Russian intelligence services could be responsible for a new piece of malware known as “Uroburos” that is remarkably similar to a previous piece of malware from the same country.
A blog post from GData cites the complex nature of the malware, the presence of Cyrillic language, file names and encryption keys, and the behaviour of Uroburos as evidence that Russia has something to do with it.
The piece of malware also checks for the presence of Agent.BTZ, which was used to carry out an extensive cyber-attack against the United States in 2008; at the time, an article by Reuters mentioned that the “attack was crafted by Russian intelligence.”
“The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered,” stated GData Software.
Uroburos works as a rootkit comprised of two files: a driver and an encrypted virtual file system. The rootkit can take control of an infected machine, carry out arbitrary commands and hide its activities on the system. It is then able to steal information and take over network traffic.
It operates by infecting a machine that is connected to the Internet and can then access other computers on the same network even if they aren’t connected to the Internet. The malware hoovers up all the data it requires before returning it to the malware authors by moving from machine to machine until it finds one connected to the Internet.
GData has stated that the malware is "one of the most advanced rootkits we have ever analyzed" and believes it was created in 2011, lying undiscovered until now.