Wednesday, August 10, 2016

ProjectSauron is malware that hides almost five years – Bitmag

In September 2015, Kaspersky Lab's anti-targeted-attack platform flagged a sample with an unusual feature inside a client's network. That anomaly led researchers to ProjectSauron, a nation-state threat actor attacking state organisations with a unique set of tools for each victim.

ProjectSauron is mainly intended to gain access to encrypted communications, through an advanced, modular cyber-espionage platform that incorporates unique techniques.

The malware's preferred targets are governments, military institutions, scientific research centres and financial organisations. To date, more than 30 victim organisations have been identified in Russia, Iran and Rwanda, and there may be more in Italian-speaking countries.

ProjectSauron appears to be an experienced actor that has learned from other highly advanced actors, including Duqu, Flame, Equation and Regin, adopting many of their innovative techniques and improving on others in order to remain undetected. According to Kaspersky Lab, ProjectSauron samples are detected as HEUR:Trojan.Multi.Remsec.gen.

The most prominent feature of ProjectSauron is that it deliberately avoids repeatable patterns, customising its implants and infrastructure for each individual target, which hampers detection.

“Some targeted attacks are based on low-cost, ready-to-use tools. ProjectSauron, by contrast, is one of those based on homemade, reliable tools with customisable code. The use of unique indicators, such as the control server, encryption keys and other things, together with the use of cutting-edge techniques from other major threat actors, is a novelty. The only way to resist these threats is to have many layers of security, based on a sensor network that monitors the smallest anomaly, multiplied by forensic analysis and intelligence to identify patterns even when there seem to be none,” said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab, in a statement.

The main features of ProjectSauron:

  • Unique footprint: the core implants have different names and sizes, created individually for each target, which makes detection very difficult, since the same basic indicators of compromise would have almost no value against another target.
  • Runs in memory: the core implants make use of legitimate software update scripts and work as backdoors, downloading new modules and running the attacker's commands only in memory.
  • Focus on crypto-communications: ProjectSauron actively searches for information related to a very rare, customised network encryption software. This client-server software is widely used by various organisations to secure communications: voice, email and document exchange. The attackers are particularly interested in the crypto-software components, keys, configuration files and the location of the servers that relay encrypted messages between nodes.
  • Script flexibility: ProjectSauron deploys a set of low-level tools orchestrated by high-level Lua scripts. The use of Lua components in malware is very rare; it was previously seen only in the Flame and Animal Farm attacks.
  • Bypassing air gaps: ProjectSauron uses specially prepared USB drives to jump across air-gapped networks. These drives have hidden compartments where stolen data is stored covertly.
  • Multiple exfiltration mechanisms: ProjectSauron implements a set of routes for data exfiltration, including legitimate channels such as email and DNS, blending the information copied from the victim into day-to-day traffic.
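The DNS route above is exactly the kind of small anomaly Kamluk's "sensor network" has to catch. As an added example, not taken from the article or from Kaspersky, the Python below runs a simple triage heuristic over constructed DNS query log entries: it flags a client that repeatedly sends long, high-entropy subdomain labels to a single base domain, the shape that encoded data carried in DNS queries tends to take. The sample data, names and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of (client_ip, queried_name) pairs; not data from the report.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.org"),
    ("10.0.0.7", "4f9a0c3e7b1d2a8e5c6f0b9d.upd.example-cdn.net"),
    ("10.0.0.7", "a1c8e3f2b4d6a0c7e9f1b3d5.upd.example-cdn.net"),
    ("10.0.0.7", "e7b2d4f6a8c0e1b3d5f7a9c2.upd.example-cdn.net"),
    ("10.0.0.7", "c3d5f7a9b1e2c4d6f8a0b2e4.upd.example-cdn.net"),
    ("10.0.0.7", "www.example.com"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character of the string; hex/base32-encoded data scores high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def is_encoded_label(label: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """A long, high-entropy label looks like an encoded payload, not a hostname."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_dns_exfil_candidates(queries, min_hits: int = 3):
    """Count encoded-looking subdomain labels per (client, base domain).
    The base domain is approximated as the last two labels (assumption: no
    public-suffix list); a client with min_hits or more such queries to one
    base domain is returned for analyst review."""
    hits = defaultdict(int)
    for client, name in queries:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) < 3:          # nothing below the base domain to inspect
            continue
        base = ".".join(labels[-2:])
        if any(is_encoded_label(lab) for lab in labels[:-2]):
            hits[(client, base)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for (client, base), n in find_dns_exfil_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {base}: {n} encoded-looking queries")
```

Legitimate CDNs, anti-spam and telemetry services also use hash-like labels, so treat a hit as a lead for the forensic follow-up the quote describes, not as a verdict.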

Kaspersky's security experts advise organisations to carry out a full audit of their IT networks and endpoints and to implement the following measures:

  • Install a solution against targeted threats alongside new or existing endpoint protection. Endpoint protection on its own is not enough to withstand the next generation of threat actors.
  • Call in experts if an anomaly is detected. The most advanced security solutions will be able to identify an attack even while it is still in progress, and security professionals are often the only ones who can effectively block, mitigate and analyse major attacks.
  • Add threat intelligence to the measures above, so that security teams are kept informed of the latest developments in the threat landscape, attack trends and the signs they should be alert to.
  • Finally, since many of the biggest attacks begin with spear-phishing or another approach aimed at employees, confirm that your staff understand and practise responsible cyber behaviour.
