{
	"id": "b64dcf91-f17c-46b0-bb4f-5b62ad9a9f8e",
	"created_at": "2026-04-06T00:17:39.232328Z",
	"updated_at": "2026-04-10T03:33:35.913912Z",
	"deleted_at": null,
	"sha1_hash": "68c7d766a4c835fff047e765a8289b3837dddc78",
	"title": "The Uroburos case: new sophisticated RAT identified",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59396,
	"plain_text": "The Uroburos case: new sophisticated RAT identified\r\nBy Paul Rascagnères\r\nPublished: 2017-05-11 · Archived: 2026-04-05 15:08:14 UTC\r\nIn February 2014, the experts of the G DATA SecurityLabs published an analysis of Uroburos, the rootkit with\r\nRussian roots. We explained that a link exists between Uroburos and the Agent.BTZ malware, which was\r\nresponsible for \"the most significant breach of U.S. military computers ever.\" [1] Nine months later, after the buzz\r\naround Uroburos, aka Snake or Turla, we have now identified a new generation of Agent.BTZ. We dubbed it ComRAT\r\nand have, by now, analyzed two versions of the threat (v3.25 and v3.26).\r\nAs reported earlier this year, Agent.BTZ used the same encoding key and the same installation log file name as\r\nUroburos. ComRAT, in its version 3.25, shows the same behavior. Furthermore, the attackers also shared a C\u0026C\r\ndomain. The latest version of ComRAT known to us (v3.26) uses a new key and does not create the installation log\r\nfile, in order to complicate the analysis and to disguise the link between the two cases.\r\nAnother very interesting fact: the attackers use COM Object hijacking, the same persistence mechanism as\r\nCOMpfun, which we described recently.\r\nTaking everything into consideration, the indications we saw during our analyses lead to the supposition that the\r\ngroup behind Agent.BTZ and Uroburos is still active and is pursuing the Agent.BTZ path once more to improve\r\nand change the RAT.\r\nDropper\r\nThe analyzed file is the latest version we identified: v3.26. The version identification is described in the chapter\r\n“Log files”. The major difference between this version and the older version(s) will be described there.\r\nFile installation\r\nThe first task of the malware is to install the file credprov.tlb in %APPDATA%\\Microsoft\\. This file is the main\r\npayload of the malware. 
The dropper executes the following command in order to install a second file:\r\nrundll32.exe %APPDATA%\\Microsoft\\credprov.tlb,Install %APPDATA%\\Microsoft\\shdocvw.tlp\r\nThe second file is shdocvw.tlp. The two files are Microsoft Windows dynamic libraries.\r\nPersistence\r\nTo be started during the boot process of the infected machine, the malware creates the following registry key:\r\nHKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32 =\r\n%APPDATA%\\shdocvw.tlp\r\nhttps://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified\r\nPage 1 of 6\n\nThis registry key is used to associate the library shdocvw.tlp with the object 42aedc87-2188-41fd-b9a3-0c966feabec1,\r\nas previously explained in the article about COMpfun. The purpose is to load the library into each and every\r\nprocess executed on the infected system.\r\nDropper’s log file\r\nIf the version of the malware is older than 3.26, the dropper creates an additional file called winview.ocx. We\r\nnoticed that the file name is still the same as the file name used by Agent.BTZ in the past. 
The file is xored with the\r\nfollowing obfuscation key (used by both Uroburos and Agent.BTZ):\r\n1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s\r\nHere is the decoded log file content:\r\nuser1@gdata$ ./decode.py winview.ocx\r\nLog begin: 06.11.2014 22:55:55\r\nTVer=2.2\r\n06.11.2014 22:55:55 TVer=2.3\r\n06.11.2014 22:55:55 CFG: CFG_4\r\n06.11.2014 22:55:55 User: user1\r\n06.11.2014 22:55:55 Machine: x86\r\n06.11.2014 22:55:55 Removing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\shdocvw.tlb [2]\r\n06.11.2014 22:55:55 Removing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\oleaut32.dll [2]\r\n06.11.2014 22:55:55 Removing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\oleaut32.tlb [2]\r\n06.11.2014 22:55:55 Removing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\credprov.tlb [2]\r\n06.11.2014 22:55:55 Removing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\libadcodec.dll [2]\r\n06.11.2014 22:55:55 Removing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\libadcodec.tlb [2]\r\n06.11.2014 22:55:55 Writing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\shdocvw.tlb 51200B\r\nOk\r\n06.11.2014 22:55:56 Writing C:\\Documents and Settings\\user1\\Application Data\\\\Microsoft\\\\credprov.tlb 260096B\r\nOk\r\n06.11.2014 22:55:57 Exit code1 0\r\n06.11.2014 22:55:57 Writing 3072B Ok\r\nWe can see that the malware checks whether an older version is installed on the system and, if so, the\r\ndropper removes the older version. In contrast, in our Uroburos analysis we found that Uroburos does\r\nnot install itself if a version of Agent.BTZ is found on the system.\r\nExecution flow and features\r\nDuring the startup of the infected machine, the shdocvw.tlp library is loaded into all processes. 
