Advanced Malware, ProjectSauron, Undetected for Years

Researchers have discovered a malware platform so advanced that it was almost certainly developed by a nation-state, and it had been active for years without anyone noticing. Known as ProjectSauron or Remsec, depending on which research team you ask, the platform has been operating since at least 2011 and has hit more than 30 known victim organizations. Whoever built ProjectSauron appears to have studied the tradecraft of other major state-sponsored groups, borrowing what worked while deliberately avoiding the mistakes that got those groups caught.

ProjectSauron is extremely hard to detect with conventional antivirus because its components are stored as encrypted binary large objects (BLOBs) and the core implant executes almost entirely in memory, leaving little on disk to scan. It also avoids the single biggest mistake most malware makes: reusing servers, IP addresses, and domain names for command and control. Whatever artifacts ProjectSauron leaves behind (file names, file sizes, C2 infrastructure) are unique to each target, so indicators recovered from one victim cannot be used to hunt for infections elsewhere. With each deployment tailored to its target, there are no shared patterns to pivot on.

One of the more sophisticated aspects of ProjectSauron is its ability to steal data from computers that have no internet connection. These "air-gapped" machines are typically used to store particularly sensitive data. To bridge the gap, ProjectSauron uses USB storage drives carrying a hidden partition that Windows does not recognize as a file system. The drive presents itself as an ordinary, approved device, even passing data-loss-prevention checks, while hundreds of megabytes of hidden space are reserved solely for staging stolen data. Exactly how the full exfiltration chain works is not yet understood; researchers suspect an as-yet-unknown zero-day exploit may be involved. What is known is that ProjectSauron comprises more than 50 distinct modules that are combined differently for each infection.

The malware was discovered only after security experts were brought in to investigate unusual network traffic at an unidentified government agency. On a domain controller they found a library registered as a Windows password filter. Password filters are a legitimate feature: Windows loads every DLL listed under the LSA "Notification Packages" registry value and hands it each new password so that it can enforce password policy. ProjectSauron's module abused that hook, so every time a user logged in or changed a password, the module ran and captured the credentials in plaintext.
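The password-filter hook described above is worth auditing on every domain controller, because any DLL listed in that registry value is handed plaintext passwords. The following script is an added example written for this article, not code from the researchers or from the malware analysis. It enumerates the registered notification packages, resolves each to the DLL that LSA would load from System32, and reports whether the file exists, whether it is one of the Windows defaults, and whether it carries a valid Authenticode signature. The list of "known good" names is an assumption drawn from common default installs and should be checked against a clean reference host in your own environment.

```powershell
# Added example (not from the original article): audit LSA password filter
# registrations, the mechanism ProjectSauron's credential-stealing module abused.
# Run in an elevated PowerShell session, ideally on every domain controller.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption: these are the notification packages shipped by Windows itself on
# a typical member server / domain controller. Verify against a clean host.
$knownGood = @('scecli', 'rassfm', 'kdcsvc')

function Get-PasswordFilterAudit {
    # 'Notification Packages' is REG_MULTI_SZ, so this comes back as a string array.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        # Entries are DLL base names without an extension; LSA loads them from System32.
        $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists  = Test-Path -Path $dllPath
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

        [pscustomobject]@{
            Package   = $name
            Path      = $dllPath
            Exists    = $exists
            KnownGood = ($knownGood -contains $name.ToLower())
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        }
    }
}

# Anything that is not a known default, is unsigned, or whose DLL is missing
# (a filter that was loaded and then deleted from disk) deserves a closer look.
Get-PasswordFilterAudit |
    Where-Object { -not $_.KnownGood -or $_.SigStatus -ne 'Valid' -or -not $_.Exists } |
    Format-Table -AutoSize
```

A filter is only loaded when LSA starts, so a freshly added entry will not be active until the next reboot; conversely, an attacker who has already rebooted the machine may have removed the DLL from disk afterwards, which is why the script flags missing files rather than skipping them. For continuous monitoring, Windows also records Security event 4614 ("A notification package has been loaded by the Security Account Manager") at boot, which can be forwarded to a SIEM and compared against the same allowlist.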

ProjectSauron appears to have been built to steal passwords, configuration files, cryptographic keys, and the IP addresses of servers handling encryption. Whoever is behind it is highly sophisticated and has targeted military agencies, government organizations, telecommunications providers, scientific research groups, and financial institutions in Russia, Iran, China, Italy, Belgium, Sweden, and Rwanda.