Skip to content

Hide Navigation Hide TOC

ProjectSauron (f3179cfb-9c86-4980-bd6b-e4fa74adaaa7)

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.

Cluster A Galaxy A Cluster B Galaxy B Level
索伦之眼 - APT-C-16 (24ce266c-1860-5e04-a107-48d1d39f8ebf) 360.net Threat Actors ProjectSauron (f3179cfb-9c86-4980-bd6b-e4fa74adaaa7) Threat Actor 1
Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set ProjectSauron (f3179cfb-9c86-4980-bd6b-e4fa74adaaa7) Threat Actor 1
索伦之眼 - APT-C-16 (24ce266c-1860-5e04-a107-48d1d39f8ebf) 360.net Threat Actors Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set 2
Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 2
Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) Attack Pattern Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set 2
Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 2
Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) Attack Pattern 3
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Device Driver Discovery - T1652 (215d9700-5881-48b8-8265-6449dbb7195d) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 3
Remsec (6a3c3fbc-97ec-4938-b64e-2679e4b73db9) Malpedia Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 4
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4