- Unique footprint: Core implants that have different file names and sizes and are individually built for each target – making it very difficult to detect since the same basic indicators of compromise would have little value for any other target.
- Running in memory: The core implants make use of legitimate software update scripts and work as backdoors, downloading new modules or running commands from the attacker purely in memory.
- A bias towards crypto-communicatins: ProjectSauron actively searches for information related to fairly rare, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
- Script-based flexibility: ProjectSauron has implemented a set of low-level tools which are orchestrated by high-level LUA scripts. The use of LUA components in malware is very rare - it has previously only been spotted in the Flame and Animal Farm attacks.
- Bypassing air-gaps: ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks. These USB drives carry hidden compartments in which stolen data is concealed.
- Multiple exfiltration mechanisms: ProjectSauron implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised in day-to-day traffic.
http://www.symantec.com/connect/blogs/s ... on-targets
http://www.symantec.com/content/en/us/e ... c_IOCs.pdf
https://www.virustotal.com/en/file/a66b ... /analysis/
The included sample is currently all I can download, there's is more on VT if you search for remsec but I don't have a key