Analysis of Project Cobra

Another extensible framework used by the Uroburos’ actors


Author: Paul Rascagnères

Project Cobra and the Carbon System were mentioned by Kaspersky in the article called “The Epic Turla Operation”. This malware is used by the same actors as Uroburos (aka Snake/Turla) and Agent.BTZ. We estimate that Carbon System was developed after Agent.BTZ and before Uroburos. The Carbon System shares some technical details with Uroburos and Agent.BTZ (encryption key, encryption algorithm, design, …) and some other links, such as the name of the snake-related project: Cobra. Uroburos could be considered a kernel-centric “snake” and Cobra Carbon System a userland-centric “snake”.

Author: Paul Rascagnères

In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit. We assume that the actor behind these campaigns uses several different malware strains in order to compromise the targeted infrastructure: Uroburos, a rootkit; Agent.BTZ/ComRAT, remote administration tools or Linux malware and maybe even more.

BKA strikes a blow against botnet operators

G DATA provides free tool for purging Dropperbot


Author: Sabrina Berkenkopf

The Federal Criminal Police Office (Bundeskriminalamt; BKA) has made a successful strike against cyber criminals by halting the distribution of Dropperbot. The main task of the malware, which, according to initial reports, has infected 11,000 computers across the world, was to steal data from infected computers – until it was discovered. Around half of the infections have been detected in Germany. Now that the perpetrators have been arrested, it is a matter of cleaning up the PCs. G DATA is providing all computer users with a free tool to detect and remove Dropperbot that works independently of the installed AV software.

Money is what matters, and visitors are money

Or: Why online casino advertising appears on legitimate websites


Author: Sabrina Berkenkopf

Gambling has always been a somewhat shady area – online and offline. In the digital world, the proportion of legal gambling sites is vanishingly small [1], in Germany at least, compared to the almost countless number of providers. Every provider is on the lookout for customers and so has to have a presence – on search engines for example. Experts at G DATA explain three of the methods currently used for increasing the level of awareness that all involve the manipulation of websites and that website visitors might come across while surfing.

COM Object hijacking: the discreet way of persistence

An Analysis of a new persistence mechanism in the wild


Author: Paul Rascagnères

G DATA SecurityLabs experts discovered a new Remote Administration Tool, which we dubbed COMpfun. This RAT supports 32-bit and 64-bit Windows versions, up to the Windows 8 operating system. The features are rather common for today’s espionage tools: file management (download and upload), screenshot taking, keylogger functionality, code execution possibility and more. It uses HTTPS and asymmetric encryption (RSA) to communicate with the command and control server. The big novelty is the persistence mechanism: the malware hijacks a legitimate COM object in order to be injected into the processes of the compromised system. It is remarkable that this hijacking action does not need administrator rights. With this RAT, attackers could spy on an infected system for quite a long time, as this detection evasion and persistence mechanism is indeed pretty advanced!

Author: Ralf Benzmüller

G DATA’s Malware Report H2 2013 includes the most important statistics and information regarding new malware types, websites’ threat potential as well as botnet and banking Trojan activities. Check out the essential facts.