Upload
vanxuyen
View
213
Download
1
Embed Size (px)
Citation preview
APT CYBER ESPIONAGE NATION STATE SPONSORED ESPIONAGE PROJECTSAURON
SPYWARE TARGETED ATTACKS
Download the full report (PDF)
Technical analysis
Indicators of compromise (IOC)
Download YARA rules
More information about ProjectSauron is available to customersof Kaspersky Intelligence Reporting Service. Contact:[email protected]
Introduction:Over the last few years, the number of “APTrelated” incidentsdescribed in the media has grown significantly. For many ofthese, though, the designation “APT”, indicating an “AdvancedPersistent Threat”, is usually an exaggeration. With some notableexceptions, few of the threat actors usually described in themedia are advanced. These exceptions, which in our opinionrepresent the pinnacle of cyberespionage tools: the truly“advanced” threat actors out there, are Equation, Regin, Duqu or
ProjectSauron: top levelcyber-espionage platformcovertly extractsencrypted governmentcommsBy GReAT on August 8, 2016. 2:03 pm
PUBLICATIONS
Careto. Another such an exceptional espionage platform is“ProjectSauron”, also known as “Strider”.
What differentiates a truly advanced threat actor from a wannabeAPT? Here are a few features that characterize the ‘top’cyberespionage groups:
The use of zero day exploitsUnknown, never identified infection vectorsHave compromised multiple government organizations inseveral countriesHave successfully stolen information for many years beforebeing discoveredHave the ability to steal information from air gapped networksSupport multiple covert exfiltration channels on variousprotocolsMalware modules which can exist only in memory withouttouching the diskUnusual persistence techniques which sometime useundocumented OS features
“ProjectSauron” easily covers many of these points.
From discovery to detection:When talking about longstanding cyberespionage campaigns,many people wonder why it took so long to catch them. Perhapsone of the explanations is having the right tools for the right job.Trying to catch government or military grade malware requiresspecialized technologies and products. One such product isKaspersky’s AntiTargeted Attacks Platform, KATA(http://www.kaspersky.com/enterprisesecurity/antitargetedattackplatform). In September 2015, our antitargeted attacktechnologies caught a previously unknown attack. The suspiciousmodule was an executable library, loaded in the memory of aWindows domain controller (DC). The library was registered as aWindows password filter and had access to sensitive data incleartext. Additional research revealed signs of massive activityfrom a new threat actor that we codenamed ‘ProjectSauron’,responsible for largescale attacks against key governmentalentities in several countries.
“SAURON” – internal name used in the Lua scripts
ProjectSauron comprises a topofthetop modular cyberespionage platform in terms of technical sophistication, designedto enable longterm campaigns through stealthy survivalmechanisms coupled with multiple exfiltration methods. Technicaldetails show how attackers learned from other extremelyadvanced actors in order to avoid repeating their mistakes. Forexample, all artifacts are customized per given target, reducingtheir value as indicators of compromise for any other victim.
Some other key features of ProjectSauron:
It is a modular platform designed to enable longterm cyberespionage campaigns.All modules and network protocols use strong encryptionalgorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.It uses a modified Lua scripting engine to implement the coreplatform and its plugins.There are upwards of 50 different plugin types.The actor behind ProjectSauron has a high interest incommunication encryption software widely used by targetedgovernmental organizations. It steals encryption keys,configuration files, and IP addresses of the key infrastructureservers related to the encryption software.It is able to exfiltrate data from airgapped networks by usingspeciallyprepared USB storage drives where data is stored inan area invisible to the operation system.The platform makes extensive use of the DNS protocol fordata exfiltration and realtime status reporting.The APT was operational as early as June 2011 andremained active until April 2016.The initial infection vector used to penetrate victim networksremains unknown.The attackers utilize legitimate software distribution channelsfor lateral movement within infected networks.
To help our readers better understand the ProjectSauron attackplatform, we’ve prepared an FAQ which brings together some of
the most important points about this attacker and its tools. A brieftechnical report is also available, including IOCs and Yara rules.
