{
	"id": "d4eb7d49-2ab9-4826-b537-461b591a392a",
	"created_at": "2026-04-06T00:10:52.187216Z",
	"updated_at": "2026-04-10T03:24:29.995103Z",
	"deleted_at": null,
	"sha1_hash": "f99e1df44df592570d0c8b3c6abab9ee9bacda0c",
	"title": "Rurktar - Spyware under Construction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 164892,
	"plain_text": "Rurktar - Spyware under Construction\r\nBy Tim Berghoff\r\nPublished: 2017-07-20 · Archived: 2026-04-05 17:29:12 UTC\r\nReading time: 2 min (656 words)\r\nThe development of any kind of software takes time. Not every function that is planned for the final product is implemented right from the start. It does not come as a surprise that this is also true for the development of malware. At the G DATA Security Labs, a file has sparked the interest of our researchers - this file is interesting for a number of reasons.\r\nWho commissioned it?\r\nThe new espionage tool, which was christened \"Rurktar\", allows some conclusions as to its origin. It is very likely that it originates from Russia. There is quite some evidence to support this: some of the internal error messages of Rurktar are in Russian. Also, the IP addresses used for remote control of the spyware are located in Russia.\r\nIt is not 100 per cent clear whether Rurktar is the work of a single individual or a development team. What we can say, though, is that a Dropbox folder is used as a working directory. There are several possible reasons for this. One of them is that several developers are cooperating here and consolidate their work through a Dropbox. What Dropbox can also be used for by a single individual is a crude and very basic versioning system - some Dropbox accounts offer the possibility of restoring earlier versions of a file. Therefore, it can be used to track changes, but it is not ideal from a developer's standpoint. Using Dropbox as a backup is, of course, also a possibility to be considered here.\r\nObjectives\r\nhttps://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction\r\nPage 1 of 5\r\nRurktar error message in Russian\r\nAlthough not all of the functions are implemented yet, it is relatively safe to say that Rurktar is intended for use in targeted spying operations. The functions that are already implemented allow reconnaissance of a network infrastructure: they can check whether or not a particular machine is reachable, take screenshots and even download specific files from an infected machine. It is also possible to delete files from or upload files to a machine. All of this points to industrial espionage - the functions that have been described so far do not have any practical application for large-scale operations, such as ransomware schemes.\r\nPrevalence\r\nAs the spyware is still in a development state and not operational yet, it has not spread very widely. Those few IP addresses that have been linked to Rurktar so far could just as well only have been used for testing purposes by the developer(s). This, however, can and will change as development work progresses. The IP addresses used for remote controlling Rurktar will see more diversity and not only be confined to Russia but to other countries as well. This is also due to the fact that other actors will start using or repurposing the malware either entirely or in parts. Past experience has shown that many malicious programs are used by so-called \"script kiddies\" who intend to cobble together new malware using readily available parts while having only minimal coding skills. This has happened, for instance, with the \"HiddenTear\" ransomware, which was originally designed for training and education. It had some flaws in its cryptographic components (which had also been documented by the developer) - but this did not keep some from using the flawed encryption components to create \"real\" ransomware.\r\nThe versions of Rurktar which are known so far are detected by all G DATA solutions as MSIL.Backdoor.Rurktar.A.\r\n\"Coming soon\"?\r\nMany functions and configuration parameters are defined but not implemented yet. The following table shows a small excerpt:\r\nFeature \u0026 configuration list of Rurktar - not all functions are implemented yet.\r\nDetailed information\r\nYou can read up on further technical information in Nathan Stern's detailed analysis report. The report is downloadable using the link below.\r\nSource: https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction"
	],
	"report_names": [
		"29896-rurktar-spyware-under-construction"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f99e1df44df592570d0c8b3c6abab9ee9bacda0c.pdf",
		"text": "https://archive.orkl.eu/f99e1df44df592570d0c8b3c6abab9ee9bacda0c.txt",
		"img": "https://archive.orkl.eu/f99e1df44df592570d0c8b3c6abab9ee9bacda0c.jpg"
	}
}