Researchers at Kaspersky Lab and Symantec have discover a malware platform that is highly advanced in design and execution. Experts determined that it is so capable that it could probably have been developed only with the support of a nation-state.
The malware is named “ProjectSauron”, as a reflection of the code “Sauron” researchers found in configuration files. It is also alternatively referred to as “Remsec” by experts from Symantec. The malware platform has been active since at least 2011 and has been discovered on roughly 30 targets.
Unlike many other malware programs, “ProjectSauron” is able to operate undetected for five years, which indicates that its creator(s) may have studied other state-sponsored hacking groups to advance their technology and avoid similar mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.
“Remsec is primarily designed to spy on targets. It opens a back door on an infected computer, can log keystrokes, and steal files.” In a report earlier this week, Symantec identified Strider as one of the groups that have been using the malware platform to target a number of organizations and individuals located in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium.
In a separate report by the Kaspersky Lab, authors concluded that “The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.”