Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Uroburos
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Uroburos
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)
ID: S0022
Associated Software: Snake
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 10 Apr 2024

Associated Software Descriptions
Name Description
Snake (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
.003 Application Layer Protocol: Mail Protocols

Uroburos can use custom communications protocols that ride over SMTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

.004 Application Layer Protocol: DNS

Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Uroburos has the ability to use the command line for execution on the targeted system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Uroburos has registered a service, typically named `WerFaultSvc`, to decrypt and find a kernel driver and kernel driver loader to maintain persistence.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Uroburos can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters a-z in C2 communications.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Enterprise T1001 .001 Data Obfuscation: Junk Data

Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
.003 Data Obfuscation: Protocol or Service Impersonation

Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
.002 Encrypted Channel: Asymmetric Cryptography

Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise T1564 .005 Hide Artifacts: Hidden File System

Uroburos can use concealed storage mechanisms including an NTFS or FAT-16 filesystem encrypted with CAST-128 in CBC mode.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Enterprise T1070 .004 Indicator Removal: File Deletion

Uroburos can run a `Clear Agents Track` command on an infected machine to delete Uroburos-related logs.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Uroburos has registered a service named `WerFaultSvc`, likely to spoof the legitimate Windows error reporting service.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Uroburos uses a custom packer.(Citation: Symantec Waterbug)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
.009 Obfuscated Files or Information: Embedded Payloads

The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

.011 Obfuscated Files or Information: Fileless Storage

Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.`(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Uroburos can use AES and CAST-128 encryption to obfuscate resources.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Uroburos can use DLL injection to load embedded files and modules.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Enterprise T1090 .003 Proxy: Multi-hop Proxy

Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Groups That Use This Software
ID Name References
G0010 Turla

(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) (Citation: Kaspersky Turla)

References

  1. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  2. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  3. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.