Project Sauron

A computer malware targeting Windows systems, likely designed for espionage. From Wikipedia, the free encyclopedia


Project Sauron, also named ProjectSauron and Remsec,[1] is computer malware discovered in 2016,[2][3][4] targeting only Windows systems.[5] It had been spying on computers at governments and organizations for five years before it was found.[6] It can steal encryption keys, collect information from air-gapped computers, and record keystrokes without being detected.[7] It was discovered by security researchers from Symantec (now part of Broadcom) and Kaspersky Lab,[1] and was reportedly found on targets in China, Russia, Iran, Sweden, Belgium, and Rwanda.[8] Because of its complex and carefully engineered structure, the malware is believed to have been developed by a state-backed hacking group or an intelligence agency. Although the malware is considered to have been widely eradicated following its public disclosure, Project Sauron might still remain active on systems that are not protected by Kaspersky Lab solutions.[9] The initial infection vector that led to the spread of Project Sauron remains unknown.[10]


Overview


What made ProjectSauron stand out from other malware at the time of its discovery was its unique design, tailored specifically to almost every one of its targets,[11][12] together with its ability to remain "invisible" to all known malware detection systems installed on the infected machines. Following the discovery of the malware, infected systems in Russia, Iran, and Rwanda were found in government agencies, scientific research centers, military computer systems, telecommunications providers, and financial institutions.[13] Besides collecting plain-text and keystroke data from infected systems, ProjectSauron primarily targeted the encryption software used for secure communications, leading to the hypothesis that the malware was designed to gather valuable intelligence.[14]

In September 2015, Kaspersky's Anti-Targeted Attack Platform detected unusual network traffic in a client organization's network, which led to the discovery of a malicious program registered as a password filter and residing in the memory of the domain controller servers.[15] This program had access to administrators' passwords in clear text and included a backdoor that captured login credentials or changed passwords in plain text every time local or remote users typed them in.[16] The malware was also found to steal encryption keys, configuration files, and IP addresses, and to report user status in real time. It exfiltrated data stealthily, using strong encryption algorithms such as RC6, RC5, RC4, AES, and Salsa20.[17] Forensic analysts stated that the malware had been active since June 2011 and remained so until its discovery in April 2016.[17] Within the malware itself, Lua scripts[18] running on a modified Lua interpreter execute the malware's internal scripts and modules.[19] The use of Lua in malware is highly uncommon, with only two known cases prior to this: the Flame and Animal Farm attacks.[18] Because the Lua script included the term "Sauron", Kaspersky codenamed the malware "ProjectSauron" or "Project Sauron".[14] Kaspersky Lab also detects HEUR:Trojan.Multi.Remsec.gen, a variant of ProjectSauron.[20] The "Remsec" in that detection name gave rise to the alternative name "Remsec" for the malware.
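The password-filter registration described above relies on a standard Windows mechanism: DLLs listed in the LSA "Notification Packages" value are loaded into LSASS and are handed every password change in clear text, which is exactly why a rogue entry there yields credentials. The Python script below is an added example, not code from the article or from the Kaspersky or Symantec analyses. It audits a reg export of that key, decoding the REG_MULTI_SZ hex encoding that reg export produces, and flags any package beyond the usual Windows defaults (scecli, and rassfm on domain controllers). The embedded export is constructed, and the extra package name pwflt is a hypothetical placeholder, not the real ProjectSauron component name.

```python
import re

# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
# (not taken from any real host). The third package, "pwflt", is a hypothetical
# placeholder standing in for an unexpected entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,70,00,77,00,66,00,6c,00,74,00,00,00,00,00
'''

# Packages Windows registers by default; tune this allowlist to the host's role
# (assumption: scecli everywhere, rassfm on domain controllers).
DEFAULT_PACKAGES = {"scecli", "rassfm"}


def parse_multi_sz(reg_text, value_name):
    """Decode a hex(7) (REG_MULTI_SZ) value from .reg export text.

    Handles the backslash line continuations reg export emits. Returns the list
    of strings, or None if the value is not present.
    """
    lines = reg_text.splitlines()
    prefix = f'"{value_name}"=hex(7):'
    hex_parts = []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(prefix):
            chunk = line[len(prefix):]
            # A trailing backslash means the byte list continues on the next line.
            while chunk.endswith("\\"):
                hex_parts.append(chunk[:-1])
                i += 1
                chunk = lines[i].strip()
            hex_parts.append(chunk)
            break
        i += 1
    else:
        return None
    raw = bytes.fromhex("".join(hex_parts).replace(",", ""))
    # REG_MULTI_SZ is UTF-16LE, NUL-separated, terminated by a double NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def audit_notification_packages(reg_text, allowlist=DEFAULT_PACKAGES):
    """Return the registered password-filter packages and those not allowlisted."""
    packages = parse_multi_sz(reg_text, "Notification Packages")
    if packages is None:
        return {"registered": [], "unexpected": []}
    return {
        "registered": packages,
        "unexpected": [p for p in packages if p.lower() not in allowlist],
    }


if __name__ == "__main__":
    result = audit_notification_packages(SAMPLE_REG_EXPORT)
    print("registered:", result["registered"])
    print("review these:", result["unexpected"])
```

On a real host the input comes from reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg; anything the script lists under "unexpected" deserves a look at the matching DLL in System32 (signature, timestamp, and whether it is a known product component), since a password filter has no legitimate reason to appear unannounced on a domain controller.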


Technical


In several cases, forensic analysts discovered that ProjectSauron's droppers, which resided on compromised administrator systems and registered themselves as a password filter, were distributed alongside legitimate software updates within the network. The dropper then downloaded the malware's additional payloads from its designated external IP address.[21] Once fully downloaded, ProjectSauron began operating as a backdoor.[11] If the system hosting the dropper had no Internet access, the dropper could communicate with other droppers on the local network that did, in order to fetch the full malware payload. All fully functional instances within the network eventually began silent data collection and exfiltration, blending their activity into the organization's legitimate network traffic.[16] Where not every system in the network had Internet access, those that did acted as intermediary servers, relaying the collected data from the others to the malware's command-and-control (C&C) server.[16]

ProjectSauron infections also spread via storage media, on which the malware disguised itself under the filenames of legitimate software.[21] This approach was highly effective against systems with no Internet access at all. In that case, the malware repartitioned the infected USB drive, adding a new partition of several hundred megabytes at the end of the device's storage layout for its own use. This new partition is an encrypted virtual file system (VFS), which Windows does not recognize.[22] By that method, a USB drive that is permitted on the system can carry out malicious actions for as long as it remains plugged in. Whenever the infected USB drive, carrying the collected data, is later plugged into an Internet-connected system, it begins transmitting that data to the C&C server. This process moves data from air-gapped networks (those without Internet access) to Internet-connected systems, allowing it to eventually reach the C&C server.[22] Forensic analysts noted that the encrypted VFS partition created by the malware does not by itself explain how data was collected on the air-gapped system, leading to the hypothesis that zero-day exploits might have been involved in the main partition of the USB drive. However, following the malware's public disclosure, no zero-day exploits associated with it have been found.[23]
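A defender can look for the trailing-partition pattern described above by reading the first sector of a removable device and comparing its MBR partition table against the device's actual size. The Python below is an added example, not part of the article or of the original analyses. It builds a constructed MBR image containing a FAT32 volume followed by a "non-FS data" partition (type 0xDA, standing in for the hidden VFS; the real type byte is not given in the article), then reports any partition of a type Windows would not mount as a volume and any sizable unallocated space after the last partition. The partition-type table, the 64 MB gap threshold, and the sector counts are assumptions to tune for the environment.

```python
import struct

SECTOR = 512

# Partition type bytes that Windows mounts as an ordinary volume (assumption:
# common FAT/NTFS ids; extend for your environment). Anything else on a USB
# stick is worth a second look.
WINDOWS_TYPES = {
    0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16B", 0x07: "NTFS/exFAT",
    0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
}

# Each MBR partition entry: status, CHS start, type, CHS end, LBA start, sectors.
ENTRY_FMT = "<B3sB3sII"


def build_mbr(entries):
    """Build a 512-byte MBR from (type, lba_start, sector_count) tuples.

    Constructed test data only; CHS fields are zeroed since LBA is what matters.
    """
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x00, b"\x00" * 3, ptype, b"\x00" * 3, start, size)
        for ptype, start, size in entries
    )
    table += b"\x00" * (64 - len(table))
    return b"\x00" * 446 + table + b"\x55\xAA"


def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs1, ptype, _chs2, start, size = struct.unpack(
            ENTRY_FMT, sector0[off:off + 16])
        if ptype != 0 and size != 0:
            parts.append({"index": i + 1, "type": ptype,
                          "start": start, "sectors": size})
    return parts


def audit_removable_layout(sector0, total_sectors, min_gap_mb=64):
    """List findings: non-Windows partitions and a large unallocated tail."""
    parts = parse_mbr(sector0)
    findings = []
    for p in parts:
        if p["type"] not in WINDOWS_TYPES:
            size_mb = p["sectors"] * SECTOR // 2**20
            findings.append(
                f"partition {p['index']}: type 0x{p['type']:02X} is not a "
                f"Windows volume, {size_mb} MB at LBA {p['start']}")
    last_end = max((p["start"] + p["sectors"] for p in parts), default=0)
    tail_mb = max(total_sectors - last_end, 0) * SECTOR // 2**20
    if tail_mb >= min_gap_mb:
        findings.append(f"{tail_mb} MB unallocated after last partition")
    return findings


# Constructed 8 GB stick: a FAT32 volume, then a 585 MB type-0xDA partition,
# with about 206 MB of unallocated space left at the end of the device.
SAMPLE_TOTAL_SECTORS = 15_625_216
SAMPLE_MBR = build_mbr([(0x0C, 2048, 14_000_000),
                        (0xDA, 14_002_048, 1_200_000)])

if __name__ == "__main__":
    for finding in audit_removable_layout(SAMPLE_MBR, SAMPLE_TOTAL_SECTORS):
        print("FINDING:", finding)
```

On a live system the first sector comes from reading the raw device (for example \\.\PhysicalDriveN on Windows or /dev/sdX on Linux, with administrative rights), and the total sector count from the device's reported capacity; the check is cheap enough to run whenever a removable device is inserted, and it also catches the unallocated-tail case where nothing is written to the partition table at all.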

The malware stole documents with common file extensions, such as *.txt, *.doc, *.docx, *.ppt, *.pptx, *.xls, *.xlsx, and *.pdf; it also exfiltrated login credentials and user configuration files matching patterns like .*account, *login, *user, *name, .*pass, *email, mailaddress, *.conf, *.cfg, and others. The exfiltrated encryption keys were found to have file extensions including *.ppk, *.rsa, and *.key.[24]

For communication, forensic analysts found that the malware used a wide range of well-known protocols, including HTTP, DNS, SMTP, TCP, UDP, and ICMP. It uses DNS both for real-time system reporting and for data exfiltration.[25] Communication between the malware and its C&C server is carried out using a protocol of its own,[26] but forensic analysis has not determined where that protocol sits in the stack, that is, whether it operates at the transport layer or the application layer.
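Because DNS is almost always allowed outbound, even from hosts with no other Internet access, it is a favoured channel for the reporting and exfiltration described above, and it is also one of the easiest to watch. The Python below is an added example, not code from the article or the original analyses: a small detector run over constructed resolver log lines that flags domains whose queries carry unusually long labels or high-entropy subdomains, and notes when one domain receives many distinct subdomains from a client. The log format, the domain update-cdn.invalid, the thresholds, and the naive "last two labels" registered-domain rule are all assumptions; a production version would use a public-suffix list and real resolver logs.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: timestamp, client IP, queried name.
# Not from any real capture; the third line is hex-encoded ASCII text, the
# rest of the update-cdn.invalid queries look like raw encoded bytes.
SAMPLE_DNS_LOG = """\
2016-04-12T10:01:02Z 10.0.0.5 www.example.com
2016-04-12T10:01:03Z 10.0.0.5 mail.example.com
2016-04-12T10:01:04Z 10.0.0.7 4a6f686e20536d697468.7061737377.update-cdn.invalid
2016-04-12T10:01:05Z 10.0.0.7 0a1b2c3d4e5f60718293a4b5.c6d7e8f9.update-cdn.invalid
2016-04-12T10:01:06Z 10.0.0.7 ffeeddccbbaa99887766554433221100.update-cdn.invalid
2016-04-12T10:01:07Z 10.0.0.7 deadbeefcafef00d0123456789abcdef.update-cdn.invalid
2016-04-12T10:01:08Z 10.0.0.9 time.windows.com
"""


def shannon_entropy(s):
    """Bits per character; ~4.0 for random hex, ~3.0 to 3.4 for hex-encoded text."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Naive registered domain: last two labels (assumption; use a PSL in practice)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(name, max_label=30, min_entropy=3.5):
    """Return the reasons a single query name looks like it carries encoded data."""
    reasons = []
    labels = name.rstrip(".").split(".")
    sub = "".join(labels[:-2])          # everything below the registered domain
    if any(len(label) > max_label for label in labels):
        reasons.append("long label")
    if sub and shannon_entropy(sub) >= min_entropy:
        reasons.append("high entropy")
    return reasons


def detect_dns_exfil(log_text, min_unique_subdomains=3):
    """Aggregate per registered domain and return a list of alert dicts."""
    names_per_domain = defaultdict(set)
    clients_per_domain = defaultdict(set)
    reasons_per_domain = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        dom = registered_domain(name)
        names_per_domain[dom].add(name)
        reasons = score_query(name)
        if reasons:
            reasons_per_domain.setdefault(dom, set()).update(reasons)
            clients_per_domain[dom].add(client)
    alerts = []
    for dom, reasons in reasons_per_domain.items():
        # Volume matters too: encoded text can score low on entropy alone.
        if len(names_per_domain[dom]) >= min_unique_subdomains:
            reasons.add("many unique subdomains")
        alerts.append({"domain": dom,
                       "clients": sorted(clients_per_domain[dom]),
                       "reasons": sorted(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_exfil(SAMPLE_DNS_LOG):
        print(alert)
```

Note that the hex-encoded "John Smith" line scores below the entropy threshold and is not flagged on its own, which is why the detector also counts distinct subdomains per domain and per client; tuned on a baseline of the organization's own resolver logs, this combination gives far fewer false positives than either signal alone.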


Aftermath


Upon its public disclosure, ProjectSauron was reported to have been neutralized by Kaspersky Lab. However, the damage caused by the malware has been neither reported nor estimated. Kaspersky Lab initially reported infection cases in Russia, Iran, and Rwanda, while Symantec identified cases in other countries, including China, Sweden, and Belgium.[8] Forensic analysts also found Italian-language file extensions among the malware's targeting patterns, suggesting that Italian-speaking countries might have been targeted as well, although no infections have been reported in those countries.[24]

There is no conclusive evidence identifying who was behind ProjectSauron,[27] but its complexity and well-defined structure suggest a nation-state-sponsored operation.[28] Although forensic analysis uncovered 28 domains linked to 11 IP addresses based in the United States and several European countries,[12] there is still no definitive evidence that those countries were behind the attack; this could be a deliberate attempt by the malware's authors to plant false evidence and mislead investigators.[27] The initial infection case has not yet been identified[10] or disclosed. There is still no guarantee that systems without Kaspersky Lab solutions can protect themselves from ProjectSauron following its public disclosure.