Our colleagues from Symantec have also released their analysison ProjectSauron / Strider. You can read it here:http://www.symantec.com/connect/blogs/stridercyberespionagegroupturnseyesaurontargets
ProjectSauron FAQ:
1. What is ProjectSauron?
ProjectSauron is the name for a top level modular cyberespionage platform, designed to enable and manage longtermcampaigns through stealthy survival mechanisms coupled withmultiple exfiltration methods.
Technical details show how attackers learned from otherextremely advanced actors in order to avoid repeating theirmistakes. As such, all artifacts are customized per given target,reducing their value as indicators of compromise for any othervictim.
Usually APT campaigns have a geographical nexus, aimed atextracting information within a specific region or from a givenindustry. That usually results in several infections in countrieswithin that region, or in the targeted industry around the world.Interestingly, ProjectSauron seems to be dedicated to just acouple of countries, focused on collecting high value intelligenceby compromising almost all key entities it could possibly reachwithin the target area.
The name, ProjectSauron reflects the fact that the code authorsrefer to ‘Sauron’ in the Lua scripts.
2. Who are the victims?
Using our telemetry, we found more than 30 infectedorganizations in Russia, Iran, Rwanda and possibly in Italianspeaking countries as well. Many more organizations andgeographies are likely to be affected.
The attacked organizations are key entities that provide corestate functions:
Government
Scientific research centersMilitaryTelecommunication providersFinance
3. Have you notified victims?
As usual, Kaspersky Lab actively collaborates with industrypartners, CERTs and law enforcement agencies to notify victimsand help to mitigate the threat. We also rely on public awarenessto spread information about it. If you need more information aboutthis actor, please contact [email protected].
4. For how long have the attackers beenactive?
Forensic analysis indicates that the APT has been operationalsince at least June 2011 and was still active in 2016. Although itappears to have largely ceased, there is a chance that it is stillactive on computer systems that are not covered by KasperskyLab solutions.
5. Did the attackers use interesting oradvanced techniques?
The attackers used multiple interesting and unusual techniques,including:
Data exfiltration and realtime status reporting using DNSrequests.
Implant deployment using legitimate software update scripts.Data exfiltration from airgapped networks through the use ofspecially prepared USB storage drives where the stolen datais stored in the area unused by standard tools of theoperating system.Using a modified Lua scripting engine to implement the coreplatform and its plugins. The use of Lua components inmalware is very rare – it was previously spotted in the Flameand Animal Farm attacks.
6. How did you discover this malware?
In September 2015, Kaspersky Lab’s AntiTargeted AttackPlatform discovered anomalous network traffic in a clientorganization’s network. Analysis of this incident led to thediscovery of a strange executable program library loaded into thememory of the domain controller server. The library wasregistered as a Windows password filter and had access tosensitive data such as administrative passwords in cleartext.Additional research revealed signs of activity of a previouslyunknown threat actor.
7. How does ProjectSauron operate?
ProjectSauron usually registers its persistence module on domaincontrollers as a Windows LSA (Local Security Authority)password filter. This feature is typically used by systemadministrators to enforce password policies and validate newpasswords to match specific requirements, such as length andcomplexity. This way, the ProjectSauron passive backdoormodule starts every time any network or local user (including anadministrator) logs in or changes a password, and promptlyharvests the password in plaintext.
In cases where domain controllers lack direct Internet access, theattackers install additional implants on other local servers whichhave both local network and Internet access and may passthrough significant amount of network traffic, i.e. proxyservers,webservers, or software update servers. After that, theseintermediary servers are used by ProjectSauron as internal proxynodes for silent and inconspicuous data exfiltration, blending inwith high volumes of legitimate traffic.
Once installed, the main ProjectSauron modules start working as‘sleeper cells’, displaying no activity of their own and waiting for‘wakeup’ commands in the incoming network traffic. This methodof operation ensures ProjectSauron’s extended persistence on
the servers of targeted organizations.
8. What kind of implants doesProjectSauron use?
Most of ProjectSauron’s core implants are designed to work asbackdoors, downloading new modules or running commandsfrom the attacker purely in memory. The only way to capturethese modules is by making a full memory dump of the infectedsystems.
Almost all of ProjectSauron’s core implants are unique, havedifferent file names and sizes, and are individually built for eachtarget. Each module’s timestamp, both in the file system and in itsown headers, is tailored to the environment on which it isinstalled.
