Security experts recently identified a highly advanced malware attack with the mysterious name ProjectSauron. Its features and level of complexity, as well as its scripts, indicate that it might be the work of a government agency. Some researchers suggest that the NSA could be the perpetrator. Known damage so far includes the extraction of secured communications from various governments and organizations.
The malware was first spotted in September 2015 in a suspicious executable library. The threat was disguised as a Windows password filter, a DLL that the Local Security Authority loads and hands every password change to in plaintext, and therefore had access to sensitive information on the target machine. The security researchers describe the malware as a top-tier modular cyber espionage platform in terms of technical sophistication. Its developers designed it for long-term espionage campaigns and complex scenarios. ProjectSauron uses advanced methods that demonstrate the complexity of the software.
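A password filter is registered in the LSA "Notification Packages" registry value, so auditing that value is the defender's first check for the persistence technique described above. The following PowerShell is an added example and not code from the article or from the researchers; the baseline of expected package names is an assumption and should be adjusted per environment.

```powershell
# Added example (not from the article): enumerate the LSA password-filter DLLs
# registered on this host and flag any that are not in a known-good baseline,
# are missing from System32, or do not carry a valid Authenticode signature.
# Run in an elevated session. $Baseline is an assumption (typical defaults).

$Baseline = @('scecli', 'rassfm')   # assumed defaults; extend for your estate

function Get-PasswordFilterFindings {
    param([string[]]$KnownGood = $Baseline)

    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' `
                    -ErrorAction Stop).'Notification Packages'

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        # LSASS resolves each entry as a DLL base name under System32.
        $dllPath = Join-Path $env:SystemRoot ("System32\" + $name + ".dll")
        $exists  = Test-Path -Path $dllPath
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
        $sha256  = if ($exists) { (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash } else { $null }

        $reasons = @()
        if ($KnownGood -notcontains $name) { $reasons += 'not in baseline' }
        if (-not $exists)                  { $reasons += 'DLL missing from System32' }
        # OS DLLs are usually catalog-signed and report Valid on current Windows;
        # treat any other status as a lead to investigate, not as proof of malice.
        elseif ($sig.Status -ne 'Valid')   { $reasons += "signature status $($sig.Status)" }

        [pscustomobject]@{
            Package    = $name
            Path       = $dllPath
            SHA256     = $sha256
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Review anything marked Suspicious; record the SHA256 for the incident timeline.
Get-PasswordFilterFindings | Format-Table -AutoSize
```

Pair the registry check with an event-log review: a newly added entry only takes effect after a reboot, so the change time of the Lsa key and the last boot time together bound when the filter became active.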
The core platform and its plugins are written in Lua, which gives the operators the ability to customize attacks further. The developers of ProjectSauron seem to have a deep understanding of how encryption software is used by government agencies around the world. The malware can acquire encryption keys, system configuration files and IP addresses of key infrastructure systems belonging to the targeted victims.
The advanced features also give the malicious users the ability to infiltrate air-gapped networks by using prepared USB devices. The core system uses complex DNS protocol features to provide seamless reports of the campaign progress.
The security researchers state that ProjectSauron is modular in design and uses its own virtual file system. So far over 50 different plugin types have been identified. Code examination reveals that the malware has been in development for a very long time. Its high level of complexity has given several security experts the sense that ProjectSauron is an NSA tool.
The intrusions are carried out only in memory, which makes the malware very difficult to detect in real time. It takes control of critical system components and spreads across the network quickly to manipulate the relevant log files. Such behavior is typical of advanced malware that does not want to leave traces. ProjectSauron has multiple mechanisms for extracting data to remote locations over various protocols.
ProjectSauron Malware Behavior and Known Targets
Initial infection vectors are still unknown to the security researchers to date, as the malware uses complex methods to gain access to critical infrastructure. In several documented cases, the ProjectSauron modules were deployed through modified scripts that affected legitimate software updates within a network. One known path of infiltration is a code injection that starts the malware scripts by invoking existing software deployment mechanisms.
Operational security is preserved at a maximum level. The perpetrators of the malware have developed vast server infrastructures that communicate with the malware. Specific servers are assigned to each target host for a given infiltration campaign. So far 28 domains linked to 11 IP locations in the United States and Europe are presumed to have been used in ProjectSauron attacks. Several cases with successful campaigns against air-gapped networks have been identified.
ProjectSauron targets all modern Microsoft Windows operating systems. The malware steals document files, records keystrokes and extracts encryption keys from the infected hosts.
So far victims of ProjectSauron include government agencies, military organizations, scientific research centers, telecom providers and financial organizations operating in countries including Russia, Iran and Italy.
If this is truly an NSA tool, then foreign powers have a lot to fear as ProjectSauron has some of the most advanced malware capabilities to date.