Security researchers from Kaspersky Lab announce the discovery of "ProjectSauron", a top-level espionage platform that appears to be backed by a nation state: the spyware is extremely advanced and likely cost millions of dollars to develop.
The security firm says ProjectSauron primarily targets organizations that play a key role in state services, including government, military, scientific research centers, telecom operators and financial organizations, and that it has a bias towards encrypted communication.
ProjectSauron remained hidden for several years: the researchers believe it has been operational since June 2011, and they claim its ultimate goal is to steal confidential and secret information from state-sensitive organizations.
An infection is difficult to detect because ProjectSauron creates a unique footprint on every system it infects; the core implants, for instance, use different file names and sizes for each target. Also worth mentioning is that the espionage tool is capable of bypassing air-gapped computers via USB drives. Not many details are known, but it can spread via flash drives: stolen data is concealed in hidden compartments on the drive and is uploaded once the drive is plugged into an Internet-connected PC.
ProjectSauron tools and techniques of particular interest include:
Unique footprint: Core implants that have different file names and sizes and are individually built for each target – making it very difficult to detect since the same basic indicators of compromise would have little value for any other target.
Running in memory: The core implants make use of legitimate software update scripts and work as backdoors, downloading new modules or running commands from the attacker purely in memory.
A bias towards crypto-communications: ProjectSauron actively searches for information related to fairly rare, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
Script-based flexibility: ProjectSauron has implemented a set of low-level tools which are orchestrated by high-level Lua scripts. The use of Lua components in malware is very rare - it has previously only been spotted in the Flame and Animal Farm attacks.
Bypassing air-gaps: ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks. These USB drives carry hidden compartments in which stolen data is concealed.
Multiple exfiltration mechanisms: ProjectSauron implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised in day-to-day traffic.
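Exfiltration that hides inside day-to-day DNS traffic, as the last point describes, is usually spotted from the resolver side rather than from file indicators. The following is an added example, not code from Kaspersky's report or from the malware itself: a small Python detector that reads a constructed DNS query log (the format, the client addresses and the query names are all assumptions) and flags clients that send repeated queries whose longest subdomain label is long and high-entropy, which is what encoded payload looks like next to ordinary hostnames. It says nothing about how ProjectSauron actually encodes its DNS channel; it is a generic heuristic a defender can run over their own resolver logs.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not captured ProjectSauron traffic).
# Assumed format per line: "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
2016-08-08T09:00:01 10.0.0.5 www.example.com A
2016-08-08T09:00:02 10.0.0.5 mail.example.com MX
2016-08-08T09:00:03 10.0.0.7 4f6b2e1c9a8d7e3b5c1f0a9e8d7c6b5a.updates.example.org TXT
2016-08-08T09:00:04 10.0.0.7 9e3d7c1b5a0f8e2d6c4b3a1f7e9d8c2b.updates.example.org TXT
2016-08-08T09:00:05 10.0.0.7 1c2b3a4f5e6d7c8b9a0f1e2d3c4b5a6f.updates.example.org TXT
2016-08-08T09:00:06 10.0.0.9 static-assets-west-europe-1.cdn.example.net A
2016-08-08T09:00:07 10.0.0.9 static-assets-west-europe-1.cdn.example.net A
2016-08-08T09:00:08 10.0.0.9 static-assets-west-europe-1.cdn.example.net A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits per character of the string; 0.0 for the empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_labels, registered_domain).

    The registered domain is approximated as the last two labels; a public
    suffix list would be more accurate for names such as example.co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def score_query(qname):
    """Return (longest_subdomain_label, entropy_of_that_label)."""
    sub, _ = split_name(qname)
    if not sub:
        return "", 0.0
    longest = max(sub, key=len)
    return longest, shannon_entropy(longest)


def detect_dns_exfil(log_text, min_label_len=24, min_entropy=3.5, min_queries=3):
    """Group suspicious queries by (client, registered domain).

    A query is suspicious when its longest subdomain label is both long and
    high-entropy (encoded data rather than a hostname). The long but
    human-readable CDN label in the sample stays below the entropy gate.
    Groups with fewer than min_queries suspicious queries are dropped so a
    single odd lookup does not raise an alert.
    """
    groups = defaultdict(lambda: {"queries": 0, "label_bytes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        label, entropy = score_query(qname)
        if len(label) >= min_label_len and entropy >= min_entropy:
            _sub, domain = split_name(qname)
            g = groups[(client, domain)]
            g["queries"] += 1
            g["label_bytes"] += len(label)  # rough upper bound on carried payload
    return {k: v for k, v in groups.items() if v["queries"] >= min_queries}


if __name__ == "__main__":
    for (client, domain), stats in detect_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats['queries']} queries, "
              f"~{stats['label_bytes']} bytes of encoded labels")
```

The thresholds are starting points, not universal values: a hex-encoded label has at most 4 bits of entropy per character, base32 a little more, and legitimate names with long tokens (CDN hostnames, DKIM and ACME challenge records) sit just below that, so tune min_entropy against a baseline of your own resolver logs before alerting on it, and pair the heuristic with per-client query volume to a single domain over time.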