New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2 - Intezer

New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2

Written by Omri Ben Bassat
Join our free communityGet started
Share Article
FacebookTwitterLinkedIn

Agent.BTZ–also known as ComRAT–is one of the world’s oldest known state-sponsored threats, mainly known for the 2008 Pentagon breach. Technically speaking, Agent.BTZ is a sophisticated user-mode RAT developed and operated by the Turla group in conjunction with Snake/Uroburos rootkit. In the past few months, we conducted research on Agent.BTZ’s code-base and how it evolved using Intezer Code Intelligence™ technology. Based on our research conclusions, we were able to hunt about a dozen new samples and more than seventy previously unknown live IP & DNS addresses indicating the ongoing abuse of satellite internet providers operating in both Africa & the Middle East.

This is a short memo regarding our findings from the past few months; in a few days, we will publish a whitepaper (part 2/2) describing in more details how we found these new variants using our technology, along with a thorough analysis of the new samples.

Dropper: Although the code itself was written from scratch and has nothing to do with WinRAR, the adversary tried to mimic WinRAR’s SFX installer. Resource data was duplicated, including icons and layouts used by the original installer, as you can see in the following screenshot:Intezer Code Intelligence technology

Once executed, the dropper installs activeds.dll – a proxy dll which is loaded directly to explorer.exe once the machine reboots. The purpose of this proxy dll is to load the malware’s main payload –
stdole2.tlb. The dropper then also deletes any previous installation of Agent.BTZ if it exists. This is done using a hard-coded file path:

  • “C:\Documents and Settings\<USER>\Application Data\\Microsoft\\Windows\\Themes\\termsvr32.dll”
  • “C:\Documents and Settings\<USER>\Application Data\\Microsoft\\Windows\\Themes\\pcasrc.tlb”

**Note: These file names were first used by Agent.BTZ in late 2014, as you can see in this automatic Dr.WEB report

Once finished, the dropper renames and self delete using the following command line:

  • “C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\<USER>~1\APPLIC~1\MICROS~1\Windows\stdole2.tlb,UnInstall C:\~$.tmp”

Samples found:

  1. 69690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548
  2. 6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4

stdole2.tlb: As previously mentioned, this file is the main component installed by the fake-sfx dropper and loaded by activeds.dll. We extracted the configuration from each sample in order to obtain the c2 address and inner version (“PVer”), which is built into every Agent.BTZ sample. In the past, Agent.BTZ’s developers have used an incremental value to indicate the inner build version, the last known value is 3.26 as published by G-Data in late 2014, It seems that the developers have reacted to G-Data’s publication and have stopped using an incremental value. New variants are now using a different numbering system of 0.8/9.<RANDOM_VALUE>, making it more difficult for researchers to track the exact version of the samples.

Intezer Code Intelligence technology

**example configuration extracted from one of the samples – PVer 0.9.1528434231.

Even without the PVer numbering, we were able to determine using our technology that these samples are from a newer version, which is based on the latest known versions of Agent.BTZ – 3.25 / 3.26. These are the two top files you can see in the following screenshot:

  1. 4e553bce90f0b39cd71ba633da5990259e185979c2859ec2e04dd8efcdafe356(VirusTotal)
  2. 3a6c1aa367476ea1a6809814cf534e094035f88ac5fb759398b783f3929a0db2(VirusTotal)

Both of these files were uploaded almost three years ago to VT(!)

Intezer Code Intelligence technology

**A screenshot from the Intezer Analyze™ product displaying a list of files in our database that share pieces of code with one of the new samples.  These pieces of code are specific to the Turla malware family, and were not seen in any other malicious or legitimate software.

Samples found:

  1. 6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96
  2. 49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e
  3. e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49
  4. 89db8a69ff030600f26d5c875785d20f15d45331d007733be9a2422261d16cea

