
New RAT Shows ‘Snake’ Campaign Still Active: Researchers

Researchers at security firm G Data have uncovered a new remote access Trojan (RAT) that appears to have been developed by the group behind the notorious Snake (also known as Turla or Uroburos) espionage toolkit.

After analyzing the new threat, which they have dubbed “ComRAT,” experts have determined that it’s actually a successor of the notorious Agent.BTZ, the existence of which came to light in 2008 after it was used in what’s called the “worst breach of U.S. military computers in history.”

Earlier this year, G Data, BAE Systems and Kaspersky Lab published reports detailing the connections between Snake, which is said to have Russian roots, and Agent.BTZ.

While numerous aspects of the cyber espionage campaign were exposed by researchers, the existence of ComRAT demonstrates that the operation is still active, G Data said.

Experts have discovered two variants of ComRAT: v3.25 and v3.26. ComRAT 3.25 uses the same encoding key and installation log file name as Agent.BTZ and Snake. With the release of version 3.26, however, the malware developers appear to have tried to make the threat harder to analyze, and to mask the connection between ComRAT and Agent.BTZ.

In addition to the same encoding key and installation log file names, there are two other similarities between Snake, Agent.BTZ and ComRAT. First, the threats share some command and control (C&C) domain names. Secondly, some parts of the ComRAT code appear to have been copied from Snake and Agent.BTZ. In fact, the sample analyzed by G Data is detected as a variant of Snake because of the shared code.

With the release of ComRAT 3.26, the malware developers have changed the encoding key and eliminated the creation of an installation log file, most likely in an effort to disguise the connection between the espionage toolkits.

However, the most significant difference is in the design. Researchers say ComRAT is far more sophisticated than Agent.BTZ.

“The malware is loaded into each and every process of the infected machine and the main part (payload) of the malware is only executed in explorer.exe. Furthermore, the C&C communication blends into the usual browser traffic and the malware communicates to the browser by named pipe. It is by far a more complex userland design than Agent.BTZ,” G Data’s Paul Rascagnères wrote in a blog post.

The persistence mechanism used by ComRAT was seen recently in a different RAT called COMpfun. Both threats hijack Component Object Model (COM) objects to stay persistent on infected systems.

According to G Data, version 3.25 was compiled in February 2014. Version 3.26 appears to have been compiled in January 2013, but experts believe the date has been spoofed, possibly to hide the fact that it is a newer version of ComRAT.
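The compile date G Data refers to is the COFF TimeDateStamp in the PE header, which the builder writes and the malware author can freely overwrite. The ordering contradiction in the article (a higher version number carrying an earlier timestamp) is something an analyst can check mechanically across a family's samples. The following is an added example in Python, not code from G Data or from the article; the PE headers are constructed stubs that carry only the fields the parser reads, and the version labels and dates are illustrative.

```python
"""Read PE compile timestamps and flag version/timestamp ordering conflicts.

Added example (not G Data's code). The sample PE images are constructed stubs.
"""
import struct
from datetime import datetime, timezone
from typing import List, Tuple


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal MZ + PE/COFF header; enough for pe_compile_time() only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack(
        "<4sHHIIIHH",
        b"PE\0\0", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102,
    )  # IMAGE_FILE_MACHINE_I386, 1 section, stamp, no symbols, 32-bit optional header size
    return bytes(dos) + coff


def version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def timestamp_inconsistencies(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """samples: (version_string, pe_bytes). Returns (newer_version, newer_stamp,
    older_version, older_stamp) wherever a higher version carries an earlier stamp."""
    ordered = sorted((version_key(v), v, pe_compile_time(b)) for v, b in samples)
    findings = []
    for (_, older_v, older_ts), (_, newer_v, newer_ts) in zip(ordered, ordered[1:]):
        if newer_ts < older_ts:
            findings.append((newer_v, newer_ts.isoformat(), older_v, older_ts.isoformat()))
    return findings


def _utc(y: int, m: int, d: int) -> int:
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


# Constructed samples mirroring the ordering described in the article.
SAMPLES = [
    ("3.25", build_stub_pe(_utc(2014, 2, 10))),
    ("3.26", build_stub_pe(_utc(2013, 1, 15))),
]

if __name__ == "__main__":
    for version, image in SAMPLES:
        print(version, pe_compile_time(image).date())
    for newer_v, newer_ts, older_v, older_ts in timestamp_inconsistencies(SAMPLES):
        print(f"v{newer_v} ({newer_ts}) claims to predate v{older_v} ({older_ts})")
```

A reversed ordering is evidence, not proof, of timestomping; corroborate it with the timestamps of embedded resources and debug directory entries, and with the first-seen dates of the samples.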

“This analysis shows that even after the Uroburos publication in February 2014, the group behind this piece of malware seems to be still active. In any case, the ComRAT developers implemented new mechanisms, changed keys, removed log files to hide their activities and tried to disguise the connections between the RAT ComRAT, the rootkit Uroburos and the RAT Agent.BTZ as much as possible,” Rascagnères noted.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
