Kaspersky finds advanced cyber-espionage malware that hid for five years
Kaspersky Lab's security researchers have found a new cyber-espionage malware, most likely built by a nation-state to use against other states' organizations.
Dubbed "ProjectSauron", it is "particularly interested" in accessing encrypted communications. The malware hunts such communications down using an "advanced modular cyber-espionage platform" made up of a number of different and unique tools.
Researchers say traditional compromise indicators are "almost useless" in this case, because ProjectSauron has noteworthy avoidance patterns. It customizes its implants and infrastructure for each individual target and never recycles them, which makes it extremely hard to detect. ProjectSauron looks as if it was created by an "experienced and traditional actor", drawing inspiration from Duqu, Flame, Equation and Regin.
Iran, Rwanda, Russia and possibly a few Italian-speaking countries were targets. More than 30 victim organizations in these countries were identified, but Kaspersky Lab believes there are probably many, many more. The malware usually targets government, military, scientific research centers, telecom operators and financial organizations. The platform appears to have been in operation since 2011 and still remains active.
"A number of targeted attacks now rely on low-cost, readily available tools. ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customizable scripted code. The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting-edge techniques from other major threat actors, is rather new. The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organizational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none", says Vitaly Kamluk, principal security researcher at Kaspersky Lab.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.