Indicators of Compromise:

typeindicatornotes
sha25669690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548dropper
sha2566798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4dropper
sha25673db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88activeds.dll
sha25650067ebcc2d2069b3613a20b81f9d61f2cd5be9c85533c4ea34edbefaeb8a15factiveds.dll
sha256380b0353ba8cd33da8c5e5b95e3e032e83193019e73c71875b58ec1ed389bdacactiveds.dll
sha2569c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426activeds.dll
sha256628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24activeds.dll
sha256f27e9bba6a2635731845b4334b807c0e4f57d3b790cecdc77d8fef50629f51a2activeds.dll
sha256a093fa22d7bc4ee99049a29b66a13d4bf4d1899ed4c7a8423fbb8c54f4230f3cactiveds.dll
sha2566ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96stdole2.tlb
sha25649c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24estdole2.tlb
sha256e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49stdole2.tlb
sha25689db8a69ff030600f26d5c875785d20f15d45331d007733be9a2422261d16ceastdole2.tlb
ip81.199.34[.]150
dnselephant.zzux[.]com
dnsangrybear.ignorelist[.]com
dnsbigalert.mefound[.]com
dnsbughouse.yourtrap[.]com
dnsgetfreetools.strangled[.]net
dnsnews100top.diskstation[.]org
dnspro100sport.mein-vigor[.]de
dnsredneck.yourtrap[.]com
dnssavage.2waky[.]com
dnstehnologtrade.4irc[.]com
ip81.199.160[.]11
dnsforums.chatnook[.]com
dnsgoodengine.darktech[.]org
dnslocker.strangled[.]net
dnssimple-house.zzux[.]com
dnsspecialcar.mooo[.]com
dnssunseed.strangled[.]net
dnswhitelibrary.4irc[.]com
dnsbloodpearl.strangled[.]net
dnsgetlucky.ignorelist[.]com
dnsproriot.zzux[.]com
dnsfourapi.mooo[.]com
dnsnopasaran.strangled[.]net
ip78.138.25[.]29
dnsshowme.twilightparadox[.]com
dnsmouses.strangled[.]net
ip82.146.175[.]69
dnsmouses.strangled[.]net
ip178.219.68[.]242
dnsftp.fueldust.compress[.]to
dnsftp.linear.wikaba[.]com
dnsftp.mysterysoft.epac[.]to
dnsftp.scroller.longmusic[.]com
dnsftp.spartano.mefound[.]com
dnsfueldust.compress[.]to
dnslinear.wikaba[.]com
dnsmysterysoft.epac.to
dnssafety.deaftone[.]com
dnssalary.flnet[.]org
dnsscroller.longmusic[.]com
dnsspartano.mefound[.]com
ip88.83.25[.]122
dnsrobot.wikaba[.]com
ip41.223.91[.]217
dnssmileman.compress[.]to
dnsdecent.ignorelist[.]com
dnsdekka.biz[.]tm
dnsdisol.strangled[.]net
dnseraser.2waky[.]com
dnsfilelord.epac[.]to
dnsjustsoft.epac[.]to
dnssmuggler.zzux[.]com
dnssport-journal.twilightparadox[.]com
dnssportinfo.yourtrap[.]com
dnsstager.ignorelist[.]com
dnstankos.wikaba[.]com
dnsgrandfathers.mooo[.]com
dnshomeric.mooo[.]com
dnsjamming.mooo[.]com
dnspneumo.mooo[.]com
dnsrazory.mooo[.]com
dnsanger.scieron[.]com
dnsgantama.mefound[.]com
dnsletgetbad.epac[.]to
dnsrowstate.epac[.]to
dnsmemento.info[.]tm
ip196.43.240[.]177
dnsbughouse.yourtrap[.]com
dnsnews100top.diskstation[.]org
ip169.255.102[.]240
dnsharm17.zzux[.]com
dnsmountain8.wikaba[.]com
sha2560e0045d2c4bfff4345d460957a543e2e7f1638de745644f6bf58555c1d287286other
sha256bdcc7e900f10986cdb6dc7762de35b4f07f2ee153a341bef843b866e999d73a3other
sha256fac13f08afe2745fc441ada37120cebce0e0aa16d03a03e9cda3ec9384dd40f2backdoor
sha256bae62f7f96c4cc300ec685f42eb451388cf50a13aa624b3f2a019d071fddaeb1other

 

Related articles:

  1. https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified
  2. https://www.gdatasoftware.com/blog/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat
  3. http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html
  4. https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/
  5. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf
  6. https://securelist.com/the-epic-turla-operation/65545/
  7. http://artemonsecurity.com/snake_whitepaper.pdf
  8. https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
Omri Ben Bassat

Ex-officer in the IDF CERT. Malware analyst and a reverse engineer with vast experience in dealing with nation-state sponsored cyber attacks. Omri is the creator of Master of Puppets (MoP)—an open-source framework for reverse engineers who wish to create and operate trackers for new malware found in the wild—which was presented during the Black Hat USA 2019 Arsenal.

© Intezer.com 2020 All rights reserved