Secondary ProjectSauron modules are designed to performspecific functions like stealing documents, recording keystrokes,and stealing encryption keys from both infected computers andattached USB sticks.
ProjectSauron implements a modular architecture using its ownvirtual file system to store additional modules (plugins) and amodified Lua interpreter to execute internal scripts. There areupwards of 50 different plugin types.
9. What is the initial infection vector?
To date, the initial infection vector used by ProjectSauron topenetrate victim networks remains unknown.
10. How were the ProjectSauronimplants deployed within the targetnetwork?
In several cases, ProjectSauron modules were deployed throughthe modification of scripts used by system administrators tocentrally deploy legitimate software updates within the network.
In essence, the attackers injected a command to start themalware by modifying existing software deployment scripts. Theinjected malware is a tiny module that works as a simpledownloader.
Once started under a network administrator account, this smalldownloader connects to a hardcoded internal or external IPaddress and downloads the bigger ProjectSauron payload fromthere.
In cases where the ProjectSauron persistence container is storedon disk in EXE file format, it disguises the files with legitimatesoftware file names.
11. What C&C infrastructure did theattackers use?
The ProjectSauron actor is extremely well prepared when itcomes to operational security. Running an expensivecyberespionage campaign like ProjectSauron requires vastdomain and server infrastructure uniquely assigned to each victimorganization and never reused again. This makes traditionalnetworkbased indicators of compromise almost useless becausethey won’t be reused in any other organization.
We collected 28 domains linked to 11 IPs located in the UnitedStates and several European countries that might be connectedto ProjectSauron campaigns. Even the diversity of ISPs selectedfor ProjectSauron operations makes it clear that the actor dideverything possible to avoid creating patterns.
12. Does ProjectSauron target isolated(air-gapped) networks?
Yes. We registered a few cases where ProjectSauronsuccessfully penetrated airgapped networks.
The ProjectSauron toolkit contains a special module designed tomove data from airgapped networks to Internetconnectedsystems. To achieve this, removable USB devices are used.Once networked systems are compromised, the attackers wait fora USB drive to be attached to the infected machine.
These USBs are specially formatted to reduce the size of thepartition on the USB disk, reserving an amount of hidden data(several hundred megabytes) at the end of the disk for maliciouspurposes. This reserved space is used to create a new customencrypted partition that won’t be recognized by a common OS,such as Windows. The partition has its own semifilesystem (orvirtual file system, VFS) with two core directories: ‘In’ and ‘Out’.
This method also bypasses many DLP products, since softwarethat disables the plugging of unknown USB devices based onDeviceID wouldn’t prevent an attack or data leakage, because agenuine recognized USB drive was used.
13. Does ProjectSauron target criticalinfrastructure?
Some of the entities infected by ProjectSauron can be classifiedas critical infrastructure. However, we haven’t registeredProjectSauron infections inside industrial control system networksthat have SCADA systems in place.
Also, we have not yet seen a ProjectSauron module targeting anyspecific industrial hardware or software.
14. Did ProjectSauron use any specialcommunication methods?
For network communication, the ProjectSauron toolkit hasextensive abilities, leveraging the stack of the most commonlyused protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP.
One of the ProjectSauron plugins is the DNS data exfiltration tool.To avoid generic detection of DNS tunnels at network level, theattackers use it in lowbandwidth mode, which is why it is usedsolely to exfiltrate target system metadata.
Another interesting feature in ProjectSauron malware thatleverages the DNS protocol is the realtime reporting of theoperation progress to a remote server. Once an operationalmilestone is achieved, ProjectSauron issues a DNSrequest to aspecial subdomain unique to each target.
15. What is the most sophisticatedfeature of the ProjectSauron APT?
In general, the ProjectSauron platform is very advanced andreaches the level of complexity of Regin, Equation and similarthreat actors we have reported on in the past. Some of the mostinteresting things in the ProjectSauron platform include:
Multiple exfiltration mechanisms, including piggybacking onknown protocols.Bypassing airgaps using hidden data partitions on USB
sticks.Hijacking Windows LSA to control network domain servers.Implementing an extended Lua engine to write custommalicious scripts to control the entire malware platform with ahighlevel language.
