ProjectSauron: cyber spyware cracking encrypted communications channels of government organizations

    ProjectSauron disguised itself as a password filter for Windows systems for five years, unnoticed



    Kaspersky Lab has detected a powerful, purpose-built virus that had gone undetected on the networks of various government organizations since 2011. The virus's activity was aimed at breaking into the encrypted communication channels of compromised systems. Information security experts have found this malware in the networks of more than 30 organizations in different countries.

    The malware is classified as APT-class (Advanced Persistent Threat) cyber espionage software, a classification reserved for the most complex and long-running cyber espionage campaigns; Equation, Regin, Duqu and Careto belong to the same class. ProjectSauron (also codenamed Strider) went unnoticed for so long because it resided in the system as an executable library loaded into the memory of a domain controller on a network running Microsoft Windows.

    The compromised system registered this library as a password filter, and as a result ProjectSauron gained access in the clear to data that was otherwise encrypted. According to the experts who discovered it, the software was developed by an unknown cyber group responsible for attacks on key state enterprises in several countries (Russia, Iran, Rwanda). The experts believe that many more countries and organizations have been affected, and that what is known so far is only the tip of the iceberg. The main targets were government agencies, research centers, military centers, telecommunications companies and financial organizations.
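    A defender's first check on a domain controller for this technique is to list the DLLs registered as LSA password filters under the Notification Packages value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa and compare them with a known baseline. The following is an added Python example, not code from the article or from Kaspersky Lab's report: it parses a constructed `reg export` excerpt of that key (the `hex(7)` encoding of a REG_MULTI_SZ value), decodes the package list and reports anything outside an assumed baseline of `scecli` and `rassfm`; the entry `lsaflt` is a made-up placeholder for a DLL that does not belong there.

```python
# Constructed excerpt of `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
# (not from the article or the report). REG_MULTI_SZ values are written as
# hex(7): UTF-16LE bytes, comma separated, with backslash line continuations.
# "lsaflt" is a made-up placeholder standing in for an unexpected filter DLL.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,6c,00,73,00,61,00,66,00,6c,00,74,00,00,\
  00,00,00
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Packages expected on a stock domain controller (assumption made for this example).
BASELINE_PACKAGES = {"scecli", "rassfm"}


def _read_value(reg_text: str, key_path: str, value_name: str) -> str:
    """Return the raw right-hand side of `value_name` under `key_path`, with
    backslash continuation lines joined; '' if the value is not present."""
    in_key = False
    collecting = False
    parts = []
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip() == f"[{key_path}]"
            collecting = False
            continue
        if collecting:
            parts.append(line.strip())
            collecting = line.rstrip().endswith("\\")
            continue
        if in_key and line.startswith(f'"{value_name}"='):
            parts.append(line.split("=", 1)[1].strip())
            collecting = line.rstrip().endswith("\\")
    return "".join(p.rstrip("\\") for p in parts)


def decode_multi_sz(raw: str) -> list:
    """Decode a `hex(7):aa,bb,...` REG_MULTI_SZ value into its list of strings."""
    if not raw.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ (hex(7)) value")
    hex_bytes = raw[len("hex(7):"):].split(",")
    data = bytes(int(b, 16) for b in hex_bytes if b)
    # Each string is NUL-terminated and the whole list ends with an extra NUL.
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def notification_packages(reg_text: str) -> list:
    """DLL base names registered as LSA notification (password filter) packages."""
    raw = _read_value(reg_text, LSA_KEY, "Notification Packages")
    return decode_multi_sz(raw) if raw else []


def unexpected_packages(reg_text: str, baseline=BASELINE_PACKAGES) -> list:
    """Registered packages that are not in the baseline and deserve a closer look."""
    return [p for p in notification_packages(reg_text) if p.lower() not in baseline]


if __name__ == "__main__":
    print("registered:", notification_packages(SAMPLE_REG_EXPORT))
    print("unexpected:", unexpected_packages(SAMPLE_REG_EXPORT))
```

    Each name reported should then be resolved to its DLL in %SystemRoot%\System32 and checked for a valid Microsoft signature, because a registered password filter is handed every new password in the clear whenever a user changes it.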

    Key Features of ProjectSauron:

    • This is not a simple virus, but a modular platform designed for cyber espionage;
    • The platform and its modules use advanced encryption algorithms, including RC6, RC5, RC4, AES and Salsa20;
    • More than 50 plug-in modules have been developed for the platform, extending the capabilities of its core component;
    • Using this software, the creators of ProjectSauron steal encryption keys, configuration files and the IP addresses of the main network servers involved in protecting the information of the enterprise or organization;
    • Attackers can steal data even from networks that are not connected to the Internet, using specially prepared USB drives on which the stolen data is placed in a hidden area that is not visible to the operating system;
    • ProjectSauron has been operating since at least 2011.

    The virus is very difficult to detect, because the platform is modified for each new attack. The servers, domain names and IP addresses that the attackers register for each instance of the modified platform are unique, and so are the plug-ins: they have unique names, file sizes and other characteristics. The timestamps of the modules are matched to the system in which the virus is meant to run. The modules serve a variety of purposes, including document theft, keylogging and theft of encryption keys.

    ProjectSauron is also deployed differently in each organization's network. In some cases the attackers modified the scripts that the enterprise's network administrators use to update legitimate software on computers in the local network. The ProjectSauron loader is very small; once installed on a PC it runs with administrator rights, connects to a unique IP address and downloads the main software component. As mentioned above, an extensive network of domains and servers is used to operate the platform and its modules, with each element dedicated to a specific victim.

    So far, information security experts have discovered 28 domains tied to 11 IP addresses in the United States and European countries. The malware has advanced networking capabilities built on the most common protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP. The platform uses the DNS protocol to send data about its current operations to a remote server in real time.
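    The DNS channel mentioned above is the one most amenable to detection from ordinary resolver logs, because data tunnelled in query names shows up as long, high-entropy labels and as an unusually large number of distinct subdomains under one base domain. The following is an added Python example, not code from the article or the report, that applies both heuristics to constructed sample log lines; the log format, client addresses, domain names and thresholds are all invented for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log (timestamp, client, record type, query name).
# Format, addresses and names are made up for this example, not from the report.
# The 32-character hex labels stand in for encoded data carried in query names.
SAMPLE_DNS_LOG = """\
2016-08-08T10:15:01Z 10.0.0.12 A www.example.com
2016-08-08T10:15:02Z 10.0.0.12 A update.microsoft.com
2016-08-08T10:15:03Z 10.0.0.31 A 0123456789abcdef0123456789abcdef.sync.cdn-placeholder.test
2016-08-08T10:15:04Z 10.0.0.31 A fedcba9876543210fedcba9876543210.sync.cdn-placeholder.test
2016-08-08T10:15:05Z 10.0.0.12 A time.windows.com
2016-08-08T10:15:06Z 10.0.0.31 A abcdef0123456789abcdef0123456789.sync.cdn-placeholder.test
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels of a query name (simplification: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def has_encoded_label(qname: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """True if any label looks like encoded data: long and high-entropy."""
    return any(len(lbl) >= min_len and shannon_entropy(lbl) >= min_entropy
               for lbl in qname.rstrip(".").split("."))


def parse_log(log_text: str):
    """Yield (timestamp, client, rtype, qname) tuples from the constructed format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def find_suspicious_queries(log_text: str, max_unique_subdomains: int = 3) -> set:
    """Return (client, base_domain) pairs that either sent a query containing an
    encoded-looking label or queried at least `max_unique_subdomains` distinct
    names under a single base domain (the fan-out typical of a DNS data channel)."""
    encoded = set()
    unique_names = defaultdict(set)
    for _ts, client, _rtype, qname in parse_log(log_text):
        key = (client, base_domain(qname))
        unique_names[key].add(qname.lower())
        if has_encoded_label(qname):
            encoded.add(key)
    fan_out = {k for k, names in unique_names.items()
               if len(names) >= max_unique_subdomains}
    return encoded | fan_out


if __name__ == "__main__":
    for client, domain in sorted(find_suspicious_queries(SAMPLE_DNS_LOG)):
        print(f"suspicious DNS activity: client={client} base_domain={domain}")
```

    The thresholds (label length 20, entropy 3.5 bits, three distinct names per base domain) are assumptions chosen for the sample data; on a real resolver they need tuning against the organization's normal traffic, since CDNs and some security products also emit long random-looking labels.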

    Its developers went to great lengths to keep ProjectSauron unnoticed for a long time: for example, different command-and-control servers for different instances of the software, unique domains and IP addresses, different cryptographic algorithms in different cases, and the use of conventional protocols and message formats. There are no signs of domain or server reuse. A unique algorithm was used for each attacked target, which made it impossible to detect other copies of the software once one of them had been detected by a specific indicator. The only way to identify this software is by structural similarities in the code.


    First of all, the attackers were interested in information relating to non-standard cryptographic software. Such software is usually created for organizations that need to protect their communication channels, including voice communication, e-mail and document exchange. The file types of most interest to the creators of the virus are known: *.txt; *.doc; *.docx; *.ppt; *.pptx; *.xls; *.xlsx; *.vsd; *.wab; *.pdf; *.dst; *.ppk; *.rsa; *.rar; *.one; *.rtf; ~WPL*.tmp; *.FTS; *.rpt; *.conf; *.cfg; *.pk2; *.nct; *.key; *.psw. They were also interested in information matching the following patterns: .*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*

    The virus can steal documents, intercept keystrokes, and search for encryption keys on compromised systems and the drives connected to them and send them to its creators. It is now known that ProjectSauron can attack all modern versions of Microsoft Windows; variants designed to run on other operating systems have not yet been discovered.

    Once inside the system, ProjectSauron deploys its malicious modules in the directory of the company's cryptographic software and disguises its own files among the existing ones. The downloaded virus remained dormant in the system, waiting for an activation command. Subsequently, ProjectSauron was used to identify encryption keys, configuration files and the addresses of the servers that encrypt messages between network nodes.

    Experts from Kaspersky Lab estimate that preparing cyber espionage software at this level costs many millions of US dollars. An operation of this scale can only be carried out with the active support of a nation state. Most likely, several teams of specialists were involved in creating ProjectSauron.

    Kaspersky Lab software can now detect signs of ProjectSauron's presence on a system; samples of this malware are detected as HEUR:Trojan.Multi.Remsec.gen.

    A full report on the analysis of the virus and its operation is available at this link (.pdf).
