1. Home
  2. Groups
  3. Strider

Strider

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[1][2]

ID: G0041
Associated Groups: ProjectSauron
Version: 1.1
Created: 31 May 2017
Last Modified: 29 June 2020

Associated Group Descriptions

Name Description
ProjectSauron

ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. [2] [3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1090 .001 代理: Internal Proxy

Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.[2]
Enterprise T1556 .002 修改身份验证过程: Password Filter DLL

Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.[3]
Enterprise T1564 .005 隐藏伪装: Hidden File System

Strider has used a hidden file system that is stored as a file on disk.[3]

Software

ID Name References Techniques
S0125 Remsec [1][2] 从可移动介质获取数据, 伪装: Match Legitimate Name or Location, 修改身份验证过程: Password Filter DLL, 命令与脚本解释器: Lua, 妨碍防御: Disable or Modify System Firewall, 应用层协议: Mail Protocols, 应用层协议: Web Protocols, 应用层协议: DNS, 操作系统凭证转储: Security Account Manager, 文件和目录发现, 替代协议渗出: Exfiltration Over Unencrypted Non-C2 Protocol, 权限提升漏洞利用, 混淆文件或信息: Encrypted/Encoded File, 移除指标: File Deletion, 系统信息发现, 系统所有者/用户发现, 系统网络连接发现, 系统网络配置发现, 网络服务发现, 设备驱动程序探测, 账号发现: Local Account, 软件发现: Security Software Discovery, 输入工具传输, 输入捕获: Keylogging, 进程发现, 进程注入: Dynamic-link Library Injection, 远程系统发现, 通过物理介质渗出: Exfiltration over USB, 非应用层协议, 预定任务/作业

References

  1. Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
  2. Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
  1. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.