Cyber Spy Group Uncovered After Years Of Attacks

Symantec and Kaspersky Lab researchers have uncovered another espionage group that is likely backed by a nation-state. The former has dubbed the threat actor Strider, while the latter named it ProjectSauron (after a mention in the code of one of the malware modules the group deploys).

According to the researchers, evidence of ProjectSauron’s activity can be found as far back as 2011, and as near as early 2016. Within that period, the group has targeted at least 30 organizations around the world – Russia, China, Sweden, Belgium, Iran, Rwanda, (possibly) Italy.

The complexity of the malware used, the fact that it remained hidden for so long, the nature of the victimized organizations (government and military entities, embassies, telecoms, scientific research centers), and the nature of the data collected and exfiltrated all point to a state-backed attack group, but it’s impossible to say for sure which one.

“The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them,” Kaspersky researchers have noted.

The malware used

“ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified Lua interpreter to execute internal scripts,” the researchers found.

There are over of 50 different plugin types, and some of them are yet to be discovered and analyzed. Among those that were are a keylogger, a network listener, and several different backdoors and loaders.

Remsec (as Symantec researchers dubbed the attack framework) is great at keeping a low profile.

“Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect. In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk,” they noted.

More technical details about the various modules, as well as Indicators of Compromise and YARA rules that can help with identifying breaches by this APT actor can be found here.

But it’s good to note that IoCs may or may not be of much use, as the malware implants and the infrastructure used to attack each target organizations are customized, and never used again. As it stands, YARA rules should be much more helpful, and Kaspersky researchers have also provided some.

The initial infection vector used by the group to penetrate targets’ networks is still unknown.

The attackers’ goal

“The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software,” the researchers found.

They also exfiltrate a wide variety of document and archive files:

One very interesting thing to know is that the group has the ability to steal information from air gapped systems and networks via specially-crafted USB storage drives that hide exfiltrated data in a custom-encrypted partition and aren’t blocked by many Data Loss Prevention solutions.

But the researchers believe that this approach is seldom used, and so is the leveraging of zero-day exploits.

Aside from that, ProjectSauron also uses a number of other data exfiltration and communication methods, including widely used and well known protocols.

The C&C domain and server infrastructure used for the attacks is always different, to prevent creating patterns and minimize the researchers’ ability to track the group’s activities.

HelpNetSecurity: http://bit.ly/2bhg0wC

 

« Red Team: IBM Cyber Security Service Revealed
15 Years After 9/11 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Protective Intelligence

Protective Intelligence

Protective Intelligence brings together a group of information security specialists with a passion for delivering high-quality solutions.

Leonardo

Leonardo

Leonardo (formerly Finmeccanica) is a global high-tech company in Aerospace, Defence, Security & Information Systems including Cybersecurity & ICT solutions.

QATestLab

QATestLab

QATestLab is a leading International software testing company offering a full range of software testing services including security testing.

Security Audit Systems

Security Audit Systems

Security Audit Systems is a website security specialist providing website security audits and managed web security services.

Verimatrix

Verimatrix

Verimatrix is a global provider of innovative cybersecurity solutions that protect content, devices, software and applications.

XCure Solutions

XCure Solutions

XCure Solutions are a Finnish company specializing in data security, data protection and data recovery.

Terranova Security

Terranova Security

Terranova is dedicated to providing information security awareness programs customized to your internal policies and procedures.

SoftLock

SoftLock

Softlock is a regional leader in Information Security providing solutions, consulting, integration and testing services to protect information assets, identities and supporting infrastructure.

Deft

Deft

Deft (formerly ServerCentral Turing Group) is a trusted provider of colocation, cloud, and disaster recovery services.

Viettel Cyber Security

Viettel Cyber Security

Viettel Cyber Security is an organization under the Military Telecommunication Industry Group, conducting research and developing information security solutions for domestic and foreign customers.

FCI

FCI

FCI is a NIST-Based Managed Security Service Provider (MSSP) offering Cybersecurity Compliance Enablement Technologies & Services to Financial Services organizations.

Appurity

Appurity

Appurity specialises in mobile and application security, delivering comprehensive solutions across all verticals.

Carahsoft Technology Corp

Carahsoft Technology Corp

Carahsoft Technology is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets.

dWallet Labs

dWallet Labs

dWallet Labs is a cybersecurity company specializing in blockchain technology. We believe that the future of Web3 relies on cutting edge cryptography and unabated security.

Hartman Executive Advisors

Hartman Executive Advisors

Hartman Executive Advisors is an unbiased IT and cyber advisory firm uniquely designed to help mid-market executives maximize their IT investments.

Sprocket Security

Sprocket Security

Sprocket Security protects your business by monitoring the cybersecurity landscape and performing continuous penetration testing services.