Researchers crack open unusually advanced malware that hid for 5 years

The name "Project Sauron" came from code contained in one of the malware's configuration files. (credit: Kaspersky Lab)

Security experts have discovered a malware platform that's so advanced in its design and execution that it could probably have been developed only with the active support of a nation state.

The malware—known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been behind malware such as Flame, Duqu, and Regin, each of which has been linked to Stuxnet or to the National Security Agency. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.


Stuxnet spawn infected Kaspersky using stolen Foxconn digital certificates

Some of the malware that infected the corporate network of antivirus provider Kaspersky Lab concealed itself using digital certificates belonging to Foxconn, the electronics manufacturing giant and maker of the iPhone, Xbox, and other well-known products.

Cryptographically generated credentials are required to install drivers on newer, 64-bit versions of Windows. Foxconn used one such certificate when installing several legitimate drivers on Dell laptop computers in 2013. Somehow, the attackers who infected the Kaspersky Lab network appropriated the digital seal and used it to sign their own malicious drivers. As Ars explained last week, the drivers were the sole part of the entire Duqu 2.0 malware platform that resided on local hard drives. These drivers were on Kaspersky firewalls, gateways, or other servers that had direct Internet access and were used to surreptitiously marshal sensitive information in and out of the Kaspersky network.

Not the first time

The Foxconn certificate is the third one used to sign malware that has been linked to the same advanced persistent threat (APT) attackers. The Stuxnet malware, which reportedly was developed by the US and Israel to sabotage Iran's nuclear program, used a digital certificate from Realtek, a hardware manufacturer in the Asia Pacific region. A second certificate, from JMicron, another hardware maker in the Asia Pacific, was used several years ago to sign Stuxnet-related malware developed by some of the same engineers. Like the previous two certificates, the one belonging to Foxconn had never been found signing any other malicious software.


The Mask


Modern cyberespionage campaigns are regularly defined by their level of sophistication and professionalism. “The Mask”, a cyberespionage group unveiled by Kaspersky earlier today, is no exception. Symantec’s research into this group shows that The Mask has been in operation since 2007, using highly sophisticated tools and techniques to compromise, monitor, and exfiltrate data from infected targets. The group uses high-end exploits and carefully crafted emails to lure unsuspecting victims. The Mask has payloads available for all major operating systems, including Windows, Linux, and Macintosh.

An interesting aspect of The Mask is that it targets the Spanish-speaking world, and its tools have been specifically designed for this. The targets appear to reside mainly in Europe and South America.

The longevity of the operation, the access to highly sophisticated tools, and the precise and targeted nature of the victims indicate that this is a very professional, well-organized team with substantial resources.

Targeting the victim
The Mask typically infects the victim with a highly targeted email. Using the lure of a CV (resume) or political content, the attachments observed have been in the form of malicious PDF or Microsoft Word documents. The following is a sample of some of the attachment names used:

  • Inspired By Iceland.doc
  • DanielGarciaSuarez_cv_es.pdf
  • cv-edward-horgan.pdf

Upon opening the document, the recipient is presented with what looks like a legitimate document; however, a malicious remote access Trojan (RAT) is also installed, allowing full remote access to the compromised computer. Once the computer is compromised, The Mask can then install additional tools for enhanced persistence and cyberespionage activities.

Cyberespionage – a professional suite
The Mask has a suite of tools at its disposal. One tool in particular distinguishes this group from typical cyber operations: Backdoor.Weevil.B, a sophisticated cyberespionage tool that is modular in nature, has a plugin architecture, and offers a myriad of configuration options. This tool is reminiscent of those associated with other sophisticated campaigns such as Duqu, Flamer, and MiniDuke. However, there is no evidence that The Mask is associated with these campaigns.

The default install boasts nearly 20 modules purpose-built for intercommunication, network sniffing, activity monitoring, exfiltration, and rootkit capabilities.

Figure. Some of The Mask’s modules

The plugin architecture allows for additional modules to be downloaded and loaded on the fly. The Trojan can log activity in all the major browsers and has a comprehensive list of file extensions to gather information on. The types of documents targeted by the Trojan are:

  • Word, PDF, Excel
  • Encrypted files, PGP keys, encryption keys
  • Mobile backup files
  • Email archives

The information can then be securely exfiltrated to attacker-controlled servers using the HTTPS protocol.

The data-stealing component provides clues as to The Mask’s targets. It searches for documents under Spanish-language pathnames, for example “archivos de programa”, indicating that the targets are running Spanish-language operating systems.
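The two passages above describe the collection behaviour a defender can hunt for: a single process reading files from several unrelated sensitive categories (office documents, encryption keys and PGP material, mobile backups, email archives) in a short burst, in this case under Spanish-language paths. The script below is an added illustration written for this page; it is not Symantec's detection logic or any code from The Mask. The log line format, the process names, the extension sets, the mobile-backup path marker, the extra Spanish path fragments beyond “archivos de programa”, and the thresholds are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Categories follow the document types listed in the write-up; the concrete
# extensions are assumptions made for this example.
EXTENSION_CATEGORIES = {
    ".doc": "office", ".docx": "office", ".xls": "office", ".xlsx": "office", ".pdf": "office",
    ".gpg": "crypto", ".pgp": "crypto", ".asc": "crypto", ".key": "crypto",
    ".pem": "crypto", ".p12": "crypto", ".pfx": "crypto", ".ppk": "crypto",
    ".pst": "mail", ".ost": "mail", ".mbox": "mail", ".dbx": "mail",
}
# Mobile backups are recognised by a path marker rather than an extension (assumption).
MOBILE_BACKUP_MARKER = "mobilesync\\backup"
# "archivos de programa" comes from the write-up; the other two are assumed extras.
SPANISH_PATH_HINTS = ("archivos de programa", "mis documentos", "escritorio")

# Assumed file-access log format, e.g. from an EDR export (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) path="(?P<path>[^"]*)"$'
)


def categorize(path):
    """Map a file path to one of the sensitive categories, or None."""
    low = path.lower().replace("/", "\\")
    if MOBILE_BACKUP_MARKER in low:
        return "mobile_backup"
    dot = low.rfind(".")
    ext = low[dot:] if dot != -1 else ""
    return EXTENSION_CATEGORIES.get(ext)


def is_spanish_path(path):
    """True when the path contains one of the Spanish-language folder names."""
    low = path.lower()
    return any(hint in low for hint in SPANISH_PATH_HINTS)


def parse_line(line):
    """Parse one log line into an event dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "pid": int(m["pid"]),
            "image": m["image"], "op": m["op"], "path": m["path"]}


def find_collectors(lines, window=timedelta(minutes=5), min_categories=3):
    """Return one finding per process whose reads span at least `min_categories`
    distinct sensitive categories inside any `window`-long interval."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] != "read":
            continue
        cat = categorize(ev["path"])
        if cat is None:
            continue
        ev["category"] = cat
        events[(ev["pid"], ev["image"])].append(ev)

    findings = []
    for (pid, image), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Sliding window anchored at each read; keep the widest category spread.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            cats = {e["category"] for e in in_window}
            if len(cats) >= min_categories and (best is None or len(cats) > len(best[0])):
                best = (cats, in_window)
        if best is not None:
            cats, in_window = best
            findings.append({
                "pid": pid,
                "image": image,
                "categories": sorted(cats),
                "files": len(in_window),
                "spanish_paths": sum(is_spanish_path(e["path"]) for e in in_window),
            })
    return findings


# Constructed sample log: two benign processes and one that sweeps four categories in seconds.
SAMPLE_LOG = r"""
2014-02-10T09:15:02 pid=3012 image=winword.exe op=read path="C:\Users\ana\Documents\informe.docx"
2014-02-10T09:15:40 pid=1880 image=outlook.exe op=read path="C:\Users\ana\AppData\Local\Microsoft\Outlook\ana.pst"
2014-02-10T09:16:01 pid=4120 image=svchost.exe op=read path="C:\Archivos de programa\Comun\informe.docx"
2014-02-10T09:16:03 pid=4120 image=svchost.exe op=read path="C:\Users\ana\Mis documentos\claves\secreto.pgp"
2014-02-10T09:16:05 pid=4120 image=svchost.exe op=read path="C:\Users\ana\AppData\Local\Microsoft\Outlook\ana.pst"
2014-02-10T09:16:09 pid=4120 image=svchost.exe op=read path="C:\Users\ana\AppData\Roaming\Apple Computer\MobileSync\Backup\3a1f\Manifest.plist"
2014-02-10T09:16:11 pid=4120 image=svchost.exe op=write path="C:\Users\ana\AppData\Local\Temp\stage.tmp"
2014-02-10T09:40:00 pid=3012 image=winword.exe op=read path="C:\Users\ana\Documents\presupuesto.xlsx"
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_collectors(SAMPLE_LOG):
        print(finding)
```

The heuristic keys on category spread rather than on any single extension, because an office application or mail client legitimately reads many files of one kind; it is the combination of documents, key material, mail archives and phone backups under one process in one short burst that is unusual. The Spanish path count is reported as context, not used as a condition, so the same rule applies to victims running other locales.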

Cyberespionage campaigns conducted by professional teams are increasingly common. Numerous multi-year espionage operations have come to light in recent years. Examples include Flamer, MiniDuke, and Hidden Lynx. The Mask joins this notorious list but also shows how the targets of these sophisticated campaigns are becoming increasingly diverse. Coinciding with these campaigns has been the emergence of companies that develop tools for use in espionage campaigns. Companies such as Hacking Team and Gamma International provide remote access suites that offer sophisticated surveillance capabilities. All of this serves to highlight how the geographical and technical boundaries of cyberespionage are expanding.

Symantec has the following detection in place for this threat.

We also provide network protection with the following Intrusion Prevention Signature:

  • System Infected: Backdoor.Weevil Activity