Security researchers have finally cracked a piece of malware dubbed “ProjectSauron” and have labeled the group behind the attack “Strider”. This probably had a lot of Lord of the Rings fans confused, as the two names refer to polar opposite characters: Aragorn, also known as Strider, is one of the good guys in LoTR, while Sauron is the very definition of evil. Adding to the surprise, security researchers have been astonished by the malware’s sophistication and its ability to go undetected for such a long period of time.
ProjectSauron was first detected in 2011, but Kaspersky Lab only announced that it had been cracked in a report last week, and what they discovered in the process is truly alarming. Found to have been operating undetected for some 5 years in at least 30 networks, the threat is so sophisticated that experts at Kaspersky have concluded it must be state-sponsored malware.
According to Kaspersky “The threat actor behind ProjectSauron commands a top of the top modular cyber espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.” To date, the group has targeted government agencies, military organisations, telecom firms, and financial institutions in Russia, Iran, China, Rwanda, Sweden, and Belgium.
Group Strider was clearly one step ahead of the game: they did a remarkable job of studying the activities of other state-sponsored hacking groups, following their advances and avoiding a repeat of their mistakes. “The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin.”
The BBC reports that Project Sauron resides solely in “computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.” The malware disguises itself in a unique way and never uses the same method to send data back to the hackers, so it is specifically engineered to avoid detection. When investigating malware, security researchers often look for recurring patterns; in this case, Group Strider was able to eliminate such patterns by using diverse ISPs while operating.
According to security researchers at Kaspersky, ProjectSauron’s “implants and infrastructure are customized for each individual target and never re-used — so the standard security approach of publishing and checking for the same basic indicators of compromise (IOC) is of little use”. To date, only 30 organizations are known to have been attacked; however, researchers cannot draw any final conclusions as to the scope of possible attacks, because the malware is hard to track and highly unpredictable. What captures the fascination of security researchers is that ProjectSauron can infect, via USB drives, computers that are not and have never been connected to the Internet.
“To carry out an attack the malware uses specially prepared USB storage drives that have a virtual file system that isn’t viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the ‘air-gapped’ machines.”
Security researchers have stated that ProjectSauron consists of modules working together as a framework that provides complete control over an infected computer, allowing the attacker to move across a network, exfiltrate data and deploy custom modules.
Targets
So far, researchers have concluded that the creators of the malware aimed to collect sensitive information such as IP addresses, encryption keys, passwords and network details. Most of this confidential data was gathered by secretly monitoring internet traffic, taking screenshots, recording via an infected computer’s camera or microphone, logging keystrokes and conducting other forms of surveillance.
There has been considerable speculation that ProjectSauron is state sponsored, based on its highly selective targets and its reliance on homemade, trusted tools and customizable scripted code for its attacks. The Russian media has suggested that the malware may have been designed by groups in the West, as its main targets were in Iran and Russia.