Espionage Rootkit has Russian Roots

Tuesday, March 4, 2014 @ 05:03 PM gHale


A Russian intelligence agency appears to be using a piece of malware for espionage operations, researchers said.

This is one of the most advanced threats the researchers at G Data have analyzed so far.


The rootkit, dubbed Uroburos, enables its masters to take control of infected computers. The threat, which works on 32-bit and 64-bit Windows systems, can execute arbitrary commands, hide system activities, steal files, and capture network traffic.

The malware has a modular design that lets its creators extend its functionality by adding new modules.

The Uroburos driver is also highly sophisticated and difficult to identify. The oldest driver sample found was compiled in 2011, yet the attackers managed to conduct their operations for at least three years without being discovered.

G Data believes Uroburos is the work of a Russian intelligence agency, in part because of how sophisticated the threat is. The researchers said the development of such a framework is a major investment.

“The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered,” the researchers said.

Another interesting aspect of Uroburos is that it can work in peer-to-peer (P2P) mode. This means that if it manages to infect one device that is connected to the Internet, it can spread to other machines on the same network, even ones that have no Internet connection of their own.

It can steal data from any of the infected computers by relaying it until it reaches the device connected to the Internet. Given its complexity, experts believe the rootkit is all about targeting governments, research institutions, and other major organizations.
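The relay architecture described above has a network-visible side effect that defenders can hunt for: hosts that never talk to the Internet themselves but push a steady volume of data to one internal peer that does. The following is an added example, not part of the original article and not G Data's code; it runs a simple relay heuristic over constructed flow records (source, destination, bytes) and flags internal hosts whose outbound Internet traffic is roughly matched by inbound traffic from Internet-less peers. The address ranges, thresholds and sample flows are assumptions for illustration.

```python
"""Flag internal hosts that look like egress relays for peers that never reach the Internet.

Added example for the relay behaviour described in the article. The flow
records, network ranges and thresholds below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (src, dst, bytes). Not real telemetry.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 52_000),        # Internet-less host -> suspected relay
    ("10.0.0.7", "10.0.0.20", 48_000),        # Internet-less host -> suspected relay
    ("10.0.0.9", "10.0.0.20", 61_000),        # Internet-less host -> suspected relay
    ("10.0.0.20", "198.51.100.23", 160_000),  # suspected relay -> external host
    ("10.0.0.30", "10.0.0.31", 1_000),        # ordinary internal chatter
    ("10.0.0.31", "203.0.113.8", 500),        # host with its own Internet egress
    ("10.0.0.30", "203.0.113.9", 700),        # host with its own Internet egress
]

# Assumed internal ranges (RFC 1918); adjust to the environment being analysed.
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """Return True if addr falls inside one of the INTERNAL ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def find_relay_candidates(flows, min_feeders: int = 2, min_ratio: float = 0.5) -> dict:
    """Return {relay_host: details} for internal hosts that look like egress relays.

    A host is a candidate when (a) it sends data to external addresses, (b) at
    least `min_feeders` internal hosts that have NO external flows of their own
    send data to it, and (c) the bytes received from those feeders are at least
    `min_ratio` of the bytes the host sends externally.
    """
    egress_bytes: dict = defaultdict(int)          # host -> bytes sent to external addrs
    external_talkers = set()                        # hosts with any external flow

    # Pass 1: who talks to the Internet at all, and how much.
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            external_talkers.add(src)
            egress_bytes[src] += nbytes

    # Pass 2: internal -> internal flows whose sender never talks externally.
    feeder_bytes: dict = defaultdict(lambda: defaultdict(int))  # relay -> {feeder: bytes}
    for src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst) and src not in external_talkers:
            feeder_bytes[dst][src] += nbytes

    candidates = {}
    for host, out_bytes in egress_bytes.items():
        feeders = feeder_bytes.get(host, {})
        relayed = sum(feeders.values())
        if len(feeders) >= min_feeders and out_bytes and relayed / out_bytes >= min_ratio:
            candidates[host] = {
                "feeders": sorted(feeders),
                "relayed_bytes": relayed,
                "egress_bytes": out_bytes,
            }
    return candidates


if __name__ == "__main__":
    for host, info in find_relay_candidates(FLOWS).items():
        print(f"{host}: {len(info['feeders'])} Internet-less feeders, "
              f"{info['relayed_bytes']} bytes in vs {info['egress_bytes']} bytes out")
```

Legitimate proxies, jump hosts and file servers produce the same pattern, so in practice the output is a hunting lead to be checked against an allowlist of known egress points, not an alert on its own. Lowering `min_ratio` catches relays that compress or batch data before sending it on; raising `min_feeders` cuts noise on large networks.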

The Russian connection is indicated by two pieces of evidence. One of them is Uroburos’ authors appear to speak Russian. The second clue linking the threat to Russia is its similarity to Agent.BTZ, a piece of malware used in cyber attacks against the United States back in 2008.

Researchers believe the group that developed Uroburos is the same one that created Agent.BTZ. The creators of Agent.BTZ are reportedly Russian.

“According to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets,” G Data researchers said.

G Data published a technical paper on Uroburos.