If the process is\r\nexplorer.exe, this library will load the other library called credprov.tlb. This library is the real payload. Its features\r\nare common for a Remote Administration Tool (RAT):\r\ncommand execution;\r\nfile download;\r\nfile upload;\ninformation gathering.\nComRAT’s communication with the command and control server is performed by the browser process and not by\nexplorer.exe, in order to avoid being blocked by a firewall on the system or any additional security products. The\ncommunication between the processes is performed by named pipe.\nLog files\nTwo log files are created during the malware execution: mskfp32.ocx and msvcrtd.tlb. If the malware version is\nolder than 3.26, the xor key is the same as the dropper key. In version 3.26, the malware uses a new\nnon-ASCII key.\nHere is an example of a decoded log file for version 3.26:\nuser1@gdata$ ./decode.py mskfp32.ocx\n?xml version=\"1.0\" encoding=\"unicode\"?\u003e\n2.10'\nWe can identify the version of the malware thanks to the PVer flag. The command and control server information is\nstored in the registry, not in the XML, and encoded:\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionMRU\\IPlace\nFor example, in the analyzed sample the C\u0026C is: weather-online.hopto.org. This domain is far from unknown, as it\nhas been mentioned in BAE Systems’ Uroburos (aka Snake) analysis paper as a C\u0026C server domain for the Uroburos\nmalware. 
Another connection between the cases.\nIf the malware version is lower than 3.26, the XML log file contains the command and control server information:\n[…]\n[…]\nSummary\nLet us summarize the similarities and differences between Agent.BTZ, Uroburos and ComRAT as far as we can:\nSimilarities:\nBefore version 3.26:\nuse of the same xor key\nuse of the same file name for the log\nOn all versions:\nSome parts of the code are exactly the same (appears to be copy \u0026 paste)\nThat is the reason why the sample is detected as Uroburos (aka Turla). The same code was used by\nAgent.BTZ and also by the DLL loaded into userland during the Uroburos analysis.\nCommand and control server domains are shared between Uroburos and ComRAT.\nDifferences:\nIn version 3.26, the author changed the key and removed the known file name\nThis action can be an indication of the developer’s effort to hide this connection\nThe main difference is the design\nAgent.BTZ is a common RAT, a simple library executed on an infected machine. ComRAT is more complex\nand cleverer. The malware is loaded into each and every process of the infected machine and the main part\n(payload) of the malware is only executed in explorer.exe. Furthermore, the C\u0026C communication blends\ninto the usual browser traffic and the malware communicates with the browser by named pipe. It is by far a\nmore complex userland design than Agent.BTZ.\nThese differences, mainly the more complex design, lead us to give this malware a new name.\nThe analyzed dropper of v3.25 has a compilation date of February 6th 2014. The more recent dropper of v3.26,\nwhich has all the mentioned changes implemented, reveals a compilation date of January 3rd 2013. 
We suspect that\nthis date is spoofed in order to disguise that this is in fact a newer version.\nConclusion\r\nThis analysis shows that even after the Uroburos publication in February 2014, the group behind this piece of\r\nmalware still seems to be active. In any case, the ComRAT developers implemented new mechanisms, changed\r\nkeys, removed log files to hide their activities and tried to disguise the connections between the RAT ComRAT, the\r\nrootkit Uroburos and the RAT Agent.BTZ as much as possible. However, we can still follow the evolution of the\r\nmalware by comparing the versions.\r\nThe persistence mechanism discovered in October 2014 makes it possible to intrude into a system in a really\r\ndiscreet manner and we estimate that other actors will use the same persistence mechanism in the near future.\r\nWe will definitely keep our ears and eyes open and continue analyzing.\r\nIOC\r\nMD5\r\nPaths\r\n%APPDATA%\\\\Microsoft\\\\shdocvw.tlb\r\n%APPDATA%\\\\Microsoft\\\\oleaut32.dll\r\n%APPDATA%\\\\Microsoft\\\\oleaut32.tlb\r\n%APPDATA%\\\\Microsoft\\\\credprov.tlb\r\n%APPDATA%\\\\Microsoft\\\\libadcodec.dll\r\n%APPDATA%\\\\Microsoft\\\\libadcodec.tlb\r\nRegistry\r\nHKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32\r\nCommand and 
control\r\nweather-online.hopto.org\r\nwebonline.mefound.com\r\nsportacademy.my03.com\r\neasport-news.publicvm.com\r\nnew-book.linkpc.net\r\n-------------------------------\r\nRelated articles:\r\nOctober 30th 2014: COM Object hijacking: the discreet way of persistence\r\nJune 2nd 2014: Analysis of Uroburos, using WinDbg\r\nMay 13th 2014: Uroburos rootkit: Belgian Foreign Ministry stricken\r\nMarch 3rd 2014: Uroburos - Deeper travel into kernel protection mitigation\r\nFebruary 28th 2014: Uroburos - highly complex espionage software with Russian roots\r\n-------------------------------\r\n[1] www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain\r\nSource: https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified"
	],
	"report_names": [
		"23937-the-uroburos-case-new-sophisticated-rat-identified"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68c7d766a4c835fff047e765a8289b3837dddc78.pdf",
		"text": "https://archive.orkl.eu/68c7d766a4c835fff047e765a8289b3837dddc78.txt",
		"img": "https://archive.orkl.eu/68c7d766a4c835fff047e765a8289b3837dddc78.jpg"
	}
}