
ProjectSauron

aka: Strider, Sauron, Project Sauron

ProjectSauron is the name for a top-level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how the attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. APT campaigns usually have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high-value intelligence by compromising almost all key entities it could possibly reach within the target area. The name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.


Associated Families
win.remsec_strider

References
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:project:dec873e, author = {Cyber Operations Tracker}, title = {{Project Sauron}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/project-sauron}, language = {English}, urldate = {2019-12-20} } Project Sauron
ProjectSauron
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:strider:e8991a7, author = {MITRE ATT&CK}, title = {{Group description: Strider}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0041/}, language = {English}, urldate = {2019-12-20} } Group description: Strider
ProjectSauron
2016-10-11 | Artem Baranov
@online{baranov:20161011:remsec:02eae63, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 3}}, date = {2016-10-11}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html}, language = {English}, urldate = {2020-03-28} } Remsec driver analysis - Part 3
Remsec
2016-10-10 | Artem Baranov
@online{baranov:20161010:remsec:9ed5754, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 2}}, date = {2016-10-10}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html}, language = {English}, urldate = {2020-03-28} } Remsec driver analysis - Part 2
Remsec
2016-10-03 | Artem Baranov
@online{baranov:20161003:remsec:3877dab, author = {Artem Baranov}, title = {{Remsec driver analysis}}, date = {2016-10-03}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html}, language = {English}, urldate = {2020-03-28} } Remsec driver analysis
Remsec
2016-09-09 | Kaspersky Labs | GReAT
@techreport{great:20160909:projectsauron:9114f84, author = {GReAT}, title = {{THE PROJECTSAURON APT}}, date = {2016-09-09}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf}, language = {English}, urldate = {2019-11-02} } THE PROJECTSAURON APT
ProjectSauron
2016-08-08 | Kaspersky Labs | GReAT
@online{great:20160808:projectsauron:503a441, author = {GReAT}, title = {{ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms}}, date = {2016-08-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/}, language = {English}, urldate = {2019-12-20} } ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms
ProjectSauron
2016-08-08 | Symantec | Symantec
@techreport{symantec:20160808:backdoorremsec:870dbc3, author = {Symantec}, title = {{Backdoor.Remsec indicators of compromise}}, date = {2016-08-08}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf}, language = {English}, urldate = {2019-07-11} } Backdoor.Remsec indicators of compromise
Remsec
2016-08-08 | Symantec | A L Johnson
@online{johnson:20160808:strider:49d9d44, author = {A L Johnson}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-08}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Strider: Cyberespionage group turns eye of Sauron on targets
Flame Regin Remsec ProjectSauron
2016-08-07 | Symantec | Symantec Security Response
@online{response:20160807:strider:1602e25, author = {Symantec Security Response}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-07}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets}, language = {English}, urldate = {2020-01-07} } Strider: Cyberespionage group turns eye of Sauron on targets
ProjectSauron

Credits: MISP Project