ProjectSauron: a sophisticated spy platform on a mission to penetrate governments' encrypted communications
In September 2015, Kaspersky Lab's Anti-Targeted Attack Platform flagged unusual activity in one of its customers' networks; investigating this suspicious situation led researchers to discover "ProjectSauron".

The "ProjectSauron" campaign targeted state institutions using a unique set of tools customized to each individual victim, which renders traditional indicators of compromise largely useless.

The goal of these attacks appears to be primarily cyber-espionage: the "ProjectSauron" campaign focuses in particular on breaking into and stealing encrypted communications, using a sophisticated spy platform with an unprecedented set of tools and techniques.

Among the most distinctive characteristics of the "ProjectSauron" campaign is its deliberate avoidance of recurring, recognizable patterns: the campaign prepares custom malicious implants and infrastructure for each individual target

and never re-uses any of them. Combined with multiple methods of exfiltrating stolen data, such as e-mail and ordinary DNS channels, this tactic has allowed "ProjectSauron" to run long-term covert espionage campaigns on targeted networks.

"ProjectSauron" gives the impression of an experienced, well-established actor that has gone to great lengths to learn from highly sophisticated campaigns such as "Duqu", "Flame", "Equation" and "Regin", adopting some of their most innovative techniques and continually refining its offensive methods to remain hidden.

Key features

The tools and techniques of the "ProjectSauron" campaign that are of particular note include the following:

Unique footprint: the core implants are files with different names and sizes, prepared individually for each victim, which makes them very hard to detect, since indicators of compromise collected from one target have little value for any other.
Operating in memory: the implants hijack legitimate software update scripts and act as a backdoor, loading new modules or executing the attackers' commands in memory.
Focus on access to encrypted communications: the "ProjectSauron" campaign actively searches the networks it has reached for information about relatively rare, purpose-built encryption software.
This kind of client-server software is used on a large scale by several organizations to secure voice communications, e-mail, document sharing and chats.

The attackers pay special attention to encryption software components, encryption keys, configuration files and the location of the servers that relay encrypted messages between nodes in the network.
Script-based flexibility: the "ProjectSauron" campaign uses a series of low-level tools orchestrated by high-level "LUA" scripts.
The use of "LUA" components in malware is very rare; it has previously been observed only in the "Flame" and "Animal Farm" attacks.
Bypassing air-gapped networks: the "ProjectSauron" campaign uses USB drives specially prepared for the purpose to bypass networks that are completely isolated from external communications; these drives contain hidden compartments in which stolen data is stored.
Multiple data collection mechanisms: the "ProjectSauron" campaign uses a number of ways to collect data from target organizations, including legitimate channels such as e-mail and DNS, with copies of the stolen information hidden in the victim's daily traffic.
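The e-mail and DNS exfiltration described above leaves traces in resolver logs that defenders can look for: long, high-entropy, never-repeated subdomains sent by one client to one domain. The following Python script is an added illustration of such a check and is not code from the original article or from Kaspersky Lab. It runs over a constructed sample of DNS query records (the client addresses and domain names are invented); the thresholds, the two-label approximation of a "registered domain" (no public-suffix list is consulted), and the function names are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query log records as (client_ip, queried_name).
# These are illustrative values, not traffic from the ProjectSauron campaign.
# Client 10.0.0.9 sends chunked, hex-encoded labels to one domain, which is the
# pattern a DNS-based exfiltration channel leaves behind in resolver logs.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "update.vendor-example.net"),
    ("10.0.0.9", "6a0f3b9c2d7e4a1f8b5c0d3e9f2a7b4c.exfil-example.org"),
    ("10.0.0.9", "2d7e4a1f8b5c0d3e9f2a7b4c6a0f3b9c.exfil-example.org"),
    ("10.0.0.9", "8b5c0d3e9f2a7b4c6a0f3b9c2d7e4a1f.exfil-example.org"),
    ("10.0.0.9", "9f2a7b4c6a0f3b9c2d7e4a1f8b5c0d3e.exfil-example.org"),
    ("10.0.0.7", "cdn.example.com"),
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels of the name (assumption: no public-suffix list is used here)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(name):
    """Everything left of the registered domain, i.e. the part a sender controls per query."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-2])


def score_query(name, max_label_len=30, min_entropy=3.0, min_len=16):
    """Return the per-query indicators that fire for one queried name (thresholds are assumptions)."""
    sub = subdomain_part(name)
    reasons = []
    if sub and max(len(label) for label in sub.split(".")) > max_label_len:
        reasons.append("long_label")
    if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
        reasons.append("high_entropy")
    return reasons


def analyze(queries, burst_threshold=3):
    """Group queries by (client, registered domain) and report groups that look like exfiltration."""
    groups = defaultdict(lambda: {"queries": 0, "subdomains": set(), "flagged": 0})
    for client, name in queries:
        group = groups[(client, registered_domain(name))]
        group["queries"] += 1
        group["subdomains"].add(subdomain_part(name))
        if score_query(name):
            group["flagged"] += 1

    findings = {}
    for key, group in groups.items():
        reasons = []
        if group["flagged"]:
            reasons.append("encoded_labels")
        # Many never-repeated subdomains to one domain is what chunked data leaving via DNS looks like.
        if len(group["subdomains"]) >= burst_threshold:
            reasons.append("many_unique_subdomains")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in analyze(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```

On the sample above only the 10.0.0.9 to exfil-example.org group is reported. In production the same aggregation would run over a time window, and the registered-domain step should use a real public-suffix list so that hosting providers and CDNs are not collapsed into a single "domain".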
Geographic areas and victims targeted

So far more than 30 companies and institutions have been identified as victims of the "ProjectSauron" campaign, most of them in Russia, Iran and Rwanda, and there may be victims in Italian-speaking countries as well; further institutions and geographic areas are likely to have been affected by these attacks.

Based on the results of our analysis, the targeted institutions generally play a key role in providing state services, including:

Government authorities
Military institutions
Scientific research centers
Telecommunications companies
Financial institutions

According to forensic analysis, the "ProjectSauron" campaign has been active since June 2011 and is still active in 2016; the initial infection vector by which the campaign penetrates victims' networks is still unknown.

Security experts at Kaspersky Lab recommend that organizations conduct a comprehensive audit of their IT networks and endpoints and apply the following measures:

Deploy an anti-targeted-attack solution alongside new or existing endpoint protection. Endpoint protection alone is not enough to stop next-generation attacks from campaigns of this kind.
Call in experts when the IT infrastructure raises warning signs. The most sophisticated security solutions can detect attacks even as they happen, but security specialists are often the only ones able to prevent such attacks effectively, mitigate their consequences and analyze major incidents.
Complement the above steps with threat intelligence services, which help security teams stay informed about the latest developments in the threat landscape, attack trends and indicators of compromise, and so take appropriate precautions.
Because many major attacks begin with phishing e-mails or other means of luring employees, staff should be educated and guided to follow responsible behavior when using the Internet.


In: A Technology & Gadgets Asked By: [23616 Red Star Level]