "Backdoor.Remsec: Indicators of Compromise" briefing paper containing further details to help identify the threats.
Kaspersky added that the malware seems to have been in use since as far back as 2011 and clearly has the hallmarks of a well-funded and highly capable group.
"A number of targeted attacks now rely on low-cost, readily available tools. Project Sauron, in contrast, is one of those that relies on homemade, trusted tools and customisable scripted code," said Vitaly Kamluk, principal security researcher at Kaspersky.
"The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting-edge techniques from other major threat actors, is rather new.
"The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organisational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none."