Mystery ComRAT cyber-surveillance tool still going strong, researchers confirm

January 20, 2015

Security experts seem no nearer to confirming the nation state behind the long-running Uroburos (aka ‘Snake’ or ‘Turla’) cyberweapon (Russia) but according to German security firm G Data its developers are still hard at work.

The rootkit’s existence was firmed up last March when BAE Systems, G Data and Kaspersky published separate research suggesting it had been used to compromise large enterprises and government networks for years, including its predecessor, Agent.BTZ, successfully used against the US military in 2008.

G Data has continued researching the software, with a new blog note offering a fuller development and version history for what is clearly a major intelligence-gathering and compromise platform of which Uroburos was only one component.

The earliest detection of 46 samples looked at was version 1.5 in June 2007 right up to a new RAT, ComRAT, discovered in 2014. BAE Systems believes this platform goes back even further, to 2005, which would make it the oldest nation state malware currently known about (Stuxnet probably didn’t get going until 2006).

Until last year, nobody noticed it, or if they did, the dots that would have revealed the scale of this platform weren’t joined up.

G Data’s detective work doesn’t add much to this sum of all knowledge, other than to confirm that the malware’s lower detection rates in 2011 coincided with a significant change in design that marked the point where Agent.btz disappeared and ComRAT became the new direction.

The more recent version also abandoned USB sticks as an infection target probably, G Data said, in response to Microsoft’s 2011 disabling of the Windows AutoRun function.

“As a result of the analysis, we now have data on seven years of development of malware that was used by one group for targeted attacks on extremely sensitive targets such as the US Pentagon in 2008, the Belgian Foreign Ministry in 2014 and the Finnish Foreign Ministry,” said G Data SecurityLabs head, Ralf Benzmüller.

The world now knows about the platform but that doesn’t seem to have put its developers off one bit.

“Taking everything into consideration, G DATA SecurityLabs experts are sure that the group behind Uroburos/Agent.BTZ/ComRAT/Linux tool/… will remain an active player in the malware and APT field. The newest revelations made and connections drawn let us believe that there is even more to come.”

It is most likely that this program was developed in Russia, which would fit with subsequent reports that the country has advanced cyberweapon and surveillance capabilities, including through its APT28 group of hackers.