The internet is going gaga over a new stealthy bug unearthed by Kaspersky Labs and Symantec. The bug, named Project Sauron, has attracted a lot of attention mostly because of its name, which has been picked up from J.R.R. Tolkien’s famous series The Lord of the Rings. However, there is much more to it than just a sensational name. It was discovered only five years after it first infected devices in targeted government organizations across the globe. The stealth features and sophistication of this malware have dazzled security experts. This article will explain everything you need to know about Project Sauron.
Project Sauron is a new bug unearthed by Kaspersky Labs and Symantec. As per Kaspersky, they first discovered the malware in September 2015 on an unspecified “government organization” network. The firm claims that Sauron has infected more than 30 government organizations in Russia, Iran and Rwanda. Most of these organizations lie in the domains of military, telecom, and finance. As per Symantec, they have found the malware on 36 computers in 7 organizations in China, Sweden, Belgium and Russia. The bug is identified as Remsec by Symantec and Norton. However, since the code of the malware has a reference to Sauron, the main antagonist in Tolkien’s “Lord of the Rings”, it is better known as Project Sauron.
According to experts at Symantec, an unknown group named Strider is behind the development of the bug. The Symantec report says that the group has been active since at least October 2011. The report further says that Strider’s attacks have tentative links with a previously uncovered group, Flamer, because of the similar use of Lua modules, a technique previously used by Flamer. Both Kaspersky and Symantec have pointed out that the development of Sauron would have required state sponsorship. This is because the operating costs and design effort for such a highly sophisticated and advanced malware would be quite high, which no ordinary hacking group could afford. Secondly, all the targeted organizations are government bodies, which makes it clear that the bug is used for the purpose of espionage by a state.
As per Symantec, Sauron has a modular design. The modules work together as a framework. This provides the attackers with complete control over an infected computer, allowing them to move across a network, exfiltrate data, and deploy custom modules as required.
Remsec is a highly sophisticated and advanced malware containing a number of stealth features that help it avoid detection. Some of its components are in the form of executable blobs (Binary Large Objects), which are quite difficult for traditional antivirus software to detect. Additionally, much of the malware’s functionality is deployed over the network. It therefore resides only in a computer’s memory and is never stored on disk, which makes the malware more difficult to detect and indicates that the Strider group are technically competent attackers.
Symantec has identified many modules which make up the bug. Some of the important ones are:
It was designed not to use the patterns which security experts usually look for when searching for malware. It is able to disguise itself in a variety of ways, including using names which Microsoft files use. Moreover, it doesn’t send data back to the attacker in traditional ways but uses unconventional, sophisticated techniques. This is how it avoided detection. In addition, most of its framework is delivered over the network, so the malware resides in memory rather than on the hard disk, which makes it difficult to discover. Kaspersky discovered it only after a government organization asked it to look into its network for unusual activity.
Sauron can steal data, log all keystrokes and create backdoors allowing the attacker to take complete control of the infected device. Another hallmark of its sophistication is that it can perform “jumping the air-gap”. This involves stealing sensitive data such as encryption keys from computers that are not actually connected to the internet. It is done by inserting infected USB drives into the unconnected computers. These devices carry a cache of malware which gets loaded onto the computer, probably by exploiting a zero-day vulnerability.
There is no doubt among security experts that Project Sauron represents one of the most advanced pieces of malware seen so far, and they also believe it is characteristic state-sponsored malware because of its target organizations, purpose, stealth features and sophistication.