Anti-virus firm finds alleged Kremlin cyberweapon, undetected for at least three years

UroborosSecurity experts at G Data, the German anti-virus firm, have discovered a “very complex and sophisticated piece of malware, designed to steal confidential data”.

So far that sounds reasonably interesting, but (frankly) not that extraordinary in these days of targeted attacks against organisations.

But what makes the Uroburos rootkit stand out from the crowd is that G Data’s detailed report into the malware reveals that their researchers believe it to have been created by a country’s intelligence agency, and drops some heavy hints that Russia are to blame.

The Uroburos rootkit takes its name from a mythical serpent or dragon that ate its own tail, and a sequence of characters concealed deep within the malware’s code: Ur0bUr()sGotyOu#

Uroburos code

Uroburos steals files from infected computers and captures network traffic, and has some sophisticated tricks up its sleeve to help hackers exfiltrate information from targeted organisations.

For instance, it’s designed to work in peer-to-peer mode, with infected PCs communicating amongst each other. The remote attackers only need to command one infected computer which has an internet connection, in order to infect, control and steal from other infected computers on the network which may not have net access.

Sign up to our free newsletter.
Security news, advice, and tips.

Another interesting feature of the malware is that it uses two virtual file systems to disguise its activities from observers:

The Uroburos rootkit uses two virtual file systems – one NTFS file system and one FAT file system. They are stored locally, on the infected machine. This means that the victim’s computer contains an encrypted file, which, in reality, hosts another file system.

The virtual file systems are used as a work space by the attackers. They can store third party tools, post-exploitation tools, temporary files and binary output. The virtual file systems can be accessed through the devices DeviceRawDisk1 and DeviceRawDisk2 and the volume \.Hd1 and \.Hd2.

According to G Data, the Uroburos malware’s technical complexity suggests connections to intelligence agencies:

The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.

Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ. Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.

In 2008, the spread of Agent.BTZ worm resulted in the US Army banning the use of USB and removable media devices. At the time it was claimed that the Agent.BTZ attack was initiated after an infected USB stick was deliberately “lost” in the US Department of Defense’s car park.

All of this adds up, in the opinion of G Data’s report, to one conclusion – whoever was responsible for creating Uroburos wasn’t the common-or-garden malware author.

According to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets.

Of course, we’ve been here before. Not a month goes by without someone accusing country X or country Y of being responsible for a malware attack.

As always, we need to be careful about jumping to conclusions.

KremlinAlthough it’s easy to piece together pieces of “evidence” from malware code such as snippets of language, or resources which have been compiled with certain language settings that *isn’t* necessarily proof beyond reasonable doubt that citizens of a particular country were responsible, let alone that the attack has the backing of the country’s government.

The truth is that attribution when it comes to malware attacks is extremely difficult.

At the same time, we would be naive to think that many countries around the world are not taking advantage of malware, vulnerabilities and hacks to spy upon other nations.

Meanwhile, details are still frustratingly missing. No light has been shined on how Uroburos might infect victim computers (although USB infection and targeted email attacks seem plausible), or who the victims might have been, or what data might have been stolen.

What’s perhaps most embarrassing for all concerned is G Data’s claim that one of the oldest drivers identified in the Uroburos rootkit was compiled in 2011, meaning that it has gone undetected by everyone for at least three years.

You can learn more about Uroburos in G Data’s report on the malware.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Anti-virus firm finds alleged Kremlin cyberweapon, undetected for at least three years”

  1. wondrous

    Thanks for the information about this gruesome piece of malware, but is there any clue yet how to determine an infection?

    I read trough the article of G Data, but all I was able to extract was that it really well covers up its activities, and that you wont find any obvious entries like Ultra3 in the registry whatsoever.

    Any clues how else to find out?

    Big thanksies in advance,

  2. Peter Ferrie

    The date of the driver is not necessarily related to the date of the campaign. It sounds like they jumped to another conclusion.

  3. David Dickinson

    So this thing has roots going back to 2011, and A/V vendors still don't detect it. What seems diabolical may be allowed by mere ineptitude.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.