A software security group has found an advanced malware platform that was likely developed with the support of a government engaged in cyber espionage.
Researchers from Kaspersky Lab found that the malware, which they dubbed ‘ProjectSauron’ (‘Remsec’ to their colleagues at Symantec), has been operating undetected for five years.
Active since 2011, ‘ProjectSauron’ has been detected on approximately 30 targets. According to Ars Technica, it owes its long invisibility to deliberate design choices by its creators.
There is evidence to suggest that malware such as Flame, Duqu, Regin and Stuxnet was sponsored by nation states. ‘ProjectSauron’ is so difficult to detect because its components are stored as Binary Large Objects (BLOBs), opaque chunks of binary data that give signature-based antivirus software little to match on.
The way ‘ProjectSauron’ is built means that the software artefacts it leaves behind are unique to each target. Ars Technica notes that this uniqueness means indicators recovered from one infection are of little help in finding the malware on other computers, even with prior knowledge of it.
Unlike most malware, ‘ProjectSauron’ uses fresh servers, domain names or IP addresses for practically every target, so network indicators do not carry over from one victim to the next either.
The malware can obtain data from air-gapped computers by using USB storage devices on which a hidden virtual file system has been prepared, one that is not visible to the Windows operating system. Infected computers see the removable drives as approved devices, while several hundred megabytes of each drive are actually reserved for storing data taken from the air-gapped machines. Ars Technica reports that the arrangement works even against computers on which data-loss prevention software blocks the use of unknown USB drives.
Kaspersky's researchers believe the platform comprises at least 50 modules that can be mixed and matched to the objectives of each infection. They are still unsure exactly how the USB-based exfiltration works.
In a report published yesterday, Kaspersky researchers wrote that “the attackers clearly understand that we as researchers are always looking for patterns.
“Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.”
Symantec said they were aware of seven organisations infected.
In a different blog post, Kaspersky wrote that “once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic.
“This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organisations.”
The researchers said they first found the malware last September, when a customer at a government organisation hired them to investigate unusual network traffic. They discovered a program library in the memory of one of the customer's domain controller servers, disguised as a Windows password filter: a DLL that LSASS loads at boot and calls with the plaintext password whenever an account password is changed, which makes any unexpected registration of that kind worth auditing on every domain controller.
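A check for this particular foothold, added here as an example and not taken from the Kaspersky or Symantec reports: on a domain controller, list the DLLs registered as LSA password filters, verify their Authenticode signatures, and cross-check what lsass.exe has actually loaded. The `$expected` baseline is an assumption for the example and should be replaced with the value from your own clean build; the script is meant to run in an elevated PowerShell session on the DC.

```powershell
# Added example: audit LSA password-filter DLLs on a domain controller.
# Run elevated. Not code from the original article or from the researchers' reports.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Notification Packages" is a REG_MULTI_SZ of DLL base names (no extension)
# that LSASS loads at boot and calls on every password change.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

# Baseline expected on a clean DC. Assumption for this example: take the real
# list from a known-good domain controller of the same build.
$expected = @('scecli', 'rassfm')

foreach ($name in $packages) {
    $dll = Join-Path $env:SystemRoot "System32\$name.dll"
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
            $status = 'ms-signed'
        } else {
            $status = "UNSIGNED/NON-MS ($($sig.Status))"
        }
    } else {
        # A registered name with no file on disk means LSASS would fail to load it,
        # or the DLL was removed after loading: either way, investigate.
        $status = 'DLL MISSING ON DISK'
    }
    $flag = if ($expected -notcontains $name) { '<-- not in baseline' } else { '' }
    '{0,-12} {1,-28} {2}' -f $name, $status, $flag
}

# Cross-check the registry view against what is really inside lsass.exe:
# an implant can be injected rather than registered, so list any module
# loaded from outside System32.
Get-Process -Name lsass | ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName -notlike "$env:SystemRoot\System32\*" } |
    Select-Object ModuleName, FileName
```

Two things to keep in mind when reading the output: on a DC with LSA protection (RunAsPPL) enabled, the module listing at the end is denied for an unprotected PowerShell process, which is expected and is itself a sign the hardening is in place; and a clean `ms-signed` result only tells you the file on disk is genuine, so the registry value, the on-disk file and the loaded module list should all agree before the host is considered clean.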