16. Are the attackers using any zero-dayvulnerabilities?
To date we have not found any 0day exploits associated withProjectSauron.
However, when penetrating isolated systems, the creation of theencrypted storage area in the USB does not in itself enableattackers to get control of the airgapped machines. There has tobe another component such as a 0 day exploit placed on the mainpartition of the USB drive.
So far we have not found any 0day exploit embedded in the bodyof the malware we analyzed, and we believe it was probablydeployed in rare, hardtocatch instances.
17. Is this a Windows-only threat? Whatversions of Windows are targeted?
ProjectSauron works on all modern Microsoft Windows operatingsystems – both x64 and x86. We have witnessed infectionsrunning on Windows XP x86 as well as Windows 2012 R2 ServerEdition x64.
To date, we haven’t found a nonWindows version ofProjectSauron.
18. Were the attackers hunting forspecific information?
ProjectSauron actively searches for information related to ratheruncommon, custom network encryption software. This clientserver software is widely adopted by many of the targetorganizations to secure communications, voice, email, anddocument exchange.
In a number of the cases we analyzed, ProjectSauron deployedmalicious modules inside the custom network encryption’ssoftware directory, disguised under similar filenames and
accessing the data placed beside its own executable. Some ofextracted Lua scripts show that the attackers have a high interestin the software components, keys, configuration files, and thelocation of servers that relay encrypted messages between thenodes.
Also, one of the embedded ProjectSauron configurations containsa special unique identifier for the targeted network encryptionsoftware’s server within its virtual network. The behavior of thecomponent that searches for the server IP address is unusual.After getting the IP, the ProjectSauron component tries tocommunicate with the remote server using its own(ProjectSauron) protocol as if it was yet another C&C server. Thissuggests that some communication servers running thementioned network encryption software could also be infectedwith ProjectSauron.
19. What exactly is being stolen from thetargeted machines?
The ProjectSauron modules we found are able to stealdocuments, record keystrokes and steal encryption keys frominfected computers and attached USB sticks.
The fragment of configuration block below, extracted fromProjectSauron, shows the kind of information and file extensionsthe attackers were looking for:
.*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|signin|strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*
[^\$]$
^.*\.(doc|xls|pdf)$
*.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;*.ppk;*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;*.pk2;*.nct;*.key;*.psw
Interestingly, while most of the words and extensions above are in
the English language, several of them point to Italian, such as:‘codice’, ‘strCodUtente’ and ‘segreto’.
Keywords / filenames targeted by ProjectSauron data theftmodules:
Italian keyword Translation
Codice code
CodUtente Usercode
Segreto Secret
This suggests the attackers had prepared to attack Italianspeaking targets as well. However, we are not aware of anyItalian victims of ProjectSauron at the moment.
20. Have you observed any artifactsindicating who is behind theProjectSauron APT?
Attribution is hard and reliable attribution is rarely possible incyberspace. Even with confidence in various indicators andapparent attacker mistakes, there is a greater likelihood thatthese are smoke and mirrors created by an attacker with agreater vantage point and vast resources. When dealing with themost advanced threat actors, as is the case with ProjectSauron,attribution becomes an unsolvable problem.
21. Is this a nation-state sponsoredattack?
We think an operation of such complexity, aimed at stealingconfidential and secret information, can only be executed withsupport from a nationstate.
22. What would ProjectSauron have costto set up and run?
Kaspersky Lab has no exact data on this, but estimates that thedevelopment and operation of ProjectSauron is likely to haverequired several specialist teams and a budget probably runninginto millions of dollars.
23. How does the ProjectSauronplatform compare to other top-level
platform compare to other top-levelthreat actors?
The actor behind ProjectSauron is very advanced, comparableonly to the topofthetop in terms of sophistication: alongsideDuqu, Flame, Equation, and Regin. Whether related or unrelatedto these advanced actors, the ProjectSauron attackers havedefinitely learned from them.
