Advanced malware has been targeting European and U.S. government computers.
G Data Security, a security and antivirus company based in Germany, has detected a new and highly sophisticated piece of malware. Dubbed “Uroburos,” after the ancient symbol of a serpent eating its own tail, the malware is alleged by G Data to have been created by the Russian government. The attribution is based on Cyrillic words found in the malware sample, its behavior, its encryption keys and its file names.
Uroburos works on both 32-bit and 64-bit Windows machines. Its complexity indicates an active, highly skilled, and well-funded development team.
Another sophisticated piece of malware was also recently uncovered. Known as “Turla,” it is widely believed by intelligence agencies to be of Russian origin and has been targeting government machines across Europe and the US. Although it is impossible to confirm that the malware is Russian, its signatures and behavior point to a Russian origin.
Both Turla and Uroburos have been secretly monitored for years. Both begin by looking for Agent.BTZ on the machines they land on; Agent.BTZ is a piece of malware that the Russians used to infiltrate the Pentagon network. It was uncovered in 2008 in a cyber-espionage scandal that affected US CENTCOM. Russia never formally took credit for Agent.BTZ, nor was it ever officially blamed by the US government, but experts agree that the malware's level of sophistication and its behavior point to a Russian state-sponsored attack. Russian state-sponsored attacks are known for being sophisticated and tactful, choosing their targets carefully and going dormant when they suspect detection.
The development team behind Turla has been active. Symantec reports that the team operates several command and control servers located throughout the world; as soon as one is shut down, another pops up. The Turla team has also been quick to modify its code to evade detection. Both Uroburos and Turla seek to infect government computers and transmit data back to the attackers' servers.
In a red paper, G Data explains that Uroburos can “take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discreet and very difficult to identify.”