Three-year-old Uroburos rootkit likely created by Russian state-sponsored hackers

Researchers from German antivirus company G Data have discovered and analyzed a complex rootkit with spying capabilities and believe that it has been created and employed by Russian-speaking hackers working for a nation-state.

The rootkit – dubbed Uroburos due to a string found in its code – has a driver and two encrypted virtual file systems – one NTFS and the other FAT.

“The virtual file systems are used as a work space by the attackers. They can store third party tools, post-exploitation tools, temporary files and binary output,” the researchers shared.

The rootkit is capable of:

• Taking control of the infected machine and execute commands on it
• Hiding on it
• Stealing files
• Capturing network traffic
• Working on both 32-bit and 64-bit Microsoft Windows systems
• Working in P2P mode
• Infect other machines on the same network, even if they are not connected to the Internet
• Forward all the stolen data from those machines to the one that does have an Internet connection, and then send it to a remote server operated by the attackers.

“Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ,” the researchers pointed out.

“Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.”

Uroburos’ complexity and sophistication, and the fact that it seems to be aimed at enterprises, intelligence and other government agencies, seems to imply that a nation-state is behind the attacks.

“The investment to develop a complete framework such as Uroburos is extremely high. The developer team behind the development and the design of such an enhanced framework is really skilled. We believe that, until today, the team behind Uroburos has developed an even more sophisticated framework, which still remains undiscovered,” the researchers noted.

Also still undiscovered is the way the rootkit infiltrates target networks. The possibilities are many – spear-phishing emails, drive-by infections, infected USB sticks. The latter approach is how the aforementioned Agent.BTZ was propagated in 2008.

Another worrying thing is that while the rootkit has only now been discovered, the compilation date of one of the discovered drivers implies that it has been in use (at least) since 2011.