Skip to main content

Powerful malware infected governments in Russia, Iran, and Rwanada, stayed hidden for five years

projectsauron malware stayed hidden five years project sauron header
Image used with permission by copyright holder
An incredibly sophisticated piece of malware infected government computers in Russia, Iran, and Rwanda, and evaded detection for five years. The malware, called “ProjectSauron” by Kaspersky and “Remsec” by Symantec, has been active since 2011, or longer, infecting computers on the computers of government entities, military operations, research institutions, banks, and telecommunication companies.

The malware used all kinds of tricks to stay hidden, including living mostly in system memory. But a huge part of ProjectSauron’s success, Ars Technica is reporting, is the virus’ ability to avoid leaving patterns.

Recommended Videos

“The attackers clearly understand that we as researchers are always looking for patterns,” a Kaspersky report said. “Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.”

Please enable Javascript to view this content

This pattern avoidance is crucial to the malware’s success, and also downright impressive. For example: executables had different names on different machines, all of them designed to look innocuous. Here are a few example filenames from Kaspersky’s report:

Vendor that uses similar filenames Disguised malware filename
Kaspersky Lab kavupdate.exe, kavupd.exe
Symantec SsaWrapper.exe, symnet32.dll
Microsoft KB2931368.exe
Hewlett-Packard hptcpprnt.dll
VmWare VMwareToolsUpgr32.exe

As you can see, the malware took on seemingly mundane filenames that users would not find out-of-place.

But things get even crazier. This malware had a plugin system, meaning custom Lua code could be configured to grab data from specific machines. There are 50 different kinds of plugin possible.

The malware can infect computers in a number of different ways. Even if a target is air-gapped, the malware can hop over on USB drives.

Information can be gleaned from targets in all sorts of different ways too, some of them quite novel. For example: the malware has been shown to send metadata over DNS.

What’s the point of all this? According to Kaspersky, the malware is “designed to perform specific functions like stealing documents, recording keystrokes, and hijacking encryption keys from both infected computers and attached USB sticks.”

What isn’t known is who made this malware. The sophistication suggests a state sponsor, but nothing can be said for sure at this point. We’ll be watching closely as security researchers try to learn more.

Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
Hackers can now sneak malware into the GIFs you share
A video call in progress on Microsoft Teams.

How low will malware go to get onto your device? We thought using Minecraft to gain access to your computer was the most nefarious method hackers have produced, but there's a new, even lower type of attack that uses Microsoft Teams and GIFs to mount phishing attacks on your computer.

The new attack is called GIFShell and it installs malware on your computer to steal data. It does so by sneaking itself into innocent-looking GIFs and then waiting for you to share the GIF with your colleagues via Microsoft Teams.

Read more
Hackers are using fake WordPress DDoS pages to launch malware
A digital depiction of a laptop being hacked by a hacker.

Hackers are pushing the distribution of dangerous malware via WordPress websites through bogus Cloudflare distributed denial of service (DDoS) protection pages, a new report has found.

As reported by PCMag and Bleeping Computer, websites based on the WordPress format are being hacked by threat actors, with NetSupport RAT and a password-stealing trojan (RaccoonStealer) being installed if victims fall for the trick.

Read more
This malware infects your motherboard and is almost impossible to remove
A digital encrypted lock with data multilayers.

Researchers have discovered malware that has been secretly infecting systems featuring Asus and Gigabyte motherboards for at least six years.

Since 2016, Chinese-speaking hackers have been infiltrating machines with the CosmicStrand malware, according to a report from Bleeping Computer.

Read more