Kaspersky Lab Details Connections Between ‘Snake’ and Agent.BTZ Malware

Security researchers from BAE Systems and G-Data recently shared research on a cyber-espionage toolkit called Snake (also referred to as Turla or Uroburos) that was used in attacks against targets in Ukraine, Lithuania, Great Britain, the United States and other nations.

According to BAE Systems, the malware is the work of a technically sophisticated and well-organized group. However, BAE did not say exactly who is behind the campaign or who might be funding it, despite evidence linking these tools to previous breaches attributed to Russian threat actors.

While BAE determined that there was a connection between the authors of Snake and Agent.BTZ, Kaspersky Lab has dug a little deeper and found some interesting details.

As background, Agent.btz was highlighted by the media in late 2008 after it was found infecting US military networks.

According to Wikipedia, the 2008 cyberattack on the United States was the “worst breach of U.S. military computers in history” and led to the creation of the United States Cyber Command.

Some reports say that it took the Pentagon roughly 14 months to fully eradicate Agent.BTZ from military networks.

Kaspersky Lab said that it first became aware of the cyber espionage campaign in March 2013, when the company’s experts were investigating an incident involving a highly sophisticated rootkit.

Originally known as the “Sun rootkit”, after the filename of its virtual file system, “sunstore.dmp” (also accessible as “.Sundrive1” and “.Sundrive2”), the rootkit and Snake are in fact one and the same, Kaspersky says.


Kaspersky Lab experts say the Agent.btz worm has “served as an inspiration” for the creation of a range of sophisticated cyber weapons, including Red October, Turla and Flame/Gauss:

· Red October developers clearly knew about Agent.btz’s functionality: their USB Stealer module (created in 2010-2011) searches connected USB drives for the worm’s data containers (“mssysmgr.ocx” and “thumb.dd” files), which hold information about infected systems and activity logs, and steals them.

· Turla uses the same file names for the logs it stores on the infected system (“mswmpdat.tlb”, “winview.ocx” and “wmcache.nld”), and the same XOR key for encrypting its log files, as Agent.btz.

· Flame/Gauss use similar naming conventions, such as “*.ocx” files and “thumb*.db”, and likewise use the USB drive as a container for stolen data.
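The file names in the list above are the kind of host-based indicator a responder would sweep a drive for. The script below is an added example (not Kaspersky’s, BAE’s or any vendor’s tool): it walks a directory tree or a supplied path listing and flags the Agent.btz container files and the Agent.btz/Turla log-file names named in the article. The sample listing is constructed for illustration, not taken from a real incident.

```python
"""Hunt for the Agent.btz / Turla / Red October file-name indicators.

Added example, not code from the original article or from any vendor.
Indicator names are those quoted in the article; the sample listing
below is constructed, not real forensic data.
"""
import os
from pathlib import PureWindowsPath

# Data containers Agent.btz (and Red October's USB Stealer) look for on USB drives.
AGENT_BTZ_CONTAINERS = {"mssysmgr.ocx", "thumb.dd"}
# Log file names shared by Agent.btz and Turla on the infected system.
TURLA_LOG_FILES = {"mswmpdat.tlb", "winview.ocx", "wmcache.nld"}

# Lower-case lookup table: Windows file systems are case-insensitive,
# so the sweep must be too.
INDICATORS = {name: "Agent.btz data container" for name in AGENT_BTZ_CONTAINERS}
INDICATORS.update({name: "Agent.btz/Turla log file" for name in TURLA_LOG_FILES})


def classify(path):
    """Return the indicator label for a path, or None if it is not an indicator.

    PureWindowsPath accepts both '\\' and '/' separators, so the same code
    works on listings exported from Windows and on paths from os.walk() on
    a Linux forensic workstation with the drive image mounted.
    """
    name = PureWindowsPath(path).name.lower()
    return INDICATORS.get(name)


def scan_paths(paths):
    """Classify an iterable of paths; returns a list of (path, label) hits in order."""
    hits = []
    for path in paths:
        label = classify(path)
        if label is not None:
            hits.append((path, label))
    return hits


def scan_tree(root):
    """Walk a directory tree (for example a mounted USB drive) and return hits."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            label = classify(full)
            if label is not None:
                found.append((full, label))
    return found


# Constructed sample listing (hypothetical, not real data): what a file
# enumeration of a removable drive and a system directory might return.
SAMPLE_LISTING = [
    r"E:\thumb.dd",
    r"E:\autorun.inf",
    r"C:\Windows\System32\mswmpdat.tlb",
    r"C:\Windows\System32\MSSYSMGR.OCX",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for path, label in scan_paths(SAMPLE_LISTING):
        print(f"{label:26s} {path}")
```

The sweep deliberately matches only exact names. The looser “thumb*.db” convention attributed to Flame/Gauss is not included because Windows Explorer itself writes a legitimate “Thumbs.db” into folders, so a wildcard on that pattern would flood a hunt with false positives; treat a hit on the exact names above as a lead to triage, not proof of infection, since the names were public by 2008 and can be reused by anyone.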

Do these examples mean that there is a direct link between developers of these cyber espionage tools?

“It is not possible to draw such a conclusion based on these facts alone,” said Aleks Gostev, Chief Security Expert at Kaspersky Lab. “The information used by developers was publicly known at the time of Red October and Flame/Gauss’ creation.”

“It is no secret that Agent.btz used “thumb.dd” as a container file to collect information from infected systems,” he said. “In addition, the XOR key used by the developers of Turla and Agent.btz to encrypt their log files was also published in 2008.” 

[Figure: Map of infections caused by different modifications of “Agent.btz” in 2011-2013]

According to data collected by Kaspersky Lab, Agent.btz was discovered on 13,800 systems across 100 countries in 2013.

More details are available in a blog post to Kaspersky Lab’s Securelist.

Sergey Shevchenko also published an interesting report on the modus operandi of Agent.btz in November 2008. 

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
