German Firm Uncovers Russian Cyberespionage Spyware


A rootkit designed to take complete control of an infected system is believed to be one of the tools used in a cyberespionage campaign conducted by intelligence-gatherers in Russia against U.S. organizations and their allies.

Bochum, Germany-based G Data Software AG said it detected Uroburos, a tool designed to remain stealthy on an infected machine and spy on its targeted victims. It captures network traffic and is flexible enough so the attackers behind the threat can easily add other capabilities to steal information, G Data said in a paper outlining the discovery (.pdf). 

"The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit," G Data said. "We believe that the team behind this has continued working on even more advanced variants, which are still to be discovered."


The authors of the malware speak Russian, G Data said, adding that the malware appears to have been created in 2011 and may have gone undetected until now. Uroburos runs on both 32-bit and 64-bit Windows systems and is believed to have been targeting governments, research organizations, defense contractors and other large companies. Reuters reported Friday that Western intelligence officials call the threat Turla. The malware has been linked to a 2008 attack that infiltrated some U.S. government agencies, including the Department of Defense, as well as U.S. defense contractors. It gives an attacker back-door access to sensitive systems and the ability to maintain persistence over time.

Solution providers told CRN that many small and midsize businesses feel they are immune to advanced persistent threats. Cybercriminals and even nation-state-sponsored attackers are taking advantage of the misconception, they say, and target businesses lower in the partner chain to get to the ultimate target. The initial attack vector associated with Uroburos isn't completely known but appears to be spearphishing and drive-by infections, both common attack methods that rely on social engineering to trick targeted users into downloading the malicious file, said Shaq Kahn, CEO of Fremont, Calif.-based security service provider Fortifire. While Kahn said he has not seen details about Uroburos, the threat appears to be consistent with other targeted attacks against both public and private sector organizations.

"There is a general feeling that hacking leads to losing data and money and, in this case, we're talking about losing everything because your reputation will be ruined with your partners," Kahn said. "Businesses large and small need to understand that advanced persistent threats impact the entire partner supply chain."

In its report, G Data said it named the malware after a string found in the malware's code, a reference to the ancient symbol of a serpent or dragon eating its own tail. The malware appears to be designed to use an Internet-connected machine as the initial infection point and then spread to other systems on a large network, G Data said.

The malware authors appear to be sophisticated and well-funded, designing malware that is heavily protected against analysis, G Data said. The network design is efficient and uses peer-to-peer infrastructure to communicate and spread, the firm said.

"The design is highly professional; the fact that the attackers use a driver and a virtual file system in two separate files, which can only work in combination, makes the analysis really complicated," G Data said in its report. "This kind of data stealing software is too expensive to be used as common spyware."

PUBLISHED MARCH 7, 2014