Cyber Spy Group Uncovered After Years Of Attacks

Symantec and Kaspersky Lab researchers have uncovered another espionage group that is likely backed by a nation-state. The former has dubbed the threat actor Strider, while the latter named it ProjectSauron (after a mention in the code of one of the malware modules the group deploys).

According to the researchers, evidence of ProjectSauron’s activity can be found as far back as 2011 and as recently as early 2016. Within that period, the group has targeted at least 30 organizations around the world, in Russia, China, Sweden, Belgium, Iran, Rwanda and (possibly) Italy.

The complexity of the malware used, the fact that it remained hidden for so long, the nature of the victimized organizations (government and military entities, embassies, telecoms, scientific research centers), and the nature of the data collected and exfiltrated all point to a state-backed attack group, but it’s impossible to say for sure which one.

“The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them,” Kaspersky researchers have noted.

The malware used

“ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified Lua interpreter to execute internal scripts,” the researchers found.

There are over 50 different plugin types, some of which are yet to be discovered and analyzed. Among those that have been analyzed are a keylogger, a network listener, and several different backdoors and loaders.

Remsec (as Symantec researchers dubbed the attack framework) is great at keeping a low profile.

“Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect. In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk,” they noted.

More technical details about the various modules, as well as Indicators of Compromise and YARA rules that can help identify breaches by this APT actor, can be found here.

But it’s worth noting that IoCs may be of limited use, as the malware implants and the infrastructure used against each target organization are customized and never reused. As it stands, YARA rules should be much more helpful, and Kaspersky researchers have also provided some.
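The point about IoCs versus YARA rules can be shown concretely. The following is an added example (not code from the article or from either vendor) that builds two constructed implant images sharing an invariant loader stub but carrying different per-target configuration, then scans them with a hash IoC list and with a minimal YARA-style rule (named strings plus an "all of them" condition). The stub bytes, hostnames and rule name are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for a code fragment that stays identical across builds
# (in a real rule this would be a distinctive code sequence, not a config string).
SHARED_STUB = bytes.fromhex("4d5a90000300000004000000ffff0000") + b"LUA_LOADER_v1\x00"


def build_sample(c2_host: str, victim_tag: str) -> bytes:
    """Constructed implant image: shared stub followed by per-target configuration."""
    config = f"c2={c2_host};tag={victim_tag}".encode()
    return SHARED_STUB + b"\x00" * 16 + config + b"\x00" * 8


# Minimal YARA-like rule: every named string must be present ("all of them").
RULE = {
    "name": "constructed_lua_loader_stub",
    "strings": {"$mz": b"MZ\x90\x00", "$stub": b"LUA_LOADER_v1"},
    "condition": "all",
}


def rule_matches(rule: dict, data: bytes) -> bool:
    """Evaluate the rule's string presence under an 'all' or 'any' condition."""
    hits = [s in data for s in rule["strings"].values()]
    return all(hits) if rule["condition"] == "all" else any(hits)


def scan(samples: dict, hash_iocs: set, rule: dict) -> dict:
    """Return, per sample, its SHA-256, whether a hash IoC hit, and whether the rule hit."""
    results = {}
    for name, data in samples.items():
        digest = hashlib.sha256(data).hexdigest()
        results[name] = {
            "sha256": digest,
            "ioc_hit": digest in hash_iocs,
            "rule_hit": rule_matches(rule, data),
        }
    return results


def demo() -> dict:
    """Two per-target builds; the IoC list only knows the hash seen at target A."""
    samples = {
        "target_a": build_sample("cdn-a.example", "A"),
        "target_b": build_sample("update-b.example", "B"),
    }
    hash_iocs = {hashlib.sha256(samples["target_a"]).hexdigest()}
    return scan(samples, hash_iocs, RULE)


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: sha256={r['sha256'][:16]}... ioc_hit={r['ioc_hit']} rule_hit={r['rule_hit']}")
```

Because the per-target configuration changes the file hash, the IoC list matches only the build it was derived from, while the rule keyed on the invariant stub matches both. The same logic is why rules should be written against code structure that an operator cannot cheaply vary per victim.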

The initial infection vector used by the group to penetrate targets’ networks is still unknown.

The attackers’ goal

“The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software,” the researchers found.

They also exfiltrate a wide variety of document and archive files.

One very interesting thing to note is that the group is able to steal information from air-gapped systems and networks via specially crafted USB storage drives that hide exfiltrated data in a custom-encrypted partition, which many Data Loss Prevention solutions do not block.

But the researchers believe that this approach is seldom used, as is the use of zero-day exploits.
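A hidden partition of the kind described above leaves traces in the drive's partition table and in the space it does or does not account for. The following added example (not from the article or the researchers' report) parses an MBR, flags partition type ids outside a known set, and reports sectors between and after partitions that no partition claims. The MBR bytes, the device size and the type id 0x7f used for the "hidden" entry are all constructed for illustration; the subset of known type ids is a hypothetical list, not an authoritative one.

```python
import struct

SECTOR = 512

# Hypothetical subset of common MBR partition type ids; anything else gets flagged.
KNOWN_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32 CHS", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0x8E: "Linux LVM",
    0xEE: "GPT protective", 0xEF: "EFI system",
}

# MBR entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of a classic 4-slot MBR partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start": lba_start, "sectors": count})
    return parts


def audit_layout(mbr: bytes, device_sectors: int) -> dict:
    """Flag unrecognized partition types and unallocated sector ranges on the device."""
    parts = sorted(parse_mbr(mbr), key=lambda p: p["start"])
    findings = []
    for p in parts:
        if p["type"] not in KNOWN_TYPES:
            findings.append(f"partition {p['index']}: unrecognized type 0x{p['type']:02x}")
    # Gaps between consecutive partitions (the gap before the first one is
    # normally alignment space and is not reported here).
    for prev, nxt in zip(parts, parts[1:]):
        prev_end = prev["start"] + prev["sectors"]
        if nxt["start"] > prev_end:
            findings.append(f"{nxt['start'] - prev_end} unallocated sectors between "
                            f"partition {prev['index']} and {nxt['index']}")
    last_end = max((p["start"] + p["sectors"] for p in parts), default=1)
    trailing = device_sectors - last_end
    if trailing > 0:
        mib = trailing * SECTOR // (1024 * 1024)
        findings.append(f"{trailing} sectors ({mib} MiB) unallocated after last partition")
    return {"partitions": parts, "trailing_unallocated": trailing, "findings": findings}


def build_mbr(entries: list) -> bytes:
    """Constructed MBR from (type, lba_start, sector_count) tuples, for test data only."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, 0x00, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed 8 GiB stick: one visible FAT32 partition, one entry with an
# arbitrary type id (0x7f) standing in for a custom partition, and trailing space.
SAMPLE_DEVICE_SECTORS = 8 * 1024 * 1024 * 1024 // SECTOR
SAMPLE_MBR = build_mbr([(0x0C, 2048, 8_000_000), (0x7F, 8_002_048, 4_000_000)])

if __name__ == "__main__":
    report = audit_layout(SAMPLE_MBR, SAMPLE_DEVICE_SECTORS)
    for p in report["partitions"]:
        print(f"slot {p['index']}: type 0x{p['type']:02x} start={p['start']} sectors={p['sectors']}")
    for f in report["findings"]:
        print("finding:", f)
```

On a real drive the MBR is the first 512 bytes of the block device and the sector count comes from the device (for example `blockdev --getsz`); a partition a DLP agent cannot mount still has to occupy sectors, so unrecognized types and large unclaimed ranges are the things to look at.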

Aside from that, ProjectSauron also uses a number of other data exfiltration and communication methods, including widely used and well known protocols.

The C&C domain and server infrastructure used for the attacks differs for every target, so as to avoid recognizable patterns and limit researchers’ ability to track the group’s activities.

HelpNetSecurity: http://bit.ly/2bhg0wC
