“The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg”
Kaspersky researchers in a report published Monday, August 8th, 2016 on ProjectSauron
Telecom Providers and Government Agencies, beware!
Some computer viruses are very clever in their design indeed, so much so that they can avoid detection by simply not behaving like a virus.
Such is the case of a malware program named “ProjectSauron” by Kaspersky and “Remsec” by Symantec, as reported in the article “Advanced Malware Stayed Hidden For Five Years”, published August 9, 2016 by Justin Pot, Digital Trends.
Kaspersky researchers discovered the malware in September 2015. The main purpose of the malware was to obtain:
1. Passwords
2. Cryptographic keys
3. Configuration files
4. IP addresses for encryption software
According to sources, a Western-friendly government organization hired Kaspersky to investigate anomalous network traffic. The researchers discovered a code library hiding on the domain controller servers, masquerading as a Windows password filter.
A Windows password filter is a piece of software used by network admins to enforce strong passwords. Because the library started each time a network or local user logged in or changed a password, it was able to view those passwords in plaintext.
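Since a password filter is just a DLL that the domain controller hands every new password to, the practical defender's check is to audit which filters are actually registered. The script below is an added example written for this post, not code from Kaspersky or Symantec; it parses the output of `reg query` for the LSA key and flags any package not in a baseline. The sample output, the `placeholder_filter` entry and the baseline of `scecli` and `rassfm` are constructed assumptions, so extend the baseline with whatever your own build images legitimately add.

```python
import re

# Constructed sample of `reg query` output for the LSA key (not captured from a real host).
# reg.exe prints REG_MULTI_SZ entries joined with a literal "\0".
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0placeholder_filter
"""

# Assumed baseline of packages Microsoft ships on a domain controller
# (scecli = security configuration engine client, rassfm = RAS subauthentication).
KNOWN_PACKAGES = {"scecli", "rassfm"}


def parse_notification_packages(reg_output: str) -> list[str]:
    """Extract the module names listed in the 'Notification Packages' value."""
    m = re.search(r"Notification Packages\s+REG_MULTI_SZ\s+(.*)", reg_output)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(r"\0") if p.strip()]


def find_unknown_packages(reg_output: str, baseline=KNOWN_PACKAGES) -> list[str]:
    """Return registered packages that are not in the baseline.

    Every name listed here is a DLL that LSASS loads and passes cleartext
    password changes to, so any entry you cannot account for deserves a look.
    """
    known = {b.lower() for b in baseline}
    return [p for p in parse_notification_packages(reg_output)
            if p.lower() not in known]


def audit_hosts(outputs: dict[str, str], baseline=KNOWN_PACKAGES) -> dict[str, list[str]]:
    """Run the check over several hosts; keys are host names, values are unknown packages."""
    return {host: unknown
            for host, out in outputs.items()
            if (unknown := find_unknown_packages(out, baseline))}


if __name__ == "__main__":
    # Constructed two-host inventory: one clean, one with the unexpected entry.
    inventory = {
        "dc01": SAMPLE_REG_QUERY.replace(r"\0placeholder_filter", ""),
        "dc02": SAMPLE_REG_QUERY,
    }
    for host, unknown in audit_hosts(inventory).items():
        for pkg in unknown:
            print(f"{host}: unexpected password filter registered: {pkg}.dll")
```

On a real domain controller you would feed the function the output of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"`, then confirm that each flagged DLL in System32 is signed and accounted for.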
So who was being targeted by this very sophisticated malware?
ProjectSauron or Remsec targeted Governments - Sleeper cells and keylogger since 2011
ProjectSauron or Remsec, whichever you prefer, has been active since 2011 and possibly longer in the following countries:
1. Russia
2. Iran
3. Rwanda
4. China
5. Sweden
6. Belgium
7. Italy
The virus has evaded detection for these long five (5) years because it is designed to have no definite infection patterns. The malware mainly targeted the following computer systems:
1. Government entities
2. Military operations
3. Research institutions
4. Banks
5. Telecommunication companies
According to Kaspersky, the malware was, quote, “designed to perform specific functions like stealing documents, recording keystrokes, and hijacking encryption keys from both infected computers and attached USB sticks”.
Basically, it is a sophisticated keylogger similar to the ones referred to in my blog article entitled “Professor Marco Gercke warns of Scammers using Keyloggers and How to use Keyloggers and Protect yourself”.
But how did it avoid detection for so long?
ProjectSauron lays low by being chill - No patterns makes it harder to detect
Not much is known about the malware program named “ProjectSauron” by Kaspersky and “Remsec” by Symantec.
Most likely, it was designed by an unknown country, possibly North Korea, Israel or, most likely, the US of A, to spy on Western-friendly governments, as pointed out in the article “Researchers crack open unusually advanced malware that hid for 5 years”, published 8/8/2016 by Dan Goodin, Ars Technica.
Kaspersky’s name “ProjectSauron” refers to the character in the book The Lord of the Rings, who possesses a ring of power and is represented by a single eye.
Sauron has an army made up of rag-tag conscripts all fighting to destroy humans and elves in Middle-earth. This use of symbolism by these state-sponsored hackers implies that they probably are hackers who live and operate within the Darknet, and that their sponsor has ambitions similar to the character in The Lord of the Rings: to possess the one ring to rule them all!
Its design made it look more like a passive file than a virus while performing the function of a keylogger, spying on its targets and sending information back to its client. For instance, it changed its name depending on the type of computer and operating system it infected, as shown below, thereby avoiding suspicion.
It also had a multi-vector approach to infection, spreading itself via email attachments as well as by infecting files on USB drives in order to carry out its keylogger function.
It most likely did this by sniffing nearby USB mice and keyboards and hopping across via Bluetooth or Wi-Fi connections, as described in my blog article entitled “How Bastille's US$12 Geetech Crazyradio Bluetooth dongle can hack Wireless Keyboards and Mice”.
It even changed itself into fifty (50) possible plugins to record keystrokes from various machines. One would have thought IT admins would have spotted it when it sent data back to its host. But this malware had clever methods of sending the keystrokes it captured, such as converting the data to metadata and sending it out over a DNS connection.
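Data smuggled out over DNS still leaves a trace in resolver logs: a single client asking for many unique, long, high-entropy subdomains under one parent domain. The script below is an added example written for this post (it is not Kaspersky's or Symantec's detection logic) that scores exactly those three signals over a handful of constructed log lines in the form `<time> <client> <qname> <qtype>`; the `collector-placeholder.net` domain, the addresses and the thresholds are all assumptions you would tune against your own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic): "<time> <client> <qname> <qtype>".
# 10.1.2.3 browses normally; 10.1.2.9 issues hex-looking TXT queries under one parent domain.
SAMPLE_DNS_LOG = """\
2016-08-08T10:00:01 10.1.2.3 www.example.com A
2016-08-08T10:00:02 10.1.2.3 mail.example.com MX
2016-08-08T10:00:03 10.1.2.3 cdn.example.com A
2016-08-08T10:00:04 10.1.2.9 7a4f9c1e03bd5a62.f18e02c7.collector-placeholder.net TXT
2016-08-08T10:00:05 10.1.2.9 3d8b77aa19c0e4f5.f18e02c7.collector-placeholder.net TXT
2016-08-08T10:00:06 10.1.2.9 c21e0f6b84a7d39d.f18e02c7.collector-placeholder.net TXT
2016-08-08T10:00:07 10.1.2.9 9b05e3c8d14af276.f18e02c7.collector-placeholder.net TXT
2016-08-08T10:00:08 10.1.2.9 e6a1b2c3d4e5f607.f18e02c7.collector-placeholder.net TXT
2016-08-08T10:00:09 10.1.2.9 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 payloads score near 4-5, normal hostnames well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split a log line into (client, parent_domain, subdomain_prefix, qtype), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, qname, qtype = m.groups()
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None  # no subdomain prefix to inspect
    # Simple two-label parent (a public-suffix list would be better in production).
    parent = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return client, parent, prefix, qtype


def find_suspect_domains(log_text: str, min_unique: int = 5,
                         min_prefix_len: float = 20.0, min_entropy: float = 3.0) -> dict:
    """Return {(client, parent): stats} for pairs that look like DNS exfiltration.

    A pair is flagged only when it exceeds all three thresholds: many distinct
    prefixes, long prefixes on average, and high character entropy across them.
    """
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            client, parent, prefix, _qtype = rec
            per_pair[(client, parent)].add(prefix)

    suspects = {}
    for (client, parent), prefixes in per_pair.items():
        if len(prefixes) < min_unique:
            continue
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        entropy = shannon_entropy("".join(p.replace(".", "") for p in prefixes))
        if avg_len >= min_prefix_len and entropy >= min_entropy:
            suspects[(client, parent)] = {
                "unique_prefixes": len(prefixes),
                "avg_prefix_len": avg_len,
                "entropy": round(entropy, 2),
            }
    return suspects


if __name__ == "__main__":
    for (client, parent), stats in find_suspect_domains(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {parent}: {stats}")
```

Whitelist your CDN, anti-spam and certificate-transparency lookups before alerting, since those legitimately produce hash-like subdomains; the volume threshold is what separates a one-off lookup from a channel that is carrying data out.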
More reason for governments to secure their systems, as this is not a case of mere malware but of espionage, possibly sponsored by the USA, Israel or North Korea.