Security researchers from G Data have analyzed a piece of malware that appears to have been used by a Russian intelligence agency for espionage operations. The company says this is one of the most advanced threats they’ve analyzed so far.
The rootkit, dubbed Uroburos, enables its masters to take control of infected computers. The threat, which works on both 32-bit and 64-bit Windows systems, can execute arbitrary commands, hide system activities, steal files, and capture network traffic. It’s designed in a way that allows its creators to extend its functionality by adding new modules.
The Uroburos driver is also highly sophisticated, being difficult to identify. This is demonstrated by the fact that the oldest driver was compiled in 2011. The attackers managed to conduct their operations for at least three years without being discovered.
So why does G Data believe Uroburos is connected to a Russian spy agency?
Firstly, because of how sophisticated the threat is. Experts say the development of such a framework is a major investment.
“The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered,” the researchers noted.
Another interesting aspect of Uroburos is that it’s designed to work in P2P mode. This means that, if it manages to infect one device that’s connected to the Internet, it can spread to other machines that are on the same network, even ones that aren’t wired to the Web.
It can steal data from any of the infected computers by relaying it until it reaches the device that’s connected to the Internet. Given its complexity, experts believe the rootkit is designed to target governments, research institutions, and other major organizations.
The Russian connection is indicated by two pieces of evidence. One of them is the fact that Uroburos authors appear to speak Russian. The second clue linking the threat to Russia is its similarity to Agent.BTZ, a piece of malware used in cyberattacks against the United States back in 2008.
Researchers believe that the group that developed Uroburos is the same one that created Agent.BTZ. The creators of Agent.BTZ are reportedly Russian.
“According to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets,” G Data experts said.
G Data has published a technical paper of Uroburos. It is available on the company’s website.