win.uroburos

Uroburos

aka: Snake

Actor(s): Turla Group


There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2018-11-22nccgroupBen Humphrey
@online{humphrey:20181122:turla:de7f30a, author = {Ben Humphrey}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/}, language = {English}, urldate = {2019-11-21} } Turla PNG Dropper is back
Uroburos Turla Group
2018-03CrySyS LabBoldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-08-18vmwareJared Myers
@online{myers:20170818:threat:6ee2607, author = {Jared Myers}, title = {{Threat Analysis: Carbon Black Threat Research Dissects PNG Dropper}}, date = {2017-08-18}, organization = {vmware}, url = {https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/}, language = {English}, urldate = {2020-01-09} } Threat Analysis: Carbon Black Threat Research Dissects PNG Dropper
Uroburos
2014-11-11G DataG Data
@online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } The Uroburos case: new sophisticated RAT identified
Agent.BTZ Uroburos
2014-06-02G DataG Data
@online{data:20140602:analysis:1038a5f, author = {G Data}, title = {{Analysis of Uroburos, using WinDbg}}, date = {2014-06-02}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg}, language = {English}, urldate = {2020-01-09} } Analysis of Uroburos, using WinDbg
Uroburos
2014-05-13G DataG Data
@online{data:20140513:uroburos:a8b1175, author = {G Data}, title = {{Uroburos rootkit: Belgian Foreign Ministry stricken}}, date = {2014-05-13}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken}, language = {English}, urldate = {2019-10-27} } Uroburos rootkit: Belgian Foreign Ministry stricken
Uroburos
2014-03-07G DataG Data
@online{data:20140307:uroburos:22ddc69, author = {G Data}, title = {{Uroburos – Deeper travel into kernel protection mitigation}}, date = {2014-03-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation}, language = {English}, urldate = {2019-11-23} } Uroburos – Deeper travel into kernel protection mitigation
Uroburos
2014-02-28G Data BlogG Data
@online{data:20140228:uroburos:f6fdb48, author = {G Data}, title = {{Uroburos - highly complex espionage software with Russian roots}}, date = {2014-02-28}, organization = {G Data Blog}, url = {https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots}, language = {English}, urldate = {2019-11-28} } Uroburos - highly complex espionage software with Russian roots
Uroburos
2014circl.luCIRCL
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
Cobra Carbon System Uroburos Turla Group
Yara Rules
[TLP:WHITE] win_uroburos_auto (20200831 | autogenerated rule brought to you by yara-signator)
rule win_uroburos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos"
        malpedia_rule_date = "20200817,20200831"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200831"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES on the per-byte annotations below
     * The disassembly comments were re-derived from the opcode bytes of each
     * hex string: the auto-generated comments did not line up with the bytes
     * they sat next to (e.g. `7503` is a short `jne`, not `test ch, 1`, and
     * `21450c` is `and [ebp+0xc], eax`, not `mov eax, esp`).
     * - The score = 300 sequences decode cleanly as 32-bit x86.
     * - The score = 200 sequences contain REX prefixes (0x41/0x42/0x44/0x48/
     *   0x49/0x4d) and are annotated as x86-64; decoding them as 32-bit is
     *   what produced the `dec eax` / `inc ecx` artefacts in the original
     *   comments. Whether the sample is a 64-bit build is inferred from the
     *   coherent decode, not verified against the hash above.
     * - Jump targets follow the yara-signator convention: instruction length
     *   plus displacement, i.e. an offset measured from the start of the jump
     *   instruction itself.
     * - `??` bytes match any byte; they sit where the generator wildcarded
     *   relocatable immediates and displacements. They are written here as
     *   [imm32] / rel32 to show the instruction shape only.
     * - Several sequences share immediates of the form 0x2159xxxx
     *   ($sequence_13, _17, _20, _21, _22). They look like a family-specific
     *   status/error-code base; that is an inference from the bytes, not a
     *   verified fact.
     */


    strings:
        $sequence_0 = { 7503 21450c 837d0c00 7411 a1???????? 09c0 7408 }
            // n = 7, score = 300
            //   7503                 | jne                 0x5
            //   21450c               | and                 dword ptr [ebp + 0xc], eax
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7411                 | je                  0x13
            //   a1????????           | mov                 eax, dword ptr [imm32]
            //   09c0                 | or                  eax, eax
            //   7408                 | je                  0xa

