Skip to content

Hide Navigation Hide TOC

ProjectSauron (f3179cfb-9c86-4980-bd6b-e4fa74adaaa7)

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.

Cluster A Galaxy A Cluster B Galaxy B Level
ProjectSauron (f3179cfb-9c86-4980-bd6b-e4fa74adaaa7) Threat Actor 索伦之眼 - APT-C-16 (24ce266c-1860-5e04-a107-48d1d39f8ebf) 360.net Threat Actors 1
ProjectSauron (f3179cfb-9c86-4980-bd6b-e4fa74adaaa7) Threat Actor Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set 1
索伦之眼 - APT-C-16 (24ce266c-1860-5e04-a107-48d1d39f8ebf) 360.net Threat Actors Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set 2
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set 2
Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set 2
Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) Attack Pattern Strider - G0041 (277d2f87-2ae5-4730-a3aa-50c1fdff9656) Intrusion Set 2
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Device Driver Discovery - T1652 (215d9700-5881-48b8-8265-6449dbb7195d) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Remsec (6a3c3fbc-97ec-4938-b64e-2679e4b73db9) Malpedia 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 3
Remsec - S0125 (69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8) Malware Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 3
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) Attack Pattern 3
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) Attack Pattern 4
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 4