Advertisment

Researchers discover an advanced malware hidden for 5 years

author-image
CIOL Writers
New Update
CIOL Researchers discover an advanced malware hidden for 5 years

Security experts have discovered a malware platform that's so advanced in its design and execution that it could probably have been developed only by a state-sponsored group.

Advertisment

The malware—known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec—has been active since at least 2011. In September last year, Kaspersky first detected the malware on an unspecified "government organization" network.

CIOL Researchers discover an advanced malware hidden for 5 years

Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

Advertisment

The main purpose of the malware platform was to obtain passwords, cryptographic keys, configuration files, and IP addresses of the key servers related to any encryption software that was in use. Infected groups include government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions in Russia, Iran, Rwanda, China, Sweden, Belgium, and possibly in Italian-speaking countries.

ProjectSauron is able to disguise itself in a wide variety of ways - as files with names similar to those published by organizations like Microsoft, for example, and does not always use the same methods for sending data back to the attacker."The attackers clearly understand that we as researchers are always looking for patterns," the company notes in its report. "Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg." Symantec researchers, in a report of their own, said they were aware of seven organizations infected.

The malware can steal files, log all keystrokes and open a "back door" allowing wide-ranging access to the compromised computer, according to Symantec.

Advertisment

One aspect of ProjectSauron that makes it so impressive is its ability to collect data from air-gapped computers. To do this, it uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the air-gapped machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.

It is not yet clear how the attackers would have used this method to control an air-gapped computer, but they believe it might have been via a "zero day" - previously undetected - exploit that they have not yet found.

"We believe it was probably deployed in rare, hard-to-catch instances," notes the Kaspersky report. ProjectSauron is characteristic of state-sponsored style malware, according to cyber security expert Graham Cluley.

Advertisment

"These are very stealthy, insidious attacks that can lurk in the background for years gathering information," he told the BBC."We have seen the steady progression and evolution of these sorts of attacks. As governments try to protect themselves and get clued up, it is essentially an arms race."

microsoft malware