Super-Sophisticated Spyware Has Been Discovered After Undetected Five-Year Run

Aug 29, 2016

After spending a half-decade operating undetected, an APT (advanced persistent threat) known as “ProjectSauron” has been uncovered by both Symantec and Kaspersky Lab. A group called “Strider” has been using Remsec, an advanced tool that appears to have been designed for spying.

According to Symantec, the malware has been active since at least October 2011. Symantec became aware of ProjectSauron when its behavioural engine detected the virus on a customer’s systems. Kaspersky’s software detected the malware on a Windows domain controller as an executable library registered as a Windows password filter.
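A password filter is a DLL that LSASS loads on a domain controller; Windows finds it by name in the LSA “Notification Packages” registry value, and once loaded it is handed every password change in plaintext. The script below, an added example that is not from the article or from either vendor, enumerates that value on the local machine and flags any entry that is not in an assumed known-good baseline or whose DLL is missing or not validly signed. The baseline list and the hypothetical output fields are assumptions to be tailored to your own environment.

```powershell
# Added example: audit registered password filter DLLs on a domain controller.
# The "Notification Packages" value under the LSA key is where password filters
# are registered; entries are DLL base names resolved from %SystemRoot%\System32.
# ASSUMPTION: the baseline below reflects a default install; adjust for what
# your DCs legitimately run before treating anything else as suspicious.
$KnownGood = @('scecli', 'rassfm')

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($pkg in $packages) {
    # Entries normally omit the .dll extension; tolerate both forms.
    $fileName = if ([IO.Path]::GetExtension($pkg)) { $pkg } else { "$pkg.dll" }
    $dllPath  = Join-Path $env:SystemRoot "System32\$fileName"

    # Check the on-disk file and its Authenticode signature, if the file exists.
    $sig = if (Test-Path $dllPath) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

    $inBaseline = $KnownGood -contains $pkg
    $sigStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }

    # Anything outside the baseline, or not validly signed, deserves a closer look.
    if (-not $inBaseline -or $sigStatus -ne 'Valid') {
        Write-Warning "Review password filter '$pkg' ($dllPath): baseline=$inBaseline signature=$sigStatus"
    }

    [pscustomobject]@{
        Package    = $pkg
        InBaseline = $inBaseline
        Path       = $dllPath
        SigStatus  = $sigStatus
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
    }
}
```

Run it in an elevated PowerShell session on each domain controller and compare the output across DCs; a filter that appears on one controller only, or that is signed by an unexpected publisher, is the kind of anomaly the article describes. Since the registry value persists across reboots, monitoring changes to it is a cheap, durable detection even for malware that otherwise lives only in memory.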

Spyware

The spyware can deploy custom modules as required, and has a network monitor. Once it has infected a system, it can open backdoors, log keystrokes, and steal files. It is heavily encrypted, allowing it to avoid detection as it takes control, moving across the network and stealing data. As many of its functions are deployed over the network, it resides only in the computer’s memory, not on disk. This, along with the fact that several components take the form of Binary Large Objects (BLOBs), makes it extremely difficult for antivirus software to detect.

So far, evidence of a ProjectSauron infection has been detected by Symantec on 36 computers, spanning seven separate organizations in Russia, China, Sweden, and Belgium, as well as individuals’ PCs in Russia. Kaspersky has found more than 30 infections across Russia, Iran, and Rwanda, and suspects that Italy may also have been targeted.

Both Symantec and Kaspersky have suggested that a nation-state may be behind this APT. Kaspersky has collected 28 domains and 11 IP addresses in the US and Europe that may be connected to ProjectSauron campaigns. While it appears that the spyware has gone dark, no one can confirm whether or not Strider’s efforts have ceased. If Strider is in fact a nation-state attacker, these infections will likely continue to crop up.

The fact that ProjectSauron operates by mimicking a password filter module is yet another indication that it may be time for technology users worldwide to move away from relying on passwords, favoring instead biometrics and other more sophisticated security measures.

Need more information on how to best protect your data, devices and business against malware? Contact {company} at {phone} or {email} with your questions. We’re the trusted IT professionals.
