Super-Sophisticated Spyware Spotted After 5-Year Run
Symantec and Kaspersky Lab last week separately announced the discovery of a highly sophisticated advanced persistent threat that had eluded security researchers for at least five years. A previously unknown group called "Strider" has been using Remsec, an advanced tool that seems to be designed primarily for spying. Its code contains a reference to Sauron, the main villain in The Lord of the Rings, according to Symantec. The APT spyware is called "ProjectSauron" or "Strider" in Kaspersky's report. The malware has been active since at least October 2011, Symantec said. It obtained a sample after its behavioral engine detected it on a customer's systems.
Kaspersky found out about ProjectSauron when its software caught an executable library registered as a Windows password filter loaded in the memory of a Windows domain controller. The library had access to sensitive data in cleartext.
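A defender-side check inspired by the detection described above, added here as an example and not part of the article or of either vendor's tooling: it enumerates the password-filter DLLs registered under the LSA "Notification Packages" value (the mechanism a malicious filter must hook into to see cleartext passwords) and flags any entry that is not the Windows default, is missing from System32, or fails Authenticode verification. It assumes entries are bare DLL names resolved under System32, which is the usual convention; run it elevated on a domain controller.

```powershell
# Added example: audit LSA password filters on this host (run as Administrator).
# Assumption: entries in 'Notification Packages' are DLL base names in System32.
function Get-PasswordFilterAudit {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    # 'scecli' is the only entry present on a default Windows install;
    # anything else is worth explaining (legitimate filters exist, but they must be known).
    $known = @('scecli')

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $file = if ($name -like '*.dll') { $name } else { "$name.dll" }
        $path = Join-Path $env:SystemRoot "System32\$file"

        $entry = [pscustomobject]@{
            Name       = $name
            Path       = $path
            Exists     = Test-Path -Path $path
            SigStatus  = 'N/A'
            Signer     = 'N/A'
            Suspicious = $false
        }

        if ($entry.Exists) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $entry.SigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $entry.Signer = $sig.SignerCertificate.Subject }
        }

        # Flag: unexpected name, DLL not on disk, or signature not valid.
        $entry.Suspicious = ($known -notcontains ($name -replace '\.dll$', '')) -or
                            (-not $entry.Exists) -or
                            ($entry.SigStatus -ne 'Valid')
        $entry
    }
}

Get-PasswordFilterAudit | Format-Table -AutoSize
```

A filter that is flagged should be compared against what LSASS currently has loaded (for example via Sysinternals ListDLLs or Process Explorer), since the registry value only records what will be loaded at the next boot.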
"Learning that some sophisticated malware has been running in your infrastructure for half a decade without detection is certainly painful," said Sándor Bálint, security lead for applied data science at Balabit. "Installing antivirus software and running a personal firewall provide only a bare minimum of protection," he added.
The spyware is modular, and it includes a network monitor. It can deploy custom modules as required. It opens backdoors on infected computers, and it can log keystrokes and steal files.
Its modules create a framework that provides complete control over an infected computer, Symantec said, moving across a network and stealing data.
Encryption is heavily used to prevent detection, as are stealth features. Several components are in the form of executable Binary Large OBjects, or blobs, which are difficult for traditional antivirus software to detect, according to Symantec.
Further, much of the spyware's functionality is deployed over the network, so it resides only in a computer's memory and not on disk -- again, making detection difficult.
Symantec has found evidence of infections on 36 computers across seven separate organizations. It has detected the malware on individuals' PCs in Russia, in an airline in China, in an organization in Sweden, and in an embassy in Belgium.
Kaspersky has found more than 30 infected organizations in Russia, Iran and Rwanda, and it suspects that Italy might also have been targeted.
Kaspersky collected 28 domains linked to 11 IP addresses in the United States and several European countries, which might be connected to ProjectSauron campaigns. The targets could be considered minor players, but "the fact that they're not the typical targets of APT campaigns makes this more interesting," said Jon DiMaggio, senior threat intelligence analyst at Symantec.