{
	"id": "93444075-1304-428d-b335-4575ae005b20",
	"created_at": "2026-04-06T00:14:29.879139Z",
	"updated_at": "2026-04-10T13:12:00.067843Z",
	"deleted_at": null,
	"sha1_hash": "1bb0a7b7f784cca21f919f0f760a9ce948f6e668",
	"title": "Something about one of the Uroburos’ RPC-based backdoors – Emanuele De Lucia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271884,
	"plain_text": "Something about one of the Uroburos’ RPC-based backdoors –\r\nEmanuele De Lucia\r\nBy edelucia\r\nPublished: 2021-11-05 · Archived: 2026-04-02 12:43:04 UTC\r\nBigBoss is one of the RPC-based backdoors used by Uroburos (aka Turla, Snake, Venomous Bear, Pacifier). It\r\nwas first spotted out in 2018 and was observed to include new features in the last quarter of 2020. During\r\noperations usually it’s used in combination with R.A.T. (Remote Administration Tools) such\r\nas Kazuar and Carbon. Several months ago I had the opportunity to analyze some versions of these pieces of\r\nmalware and have now decided to publish an excerpt based solely on some specific technical characteristics\r\nobserved. The activity had as objective the production of detection and attribution rules one of which is shared in\r\nthis post.\r\nInsights\r\nBigBoss implants exports basically (3) three functions. The Start() one is designed to retrieve basic information\r\nand to call sub_407E50 at 0040B0D3. First of all modulename kernel32.dll is dexored through the\r\nkey 0x4d4e and an handle to kernel32.dll is obtained through GetModuleHandle. Malware writer chose to\r\ndynamically resolve certain API functions likely in order to hide information, from static analysis, about libraries\r\nand functions that are used by the implant and normally stored in IAT. In this case IsWow64Process is found\r\nthrough GetProcAddress to retrieve OS bitness.\r\nShortly after a call to sub_409C70 where the path of the .inf file is retrieved.\r\nhttps://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/\r\nPage 1 of 7\n\nBigBoss writes a configuration file named backport.inf. The configuration file is written\r\nto %SystemRoot%\\INF\\backport.inf (as reported in screenshot above) and contains a [Version] section with\r\nvarious configuration entries. 
At this point the code calls StartServiceCtrlDispatcher to connect to the Service Control Manager (SCM) and start the control dispatcher thread. The dispatcher thread loops, waiting for incoming control requests for the services specified in the dispatch table. The service name is SWCheckState. Further API functions are then resolved dynamically. One of them is CreateService, again retrieved through a GetProcAddress call after a handle to advapi32.dll has been obtained in sub_408790. After the service is created, OpenService is called to interact with it, and ChangeServiceConfig2W and ChangeServiceConfigW are subsequently used to modify its parameters. Finally, StartService starts the service. In ServiceMain, RegisterServiceCtrlHandlerEx is used to register a control handler with the control dispatcher, SetServiceStatus sets the status of the service and CreateEvent then creates the event object.\r\nThe SMB server is then enabled through the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters, written in sub_40AB90. Named pipes are used for interprocess communication (IPC) both locally and remotely. 
Access to remote named pipes is done via SMB.\r\nThe registry value HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous is then set to 0 so that anonymous logon users are permitted to access shared resources on the host.\r\nThe value HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LanmanServer\\Parameters\\NullSessionPipes is also written in order to add the following entries (pipes reachable over a null session):\r\nCOMNAP\r\nCOMNODE\r\nSQLQUERY\r\nSPOOLSS\r\nLLSRPC\r\nbrowser\r\nsub_40AAE0 is responsible for connections to remote devices via the IPC$ share, using WNetAddConnection2.\r\nBigBoss supports connections through null sessions or with default credentials. A thread is then created with sub_408830 as its start address. This thread is mainly responsible for handling communications with the command-and-control (C2) server. CreateNamedPipeW and ConnectNamedPipe are used to test the connection. If successful, it is able to retrieve additional payloads and write the results of operations into log files created under the %temp% path.\r\nConclusions\r\nBigBoss is an integral part of the Turla team’s attack and persistence suite. Its development and evolution have probably shared practices and logic with other implants linked to its main cluster, such as the second-stage backdoor Carbon. 
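The host-side changes described above (the SWCheckState service, the backport.inf configuration file, RestrictAnonymous set to 0 and the pipe names added to NullSessionPipes) are what a responder would look for on a suspect machine. The following Python is an added example, not code from the post or from the implant: assess() scores a snapshot of the relevant registry keys, collect_live() gathers that snapshot with winreg on a Windows host, and INFECTED_SNAPSHOT is a constructed stand-in so the check also runs offline. The severities, the decision to read both CurrentControlSet and ControlSet001 for the LanmanServer Parameters key, and the value names probed under the service key are this example’s choices. One caveat: RestrictAnonymous = 0 is the default on most Windows installations, so on its own it only corroborates the stronger indicators (the service and the file).

```python
'''Host triage for the BigBoss artefacts named in the analysis.
Added example, not code from the post or from the implant.'''
import ntpath
import sys

# Registry locations from the analysis, built with ntpath so they carry
# Windows separators.
LSA_KEY = ntpath.join('SYSTEM', 'CurrentControlSet', 'Control', 'Lsa')
SERVICE_KEY = ntpath.join('SYSTEM', 'CurrentControlSet', 'Services', 'SWCheckState')
# The post saw NullSessionPipes written under ControlSet001; read that and
# CurrentControlSet (example choice) in case they are not the same set.
LANMAN_PARAMS = [
    ntpath.join('SYSTEM', cs, 'Services', 'LanmanServer', 'Parameters')
    for cs in ('CurrentControlSet', 'ControlSet001')
]
INF_PATH = ntpath.join('%SystemRoot%', 'INF', 'backport.inf')

# Pipe names the post reports being added to NullSessionPipes.
BIGBOSS_PIPES = {'comnap', 'comnode', 'sqlquery', 'spoolss', 'llsrpc', 'browser'}


def assess(snapshot, inf_present=False):
    '''snapshot maps a registry key path to {value name: data} as winreg
    returns it (REG_DWORD -> int, REG_MULTI_SZ -> list of str). Returns
    (severity, message) findings, strongest first.'''
    findings = []
    if SERVICE_KEY in snapshot:
        findings.append(('high', 'service SWCheckState is installed'))
    if inf_present:
        findings.append(('high', 'configuration file ' + INF_PATH + ' exists'))
    for key in LANMAN_PARAMS:
        pipes = snapshot.get(key, {}).get('NullSessionPipes') or []
        hits = sorted(BIGBOSS_PIPES & {p.lower() for p in pipes})
        if hits:
            findings.append(('medium', 'NullSessionPipes under ' + key + ' lists ' + ', '.join(hits)))
    # RestrictAnonymous=0 is the default on most Windows installs, so alone it
    # only corroborates the findings above.
    if snapshot.get(LSA_KEY, {}).get('RestrictAnonymous') == 0:
        findings.append(('low', 'Lsa RestrictAnonymous is 0 (anonymous access not restricted)'))
    return findings


def collect_live():
    '''Windows only: read the keys above from HKLM and test for the INF file.'''
    import os
    import winreg
    snapshot = {}
    for key in [LSA_KEY, SERVICE_KEY] + LANMAN_PARAMS:
        try:
            handle = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key)
        except OSError:
            continue                                  # key absent
        with handle:
            values = {}
            for name in ('RestrictAnonymous', 'NullSessionPipes', 'ImagePath'):
                try:
                    values[name] = winreg.QueryValueEx(handle, name)[0]
                except OSError:
                    pass                              # value absent
            snapshot[key] = values
    return snapshot, os.path.exists(os.path.expandvars(INF_PATH))


# Constructed snapshot reproducing the state the post describes (not data
# from a real host), plus a baseline with only the default RestrictAnonymous.
INFECTED_SNAPSHOT = {
    LSA_KEY: {'RestrictAnonymous': 0},
    SERVICE_KEY: {},
    LANMAN_PARAMS[1]: {'NullSessionPipes': ['COMNAP', 'COMNODE', 'SQLQUERY', 'SPOOLSS', 'LLSRPC', 'browser']},
}
CLEAN_SNAPSHOT = {LSA_KEY: {'RestrictAnonymous': 0}, LANMAN_PARAMS[0]: {'NullSessionPipes': []}}

if __name__ == '__main__':
    snap, inf = collect_live() if sys.platform == 'win32' else (INFECTED_SNAPSHOT, True)
    for severity, message in assess(snap, inf):
        print(severity.upper(), message)
```

On a live Windows host the script needs to run elevated enough to read HKLM; on any other platform it evaluates the constructed snapshot. The pipe names are compared case-insensitively because the registry itself does not distinguish case in REG_MULTI_SZ entries used for pipe matching.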
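The hex string of the rule released in the Detection section below accepts two encodings of the same call sequence: the alternatives after 8B and 8D, such as (4C 24 ??|55 ??) and (44 24 ??|4D ??), cover mov and lea operands addressed from esp ([esp+disp8], the form a compiler emits when it omits the frame pointer) and from ebp ([ebp+disp8]), so the shared chunk is caught whichever frame convention the build used for that function. The following Python is an added example, not code from the post: it compiles a YARA hex string (byte wildcards, nibble wildcards, alternatives and jumps) into a bytes regex and runs it over two constructed byte sequences, one per addressing form, so the rule logic can be exercised without yara-python. The byte sequences are made up to fit the pattern and are not taken from any sample.

```python
'''Compile a YARA hex string into a bytes regex and exercise it on
constructed input. Added example; not code from the post.'''
import re

# Hex string of rule Turla_Code_00325_00291, copied from the Detection
# section (YARA ignores the whitespace, so the wrapping does not matter).
BIGBOSS_HEX = '''
8B (4C 24 ??|55 ??) (51|52) 8D (54 24 ??|45 ??) (52|50) 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D (44 24 ??|4D ??)
(50|51) 6A ?? 8D (4C 24 ??|55 ??) (51|52) 6A ?? 8D (54 24 ??|45 ??) (52|50) 8B (54 24 ??|45 ??) 6A ?? 8D (44 24
?? | 4D ??) (50|51) 6A ?? 8D (4C 24 ??|55 ??) (51|52) 56 (52|50) FF 15 ?? ?? ?? ?? 85 C0 (0F 85 ?? ?? ?? ??|75
??)
'''

HEXDIGITS = '0123456789abcdef'


def _tokens(body):
    # One token per byte pattern (8B, ??, 4?), group delimiter or [jump].
    i = 0
    while i < len(body):
        c = body[i]
        if c.isspace():
            i += 1
        elif c in '()|':
            yield c
            i += 1
        elif c == '[':
            j = body.index(']', i)
            yield body[i:j + 1]
            i = j + 1
        else:
            yield body[i:i + 2]
            i += 2


def _byte_regex(tok):
    tok = tok.lower()
    if tok == '??':
        return b'.'                                  # any byte (DOTALL below)
    if '?' not in tok:
        return re.escape(bytes([int(tok, 16)]))
    hi = HEXDIGITS if tok[0] == '?' else tok[0]      # nibble wildcard: list
    lo = HEXDIGITS if tok[1] == '?' else tok[1]      # the 16 matching bytes
    alts = [re.escape(bytes([int(h + l, 16)])) for h in hi for l in lo]
    return b'(?:' + b'|'.join(alts) + b')'


def yara_hex_to_regex(hex_string):
    '''Translate a YARA hex string body (without the braces) to a compiled
    bytes regex. Supports ??, nibble wildcards, (a|b) alternatives and
    [n] / [n-m] jumps.'''
    parts = []
    for tok in _tokens(hex_string):
        if tok == '(':
            parts.append(b'(?:')
        elif tok in ')|':
            parts.append(tok.encode())
        elif tok.startswith('['):
            lo, _, hi = tok[1:-1].partition('-')
            parts.append(b'.{' + lo.encode() + b',' + (hi or lo).encode() + b'}')
        else:
            parts.append(_byte_regex(tok))
    return re.compile(b''.join(parts), re.DOTALL)


def match_offset(hex_string, data):
    '''Offset of the first match of the hex string in data, or -1.'''
    m = yara_hex_to_regex(hex_string).search(data)
    return m.start() if m else -1


# Constructed byte sequences (not from any sample) satisfying the pattern in
# its two forms. ESP form: 8B 4C 24 xx = mov ecx,[esp+xx], 8D 44 24 xx =
# lea eax,[esp+xx]. EBP form: 8B 55 xx = mov edx,[ebp+xx], 8D 4D xx =
# lea ecx,[ebp+xx]. Both end in test eax,eax followed by jnz (long or short).
ESP_FORM = bytes.fromhex(
    '8B4C2410 51 8D542420 52 56 E8AABBCCDD 83C40C 8D442430 50 6A00 '
    '8D4C2440 51 6A01 8D542450 52 8B542460 6A02 8D442470 50 6A03 '
    '8D4C2408 51 56 52 FF1511223344 85C0 0F8500010000'
)
EBP_FORM = bytes.fromhex(
    '8B55F0 52 8D45E0 50 56 E801020304 83C40C 8D4DD0 51 6A00 '
    '8D55C0 52 6A01 8D45B0 50 8B45A0 6A02 8D4D90 51 6A03 '
    '8D5580 52 56 50 FF1544332211 85C0 750E'
)
# ESP form with the stack clean-up (add esp, imm8) swapped for sub esp: no match.
NEGATIVE = ESP_FORM.replace(bytes.fromhex('83C40C'), bytes.fromhex('83EC0C'))

if __name__ == '__main__':
    for label, blob in (('esp form', ESP_FORM), ('ebp form', EBP_FORM), ('negative', NEGATIVE)):
        print(label, match_offset(BIGBOSS_HEX, blob))
```

This is a test harness for the hex-string logic, not a replacement for the YARA scanner (string modifiers, conditions other than a bare string, and the fast matching engine are out of scope). Pointing yara_hex_to_regex at a different rule’s hex string and at bytes cut from a sample with a hex editor is enough to see which alternative fired and at what offset.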
Analyzing the two implants side by side shows not only a partial overlap in some internal functions, as shown below,\r\nbut in some cases whole code chunks with a full overlap.\r\nI based one of my hunting rules for this family on this piece of code. The rule is released in the “Detection” section.\r\nIndicators\r\nType Value\r\nSHA256 3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122\r\nSHA256 a679dbde0f4411396af54ea6ac887bd0488b2339cd8a4b509a01ca5e906f70bd\r\nDetection\r\nrule Turla_Code_00325_00291 {\r\n    meta:\r\n        author = \"Emanuele De Lucia\"\r\n        description = \"Yara hunting rule for Turla shared code chunk\"\r\n        hash1 = \"3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122\"\r\n        hash2 = \"a679dbde0f4411396af54ea6ac887bd0488b2339cd8a4b509a01ca5e906f70bd\"\r\n        hash3 = \"c819ec7743e2f5db13f277749961dffad08dba6dd21450eea33a27403386c959\"\r\n        hash4 = \"7bb65fe9421af04c5546b04a93aa0e517356c0a85856f1265587983ce2bf8aef\"\r\n        hash5 = \"94421ccb97b784c43d92c4b1438481eee9c907db6b13f6cfc4b86a6bb057ddcd\"\r\n    strings:\r\n        $hex = { 8B (4C 24 ??|55 ??) (51|52) 8D (54 24 ??|45 ??) (52|50) 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D (44 24 ??|4D ??) (50|51) 6A ?? 8D (4C 24 ??|55 ??) (51|52) 6A ?? 8D (54 24 ??|45 ??) (52|50) 8B (54 24 ??|45 ??) 6A ?? 8D (44 24 ??|4D ??) (50|51) 6A ?? 8D (4C 24 ??|55 ??) (51|52) 56 (52|50) FF 15 ?? ?? ?? ?? 85 C0 (0F 85 ?? ?? ?? ??|75 ??) }\r\n    condition:\r\n        $hex\r\n}\r\nSource: https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/"
	],
	"report_names": [
		"the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bb0a7b7f784cca21f919f0f760a9ce948f6e668.pdf",
		"text": "https://archive.orkl.eu/1bb0a7b7f784cca21f919f0f760a9ce948f6e668.txt",
		"img": "https://archive.orkl.eu/1bb0a7b7f784cca21f919f0f760a9ce948f6e668.jpg"
	}
}