1. Home
  2. Software
  3. Uroburos

Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[1][2]

ID: S0022
Associated Software: Snake
Type: MALWARE
Platforms: Linux, Windows, macOS
Version: 2.1
Created: 31 May 2017
Last Modified: 10 April 2024

Associated Software Descriptions

Name Description
Snake

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components.[2][1]
Enterprise T1005 从本地系统获取数据

Uroburos can use its Get command to exfiltrate specified files from the compromised system.[1]
Enterprise T1090 .003 代理: Multi-hop Proxy

Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.[1]
Enterprise T1036 .004 伪装: Masquerade Task or Service

Uroburos has registered a service named WerFaultSvc, likely to spoof the legitimate Windows error reporting service.[1]
Enterprise T1112 修改注册表

Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components.[1]
Enterprise T1543 .003 创建或修改系统进程: Windows Service

Uroburos has registered a service, typically named WerFaultSvc, to decrypt and find a kernel driver and kernel driver loader to maintain persistence.[1]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.[1]
.002 加密通道: Asymmetric Cryptography

Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.[1]
Enterprise T1572 协议隧道

Uroburos has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS.[1]
Enterprise T1620 反射性代码加载

Uroburos has the ability to load new modules directly into memory using its Load Modules Mem command.[1]
Enterprise T1140 反混淆/解码文件或信息

Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Uroburos has the ability to use the command line for execution on the targeted system.[1]
Enterprise T1008 回退信道

Uroburos can use up to 10 channels to communicate between implants.[1]
Enterprise T1104 多阶段信道

Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.[1]
.003 应用层协议: Mail Protocols

Uroburos can use custom communications protocols that ride over SMTP.[1]
.004 应用层协议: DNS

Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.[1]
Enterprise T1001 .001 数据混淆: Junk Data

Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.[1]
.003 数据混淆: Protocol or Service Impersonation

Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. [1]
Enterprise T1132 .002 数据编码: Non-Standard Encoding

Uroburos can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters a-z in C2 communications.[1]
Enterprise T1083 文件和目录发现

Uroburos can search for specific files on a compromised system.[1]
Enterprise T1106 本机API

Uroburos can use native Windows APIs including GetHostByName.[1]
Enterprise T1012 查询注册表

Uroburos can query the Registry, typically HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, to find the key and path to decrypt and load its kernel driver and kernel driver loader.[1]
Enterprise T1205 流量激活

Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.[1]
Enterprise T1027 .002 混淆文件或信息: Software Packing

Uroburos uses a custom packer.[3][1]
.009 混淆文件或信息: Embedded Payloads

The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation.[1]
.011 混淆文件或信息: Fileless Storage

Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.[1]
.013 混淆文件或信息: Encrypted/Encoded File

Uroburos can use AES and CAST-128 encryption to obfuscate resources.[1]
Enterprise T1070 .004 移除指标: File Deletion

Uroburos can run a Clear Agents Track command on an infected machine to delete Uroburos-related logs.[1]
Enterprise T1082 系统信息发现

Uroburos has the ability to gather basic system information and run the POSIX API gethostbyname.[1]
Enterprise T1105 输入工具传输

Uroburos can use a Put command to write files to an infected machine.[1]
Enterprise T1057 进程发现

Uroburos can use its Process List command to enumerate processes on compromised hosts.[1]
Enterprise T1055 .001 进程注入: Dynamic-link Library Injection

Uroburos can use DLL injection to load embedded files and modules.[1]
Enterprise T1559 进程间通信

Uroburos has the ability to move data between its kernel and user mode components, generally using named pipes.[1]
Enterprise T1564 .005 隐藏伪装: Hidden File System

Uroburos can use concealed storage mechanisms including an NTFS or FAT-16 filesystem encrypted with CAST-128 in CBC mode.[1]
Enterprise T1095 非应用层协议

Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols.[1]

Groups That Use This Software

ID Name References
G0010 Turla

[2][1]

References

  1. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  2. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  1. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.