Two of the top security firms, Kaspersky Lab and Symantec, have discovered a sophisticated piece of malware, named ProjectSauron by Kaspersky Lab and Remsec by its counterparts at Symantec, which went undetected for five years at a string of organizations.
The malware, active since 2011, is so advanced in its design and execution that it could only have been developed with the active support of a nation-state. It is being used to target dozens of high-value targets around the world.
State-sponsored groups have been responsible for malware such as Flame, Duqu, and Regin, which have been linked to Stuxnet or to the National Security Agency.
ProjectSauron resides only in computer memory and is delivered as binary large objects (BLOBs). It can disguise itself as benign files and does not operate in predictable ways, making it harder to detect.
Researchers said it allows the attacker to spy on infected computers.
The California-based Symantec has labeled the group behind the attack Strider, while Moscow-based Kaspersky Lab dubbed it ProjectSauron.
The software is designed in such a way that the clues left behind are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose different infrastructure for almost every target. ProjectSauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.
The team behind the project has been collecting data illegally since at least October 2011. It had been fooling even the most sophisticated detection systems until September of last year, when Kaspersky Lab detected the malware on an unspecified government organization's network.
The researchers discovered that at least 30 organizations were attacked by the malware. The group has maintained a low profile until now, and its targets have been mainly organizations and individuals that would be of interest to a nation-state's intelligence services, such as government, scientific, military, telecoms and financial organizations. It is highly selective in its choice of targets. The group's targets include a number of organizations and individuals located in Russia, Iran, Rwanda, China, Sweden and Belgium.
The malware is special for its ability to collect data from computers considered so sensitive by their operators that they have no Internet connection. To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data taken from the air-gapped machines. The arrangement works even against computers on which data-loss prevention software blocks the use of unknown USB drives.
Kaspersky Lab compared the threat of the malware to Flame and Duqu, which famously helped Stuxnet disable Iranian nuclear centrifuges, leading to a shutdown of a uranium enrichment facility in Natanz in 2010.
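The article says the prepared USB drives carry several hundred megabytes of storage that Windows does not show, but it does not say how that space is laid out. One defender-side check that a removable drive's advertised capacity is fully accounted for by its partition table is shown below. This is an added example written for this page, not code from Kaspersky Lab, Symantec or the malware itself; it assumes an MBR-partitioned drive and treats any large unpartitioned region as worth a closer look (a hidden area could also be laid out in other ways, so a clean result here is not proof of a clean drive). The drive images are constructed in the block rather than read from real hardware.

```python
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(partitions):
    """Construct a 512-byte MBR with up to four primary partition entries.

    Each entry is (type_byte, start_lba, sector_count). This produces
    constructed test data for the example, not a real drive image.
    """
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        struct.pack_into(MBR_ENTRY, mbr, 446 + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries from a raw MBR sector."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        _status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            MBR_ENTRY, mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype,
                          "start_lba": start, "sectors": count})
    return parts


def unallocated_regions(mbr, total_sectors):
    """List (start_lba, sector_count) gaps not covered by any partition.

    Sector 0 holds the MBR itself, so the scan starts at LBA 1. The small
    alignment gap before the first partition (typically 1 MiB) is normal.
    """
    parts = sorted(parse_mbr(mbr), key=lambda p: p["start_lba"])
    regions = []
    cursor = 1
    for p in parts:
        if p["start_lba"] > cursor:
            regions.append((cursor, p["start_lba"] - cursor))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if total_sectors > cursor:
        regions.append((cursor, total_sectors - cursor))
    return regions


def suspicious_slack(mbr, total_sectors, threshold_bytes=64 * 1024 * 1024):
    """Return unpartitioned regions at least threshold_bytes in size.

    The threshold is an assumption for this example; normal alignment gaps
    are far below it, while a reserved area of several hundred MB is not.
    """
    return [(start, count) for start, count in unallocated_regions(mbr, total_sectors)
            if count * SECTOR >= threshold_bytes]


# Constructed 8 GiB drive: one FAT32 partition leaving 300 MiB unpartitioned
# at the end of the disk (the kind of gap this check is meant to surface).
TOTAL_8GIB = 8 * 1024 * 1024 * 1024 // SECTOR
HIDDEN_300MIB = 300 * 1024 * 1024 // SECTOR
DRIVE_WITH_GAP = build_mbr([(0x0C, 2048, TOTAL_8GIB - 2048 - HIDDEN_300MIB)])

# Constructed drive whose single partition uses the whole disk.
DRIVE_CLEAN = build_mbr([(0x0C, 2048, TOTAL_8GIB - 2048)])


def report(mbr, total_sectors):
    """Human-readable summary used when the script is run directly."""
    flagged = suspicious_slack(mbr, total_sectors)
    if not flagged:
        return "no large unpartitioned regions"
    return "; ".join(f"{count * SECTOR // (1024 * 1024)} MiB unpartitioned at LBA {start}"
                     for start, count in flagged)


if __name__ == "__main__":
    print("drive with gap:", report(DRIVE_WITH_GAP, TOTAL_8GIB))
    print("clean drive:   ", report(DRIVE_CLEAN, TOTAL_8GIB))
```

On a real Windows host the same functions would be fed the first 512 bytes of the physical device and its total sector count; GPT-partitioned media need a different table parser, and a drive that hides data inside an allocated partition (for example in a second file system that Windows does not mount) would pass this check, so it complements rather than replaces device-control logging.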
Over the last few years, the number of APT-related incidents described in the media has grown significantly.