Actu
G DATA: The Uroburos case: new sophisticated RAT identified
November 2014 by G DATA
In February 2014, the experts of the G DATA SecurityLabs published an analysis of Uroburos, the rootkit with Russian roots. We explained that a link exists between Uroburos and the Agent.BTZ malware. Nine months later, after the buzz around Uroburos, aka Snake or Turla, we now identified a new generation of Agent.BTZ We dubbed it ComRAT and, by now, analyzed two versions of the threat (v3.25 and v3.26).
As reported earlier this year, Agent.BTZ used the same encoding key and the installation log file name as Uroburos. ComRAT, in its version 3.25, shows the same behavior. Furthermore, the attackers also shared a C&C domain. The latest version of ComRAT known to us (v3.26) uses a new key and does not create the installation log file, in order to complicate the analysis and to disguise the link between the two cases.
This analysis shows that even after the Uroburos publication in February 2014, the group behind this piece of malware seems to be still active. In any case, the ComRAT developers implemented new mechanisms, changed keys, removed log files to hide their activities and tried to disguise the connections between the RAT ComRAT, the rootkit Uroburos and the RAT Agent.BTZ as much as possible. However, we can still follow the evolution of the malware by comparing the versions.
The persistence mechanism discovered in October 2014 makes it possible to intrude into a system in a really discreet manner and we estimate that other actors will use the same persistence mechanism in the near future.
Read the entire analysis at https://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html/.
