New obfuscation and anti-analysis mechanisms have been added

Nov 11, 2014 14:00 GMT  ·  By

The threat actors behind the Uroburos malware campaign have created a new tool for carrying out cyber-espionage activities, which shares part of its code with the group's previous threats.

Security researchers at G Data have uncovered ComRAT, a remote access Trojan (RAT) that can execute commands, download files, collect information from the affected computers and exfiltrate it to a remote server.

Improved RAT tries to hide connection with Uroburos

The experts caught two versions of the malware with very few differences between them, mostly in the way files are obfuscated and in how the details of the command and control (C&C) server are stored. That server happens to be one that has been used in Uroburos campaigns.

However, the most recent version of the malware comes with improved obfuscation and anti-analysis mechanisms, which Paul Rascagneres of G Data believes is also an attempt to hide the connection with the previously used tools.

Rascagneres says that the threat achieves persistence by creating a registry key for an installed payload (shdocvw.tlp, a dynamic link library); the key associates the library with a specific object, identified by the GUID 42aedc87-2188-41fd-b9a3-0c966feabec1. “The purpose is to load the library into each and every process executed on the infected system,” the researcher says in a blog post.
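A defender's check for the persistence mechanism described above, added here as an example; it is not code from G Data's post. It assumes the association is registered the way an in-process COM server normally is, as an InprocServer32 subkey beneath the CLSID, and it looks in both the per-user and the machine-wide hive, since a per-user entry shadows the machine-wide one for non-elevated processes.

```powershell
# Added example: look for the CLSID named in the article and report what library it loads.
# Assumptions not stated in the article: InprocServer32 subkey, HKCU/HKLM locations.
$Clsid = '{42aedc87-2188-41fd-b9a3-0c966feabec1}'   # GUID reported by G Data
$Hives = @('HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID')

foreach ($hive in $Hives) {
    $key = Join-Path $hive "$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "$key : not present"
        continue
    }

    # The (default) value of InprocServer32 is the library COM will load for this object.
    $props  = Get-ItemProperty -LiteralPath $key
    $server = $props.'(default)'
    Write-Output "$key -> $server (ThreadingModel=$($props.ThreadingModel))"

    if ($hive -like 'HKCU:*') {
        # A per-user registration overrides the HKLM one and is loaded by every
        # process that instantiates the object, which is the effect the article describes.
        Write-Warning "Per-user override of $Clsid found; it shadows the machine-wide registration."
    }

    # shdocvw.tlp, the file name reported by G Data, is not a usual extension for a COM server.
    $ext = [System.IO.Path]::GetExtension($server)
    if ($ext -ne '.dll' -and $ext -ne '.ocx') {
        Write-Warning "InprocServer32 points at a file with unusual extension '$ext': $server"
    }

    # Hash the referenced file so it can be checked against AV or threat-intel records.
    if ($server -and (Test-Path -LiteralPath $server)) {
        $hash = (Get-FileHash -LiteralPath $server -Algorithm SHA256).Hash
        Write-Output "SHA256 of $server : $hash"
    }
}
```

Run it from an elevated PowerShell session on each host under review; a present HKCU entry pointing at a non-DLL file in a user-writable location is the combination worth escalating.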

In order to evade detection, ComRAT communicates with the command and control server through the browser process, which is less likely to be picked up by security solutions available on the compromised computer, such as a firewall or an antivirus product.

During the analysis process it has been determined that the domain the malware connects to is “weather-online.hopto.org,” which has also been encountered in previous campaigns of the threat actor.

The security expert observed that the code used in ComRAT is partially the same as the one used by a previous tool associated with Uroburos, named Agent.BTZ by G Data. Because of this, the new RAT is currently detected as Uroburos by security products.

ComRAT relies on a strong persistence mechanism

The compilation date of the more recent version of the threat is January 3, 2013. However, Rascagneres believes that the timestamp has been spoofed, because an earlier sample, which does not feature the improvements observed recently, has a compilation date of February 6, 2014.

“The persistence mechanism discovered in October 2014 makes it possible to intrude into a system in a really discreet manner and we estimate that other actors will use the same persistence mechanism in the near future,” said the security researcher.

Uroburos is also known as Turla and Snake, and the campaigns it has been involved in have been documented by experts at Symantec, Kaspersky and CrySyS Lab.

Previous analyses of the tools used by the threat actor point at hackers of Russian origin.