Security Experts:

New RAT Shows 'Snake' Campaign Still Active: Researchers

Researchers at security firm G Data have uncovered a new remote access Trojan (RAT) that appears to have been developed by the group behind the notorious Snake (also known as Turla or Uroburos) espionage toolkit.

After analyzing the new threat, which they have dubbed "ComRAT," experts have determined that it's actually a successor of the notorious Agent.BTZ, the existence of which came to light in 2008 after it was used in what's called the "worst breach of U.S. military computers in history."

Earlier this year, G Data, BAE Systems and Kaspersky Lab published reports detailing the connections between Snake, which is said to have Russian roots, and Agent.BTZ.

While numerous aspects of the cyber espionage campaign were exposed by researchers, the existence of ComRAT demonstrates that the operation is still active, G Data said.

Trojan Malware Experts have discovered two variants of ComRAT: v3.25 and v3.26. ComRAT 3.25 uses the same encoding key and installation log file name as Agent.BTZ and Snake. However, with the release of version 3.26, the malware developers seem to have attempted to make it more difficult to analyze the threat. They have also tried to mask the connection between ComRAT and Agent.BTZ.

In addition to the same encoding key and installation log file names, there are two other similarities between Snake, Agent.BTZ and ComRAT. First, the threats share some command and control (C&C) domain names. Secondly, some parts of the ComRAT code appear to have been copied from Snake and Agent.BTZ. In fact, the sample analyzed by G Data is detected as a variant of Snake because of the shared code.

With the release of ComRAT 3.26, the malware developers have changed the encoding key and eliminated the creation of an installation log file, most likely in an effort to disguise the connection between the espionage toolkits.

However, the most significant difference is in the design. Researchers say ComRAT is far more sophisticated than Agent.BTZ.

"The malware is loaded into each and every process of the infected machine and the main part (payload) of the malware is only executed in explorer.exe. Furthermore, the C&C communication blends into the usual browser traffic and the malware communicates to the browser by named pipe. It is by far a more complex userland design than Agent.BTZ," G Data's Paul Rascagnères wrote in a blog post.

The persistence mechanism used by ComRAT was seen recently in a different RAT called COMpfun. Both threats hijack Component Object Model (COM) objects to stay persistent on infected systems.

According to G Data, version 3.25 was compiled in February 2014. Version 3.26 appears to have been compiled in January 2013, but experts believe the date has been spoofed possibly to hide the fact that it's a newer version of ComRAT.

"This analysis shows that even after the Uroburos publication in February 2014, the group behind this piece of malware seems to be still active. In any case, the ComRAT developers implemented new mechanisms, changed keys, removed log files to hide their activities and tried to disguise the connections between the RAT ComRAT, the rootkit Uroburos and the RAT Agent.BTZ as much as possible," Rascagnères noted.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.