Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/14/2014
05:53 PM
50%
50%

Cyberespionage Worm May Have Ties To Multiple Spy Campaigns

Researchers at Kaspersky Lab have traced links between Agent.btz and notorious cyberespionage malware, such as Flame

Finding the sources of inspiration for an idea can be tricky; sometimes they are obvious, sometimes not. Such is the case with the Agent.btz and some of the most publicized cyberespionage tools of recent years.

According to researchers from Kaspersky Lab, Agent.btz may have some cousins circulating the Internet, namely the recently revealed Turla malware -- also known as Snake --- as well as the infamous Flame, Gauss, and Red October malware.

The Agent.btz worm has a long history in cyberattacks. In 2008, it was at the center of an incident eventually dubbed "the most significant breach of U.S. military computers ever" by former Deputy Defense Secretary William J. Lynn III. It took the U.S. Department of Defense more than a year to clean the infection from its systems.

Turla has also been linked to attacks in the United States, as well as attacks on other countries such as the Ukraine.

"In targeted attack situations, it is much more likely that two actors active on the same victim would tolerate and ignore each other, unless they disrupt each other's operations," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "It is very unusual to see either actor interaction at the victim site or highly specific shared artifacts across precise APT-related isolated tools like these. Anything is possible, and new challenges pop up all the time, but it's very unusual. Of course, we saw ripped exploit attachments from likely CN actors repurposed as a part of the Red October campaigns, but that was very unusual as well."

When Kaspersky Lab first became aware of the Turla cyberespionage campaign last March, the company was also investigating a sophisticated rootkit originally known as the Sun rootkit. Later it became apparent that the rootkit and Turla were one and the same.

During this research, Kaspersky Lab also noticed links between Turla and Agent.btz. As it turns out, Turla uses the same file names for its logs ("mswmpdat.tlb," "winview.ocx," and "wmcache.nld") while stored in the infected system as Agent.btz. It also uses the same XOR key for encrypting its log files.

But the connections between Agent.btz and other malware don't stop there. According to Kaspersky Lab, the Red October developers must have known about Agent.btz's functionality because their USB stealer module searches for the worm's data containers. Those containers hold information about infected systems and activity logs.

Further, both the notorious Flame and Gauss malware use similar naming conventions as Agent.btz, such as "*.ocx" files and "thumb*.db." In addition, they also use the USB drive as a container for stolen data.

Despite noting the similarities, Kaspersky Lab cautiously avoided stating a firm connection between the malware, though in his analysis chief security expert Aleks Gostev stated it is possible Agent.btz is a starting point "in the chain of creation of several different cyber-espionage projects."

"The information used by developers was publicly known at the time of Red October and Flame/Gauss' creation," he said in a statement. "It is no secret that Agent.btz used 'thumb.dd' as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent.btz to encrypt their log files was also published in 2008. We do not know when this key was first used in Turla, but we can see it for certain in the latest samples of the malware, which were created around 2013-2014. At the same time, there is some evidence which points towards Turla's development starting in 2006 -- before any known sample of Agent.btz; which leaves the question open."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.