
G0041 Strider

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. [1][2]

ID: G0041
Associated Names: ProjectSauron
Version: 1.1
Created: 31 May 2017
Last Modified: 29 June 2020

Associated Group Descriptions

Name: ProjectSauron
Description: ProjectSauron is used to refer both to the threat group also known as G0041 and to the malware platform also known as S0125. [2][3]

Techniques Used

All techniques listed below belong to the enterprise domain.

T1564 Hide Artifacts
  T1564.005 Hidden File System: Strider has used a hidden file system that is stored as a file on disk. [3]
T1556 Modify Authentication Process
  T1556.002 Password Filter DLL: Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password. [3]
T1090 Proxy
  T1090.001 Internal Proxy: Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access. [2]
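The password-filter technique above works because LSASS loads every DLL named in the REG_MULTI_SZ value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and hands each one the cleartext password on every change. A defender's first check on a domain controller is therefore to enumerate that value and flag anything beyond the Windows default entry, scecli. The script below is an added example written for this page; it is not code from MITRE, from the cited reports, or from the Strider/ProjectSauron tooling. The allow-list of expected package names is an assumption for the example and must be adjusted for environments that legitimately run third-party password filters.

```powershell
# Added example: audit LSA password-filter registrations on a domain controller.
# LSASS reads the REG_MULTI_SZ value "Notification Packages" under the Lsa key and
# loads each entry with LoadLibrary; a bare name resolves through the normal DLL
# search order, which for LSASS is normally %SystemRoot%\System32.
# "scecli" is the Windows default entry; anything else warrants review.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption for this example: no legitimate third-party filters are deployed.
# Add vendor filter names here if your environment uses them.
$ExpectedPackages = @('scecli')

function Get-PasswordFilterAudit {
    param(
        [string]$Path = $LsaKey,
        [string[]]$AllowList = $ExpectedPackages
    )

    $props    = Get-ItemProperty -Path $Path -Name 'Notification Packages' -ErrorAction Stop
    $packages = @($props.'Notification Packages')

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }

        # Resolve the on-disk path the way LSASS would for a bare name.
        if ([IO.Path]::IsPathRooted($name)) {
            $dll = $name
        } else {
            $file = if ($name -like '*.dll') { $name } else { "$name.dll" }
            $dll  = Join-Path $env:SystemRoot "System32\$file"
        }

        # Authenticode status is a second signal: the default filter is Microsoft-signed,
        # and an unsigned or missing binary in this value is worth an incident ticket.
        if (Test-Path -LiteralPath $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } else {
            $status = 'FileMissing'
            $signer = ''
        }

        [pscustomobject]@{
            Package    = $name
            Path       = $dll
            Signature  = $status
            Signer     = $signer
            Allowed    = ($AllowList -contains $name)
            Suspicious = ($AllowList -notcontains $name) -or ($status -ne 'Valid')
        }
    }
}

# Run on each domain controller (or via Invoke-Command against a DC list) and
# review any row where Suspicious is True.
Get-PasswordFilterAudit | Format-Table -AutoSize
```

Because the registry value is the persistence anchor, a change to it is the event to alert on: monitor the Lsa key for writes to "Notification Packages" with object-access auditing or a Sysmon registry rule, and correlate with Security event 4614 ("A notification package has been loaded by the Security Account Manager"), which records each filter LSASS loads at boot. A filter that appears in 4614 on a domain controller but is absent from the allow-list above is exactly the condition this technique produces.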

Software

ID: S0125
Name: Remsec [1][2]
Techniques:
  Account Discovery: Local Account
  Application Layer Protocol: DNS
  Application Layer Protocol: Mail Protocols
  Application Layer Protocol: Web Protocols
  Data from Removable Media
  Device Driver Discovery
  Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
  Exfiltration Over Physical Medium: Exfiltration over USB
  Exploitation for Privilege Escalation
  File and Directory Discovery
  Impair Defenses: Disable or Modify System Firewall
  Indicator Removal: File Deletion
  Ingress Tool Transfer
  Input Capture: Keylogging
  Masquerading: Match Legitimate Name or Location
  Modify Authentication Process: Password Filter DLL
  Network Service Discovery
  Non-Application Layer Protocol
  Obfuscated Files or Information
  OS Credential Dumping: Security Account Manager
  Process Discovery
  Process Injection: Dynamic-link Library Injection
  Remote System Discovery
  Scheduled Task/Job
  Software Discovery: Security Software Discovery
  System Information Discovery
  System Network Configuration Discovery
  System Network Connections Discovery
  System Owner/User Discovery

References