Kaspersky discovers new state-sponsored spyware capable of stealing data from offline PCs

Posted on Monday, August 08 2016 @ 20:08:36 CEST by

Security researchers from Kaspersky Lab have announced the discovery of "ProjectSauron", a top-tier espionage platform that appears to be backed by a nation state: the spyware is extremely advanced and likely cost millions of dollars to develop.

The security firm says ProjectSauron primarily targets organizations that play a key role in state services, including government, military, scientific research centers, telecom operators and financial organizations, and that it shows a particular interest in encrypted communications.

ProjectSauron remained hidden for several years. The researchers believe it has been operational since June 2011 and say its ultimate goal is to steal confidential and secret information from state-sensitive organizations.

An infection is difficult to detect because ProjectSauron creates a unique footprint on every system it infects: the core implants, for instance, use different file names and sizes for each target, so indicators of compromise gathered from one victim are of little use against another. Also worth mentioning is that the espionage tool is able to cross air gaps via USB drives. Few details are known, but it can spread over flash drives: stolen data is concealed in hidden compartments on the drive and is uploaded once the USB drive is plugged into an Internet-connected PC.
ProjectSauron tools and techniques of particular interest include:

  • Unique footprint: Core implants that have different file names and sizes and are individually built for each target – making it very difficult to detect since the same basic indicators of compromise would have little value for any other target.

  • Running in memory: The core implants make use of legitimate software update scripts and work as backdoors, downloading new modules or running commands from the attacker purely in memory.

  • A bias towards crypto-communications: ProjectSauron actively searches for information related to fairly rare, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.

  • Script-based flexibility: ProjectSauron implements a set of low-level tools which are orchestrated by high-level Lua scripts. The use of Lua components in malware is very rare; it has previously only been spotted in the Flame and Animal Farm attacks.

  • Bypassing air-gaps: ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks. These USB drives carry hidden compartments in which stolen data is concealed.

  • Multiple exfiltration mechanisms: ProjectSauron implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised in day-to-day traffic.

More details at Kaspersky.
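The last bullet is the one a defender can act on directly: data smuggled out over DNS has to be carried in query names, and that leaves a statistical trace in resolver logs even when each individual query looks like an ordinary lookup. The following added example (written for this article, not Kaspersky's code and not ProjectSauron's actual scheme, which the report summarized here does not describe) shows both sides of a simple hex-in-subdomain tunnel and a detector that runs over constructed log lines and flags the parent zone carrying the payload. The zone name cdn-updates.example.net, the log format and the thresholds are assumptions for illustration.

```python
"""DNS-based exfiltration: a tunnel encoder, its decoder, and a log-based detector.

Added example for this article; it is NOT ProjectSauron's code. The encoding
(hex chunks in subdomain labels) is an assumption chosen for illustration.
"""
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full name in presentation form is at most 253 chars


def chunk_payload(payload: bytes, parent: str, label_len: int = 32) -> list[str]:
    """Client side of the tunnel: hex-encode `payload` and emit one query name
    per chunk as '<seq>.<hexchunk>.<parent>'. The sequence label lets the
    receiver reorder queries that resolvers deliver out of order."""
    if not 1 <= label_len <= MAX_LABEL:
        raise ValueError("label_len must be 1..63")
    hexdata = payload.hex()
    names = []
    for seq, i in enumerate(range(0, len(hexdata), label_len)):
        name = f"s{seq}.{hexdata[i:i + label_len]}.{parent}"
        if len(name) > MAX_NAME:
            raise ValueError("query name too long")
        names.append(name)
    return names


def reassemble(names: list[str], parent: str) -> bytes:
    """Server side: strip the parent zone, order by sequence label and decode
    the hex chunks back into the original bytes."""
    chunks = {}
    suffix = "." + parent.lower()
    for name in names:
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        seq_label, data = name[: -len(suffix)].split(".", 1)
        chunks[int(seq_label[1:])] = data
    return bytes.fromhex("".join(chunks[k] for k in sorted(chunks)))


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_of(name: str) -> str:
    """Naive registrable-domain guess (last two labels). A production detector
    should consult the Public Suffix List instead."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def suspicious_parents(log_lines, min_queries=4, min_label_len=20, min_entropy=2.5):
    """Flag parent domains whose subdomains look like tunnel payload: enough
    queries, nearly every subdomain unique, and long high-entropy labels.
    Expects lines of the form '<timestamp> <client> <query-name>'."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "payload_like": 0})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        labels = parts[2].rstrip(".").lower().split(".")
        if len(labels) < 3:          # no subdomain, nothing to carry data in
            continue
        st = stats[parent_of(parts[2])]
        st["queries"] += 1
        st["subs"].add(".".join(labels[:-2]))
        if any(len(l) >= min_label_len and shannon_entropy(l) >= min_entropy
               for l in labels[:-2]):
            st["payload_like"] += 1
    flagged = {}
    for parent, st in stats.items():
        uniq_ratio = len(st["subs"]) / st["queries"]
        if (st["queries"] >= min_queries
                and st["payload_like"] >= min_queries
                and uniq_ratio >= 0.9):
            flagged[parent] = {"queries": st["queries"],
                               "unique_subdomain_ratio": round(uniq_ratio, 2),
                               "payload_like_queries": st["payload_like"]}
    return flagged


# Constructed sample data: a fake 96-byte "stolen key material" blob, derived
# deterministically so the run is reproducible, tunnelled out under a bland
# hypothetical attacker zone and mixed with ordinary corporate lookups.
STOLEN = b"".join(hashlib.sha256(f"constructed-{i}".encode()).digest() for i in range(3))
TUNNEL_PARENT = "cdn-updates.example.net"   # assumed attacker-controlled zone
BENIGN = [
    "2016-08-08T20:01:01 10.0.0.5 www.example.com",
    "2016-08-08T20:01:02 10.0.0.5 mail.example.com",
    "2016-08-08T20:01:07 10.0.0.9 time.windows.com",
    "2016-08-08T20:01:08 10.0.0.5 www.example.com",
]
TUNNEL = [f"2016-08-08T20:01:1{i} 10.0.0.7 {n}"
          for i, n in enumerate(chunk_payload(STOLEN, TUNNEL_PARENT))]
SAMPLE_LOG = BENIGN + TUNNEL


def demo():
    """Run the detector over the constructed log; returns the flagged zones."""
    return suspicious_parents(SAMPLE_LOG)


if __name__ == "__main__":
    for parent, info in demo().items():
        print(parent, info)
```

The detector keys on the shape of the traffic rather than on file hashes or domain names, which is the point the "unique footprint" bullet makes: per-target indicators do not transfer between victims, but a zone that receives dozens of never-repeated, long, high-entropy subdomains does stand out in any resolver log. Tune `min_queries` and the entropy threshold against your own baseline; content delivery networks and some anti-virus update services legitimately produce hashed-looking labels, so treat a hit as a lead to enrich with the querying host, not as a verdict.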


