Cyber Spy Group Uncovered After Years Of Attacks

Symantec and Kaspersky Lab researchers have uncovered another espionage group that is likely backed by a nation-state. The former has dubbed the threat actor Strider, while the latter named it ProjectSauron (after a mention in the code of one of the malware modules the group deploys).

According to the researchers, evidence of ProjectSauron’s activity can be found as far back as 2011 and as recently as early 2016. Within that period, the group has targeted at least 30 organizations around the world, in Russia, China, Sweden, Belgium, Iran, Rwanda and (possibly) Italy.

The complexity of the malware used, the fact that it remained hidden for so long, the nature of the victimized organizations (government and military entities, embassies, telecoms, scientific research centers), and the nature of the data collected and exfiltrated all point to a state-backed attack group, but it’s impossible to say for sure which one.

“The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them,” Kaspersky researchers have noted.

The malware used

“ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified Lua interpreter to execute internal scripts,” the researchers found.

There are over 50 different plugin types, and some of them are yet to be discovered and analyzed. Among those that have been analyzed are a keylogger, a network listener, and several different backdoors and loaders.

Remsec (as Symantec researchers dubbed the attack framework) is great at keeping a low profile.

“Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect. In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk,” they noted.

More technical details about the various modules, as well as Indicators of Compromise and YARA rules that can help with identifying breaches by this APT actor, can be found here.

But it’s worth noting that IoCs may be of limited use, as the malware implants and the infrastructure used against each target organization are customized and never reused. As it stands, YARA rules should be much more helpful, and Kaspersky researchers have provided some.
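To make the IoC-versus-YARA point concrete, here is an added Python example that is not from the Kaspersky or Symantec reports: two constructed "implant" byte samples share loader code but carry per-target configuration, so a file-hash IoC taken from the first sample misses the second, while a minimal YARA-style rule (hypothetical strings and condition, not a real ProjectSauron signature) matches both.

```python
import hashlib
import re

# Constructed samples, not real malware: the same hypothetical loader
# (Lua config name, VFS marker) built for two different targets, each
# with its own C&C address and victim tag. Addresses are documentation ranges.
IMPLANT_A = (b"\x7fELF\x02\x01\x01" + b"cfg.lua\x00" + b"vfs:plugins\x00"
             + b"c2=203.0.113.10\x00tag=ORG-A\x00")
IMPLANT_B = (b"\x7fELF\x02\x01\x01" + b"cfg.lua\x00" + b"vfs:plugins\x00"
             + b"c2=198.51.100.7\x00tag=ORG-B\x00")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash IoC published after analysing only the first sample.
HASH_IOCS = {sha256(IMPLANT_A)}

# Minimal YARA-style rule: named strings (fixed bytes or regex) plus a
# "2 of them" condition. The strings are hypothetical illustrations.
RULE = {
    "name": "hypothetical_modular_loader",
    "strings": {
        "$lua": b"cfg.lua",                                  # embedded Lua config
        "$vfs": b"vfs:plugins",                              # virtual file system marker
        "$c2": re.compile(rb"c2=\d{1,3}(?:\.\d{1,3}){3}\x00"),  # any IPv4 C&C setting
    },
    "min_matches": 2,
}


def hash_ioc_hit(sample: bytes) -> bool:
    """Exact-hash matching: only the analysed build is detected."""
    return sha256(sample) in HASH_IOCS


def rule_hit(sample: bytes, rule: dict) -> tuple[bool, list[str]]:
    """Content matching: returns (hit, names of matched strings)."""
    matched = []
    for name, pattern in rule["strings"].items():
        found = pattern in sample if isinstance(pattern, bytes) else pattern.search(sample)
        if found:
            matched.append(name)
    return len(matched) >= rule["min_matches"], matched


if __name__ == "__main__":
    for label, sample in (("A", IMPLANT_A), ("B", IMPLANT_B)):
        print(label, "hash IoC:", hash_ioc_hit(sample), "rule:", rule_hit(sample, RULE))
```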

The initial infection vector used by the group to penetrate targets’ networks is still unknown.

The attackers’ goal

“The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software,” the researchers found.

They also exfiltrate a wide variety of document and archive files.

Notably, the group is able to steal information from air-gapped systems and networks via specially crafted USB storage drives that hide exfiltrated data in a custom-encrypted partition, which many Data Loss Prevention solutions do not block.

But the researchers believe that this approach is seldom used, as is the use of zero-day exploits.

Aside from that, ProjectSauron also uses a number of other data exfiltration and communication methods, including widely used and well known protocols.

The C&C domain and server infrastructure used for the attacks is always different, to prevent creating patterns and minimize the researchers’ ability to track the group’s activities.

HelpNetSecurity: http://bit.ly/2bhg0wC