As a reminder, here are some features of other APT attackerswhich we discovered that the ProjectSauron attackers hadcarefully learned from or emulated:
Duqu:
Use of intranet C&Cs (where compromised target serversmay act as independent C&Cs)Running only in memory (persistence on a few gateway hostsonly)Use of different encryption methods per victimUse of named pipes for LAN communicationMalware distribution through legitimate software deploymentchannels
Flame:
Luaembedded codeSecure file deletion (through data wiping)Attacking airgapped systems via removable devices
Equation and Regin:
Usage of RC5/RC6 encryptionVirtual Filesystems (VFS)
Attacking airgapped systems via removable devicesHidden data storage on removable devices
These other actors also showed what made them vulnerable topotential exposure, and ProjectSauron did its best to addressthese issues:
Vulnerable or persistent C&C locationsISP name, IP, domain, and tools reuse across differentcampaignsCryptoalgorithm reuse (as well as encryption keys)Forensic footprint on diskTimestamps in various componentsLarge volumes of exfiltrated data, alarming unknownprotocols or message formats
In addition, it appears that the attackers took special care withwhat we consider as indicators of compromise and implementeda unique pattern for each and every target they attacked, so thatthe same indicators would have little value for anyone else. Thisis a summary of the ProjectSauron strategy as we see it. Theattackers clearly understand that we as researchers are alwayslooking for patterns. Remove the patterns and the operation willbe harder to discover. We are aware of more than 30organizations attacked, but we are sure that this is just a tiny tipof the iceberg.
24. Do Kaspersky Lab products detectall variants of this malware?
All Kaspersky Lab products detect ProjectSauron samples asHEUR:Trojan.Multi.Remsec.gen
25. Are there Indicators of Compromise(IOCs) to help victims identify theintrusion?
ProjectSauron’s tactics are designed to avoid creating patterns.Implants and infrastructure are customized for each individualtarget and never reused – so the standard security approach ofpublishing and checking for the same basic indicators ofcompromise (IOC) is of little use.
However, structural code similarities are inevitable, especially fornoncompressed and nonencrypted code. This opens up thepossibility of recognizing known code in some cases.
THERE ARE 3 COMMENTSIf you would like to comment on this article you must first login
That’s why, alongside the formal IOCs, we have added relevantYARA rules. While the IOCs have been listed mainly to giveexamples of what they look like, the YARA rules are likely to be ofgreater use and could detect real traces of ProjectSauron.
For background: YARA is a tool for uncovering malicious files orpatterns of suspicious activity on systems or networks that sharesimilarities. YARA rules—basically search strings—help analyststo find, group, and categorize related malware samples and drawconnections between them in order to build malware families anduncover groups of attacks that might otherwise go unnoticed.
We have prepared our YARA rules based on tiny similarities andoddities that stood out in the attackers’ techniques. These rulescan be used to scan networks and systems for the same patternsof code. If some of these oddities appear during such a scan,there is a chance that the organizations has been hit by the sameactor.
More information about ProjectSauron is available to customersof Kaspersky Intelligence Reporting Service. Contact:[email protected]
Related Articles
PatrickPosted on August 8, 2016. 6:28 pm
I left a similar comment on Facebook, but I thought I’d point it out here aswell: The scripting language’s name is Lua, not LUA. Here’s what they haveto say about it:
“Lua” (pronounced LOOah) means “Moon” in Portuguese. As such, it is
IT THREAT
EVOLUTION INQ2 2016.STATISTICS
IT THREAT
EVOLUTION INQ2 2016.OVERVIEW
THE DROPPING
ELEPHANT –AGGRESSIVECYBER-ESPIONAGE IN
neither an acronym nor an abbreviation, but a noun. More specifically, “Lua”is a name, the name of the Earth’s moon and the name of the language. Likemost names, it should be written in lower case with an initial capital, that is,“Lua”. Please do not write it as “LUA”, which is both ugly and confusing,because then it becomes an acronym with different meanings for differentpeople. So, please, write “Lua” right!
Nolan BerryPosted on August 9, 2016. 5:03 pm
I gave a talk this week at DefCon Skytalks on more advanced DNS Exfil andC&C interesting to see this come up so soon.
Shachar2Posted on August 10, 2016. 11:18 am
can’t wait for the documentary about the project in 50 years time…
Reply
Reply
Reply