Cyber Spy Group Uncovered After Years Of Attacks

Symantec and Kaspersky Lab researchers have uncovered another espionage group that is likely backed by a nation-state. The former has dubbed the threat actor Strider, while the latter named it ProjectSauron (after a mention in the code of one of the malware modules the group deploys).

According to the researchers, evidence of ProjectSauron’s activity can be found as far back as 2011, and as near as early 2016. Within that period, the group has targeted at least 30 organizations around the world – Russia, China, Sweden, Belgium, Iran, Rwanda, (possibly) Italy.

The complexity of the malware used, the fact that it remained hidden for so long, the nature of the victimized organizations (government and military entities, embassies, telecoms, scientific research centers), and the nature of the data collected and exfiltrated all point to a state-backed attack group, but it’s impossible to say for sure which one.

“The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them,” Kaspersky researchers have noted.

The malware used

“ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified Lua interpreter to execute internal scripts,” the researchers found.

There are over of 50 different plugin types, and some of them are yet to be discovered and analyzed. Among those that were are a keylogger, a network listener, and several different backdoors and loaders.

Remsec (as Symantec researchers dubbed the attack framework) is great at keeping a low profile.

“Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect. In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk,” they noted.

More technical details about the various modules, as well as Indicators of Compromise and YARA rules that can help with identifying breaches by this APT actor can be found here.

But it’s good to note that IoCs may or may not be of much use, as the malware implants and the infrastructure used to attack each target organizations are customized, and never used again. As it stands, YARA rules should be much more helpful, and Kaspersky researchers have also provided some.

The initial infection vector used by the group to penetrate targets’ networks is still unknown.

The attackers’ goal

“The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software,” the researchers found.

They also exfiltrate a wide variety of document and archive files:

One very interesting thing to know is that the group has the ability to steal information from air gapped systems and networks via specially-crafted USB storage drives that hide exfiltrated data in a custom-encrypted partition and aren’t blocked by many Data Loss Prevention solutions.

But the researchers believe that this approach is seldom used, and so is the leveraging of zero-day exploits.

Aside from that, ProjectSauron also uses a number of other data exfiltration and communication methods, including widely used and well known protocols.

The C&C domain and server infrastructure used for the attacks is always different, to prevent creating patterns and minimize the researchers’ ability to track the group’s activities.

HelpNetSecurity: http://bit.ly/2bhg0wC

 

« Red Team: IBM Cyber Security Service Revealed
15 Years After 9/11 »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Checkmarx

Checkmarx

Checkmarx provides state-of-the-art application security solutions with static code analysis software.

My Data Recovery Lab

My Data Recovery Lab

We recover data from: HDDs, RAIDs, NAS, SSDs, USB Flash Devices, Desktop Computers, Mobile devices and other data storage media.

Cyanre

Cyanre

Cyanre delivers state of the art cyber forensic services through software technologies and procedures that exceed conformities of major law enforcement agencies across the globe.

Cyberwrite

Cyberwrite

Cyberwrite was founded to provide underwriters around the world a unique and innovative Cyber Underwriting platform.

National Digital Exploitation Centre (NDEC) - United Kingdom

National Digital Exploitation Centre (NDEC) - United Kingdom

NDEC is a project to create a centre of cyber and digital development and education for the UK. It will offer training in digital practices, cyber security and research.

Cyfirma

Cyfirma

CYFIRMA offers Cyber threat visibility and intelligence suite and services aimed at keeping your organization’s cybersecurity posture up-to-date.

Apozy

Apozy

Apozy replaces a secure web gateway to nullify phishing, malware and impersonation attacks.

Salt Cybersecurity

Salt Cybersecurity

Salt Cybersecurity offer a four-pronged approach to information security that includes Custom Security Policy, Vulnerability Assessment, Threat Detection, and Security Awareness Training.

ThreatX

ThreatX

ThreatX provides complete web application & API protection to address expanding app footprints and complex attacks.

ADL Consulting

ADL Consulting

ADL Consulting provide information security-related consultancy and training support to businesses across the UK. Our services include ISO27001, GDPR, Cyber Essentials and training.

FoxTech

FoxTech

FoxTech is an independent, friendly and deeply specialised cyber security company in the UK, with expertise spanning decades of Public Sector and Government services.

Cyber7

Cyber7

CYBER7 is a National Cyber Security Innovation community initiated by Israel National Cyber Directorate, Ministry of Economy and Israel Innovation Authority led by Tech7 – Venture Studio.

Nasuni

Nasuni

The Nasuni File Data Platform offers the protection, detection, and recovery of file shares from ransomware attacks or random disasters within minutes.

Grindstone Ventures

Grindstone Ventures

Grindstone Ventures is a post-seed fund that supports post-seed equity and quasi-equity investments in early-stage innovation-driven and/or technology companies.

Gilsbar

Gilsbar

For more than half a century, Gilsbar has offered insurance service solutions and support for businesses and their employees.

STACK Cybersecurity

STACK Cybersecurity

STACK Cybersecurity serves as a strategic partner, guiding you through the intricate and dynamic cybersecurity landscape.