Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[1][2]

ID: S0022
Associated Software: Snake
Platforms: Linux, Windows, macOS
Version: 2.0
Created: 31 May 2017
Last Modified: 02 October 2023

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.[1]

.003 Application Layer Protocol: Mail Protocols

Uroburos can use custom communications protocols that ride over SMTP.[1]

.004 Application Layer Protocol: DNS

Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Uroburos has the ability to use the command line for execution on the targeted system.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Uroburos has registered a service, typically named WerFaultSvc, to decrypt and find a kernel driver and kernel driver loader to maintain persistence.[1]

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Uroburos can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters a-z in C2 communications.[1]

Enterprise T1005 Data from Local System

Uroburos can use its Get command to exfiltrate specified files from the compromised system.[1]

Enterprise T1001 .001 Data Obfuscation: Junk Data

Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.[1]

.003 Data Obfuscation: Protocol Impersonation

Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. [1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.[1]

.002 Encrypted Channel: Asymmetric Cryptography

Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.[1]

Enterprise T1008 Fallback Channels

Uroburos can use up to 10 channels to communicate between implants.[1]

Enterprise T1083 File and Directory Discovery

Uroburos can search for specific files on a compromised system.[1]

Enterprise T1564 .005 Hide Artifacts: Hidden File System

Uroburos can use concealed storage mechanisms including an NTFS or FAT-16 filesystem encrypted with CAST-128 in CBC mode.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Uroburos can run a Clear Agents Track command on an infected machine to delete Uroburos-related logs.[1]

Enterprise T1105 Ingress Tool Transfer

Uroburos can use a Put command to write files to an infected machine.[1]

Enterprise T1559 Inter-Process Communication

Uroburos has the ability to move data between its kernel and user mode components, generally using named pipes.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Uroburos has registered a service named WerFaultSvc, likely to spoof the legitimate Windows error reporting service.[1]

Enterprise T1112 Modify Registry

Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components.[1]

Enterprise T1104 Multi-Stage Channels

Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation.[1]

Enterprise T1106 Native API

Uroburos can use native Windows APIs including GetHostByName.[1]

Enterprise T1095 Non-Application Layer Protocol

Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols.[1]

Enterprise T1027 Obfuscated Files or Information

Uroburos can use AES and CAST-128 encryption to obfuscate resources.[1]

.002 Software Packing

Uroburos uses a custom packer.[3][1]

.009 Embedded Payloads

The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation.[1]

.011 Fileless Storage

Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.[1]

Enterprise T1057 Process Discovery

Uroburos can use its Process List command to enumerate processes on compromised hosts.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Uroburos can use DLL injection to load embedded files and modules.[1]

Enterprise T1572 Protocol Tunneling

Uroburos has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.[1]

Enterprise T1012 Query Registry

Uroburos can query the Registry, typically HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, to find the key and path to decrypt and load its kernel driver and kernel driver loader.[1]

Enterprise T1620 Reflective Code Loading

Uroburos has the ability to load new modules directly into memory using its Load Modules Mem command.[1]

Enterprise T1014 Rootkit

Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components.[2][1]

Enterprise T1082 System Information Discovery

Uroburos has the ability to gather basic system information and run the POSIX API gethostbyname.[1]

Enterprise T1205 Traffic Signaling

Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.[1]

Groups That Use This Software

ID Name References
G0010 Turla