ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms

By GReAT on August 8, 2016, 2:03 pm

Tags: APT, Cyber espionage, Nation state sponsored espionage, ProjectSauron, Spyware, Targeted attacks


More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service. Contact: [email protected]

Introduction:

Over the last few years, the number of “APT-related” incidents described in the media has grown significantly. For many of these, though, the designation “APT”, indicating an “Advanced Persistent Threat”, is usually an exaggeration. With some notable exceptions, few of the threat actors usually described in the media are advanced. These exceptions, which in our opinion represent the pinnacle of cyberespionage tooling, the truly “advanced” threat actors out there, are Equation, Regin, Duqu or Careto. Another such exceptional espionage platform is “ProjectSauron”, also known as “Strider”.

What differentiates a truly advanced threat actor from a wannabe APT? Here are a few features that characterize the ‘top’ cyberespionage groups:

The use of zero day exploits
Unknown, never identified infection vectors
Have compromised multiple government organizations in several countries
Have successfully stolen information for many years before being discovered
Have the ability to steal information from air gapped networks
Support multiple covert exfiltration channels on various protocols
Malware modules which can exist only in memory without touching the disk
Unusual persistence techniques which sometimes use undocumented OS features

“ProjectSauron” easily covers many of these points.

From discovery to detection:

When talking about long-standing cyber-espionage campaigns, many people wonder why it took so long to catch them. Perhaps one of the explanations is having the right tools for the right job. Trying to catch government or military grade malware requires specialized technologies and products. One such product is Kaspersky’s Anti-Targeted Attacks Platform, KATA (http://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform). In September 2015, our anti-targeted attack technologies caught a previously unknown attack. The suspicious module was an executable library, loaded in the memory of a Windows domain controller (DC). The library was registered as a Windows password filter and had access to sensitive data in cleartext. Additional research revealed signs of massive activity from a new threat actor that we codenamed ‘ProjectSauron’, responsible for large-scale attacks against key governmental entities in several countries.


“SAURON” – internal name used in the Lua scripts

ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. For example, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.

Some other key features of ProjectSauron:

It is a modular platform designed to enable long-term cyber-espionage campaigns.
All modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.
It uses a modified Lua scripting engine to implement the core platform and its plugins.
There are upwards of 50 different plugin types.
The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.
It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operating system.
The platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.
The APT was operational as early as June 2011 and remained active until April 2016.
The initial infection vector used to penetrate victim networks remains unknown.
The attackers utilize legitimate software distribution channels for lateral movement within infected networks.

To help our readers better understand the ProjectSauron attack platform, we’ve prepared an FAQ which brings together some of the most important points about this attacker and its tools. A brief technical report is also available, including IOCs and Yara rules.

Our colleagues from Symantec have also released their analysis on ProjectSauron / Strider. You can read it here: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets

ProjectSauron FAQ:

1. What is ProjectSauron?

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.

Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.

Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area.

The name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.

2. Who are the victims?

Using our telemetry, we found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking countries as well. Many more organizations and geographies are likely to be affected.

The attacked organizations are key entities that provide core state functions:

Government
Scientific research centers
Military
Telecommunication providers
Finance

3. Have you notified victims?

As usual, Kaspersky Lab actively collaborates with industry partners, CERTs and law enforcement agencies to notify victims and help to mitigate the threat. We also rely on public awareness to spread information about it. If you need more information about this actor, please contact [email protected].

4. For how long have the attackers been active?

Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016. Although it appears to have largely ceased, there is a chance that it is still active on computer systems that are not covered by Kaspersky Lab solutions.

5. Did the attackers use interesting or advanced techniques?

The attackers used multiple interesting and unusual techniques, including:

Data exfiltration and real-time status reporting using DNS requests.
Implant deployment using legitimate software update scripts.
Data exfiltration from air-gapped networks through the use of specially prepared USB storage drives where the stolen data is stored in the area unused by standard tools of the operating system.
Using a modified Lua scripting engine to implement the core platform and its plugins. The use of Lua components in malware is very rare – it was previously spotted in the Flame and Animal Farm attacks.

6. How did you discover this malware?

In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a client organization’s network. Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server. The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext. Additional research revealed signs of activity of a previously unknown threat actor.

7. How does ProjectSauron operate?

ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter. This feature is typically used by system administrators to enforce password policies and validate new passwords to match specific requirements, such as length and complexity. This way, the ProjectSauron passive backdoor module starts every time any network or local user (including an administrator) logs in or changes a password, and promptly harvests the password in plaintext.
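A defender-side check for the persistence mechanism just described, as an added example (not code from the article or from Kaspersky): on Windows, LSA password filters are listed in the REG_MULTI_SZ value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so the script parses that value out of a .reg export of the key and flags any package not in a baseline. The export text, the "customfilter" name and the two-entry baseline are constructed assumptions; adjust the baseline to what your own domain controllers are documented to carry.

```python
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed baseline: scecli ships with Windows and rassfm is commonly present on
# domain controllers. Replace with the documented baseline for your own DCs.
BASELINE = {"scecli", "rassfm"}

# Constructed .reg export (as written by "reg export" / regedit) of the Lsa key,
# with one extra package, "customfilter", appended to the notification list.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,63,00,75,00,73,00,74,00,6f,00,6d,00,66,00,\
  69,00,6c,00,74,00,65,00,72,00,00,00,00,00
"""


def _join_continuations(text):
    """A trailing backslash continues a .reg value on the next line."""
    return re.sub(r"\\\r?\n\s*", "", text)


def reg_values(text, key):
    """Return {value_name: raw_right_hand_side} for one key of a .reg export."""
    values = {}
    in_key = False
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key and line.startswith('"'):
            name, _sep, rhs = line[1:].partition('"=')
            values[name] = rhs
    return values


def decode_multi_sz(rhs):
    """Decode a hex(7) value: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    if not rhs.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value")
    raw = bytes(int(b, 16) for b in rhs[len("hex(7):"):].split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def notification_packages(text):
    """Password-filter DLL names (without .dll) registered with LSA in the export."""
    return decode_multi_sz(reg_values(text, LSA_KEY)["Notification Packages"])


def unexpected_packages(text, baseline=BASELINE):
    """Packages in the export that are not part of the baseline (case-insensitive)."""
    return [p for p in notification_packages(text) if p.lower() not in baseline]


def live_notification_packages():
    """Same value read from the local registry; None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa") as k:
        value, _kind = winreg.QueryValueEx(k, "Notification Packages")
    return list(value)
```

Each listed name is loaded by LSASS as %SystemRoot%\System32\<name>.dll, so an unexpected entry is followed up by checking that file's signature, timestamps and whether it is currently mapped into lsass.exe.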

In cases where domain controllers lack direct Internet access, the attackers install additional implants on other local servers which have both local network and Internet access and may pass through significant amounts of network traffic, i.e. proxy servers, web servers, or software update servers. After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic.

Once installed, the main ProjectSauron modules start working as ‘sleeper cells’, displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic. This method of operation ensures ProjectSauron’s extended persistence on the servers of targeted organizations.

8. What kind of implants does ProjectSauron use?

Most of ProjectSauron’s core implants are designed to work as backdoors, downloading new modules or running commands from the attacker purely in memory. The only way to capture these modules is by making a full memory dump of the infected systems.

Almost all of ProjectSauron’s core implants are unique, have different file names and sizes, and are individually built for each target. Each module’s timestamp, both in the file system and in its own headers, is tailored to the environment on which it is installed.

Secondary ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes, and stealing encryption keys from both infected computers and attached USB sticks.

ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified Lua interpreter to execute internal scripts. There are upwards of 50 different plugin types.

9. What is the initial infection vector?

To date, the initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.

10. How were the ProjectSauron implants deployed within the target network?

In several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to centrally deploy legitimate software updates within the network.

In essence, the attackers injected a command to start the malware by modifying existing software deployment scripts. The injected malware is a tiny module that works as a simple downloader.


Once started under a network administrator account, this small downloader connects to a hard-coded internal or external IP address and downloads the bigger ProjectSauron payload from there.

In cases where the ProjectSauron persistence container is stored on disk in EXE file format, it disguises the files with legitimate software file names.

11. What C&C infrastructure did the attackers use?

The ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive cyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to each victim organization and never reused again. This makes traditional network-based indicators of compromise almost useless because they won’t be reused in any other organization.

We collected 28 domains linked to 11 IPs located in the United States and several European countries that might be connected to ProjectSauron campaigns. Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns.

12. Does ProjectSauron target isolated (air-gapped) networks?

Yes. We registered a few cases where ProjectSauron successfully penetrated air-gapped networks.

The ProjectSauron toolkit contains a special module designed to move data from air-gapped networks to Internet-connected systems. To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine.

These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving an amount of hidden data (several hundred megabytes) at the end of the disk for malicious purposes. This reserved space is used to create a new custom-encrypted partition that won’t be recognized by a common OS, such as Windows. The partition has its own semi-filesystem (or virtual file system, VFS) with two core directories: ‘In’ and ‘Out’.


This method also bypasses many DLP products, since software that disables the plugging of unknown USB devices based on DeviceID wouldn’t prevent an attack or data leakage, because a genuine recognized USB drive was used.
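Because the drive itself is genuine, DeviceID allow-listing says nothing about its layout. An added example, not from the article, of a check that does: parse the MBR partition table and compare the end of the last partition with the device's real sector count, since a drive prepared as described above carries hundreds of megabytes of unallocated space at its end. The 3.75 GiB disk and its two partition layouts below are constructed; the MBR entry format is the standard one.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Construct a 512-byte MBR from (type, lba_start, sector_count) tuples.
    Used here only to make the sample disks; CHS fields are left as 0xFF."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x00, b"\xff" * 3, ptype, b"\xff" * 3, start, count)
        for ptype, start, count in entries
    ).ljust(64, b"\x00")
    return bytes(446) + table + struct.pack("<H", MBR_SIGNATURE)


def parse_mbr(mbr):
    """Return the used partition entries as dicts; raises on a missing signature."""
    if len(mbr) < 512 or struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR")
    parts = []
    for i in range(4):
        _status, _chs1, ptype, _chs2, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, 446 + 16 * i
        )
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "lba_start": start, "sectors": count})
    return parts


def unallocated_tail(mbr, device_sectors):
    """Sectors between the end of the highest partition and the end of the device.
    Returns None for a GPT protective MBR (type 0xEE): walk the GPT instead."""
    parts = parse_mbr(mbr)
    if any(p["type"] == 0xEE for p in parts):
        return None
    if not parts:
        return device_sectors
    last_end = max(p["lba_start"] + p["sectors"] for p in parts)
    return max(device_sectors - last_end, 0)


def suspicious_tail(mbr, device_sectors, threshold_mib=64):
    """True when the unallocated tail is at least threshold_mib. Alignment slack
    is a few MiB at most; hundreds of MiB unused at the end of a USB stick
    matches the layout described for ProjectSauron's prepared drives."""
    tail = unallocated_tail(mbr, device_sectors)
    if tail is None:
        return False
    return tail * SECTOR >= threshold_mib * 1024 * 1024


# Constructed sample disks: 7,864,320 sectors (3.75 GiB). The "prepared" layout has
# one FAT32 partition (0x0C) of 7,000,000 sectors from LBA 2048, leaving 421 MiB
# of unallocated space at the end; the "normal" layout fills the disk.
DEVICE_SECTORS = 7_864_320
PREPARED_MBR = build_mbr([(0x0C, 2048, 7_000_000)])
NORMAL_MBR = build_mbr([(0x0C, 2048, DEVICE_SECTORS - 2048)])
```

On Linux the two inputs are the first 512 bytes of the block device and the sector count in /sys/class/block/<dev>/size; a flagged drive is then imaged whole, not just its visible partition.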

13. Does ProjectSauron target critical infrastructure?

Some of the entities infected by ProjectSauron can be classified as critical infrastructure. However, we haven’t registered ProjectSauron infections inside industrial control system networks that have SCADA systems in place.

Also, we have not yet seen a ProjectSauron module targeting any specific industrial hardware or software.

14. Did ProjectSauron use any special communication methods?

For network communication, the ProjectSauron toolkit has extensive abilities, leveraging the stack of the most commonly used protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP.

One of the ProjectSauron plugins is the DNS data exfiltration tool. To avoid generic detection of DNS tunnels at network level, the attackers use it in low-bandwidth mode, which is why it is used solely to exfiltrate target system metadata.

Another interesting feature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the operation progress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS request to a special subdomain unique to each target.
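Both DNS behaviours above, low-bandwidth metadata exfiltration and one-off status requests to a per-target subdomain, are designed to stay under volume thresholds. The following is an added example, not code from the article, that scores DNS query logs on the shape of the subdomain labels instead (length, character entropy, and whether a label ever repeats); the log format, the status-relay.invalid domain and the naive last-two-labels rule for the registered domain are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: timestamp, client, qname, qtype.
# Ordinary traffic to example.com, plus a few queries from one host to a constructed
# domain whose leftmost label is a fresh hex-encoded blob each time.
SAMPLE_LOG = """\
2016-08-08T10:00:01 10.1.2.15 www.example.com A
2016-08-08T10:00:03 10.1.2.15 mail.example.com A
2016-08-08T10:00:09 10.1.2.20 www.example.com A
2016-08-08T10:00:12 10.1.2.15 cdn.example.com A
2016-08-08T10:01:00 10.1.2.33 4f1a9c3b7e2d6a08.status-relay.invalid A
2016-08-08T10:05:00 10.1.2.33 b83e0d5c9a7f1e24.status-relay.invalid A
2016-08-08T10:09:00 10.1.2.33 0c7d2e9f4b6a8d13.status-relay.invalid A
2016-08-08T10:13:00 10.1.2.33 e5a1f8c2d7b3904e.status-relay.invalid A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (leftmost_label, registered_domain).

    Assumption for the example: the registered domain is the last two labels.
    Production code should use the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def score_domains(text, min_queries=3):
    """Per registered domain: mean leftmost-label length, mean label entropy and
    the share of queries whose leftmost label was unique for that domain."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "labels": set()})
    for _ts, _client, qname, _qtype in parse_log(text):
        label, domain = split_name(qname)
        if not label:
            continue
        d = stats[domain]
        d["n"] += 1
        d["len"] += len(label)
        d["ent"] += shannon_entropy(label)
        d["labels"].add(label)
    return {
        domain: {
            "queries": d["n"],
            "mean_label_len": d["len"] / d["n"],
            "mean_entropy": d["ent"] / d["n"],
            "unique_ratio": len(d["labels"]) / d["n"],
        }
        for domain, d in stats.items()
        if d["n"] >= min_queries
    }


def suspicious_domains(text, min_len=12.0, min_entropy=3.0):
    """Domains whose leftmost labels are consistently long, high-entropy and never
    repeated: the shape of encoded metadata, not of hostnames. Query volume is
    deliberately not a filter, since the tool runs in low-bandwidth mode."""
    return sorted(
        domain
        for domain, s in score_domains(text).items()
        if s["mean_label_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
        and s["unique_ratio"] == 1.0
    )
```

Legitimate CDN and anti-spam lookups also produce long random labels, so the flagged list is a hunting queue to review against known-good domains, not an alert on its own.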

15. What is the most sophisticatedfeature of the ProjectSauron APT?

In general, the ProjectSauron platform is very advanced and reaches the level of complexity of Regin, Equation and similar threat actors we have reported on in the past. Some of the most interesting things in the ProjectSauron platform include:

Multiple exfiltration mechanisms, including piggybacking on known protocols.
Bypassing air-gaps using hidden data partitions on USB sticks.
Hijacking Windows LSA to control network domain servers.
Implementing an extended Lua engine to write custom malicious scripts to control the entire malware platform with a high-level language.

16. Are the attackers using any zero-day vulnerabilities?

To date we have not found any 0-day exploits associated with ProjectSauron.

However, when penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable attackers to get control of the air-gapped machines. There has to be another component such as a 0-day exploit placed on the main partition of the USB drive.

So far we have not found any 0-day exploit embedded in the body of the malware we analyzed, and we believe it was probably deployed in rare, hard-to-catch instances.

17. Is this a Windows-only threat? What versions of Windows are targeted?

ProjectSauron works on all modern Microsoft Windows operating systems – both x64 and x86. We have witnessed infections running on Windows XP x86 as well as Windows 2012 R2 Server Edition x64.

To date, we haven’t found a non-Windows version of ProjectSauron.

18. Were the attackers hunting for specific information?

ProjectSauron actively searches for information related to rather uncommon, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange.

In a number of the cases we analyzed, ProjectSauron deployed malicious modules inside the custom network encryption’s software directory, disguised under similar filenames and accessing the data placed beside its own executable. Some of the extracted Lua scripts show that the attackers have a high interest in the software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.

Also, one of the embedded ProjectSauron configurations contains a special unique identifier for the targeted network encryption software’s server within its virtual network. The behavior of the component that searches for the server IP address is unusual. After getting the IP, the ProjectSauron component tries to communicate with the remote server using its own (ProjectSauron) protocol as if it was yet another C&C server. This suggests that some communication servers running the mentioned network encryption software could also be infected with ProjectSauron.

19. What exactly is being stolen from the targeted machines?

The ProjectSauron modules we found are able to steal documents, record keystrokes and steal encryption keys from infected computers and attached USB sticks.

The fragment of the configuration block below, extracted from ProjectSauron, shows the kind of information and file extensions the attackers were looking for:

.*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*

[^\$]$

^.*\.(doc|xls|pdf)$

*.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;*.ppk;*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;*.pk2;*.nct;*.key;*.psw

Interestingly, while most of the words and extensions above are in the English language, several of them point to Italian, such as: ‘codice’, ‘strCodUtente’ and ‘segreto’.

Keywords / filenames targeted by ProjectSauron data theft modules:

Italian keyword    Translation
Codice             code
CodUtente          Usercode
Segreto            Secret

This suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian victims of ProjectSauron at the moment.

20. Have you observed any artifacts indicating who is behind the ProjectSauron APT?

Attribution is hard and reliable attribution is rarely possible in cyberspace. Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources. When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.

21. Is this a nation-state sponsored attack?

We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state.

22. What would ProjectSauron have cost to set up and run?

Kaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have required several specialist teams and a budget probably running into millions of dollars.

23. How does the ProjectSauron platform compare to other top-level threat actors?

The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them.

As a reminder, here are some features of other APT attackers which we discovered that the ProjectSauron attackers had carefully learned from or emulated:

Duqu:

Use of intranet C&Cs (where compromised target servers may act as independent C&Cs)
Running only in memory (persistence on a few gateway hosts only)
Use of different encryption methods per victim
Use of named pipes for LAN communication
Malware distribution through legitimate software deployment channels

Flame:

Lua-embedded code
Secure file deletion (through data wiping)
Attacking air-gapped systems via removable devices

Equation and Regin:

Usage of RC5/RC6 encryption
Virtual Filesystems (VFS)


Attacking air-gapped systems via removable devices
Hidden data storage on removable devices

These other actors also showed what made them vulnerable to potential exposure, and ProjectSauron did its best to address these issues:

Vulnerable or persistent C&C locations
ISP name, IP, domain, and tools reuse across different campaigns
Crypto-algorithm reuse (as well as encryption keys)
Forensic footprint on disk
Timestamps in various components
Large volumes of exfiltrated data, alarming unknown protocols or message formats

In addition, it appears that the attackers took special care with what we consider as indicators of compromise and implemented a unique pattern for each and every target they attacked, so that the same indicators would have little value for anyone else. This is a summary of the ProjectSauron strategy as we see it. The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.

24. Do Kaspersky Lab products detect all variants of this malware?

All Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen

25. Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?

ProjectSauron’s tactics are designed to avoid creating patterns. Implants and infrastructure are customized for each individual target and never re-used – so the standard security approach of publishing and checking for the same basic indicators of compromise (IOC) is of little use.

However, structural code similarities are inevitable, especially for non-compressed and non-encrypted code. This opens up the possibility of recognizing known code in some cases.

That’s why, alongside the formal IOCs, we have added relevant YARA rules. While the IOCs have been listed mainly to give examples of what they look like, the YARA rules are likely to be of greater use and could detect real traces of ProjectSauron.

For background: YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that share similarities. YARA rules—basically search strings—help analysts to find, group, and categorize related malware samples and draw connections between them in order to build malware families and uncover groups of attacks that might otherwise go unnoticed.

We have prepared our YARA rules based on tiny similarities and oddities that stood out in the attackers’ techniques. These rules can be used to scan networks and systems for the same patterns of code. If some of these oddities appear during such a scan, there is a chance that the organization has been hit by the same actor.

More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service. Contact: [email protected]

THERE ARE 3 COMMENTS

Patrick
Posted on August 8, 2016. 6:28 pm

I left a similar comment on Facebook, but I thought I’d point it out here as well: The scripting language’s name is Lua, not LUA. Here’s what they have to say about it:

“Lua” (pronounced LOO-ah) means “Moon” in Portuguese. As such, it is neither an acronym nor an abbreviation, but a noun. More specifically, “Lua” is a name, the name of the Earth’s moon and the name of the language. Like most names, it should be written in lower case with an initial capital, that is, “Lua”. Please do not write it as “LUA”, which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write “Lua” right!

Nolan Berry
Posted on August 9, 2016. 5:03 pm

I gave a talk this week at DefCon Skytalks on more advanced DNS Exfil and C&C; interesting to see this come up so soon.

Shachar2
Posted on August 10, 2016. 11:18 am

can’t wait for the documentary about the project in 50 years time…
