Skip to main content

Powerful malware infected governments in Russia, Iran, and Rwanada, stayed hidden for five years

projectsauron malware stayed hidden five years project sauron header
An incredibly sophisticated piece of malware infected government computers in Russia, Iran, and Rwanda, and evaded detection for five years. The malware, called “ProjectSauron” by Kaspersky and “Remsec” by Symantec, has been active since 2011, or longer, infecting computers on the computers of government entities, military operations, research institutions, banks, and telecommunication companies.

The malware used all kinds of tricks to stay hidden, including living mostly in system memory. But a huge part of ProjectSauron’s success, Ars Technica is reporting, is the virus’ ability to avoid leaving patterns.

“The attackers clearly understand that we as researchers are always looking for patterns,” a Kaspersky report said. “Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.”

This pattern avoidance is crucial to the malware’s success, and also downright impressive. For example: executables had different names on different machines, all of them designed to look innocuous. Here are a few example filenames from Kaspersky’s report:

Vendor that uses similar filenames Disguised malware filename
Kaspersky Lab kavupdate.exe, kavupd.exe
Symantec SsaWrapper.exe, symnet32.dll
Microsoft KB2931368.exe
Hewlett-Packard hptcpprnt.dll
VmWare VMwareToolsUpgr32.exe

As you can see, the malware took on seemingly mundane filenames that users would not find out-of-place.

But things get even crazier. This malware had a plugin system, meaning custom Lua code could be configured to grab data from specific machines. There are 50 different kinds of plugin possible.

The malware can infect computers in a number of different ways. Even if a target is air-gapped, the malware can hop over on USB drives.

Information can be gleaned from targets in all sorts of different ways too, some of them quite novel. For example: the malware has been shown to send metadata over DNS.

What’s the point of all this? According to Kaspersky, the malware is “designed to perform specific functions like stealing documents, recording keystrokes, and hijacking encryption keys from both infected computers and attached USB sticks.”

What isn’t known is who made this malware. The sophistication suggests a state sponsor, but nothing can be said for sure at this point. We’ll be watching closely as security researchers try to learn more.

Editors' Recommendations