Symantec and Kaspersky Lab last week separately announced the discovery of a highly sophisticated advanced persistent threat that had eluded security researchers for at least five years.
A previously unknown group called “Strider” has been using Remsec, an advanced tool that seems to be designed primarily for spying. Its code contains a reference to Sauron, the main villain in The Lord of the Rings, according to Symantec.
The APT spyware is called “ProjectSauron” or “Strider” in Kaspersky’s report.
The malware has been active since at least October 2011, Symantec said. It obtained a sample after its behavioral engine detected it on a customer’s systems.
Kaspersky found out about ProjectSauron when its software caught an executable library registered as a Windows password filter loaded in the memory of a Windows domain controller. The library had access to sensitive data in cleartext.
“Learning that some sophisticated malware has been running in your infrastructure for half a decade without detection is certainly painful,” said Sndor Blint, security lead for applied data science at Balabit.
“Installing antivirus software and running a personal firewall provide only a bare minimum of protection,” he told TechNewsWorld.
The spyware is modular, and it includes a network monitor. It can deploy custom modules as required. It opens backdoors on infected computers, and it can log keystrokes and steal files.
Its modules create a framework that provides complete control over an infected computer, Symantec said, moving across a network and stealing data.
Encryption is heavily used to prevent detection, as are stealth features. Several components are in the form of executable Binary Large OBjects, or blobs, which are difficult for traditional antivirus software to detect, according to Symantec.
Further, much of the spyware’s functionality is deployed over the network, so it resides only in a computer’s memory and not on disk — again, making detection difficult.
Symantec has found evidence of infections in 36 computers across seven separate organizations. It has detected it in individuals’ PCs in Russia, in an airline in China, in an organization in Sweden, and in an embassy in Belgium.
Kaspersky has found more than 30 infected organizations in Russia, Iran and Rwanda, and it suspects that Italy also have might been targeted.
Kaspersky collected 28 domains linked to 11 IP addresses in the United States and several European countries, which might be connected to ProjectSauron campaigns.
The targets could be considered minor players, but “the fact that they’re not the typical targets of APT campaigns makes this more interesting,” said Jon DiMaggio, senior threat intelligence analyst at Symantec.
The Great Game?
A nation-state might be behind the APT, both Symantec and Kaspersky have suggested.
The malware is comparable to Flame, Duqu and Regin, according to Kaspersky, which also mentioned the Equation Group, suspected of having NSA backing and ties to Flame and Duqu.
The spyware recently appears to have gone dark, but “we cannot comment on whether or not the operations have ceased,” Symantec’s DiMaggio told TechNewsWorld.
If Strider is indeed a nation-state attacker, “it is likely only a matter of time before new Strider attacks begin against new victims and targets,” he added.
Mitigating a breach is akin to treating cancer, observed Brian Beyer, CEO at Red Canary.
“Even after extensive and successful treatment, the patient is in remission — not cured,” he told TechNewsWorld, and “needs more intensive health checks for life to identify any troubling activity early.”
Antimalware systems “stop 99.999 percent of known attacks,” claimed Balabit CEO Zoltn Gyrkő.
However, the Strider APT mimicked a password filter module, which “is yet another clear sign that passwords are dead and behavior is the new authentication,” he told TechNewsWorld. “The only way to catch these attacks is to spot changes in the behavior of users at the end points.”