Skip to main content

Powerful malware infected governments in Russia, Iran, and Rwanada, stayed hidden for five years

projectsauron malware stayed hidden five years project sauron header
Image used with permission by copyright holder
An incredibly sophisticated piece of malware infected government computers in Russia, Iran, and Rwanda, and evaded detection for five years. The malware, called “ProjectSauron” by Kaspersky and “Remsec” by Symantec, has been active since 2011, or longer, infecting computers on the computers of government entities, military operations, research institutions, banks, and telecommunication companies.

The malware used all kinds of tricks to stay hidden, including living mostly in system memory. But a huge part of ProjectSauron’s success, Ars Technica is reporting, is the virus’ ability to avoid leaving patterns.

“The attackers clearly understand that we as researchers are always looking for patterns,” a Kaspersky report said. “Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.”

This pattern avoidance is crucial to the malware’s success, and also downright impressive. For example: executables had different names on different machines, all of them designed to look innocuous. Here are a few example filenames from Kaspersky’s report:

Vendor that uses similar filenames Disguised malware filename
Kaspersky Lab kavupdate.exe, kavupd.exe
Symantec SsaWrapper.exe, symnet32.dll
Microsoft KB2931368.exe
Hewlett-Packard hptcpprnt.dll
VmWare VMwareToolsUpgr32.exe

As you can see, the malware took on seemingly mundane filenames that users would not find out-of-place.

But things get even crazier. This malware had a plugin system, meaning custom Lua code could be configured to grab data from specific machines. There are 50 different kinds of plugin possible.

The malware can infect computers in a number of different ways. Even if a target is air-gapped, the malware can hop over on USB drives.

Information can be gleaned from targets in all sorts of different ways too, some of them quite novel. For example: the malware has been shown to send metadata over DNS.

What’s the point of all this? According to Kaspersky, the malware is “designed to perform specific functions like stealing documents, recording keystrokes, and hijacking encryption keys from both infected computers and attached USB sticks.”

What isn’t known is who made this malware. The sophistication suggests a state sponsor, but nothing can be said for sure at this point. We’ll be watching closely as security researchers try to learn more.

Editors' Recommendations

Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
Hackers are using fake WordPress DDoS pages to launch malware
A digital depiction of a laptop being hacked by a hacker.

Hackers are pushing the distribution of dangerous malware via WordPress websites through bogus Cloudflare distributed denial of service (DDoS) protection pages, a new report has found.

As reported by PCMag and Bleeping Computer, websites based on the WordPress format are being hacked by threat actors, with NetSupport RAT and a password-stealing trojan (RaccoonStealer) being installed if victims fall for the trick.

Read more
This malware infects your motherboard and is almost impossible to remove
A digital encrypted lock with data multilayers.

Researchers have discovered malware that has been secretly infecting systems featuring Asus and Gigabyte motherboards for at least six years.

Since 2016, Chinese-speaking hackers have been infiltrating machines with the CosmicStrand malware, according to a report from Bleeping Computer.

Read more
Last chance to get the Dell XPS 17 laptop while it’s $500 off
Dell XPS 17 9370 front angled view showing display and keyboard deck.

If you want to buy a thin and light laptop but don't want to go for something like the MacBook Air, which is both expensive and puts you into the Apple ecosystem, the Dell XPS lineup is a great alternative. The XPS laptops are Dell's answer to the need for thin laptops that aren't from Apple, and, even better, there are a lot more configurations and sizes you can pick from. While this XPS 17 is bigger than a MacBook Air, there's a great deal on it from Dell that brings it down to $1,699 from $2,199, which is a significant $500 discount and well worth grabbing if you want a thin and light laptop with a large screen.

Why you should buy the Dell XPS 17
This configuration of the Dell XPS 17 has a lot of standout features, the most interesting of which is likely the inclusion of the RTX 4050 graphics card. While the XPS 17 is not really meant as a thin gaming laptop, the fact that it includes an entry-level GPU means you can certainly get a bit of gaming out of it, although don't expect to be playing the latest AAA games. More importantly, it comes with a mid-to-high end 13th Gen Intel Core i7-13700H processor, which will easily handle most productivity and day-to-day tasks without an issue, and you might even be able to get some editing done.

Read more