Kaspersky and Symantec discover ProjectSauron malware keylogger spying since 2011

“The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg”

Kaspersky researchers in a report published Monday August 8th 2016 on ProjectSauron

Telecom Provider and Government Agencies, beware!

Some computer viruses are very clever in their design indeed. So much so that they can avoid detection by virtue of not behaving like a virus.

Such is the case of a malware program named “ProjectSauron” by Kaspersky and “Remsec” by Symantec as reported in the article “Advanced Malware Stayed Hidden For Five Years”, published August 9, 2016 By Justin Pot, Digitaltrends.

Kaspersky researchers discovered the malware in September 2015. The main purpose of the malware was:

1.      Obtain passwords

2.      Cryptographic keys

3.      Configuration files

4.      IP addresses for encryption software

According to sources, a Western-friendly government organization hired Kaspersky to investigate anomalous network traffic. They discovered a library of code hiding in the domain controller servers, masquerading as a Windows password filter.

A Windows password filter is a piece of software used by Network Admins to make sure passwords are unbreakable. The library of code modules stated each time a network or local user logged in or changed a password, enabling it to view passcodes in plaintext.

So who was being targeted by this very sophisticated malware?

ProjectSauron or Remsec targeted Governments - Sleeper cells and keylogger since 2011

ProjectSauron or Remsec, whichever you prefer, has been active since 2011 and possibly longer in the following countries:

1.      Russia

2.      Iran

3.      Rwanda

4.      China

5.      Sweden

6.      Belgium

7.      Italy

The virus has evaded detection these long five (5) years because it's designed to have no definite infection patters. The malware mainly targeted the following computer systems:

1.      Government entities

2.      Military operations

3.      Research institutions

4.      Banks

5.      Telecommunication companies

According to Kaspersky, the malware was quote: “designed to perform specific functions like stealing documents, recording keystrokes, and hijacking encryption keys from both infected computers and attached USB sticks”.

Basically, it is a sophisticated keylogger similar to the ones referred to in my blog article entitled “Professor Marco Gercke warns of Scammers using Keyloggers and How to use Keyloggers and Protect yourself”.

But how did it avoid detection for so long?

ProjectSauron lays low by being chill - No patterns makes it harder to detect

Not much is known about the malware program named “ProjectSauron” by Kaspersky and “Remsec” by Symantec.

Most likely, it was designed by an unknown country, possibly North Korea, Israel or most likely the US of A, to spy on Western-friendly Governments as pointed out in the article “Researchers crack open unusually advanced malware that hid for 5 years”, published 8/8/2016 by Dan Goodwin, ArsTechnica.

Kasperksy’s name “ProjectSauron” refers to the character in the book Lord of the Rings, who possess a ring of power and is represented by a single eye.

Sauron has an army made up of rag-tag conscripts all fighting to destroy humans and elves in Middle Earth. This use of symbolism by these state-sponsored hackers implies that they probably are hackers who live and operate within the in the Darknet and their sponsored has ambitions similar to the character in the Lord of the Rings; to possess the one ring to rule them all!

Its design made it look more like a passive file than a virus while performing the function of a keylogger, spying on its targets and sending information back to its client. For instance, it changed its name depending on the type of computer and operating system it infected as shown below, thereby avoiding suspicion.

It also had a multi-vector approach to infection, spreading itself via email attachments as well as via infecting files in USB drives in order to carry out its keylogger function.

It most likely did this by sniffing USB mouse and keyboard nearby and hopping across via Bluetooth or Wi-Fi connections as described in my blog article entitled “How Bastile's US$12 Geetech Crazyradio Bluetooth dongle can hack Wireless Keyboards and Mice”.

It even changed itself into fifty (50) possible plugins to record keystrokes form various machines. One would have though IT Admin would have spotted it when it sent back data to its host. But this malware had clever methods of sending the keystrokes it captured, such as converting the data to metadata and sending it via a DNS connection.

More reason for Governments to secure their systems, as this is not a case of malware, but espionage, possible sponsored by the USA, Israel or North Korea.