One APT to Rule Them All: ProjectSauron Remained Hidden for 5 Years

Researchers and security experts at Kaspersky Labs and Symantec have identified a new type of malware platform so advanced and secretive that details are only now coming to light. ProjectSauron, as the malware has been named, has been active since at least 2011. What distinguishes ProjectSauron from other APTs and zero-day exploits is that it has operated virtually undetected for five years and has multiple modules that can be installed based on the needs of the attacker(s). Security professionals are stopping short of naming its country of origin but suspect that the advanced persistent threat (APT) malware could “…probably have been developed only with the active support of a nation-state,” according to Ars Technica.

Researchers have also discovered that ProjectSauron is difficult to detect with traditional anti-virus because much of the malware resides in memory and is written in the form of binary large objects (BLOBs). How ProjectSauron works is still being pieced together, but the software artifacts it leaves behind are unique to each target. According to Ars Technica and Kaspersky, unlike “…many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.” This means that each instance of the malware is uniquely tailored to its environment, so indicators collected from one victim are of little use for finding the next. Both Kaspersky and Symantec researchers feel that this is just the beginning. Currently, more than 30 organizations have been attacked, and that number is expected to rise. The targets have been government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions. So far, no US-based organizations have reported being infected with the malware, but it has appeared in Russia, Iran, Rwanda, China, Sweden, Belgium and possibly in Italian-speaking countries.

ProjectSauron itself is made up of many different modules that do various things depending on the target. According to an FAQ published by Kaspersky, in one discovered instance ProjectSauron “registers its persistence module on domain controllers as a Windows Local Security authority password filter.” A password filter is a common tool used by system administrators to enforce password policies and validate new passwords against complexity and length requirements. ProjectSauron inserts itself into this process and is invoked every time a network user, a local user, or even an administrator logs in or changes a password. ProjectSauron then harvests the password in plain text. In instances where domain controllers lack direct Internet access, the attackers install additional modules on “other local servers which have both local network and Internet access…” and through which a significant amount of network traffic passes. These nodes are then set up for silent and inconspicuous data exfiltration that blends in with legitimate traffic, using the high volume of network traffic as a disguise. ProjectSauron’s modules are installed as “sleeper cells,” which means they do not activate until commands are received through the incoming network traffic. Researchers believe this is why the APT malware has survived this long in the wild without discovery.
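The password-filter persistence described above has a single, well-known registration point that defenders can audit. The script below is an added example written for this article, not code from Kaspersky, Symantec, or the ProjectSauron report. It reads the LSA `Notification Packages` registry value, where Windows records the password-filter DLLs it loads, and reports any entry that is not on an allowlist, is missing from `System32`, or fails Authenticode verification. The allowlist is an assumption: `scecli` is the stock entry on Windows, and `rassfm` appears on servers running Routing and Remote Access; add any sanctioned third-party password-policy filter your environment uses.

```powershell
# Added example (not from the article or Kaspersky's report): audit the LSA
# password-filter registration point. Windows loads password filters from the
# REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages;
# each entry is a DLL name (without extension) resolved from %SystemRoot%\System32.
# The default allowlist is an assumption for this example: 'scecli' is the stock
# entry and 'rassfm' appears on RRAS servers. Adjust it for your environment.

function Get-LsaNotificationPackageReport {
    [CmdletBinding()]
    param(
        [string[]]$Allowlist = @('scecli', 'rassfm'),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $regPath -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        # Password filters are loaded by name from System32, so resolve and inspect the file.
        $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists  = Test-Path -LiteralPath $dllPath
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
        $hash    = if ($exists) { (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash } else { $null }

        $onList     = $Allowlist -contains $name
        $badSig     = ($null -ne $sig) -and ($sig.Status -ne 'Valid')

        [pscustomobject]@{
            Computer    = $ComputerName
            Package     = $name
            DllPath     = $dllPath
            OnAllowlist = $onList
            FileExists  = $exists
            Signature   = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            Sha256      = $hash
            # Flag anything unexpected, missing, or unsigned/tampered for analyst review.
            Suspicious  = (-not $onList) -or (-not $exists) -or $badSig
        }
    }
}

# Usage: run on every domain controller (directly or via Invoke-Command) and
# review rows flagged Suspicious; compare unexpected entries with change records
# before removing them, since legitimate products can also register here.
Get-LsaNotificationPackageReport | Format-Table -AutoSize
```

Run this on each domain controller and keep the output as a baseline; the complementary control is to alert on any write to that registry value, since a password filter only takes effect after a reboot and the registry change is the earliest visible sign of this persistence technique.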

ProjectSauron can also infect air-gapped networks. For isolated networks, Kaspersky identified a scenario in which a toolkit was specially designed to move data from air-gapped networks to Internet-connected systems via infected removable USB devices. To do this, the attacker first compromises an Internet-connected system and waits for the user to attach a USB drive; a ProjectSauron module then reserves an area of hidden space on the USB disk containing a custom-encrypted partition that is not recognized by common operating systems such as Windows. It should be noted that this method can also bypass many DLP products that block the plugging in of “unknown USB devices based on DeviceID,” because in this case the USB drive was known and recognized as a genuine device.

For more information on ProjectSauron, please read the Kaspersky report.

CyberSheath stands with you in your effort to defeat advanced persistent threats.   Let us help you shore up your security by conducting an assessment today.