Researchers at Kaspersky Lab and Symantec have found a new piece of malware that stayed hidden for five years. Its complexity, and the cost of developing and operating it (estimated in the millions of dollars), point to a state-sponsored program.
Known as ProjectSauron (Kaspersky) and Remsec (Symantec), the malware has been active since at least 2011 against roughly 30 targets. It is hard to detect in part because its payloads are stored as encrypted binary large objects (BLOBs) rather than as ordinary executables on disk. Other state-level malware found in recent years includes Duqu, Flame and Regin.
According to Kaspersky, some features and targets of ProjectSauron include:
- Unique footprint: The core implants are tailored to each target, with different file names, sizes and hashes, so indicators recovered from one victim do not help find the next.
- Running in memory: Many of the core implants are deployed as backdoored, legitimate-looking software update scripts and run only in memory, leaving little on disk.
- Crypto-targets: The malware actively searches for information related to rare, custom network encryption software. This client-server software is used by many of the targeted organizations to secure their communications, voice, e-mail and document exchange.
- Script-based: It uses Lua scripts, which is rare in malware.
- Air gap bypass: ProjectSauron uses specially prepared USB drives, with a hidden storage area, to move data across air-gapped networks.
- Multiple data theft tools: The malware exfiltrates data over several channels, including e-mail and DNS, and disguises that traffic as normal network activity.
So far, ProjectSauron has attacked more than 30 organizations in Russia, Iran and Rwanda. Targets include:
- Scientific research centers
- Telecom operators
- Financial organizations
According to forensic analysis, ProjectSauron has been active since June 2011 and was still active in 2016. The Kaspersky researchers say they first found the malware after an organization asked them to investigate suspicious network traffic. Its main purpose is to steal passwords, cryptographic keys, configuration files and IP addresses.
Kaspersky researchers said:
“The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication…”
Symantec’s researchers report slightly different details. They attribute the malware to a previously unknown cyberespionage group they call Strider, whose tooling shows some similarities to the Flamer group. Remsec/ProjectSauron is built as a modular framework, with each module providing a different capability. These modules include:
- Loader: The file name is MSAOSSPC.DLL. This module reads payload files from disk and executes them. The payloads are stored on disk as BLOBs, encrypted with a repeating key of 0xBAADF00D. The loader masquerades as a Windows Security Support Provider (SSP); because Windows loads registered SSP DLLs into lsass.exe at boot, this gives it both persistence and execution inside one of the most sensitive processes on the host, so unexpected entries in the LSA Security Packages list are worth checking for.
- Lua modules: Lua is a programming language rarely seen in malware. The Lua modules include a network loader, a host loader and a keylogger. The network loader fetches an executable over the network, protected with RSA/RC6 encryption. The host loader decrypts and loads three further Lua modules: ilpsend, updater and kblog. Kblog is likely the keylogger; it records keystrokes and sends them to a server, and it is the module that contains the reference to “Sauron”.
- Network listener: This module opens a socket and waits for specific kinds of traffic. Variants use ICMP, PCAP and raw network sockets.
- Basic pipe back door: A small module that executes payloads received over named pipes.
- Advanced pipe back door: This does several things the basic pipe back door cannot, such as sending an executable blob, listing files, and reading, writing and deleting files.
- HTTP back door: This module carries several URLs for a command and control (C&C) server.
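The loader description above says the on-disk payload blobs are XORed with a repeating 32-bit key of 0xBAADF00D. The following is an added example, written for this page and not code from Symantec or Kaspersky, of how an analyst would recover such a blob: XOR is symmetric, so the same routine decrypts, and since the report does not state the byte order in which the key is applied, the example treats that as an assumption and tries both layouts, accepting the one that yields a Windows executable (an “MZ” header). The sample blob is constructed here from a fake DOS header stub; it is not a real Remsec payload.

```python
import struct

# Repeating 32-bit key reported by Symantec for Remsec payload blobs.
KEY = 0xBAADF00D


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating byte key. XOR is symmetric, so this
    both encrypts and decrypts."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def key_candidates(key: int) -> dict:
    """The report gives only the integer key; the byte order in which it
    is applied is an assumption here, so both layouts are tried."""
    return {"little": struct.pack("<I", key), "big": struct.pack(">I", key)}


def looks_like_pe(data: bytes) -> bool:
    """Cheap known-plaintext check: a Windows executable starts with 'MZ'."""
    return len(data) >= 2 and data[:2] == b"MZ"


def decrypt_blob(blob: bytes, key: int = KEY):
    """Try each byte order of the key. Return (order, plaintext) for the
    first layout that produces a PE header, or None if neither does."""
    for order, key_bytes in key_candidates(key).items():
        plaintext = xor_repeating(blob, key_bytes)
        if looks_like_pe(plaintext):
            return order, plaintext
    return None


# Constructed sample input (not real malware): a fake DOS header stub,
# encrypted with the key in little-endian byte order, standing in for a
# blob recovered from disk next to the loader.
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_BLOB = xor_repeating(FAKE_PAYLOAD, struct.pack("<I", KEY))


if __name__ == "__main__":
    result = decrypt_blob(SAMPLE_BLOB)
    if result is None:
        print("no key layout produced a PE header")
    else:
        order, plaintext = result
        print(f"key applied {order}-endian; header bytes: {plaintext[:4]!r}")
```

On a real sample the same approach applies with the blob read from disk; if neither byte order yields an MZ header, the blob may be a non-PE payload (a Lua script, for example), and a different plaintext check is needed.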
Symantec and Norton products detect ProjectSauron/Remsec as Backdoor.Remsec.