        $sequence_1 = { 53 e8???????? 83fe01 89450c 750c 09c0 }
            // n = 6, score = 300
            //   53                   | push                ebx
            //   e8????????           | call                rel32
            //   83fe01               | cmp                 esi, 1
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   750c                 | jne                 0xe
            //   09c0                 | or                  eax, eax

        $sequence_2 = { 09c0 750e 3905???????? 7e2c ff0d???????? 83f801 }
            // n = 6, score = 300
            //   09c0                 | or                  eax, eax
            //   750e                 | jne                 0x10
            //   3905????????         | cmp                 dword ptr [imm32], eax
            //   7e2c                 | jle                 0x2e
            //   ff0d????????         | dec                 dword ptr [imm32]
            //   83f801               | cmp                 eax, 1

        $sequence_3 = { 09c0 7537 57 50 53 e8???????? 09f6 }
            // n = 7, score = 300
            //   09c0                 | or                  eax, eax
            //   7537                 | jne                 0x39
            //   57                   | push                edi
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           | call                rel32
            //   09f6                 | or                  esi, esi

        $sequence_4 = { 09c9 7407 ffd1 a1???????? 832d????????04 3905???????? 73de }
            // n = 7, score = 300
            //   09c9                 | or                  ecx, ecx
            //   7407                 | je                  9
            //   ffd1                 | call                ecx
            //   a1????????           | mov                 eax, dword ptr [imm32]
            //   832d????????04       | sub                 dword ptr [imm32], 4
            //   3905????????         | cmp                 dword ptr [imm32], eax
            //   73de                 | jae                 -0x20   (backward jump)

        $sequence_5 = { 7526 85d2 7411 8b493c 8bc2 }
            // n = 5, score = 300
            //   7526                 | jne                 0x28
            //   85d2                 | test                edx, edx
            //   7411                 | je                  0x13
            //   8b493c               | mov                 ecx, dword ptr [ecx + 0x3c]   ; 0x3c = IMAGE_DOS_HEADER.e_lfanew if ecx is a module base (not verifiable from this fragment)
            //   8bc2                 | mov                 eax, edx

        $sequence_6 = { e8???????? 50 5f 09ff 59 }
            // n = 5, score = 300
            //   e8????????           | call                rel32
            //   50                   | push                eax
            //   5f                   | pop                 edi
            //   09ff                 | or                  edi, edi
            //   59                   | pop                 ecx

        $sequence_7 = { 09c0 7503 21450c 837d0c00 }
            // n = 4, score = 300
            // NOTE: the last three instructions are also the first three of
            // $sequence_0, so both strings can hit at the same location.
            //   09c0                 | or                  eax, eax
            //   7503                 | jne                 0x5
            //   21450c               | and                 dword ptr [ebp + 0xc], eax
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0

        $sequence_8 = { 8b0d???????? 8b09 09c9 7407 }
            // n = 4, score = 300
            //   8b0d????????         | mov                 ecx, dword ptr [imm32]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   09c9                 | or                  ecx, ecx
            //   7407                 | je                  9

        $sequence_10 = { 418bcc 4889442420 e8???????? 8bd8 488bcf e8???????? 8bc3 }
            // n = 7, score = 200   (x86-64 decode, see review notes)
            //   418bcc               | mov                 ecx, r12d
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   e8????????           | call                rel32
            //   8bd8                 | mov                 ebx, eax
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                rel32
            //   8bc3                 | mov                 eax, ebx

        $sequence_12 = { 89742420 e8???????? 85c0 750a }
            // n = 4, score = 200   (x86-64 decode, see review notes)
            //   89742420             | mov                 dword ptr [rsp + 0x20], esi
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc

        $sequence_13 = { ff15???????? bb08005921 f7d8 1bc9 }
            // n = 4, score = 200   (x86-64 decode, see review notes)
            //   ff15????????         | call                qword ptr [rip + rel32]
            //   bb08005921           | mov                 ebx, 0x21590008
            //   f7d8                 | neg                 eax
            //   1bc9                 | sbb                 ecx, ecx              ; neg/sbb idiom: ecx = -1 if eax != 0, else 0

