UROBUROS
In 2008, malicious code known as Agent.BTZ was placed on USB drives that were dropped in the parking lots of defense facilities, such as a United States Department of Defense in the Middle East, in what was considered the “worst breach of U.S. military computers in history” at the time. Agent.BTZ infected systems running Microsoft Windows and allowed attackers to log personal information, cached credentials, and user keystrokes. The infection propagated and lasted in United States government systems for over a year. The Agent.btz infection led to the creation of the United States Cyber Command. The Uroburos group malware, which appeared in 2011 (or earlier) and was discovered in 2014, scans for the presence of Agent.BTZ on target systems and remains inactive if Agent.BTZ is installed. Comments and code itself indicate that the authors of both Agent.BTZ and Uroburos are proficient in Russian. Some file names, encryption keys, and other technical indicators are shared between the Agent.btz and Uroburos malwares. Although other possibilities exist, Agent.BTZ and Uroburos were likely developed by the same group or associated groups.
The Uroburos rootkit is a very advanced and very sophisticated modular malware designed to infect entire networks and exfiltrate confidential data. The sophistication and flexibility of the Uroburos malware suggests that a highly skilled team, who had access to considerable resources, developed it. The significant monetary investment necessary to develop the Uroburos platform suggests that it was developed to target businesses, nation states, and intelligence agencies, rather than average citizens. Based on the exploit kit, the Uroburos group likely has a political or espionage agenda. The Uroburos malware typically infects 32-bit and 64-bit Microsoft Windows systems that belong to governments, embassies, defense industries, pharmaceutical companies, research and education facilities, and other large companies.
When Energetic Bear was discovered in 2011, the group targeted aviation and defense companies in the United States and Canada; however, in 2013, energy firms in the United States and Europe became the primary targets of Energetic Bear. In particular, the exploit kit targets the systems of ICS equipment manufacturers and petroleum pipeline operators. Energy grid operators, electricity generation facilities, and industrial equipment providers are also susceptible to compromise. By ingeniously targeting the smaller, less protected ICS manufacturing companies and antiquated SCADA systems, Energetic Bear is able to circumnavigate the massive state-sponsored cyber-security systems that typically protect critical infrastructure systems.
The Uroburos group uses spear phishing campaigns, drive-by-infections, watering hole attacks, and social engineering attacks to push their malware onto target networks. In spear phishing campaigns, the target receives a tailored email containing an executable RAR self-extracting archive (SFX). If opened, then the malware unpacks and installs itself (a .SCR executable) on the user system. When the Uroburos rootkit infects a machine, it can: execute arbitrary code, hide its activity on a system, identify and exfiltrate information such as files, capture network traffic, and infect other systems on the network. Uroburos consists of a driver (.sys file) and an encrypted virtual file system (.dat file). The complex driver seems to be specifically designed to be discrete and difficult to identify.
Remote attackers use Uroburos to infect other machines on the network and to communicate between infected hosts using a peer-to-peer architecture. Uroburos opportunistically propagates through the network. If Uroburos infects at least one system on a network that has an active internet connection and that host is connected to other systems within the network, then the attacker can infect as many systems as their resources allow. The malware spies on each system for useful information and uses the P2P architecture to relay information to the attackers. As such, information can be retrieved from air-gapped systems, transferred from infected host to infected host until it reaches a host with an active internet connection, and then exfiltrated to the adversary. This methodology allows the malware to bypass many security controls.
The Uroburos rootkit aspires to hide its elements and remain undetected and persistent on the compromised system. Upon installation, the malware establishes a service (usually Ultra3.sys) that automatically executes during the startup of the system. This driver is necessary to decrypt the malware’s virtual file systems, create additional hooks, inject code into user libraries and applications, and manage communication between the adversary and the malware. The driver hooks the malware into the system by injecting code into a running process and then redirecting the rest of the running code to execute at the end of the malicious code. As non-technical simplification, this process, known as inline patching, can be visualized as inserting an extension cord (the malicious code) between another cord and a wall socket. By doing this, the malware can better remain undiscovered because malicious activity is attached to legitimate processes.
The rootkit consists of two virtual file systems (a NTFS file system and a FAT file system) that are encrypted with CAST-128 and stored locally on the user system. The encryption key is hardcoded in the driver file. The virtual file system (a .dat file) has a random name and it is stored with the driver file. The encrypted file systems function as a work environment for the attackers. Third party tools, post-exploitation tools, temporary files, and binary output are stored in the file systems. The NTFS file contains bat scripts which enable the attacker to map remote servers, execute netstat commands, gather system information, log output of tools, tools to steal documents, encrypt stolen documents, and RAR tools to compress and archive stolen documents for exfiltration. A queue and library injection tool, which acts as a buffer between the queue and the user system, can pcap or snapshot network traffic.
The virtual file system contains protocol information to exfiltrate information through HTTP (external website with GET and POST requests), through ICMP (ping), through SMTP (email), and through named pipe to another infected system. New libraries and tools can be added by adjusting the built in queue, without reinstalling the malware. Airgapped systems can be infected through named pipe connections or through USB infection devices. In the former case, an infected system serves as a proxy node and it appears passive as it spreads the infection to other systems on the network. Any infected system can serve as a proxy node, so even if one point of infection is discovered, a tangential system can continue to infect the network as the new proxy node. The peer-to-peer modular design is resilient to removal, scalable on any network, and reliable. Further, the framework can be extended to include new features and perform further attacks against the infected host or networks associated with the infected network. The design of the malware as a driver and a multi-file virtual file system that can only work in combination is an elegant, but sophisticated design that complicates analysis efforts. Without the driver, the other two files cannot be decrypted. Without the files systems, the driver is innocuous. The design is too sophisticated and too expensive to develop to be common spyware.
