I’ll keep you my dirty little secret
Symantec and Kaspersky Lab simultaneously released information yesterday on “Strider” and “ProjectSauron” respectively. Strider, the attacker group, has reportedly been using a stealthy piece of malware called “Remsec” (Backdoor.Remsec) as part of ProjectSauron to spy on a small number of highly valuable targets in China, Russia, Belgium, and Sweden.
The focused scope and targeted industries—government, military, finance, aviation, telecommunications providers—suggests that Strider may be linked to nation state espionage. Remsec, which trails roots as far back as 2011 and is considered sophisticated by both research groups, can open a backdoor on an infected computer, log keystrokes, move laterally across a network and load executables, deploy custom modules, open network connections to listen for specific types of network traffic, and steal files from victims.
A reference to “Sauron,” the all-seeing antagonist in the Lord of the Rings films, found in a keylogger module in the malware may be Strider’s way of craftily communicating the group’s intent to launch even more devastating and large-scale attacks.
Let me know that I’ve done wrong
Kaspersky detected evidence of ProjectSauron as early as September 2015, according to its blog post. The researcher says Remsec qualifies as a bona fide APT (advanced persistent threat), as opposed to media’s propensity to label attacks as such (most reported attacks are neither advanced nor persistent, but a byproduct of poor security or the difficulty in protecting all the things, all the time).
As evidence of the APT statements, both posts include details about Remsec; the custom malware used by Strider as part of ProjectSauron is a modular design, leveraging the little-used Lua programming language. The modules, which Kaspersky calls, “a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods,” include a number of features that make it difficult to detect. Indeed, both research groups agree that Strider is likely to have been operating covertly for at least five years, to date. The use of binary large objects (“blobs”) have enabled the attackers to remain under the radar for this extended period. Kaspersky also writes that the malware has been able to remain stealthy due to its use of strong encryption algorithms (RC6, RC5, RC4, AES, etc.), more than 50 different plugin types, and the modified scripting engine. Remsec is also primarily deployed over the network, meaning it resides only on a computer’s memory and isn’t stored to disk, a savvy technique rarely used by attackers.
Another feature that displays a well-conceived plan by the attackers is their use of specially prepared USBs which, upon use, allow the attackers to access data from air-gapped networks. The same technique was used in the Stuxnet attack in 2010 (and in Mr. Robot, season 1).
Don’t tell anyone or you’ll be just another regret
While Symantec writes that, “Strider has been highly selective in its choice of target,” having found only 36 infections across seven organizations, the Kaspersky post says their team found evidence of infections at “more than 30 organizations in Russia, Iran, Rwanda, and possibly Italian-speaking countries as well.”
It isn’t clear how Remsec is initially deployed, though now known, both research groups/vendors says their products can help organizations identify whether the malware is present on companies’ systems. Symantec, along with the blog post, published a document containing indicators of compromise including hashes associated with Backdoor.Remsec and Yara signatures, which may come in handy for companies that want a comprehensive guide to sniffing out this dirty little piece of malware.