        $sequence_17 = { e8???????? 85c0 740e 8d9891010000 81cb00005921 eb02 33db }
            // n = 7, score = 200   (x86-64 decode, see review notes)
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   8d9891010000         | lea                 ebx, [rax + 0x191]
            //   81cb00005921         | or                  ebx, 0x21590000
            //   eb02                 | jmp                 4
            //   33db                 | xor                 ebx, ebx

        $sequence_19 = { 4881c108010000 483bc1 7211 4963403c 42813c0050450000 7503 33c0 }
            // n = 7, score = 200   (x86-64 decode, see review notes)
            // Reads the DOS header e_lfanew (offset 0x3c) and compares the
            // dword it points at with 0x4550 ("PE\0\0"), i.e. a PE header
            // validity check with r8 as the image base.
            //   4881c108010000       | add                 rcx, 0x108
            //   483bc1               | cmp                 rax, rcx
            //   7211                 | jb                  0x13
            //   4963403c             | movsxd              rax, dword ptr [r8 + 0x3c]
            //   42813c0050450000     | cmp                 dword ptr [rax + r8], 0x4550
            //   7503                 | jne                 0x5
            //   33c0                 | xor                 eax, eax

        $sequence_20 = { e9???????? 4d85c0 750a b867005921 e9???????? 448bc1 }
            // n = 6, score = 200   (x86-64 decode, see review notes)
            //   e9????????           | jmp                 rel32
            //   4d85c0               | test                r8, r8
            //   750a                 | jne                 0xc
            //   b867005921           | mov                 eax, 0x21590067
            //   e9????????           | jmp                 rel32
            //   448bc1               | mov                 r8d, ecx

        $sequence_21 = { e8???????? 3bc3 740c 0591010000 0d00005921 }
            // n = 5, score = 200   (x86-64 decode, see review notes)
            //   e8????????           | call                rel32
            //   3bc3                 | cmp                 eax, ebx
            //   740c                 | je                  0xe
            //   0591010000           | add                 eax, 0x191
            //   0d00005921           | or                  eax, 0x21590000

        $sequence_22 = { 7507 b804005921 eb40 41b804010000 488bd3 488bc8 }
            // n = 6, score = 200   (x86-64 decode, see review notes)
            //   7507                 | jne                 9
            //   b804005921           | mov                 eax, 0x21590004
            //   eb40                 | jmp                 0x42
            //   41b804010000         | mov                 r8d, 0x104            ; 0x104 = 260, plausibly MAX_PATH (unverified)
            //   488bd3               | mov                 rdx, rbx
            //   488bc8               | mov                 rcx, rax

        $sequence_23 = { 8bce ff15???????? 3d040000c0 751c }
            // n = 4, score = 200   (x86-64 decode, see review notes)
            //   8bce                 | mov                 ecx, esi
            //   ff15????????         | call                qword ptr [rip + rel32]
            //   3d040000c0           | cmp                 eax, 0xc0000004       ; NTSTATUS STATUS_INFO_LENGTH_MISMATCH; the callee is wildcarded, so which Nt* API is queried cannot be told from here
            //   751c                 | jne                 0x1e

        $sequence_26 = { c744242000200000 ff15???????? 85c0 742d }
            // n = 4, score = 200   (x86-64 decode, see review notes)
            //   c744242000200000     | mov                 dword ptr [rsp + 0x20], 0x2000
            //   ff15????????         | call                qword ptr [rip + rel32]
            //   85c0                 | test                eax, eax
            //   742d                 | je                  0x2f

    condition:
        // 19 strings are defined above; any 7 must match. Because the
        // score = 300 and score = 200 groups come from differently-decoded
        // code, a 32-bit and a 64-bit sample are unlikely to satisfy the
        // threshold through the same strings. $sequence_0 and $sequence_7
        // overlap on `7503 21450c 837d0c00`, so one code location can
        // account for two of the seven hits. `filesize` is in bytes
        // (1136640 ~= 1.08 MiB); larger files are not matched regardless of
        // string hits, which matters for scanning padded or bundled files.
        7 of them and filesize < 1136640
}