G DATA publishes analysis of cyber-espionage programmes

January 2015 by G DATA

Targeted cyber-attacks on government institutions, businesses and international organisations have increased in recent years, and malware is the weapon of choice. For seven years, G DATA has followed the development of one of the best-known malicious programmes: Agent.BTZ. In 2008, this malware strain was deployed in a cyber-attack on the Pentagon in the USA. In 2014, the Uroburos spyware programme was found to have attacked both the Belgian and the Finnish Foreign Ministries. In November 2014, ComRAT (the successor to Agent.BTZ) was discovered and analysed in detail, revealing technical similarities with the Uroburos rootkit. Across all of the malware samples, G DATA security experts found shared code that had been extended incrementally over time. But how do perpetrators go about building cyber-espionage weapons? To illustrate how a highly complex spyware programme is developed, the experts investigated Agent.BTZ and ComRAT more closely: in total, 46 different samples from a seven-year period were analysed.

"As a result of the analysis, we now have data on seven years of development of malware that was used by one group for targeted attacks on extremely sensitive targets such as the US Pentagon in 2008, the Belgian Foreign Ministry in 2014 and the Finnish Foreign Ministry," explains Ralf Benzmüller, head of G DATA SecurityLabs.

Minor changes to the software

Until version 3.00 in 2012, the G DATA security experts detected only minor changes to the software over the years: it was adapted to new Windows versions, programming errors were fixed and additional disguising methods were added. The biggest update took place in version 3.00 of the RAT. The attackers' methods are, however, not completely clear. The security experts suspect that well-trained developers, who know how to cover their tracks, are behind the malware.

The G DATA analysts are sure that the group behind Uroburos, Agent.BTZ and ComRAT continues to be active in the malware and APT (Advanced Persistent Threat) area. The latest disclosures and links lead to speculation that even more attacks can be expected in the future.

The detailed analysis of the complex spyware programme is described at:

https://blog.gdatasoftware.com/blog/article/evolution-of-sophisticated-spyware-from-agentbtz-to-comrat.html

G DATA experts have also analysed ComRAT, the successor to Agent.BTZ: https://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html

The hijacking of COM objects is investigated in more detail at the G DATA SecurityBlog: https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html

The analysis of Uroburos can be found at the G DATA SecurityBlog (https://blog.gdatasoftware.com/blog/article/uroburos-highly-complex-espionage-software-with-russian-roots.html), along with a detailed technical review of the malware’s functionality. (https://blog.gdatasoftware.com/blog/article/uroburos-deeper-travel-into-kernel-protection-mitigation.html)

