After spending a half-decade operating undetected, an APT (advanced persistent threat) known as “ProjectSauron” has been uncovered by both Symantec and Kaspersky Labs. A group called “Strider” has been using Remsec, an advanced tool that appears to have been designed for spying.
According to Symantec, the malware has been active since at least October 2011. Symantec became aware of ProjectSauron when their behavioural engineer detected the virus on a customer’s systems. Kaspersky’s software detected the malware in a Windows domain controller as an executable library registered as a Windows password filter.
The spyware can deploy custom modules as required, and has a network monitor. Once it has infected a system, it can open backdoors, log keystrokes, and steal files. It is heavily encrypted, allowing it to avoid detection as it takes control, moving across the network and stealing data. As many of its functions are deployed over the network, it resides only in the computer’s memory, not on disk. This, along with the fact that several components are in the form of Binary Large Objects makes it extremely difficult for antivirus software to detect.
So far, evidence of a ProjectSauron infection has been detected in 36 computers by Symatec, spanning seven separate organizations in Russia, China, Sweden, and Belgium, as well as individual’s PCs in Russia. Kaspersky has found more than 30 infections across Russia, Iran, and Rawanda, and suspects that Italy may also have been targeted.
Both Symantec and Kaspersky have suggested that a nation-state may be behind this APT. Kaspersky has collected 28 domains and 11 IP addresses in the US and Europe that may be connected to ProjectSauron campaigns. While it appears that the spyware has gone dark, no one can confirm whether or not Strider’s efforts have ceased. If Strider is in fact a nation-state attacker, these infections will likely continue to crop up.
The fact that ProjectSauron operates by mimicking a password filter module is yet another indication that it may be time for technology users worldwide to move away from relying on passwords, favoring instead biometrics and other more sophisticated security measures.
Need more information on how to best protect your data, devices and business against malware? Contact Alary Clinitech at (416) 291-7377 or firstname.lastname@example.org with your questions. We’re the trusted IT professionals.
Thanks for helping us upgrade our Macs and get them working exactly as our business needs! Fast, convenient and very knowledgeable! You’re the best!
Alary Technologies has been our IT support team for the past year at the START Clinic for Mood and Anxiety Disorders. They have done a excellent job in upgrading our system, organization, and supporting us in technical computer matters. Compared to other IT companies we have worked with, Alary Technologies comes on top. Ahmed Kufaishi the Managing Director at Alary Technologies is solution focused, knowledgeable and makes an effort to really understand his clients’ needs. It has been a pleasure to work with Ahmed and Alary Technologies. I would recommend their services to other companies and clinics.
“We continue to work with Alary Technologies due to the fact that they are quite educated and knowledge based with current upgrades, and their commitment to their customers.”
Ahmed has been providing our company with expert IT services for close to 3 years. He has guided us through hardware upgrades, server back up procedures and was instrumental in brokering a custom software program that fully automated some key functions in our business. Ahmed has always been thoroughly professional in all his dealings with us and has provided consistent and sound advise for all of our IT requirements. We consider Ahmed and Alary Technologies to be an important partner for our business.
It is refreshing to work with someone who can organize things and describe in plain language. I have a large and growing knowledge base for my work as an architect. I have realized that I can’t do everything, that I do need a team member who can look after this one relatively small by crucial part of my practice.