S0022 Uroburos
Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia’s Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.12
| Item | Value |
|---|---|
| ID | S0022 |
| Associated Names | Snake |
| Type | MALWARE |
| Version | 2.1 |
| Created | 31 May 2017 |
| Last Modified | 10 April 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Snake | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.1 |
| enterprise | T1071.003 | Mail Protocols | Uroburos can use custom communications protocols that ride over SMTP.1 |
| enterprise | T1071.004 | DNS | Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Uroburos has the ability to use the command line for execution on the targeted system.1 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Uroburos has registered a service, typically named WerFaultSvc, to decrypt and find a kernel driver and kernel driver loader to maintain persistence.1 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | Uroburos can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters a-z in C2 communications.1 |
| enterprise | T1005 | Data from Local System | Uroburos can use its Get command to exfiltrate specified files from the compromised system.1 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.1 |
| enterprise | T1001.003 | Protocol or Service Impersonation | Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. 1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.1 |
| enterprise | T1573.002 | Asymmetric Cryptography | Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.1 |
| enterprise | T1008 | Fallback Channels | Uroburos can use up to 10 channels to communicate between implants.1 |
| enterprise | T1083 | File and Directory Discovery | Uroburos can search for specific files on a compromised system.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.005 | Hidden File System | Uroburos can use concealed storage mechanisms including an NTFS or FAT-16 filesystem encrypted with CAST-128 in CBC mode.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Uroburos can run a Clear Agents Track command on an infected machine to delete Uroburos-related logs.1 |
| enterprise | T1105 | Ingress Tool Transfer | Uroburos can use a Put command to write files to an infected machine.1 |
| enterprise | T1559 | Inter-Process Communication | Uroburos has the ability to move data between its kernel and user mode components, generally using named pipes.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Uroburos has registered a service named WerFaultSvc, likely to spoof the legitimate Windows error reporting service.1 |
| enterprise | T1112 | Modify Registry | Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components.1 |
| enterprise | T1104 | Multi-Stage Channels | Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation.1 |
| enterprise | T1106 | Native API | Uroburos can use native Windows APIs including GetHostByName.1 |
| enterprise | T1095 | Non-Application Layer Protocol | Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Uroburos uses a custom packer.31 |
| enterprise | T1027.009 | Embedded Payloads | The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation.1 |
| enterprise | T1027.011 | Fileless Storage | Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.1 |
| enterprise | T1027.013 | Encrypted/Encoded File | Uroburos can use AES and CAST-128 encryption to obfuscate resources.1 |
| enterprise | T1057 | Process Discovery | Uroburos can use its Process List command to enumerate processes on compromised hosts.1 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Uroburos can use DLL injection to load embedded files and modules.1 |
| enterprise | T1572 | Protocol Tunneling | Uroburos has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS.1 |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.1 |
| enterprise | T1012 | Query Registry | Uroburos can query the Registry, typically HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, to find the key and path to decrypt and load its kernel driver and kernel driver loader.1 |
| enterprise | T1620 | Reflective Code Loading | Uroburos has the ability to load new modules directly into memory using its Load Modules Mem command.1 |
| enterprise | T1014 | Rootkit | Uroburos can use its kernel module to prevent its host components from being listed by the targeted system’s OS and to mediate requests between user mode and concealed components.21 |
| enterprise | T1082 | System Information Discovery | Uroburos has the ability to gather basic system information and run the POSIX API gethostbyname.1 |
| enterprise | T1205 | Traffic Signaling | Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | 21 |
References
-
FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. ↩↩↩
-
Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015. ↩