In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit. We assume that the actor behind these campaigns uses several different malware strains in order to compromise the targeted infrastructure: Uroburos, a rootkit; Agent.BTZ/ComRAT, remote administration tools or Linux malware and maybe even more.
We decided to have an even closer look at Agent.BTZ and ComRAT and therefore analyzed the evolution of this RAT, covering seven years of development. Here is a table with the minimal information about 46 different samples:
MD5 | Version | Compilation Date |
---|---|---|
b41fbdd02e4d54b4bc28eda99a8c1502 | Ch 1.0 | Wed Jun 13 07:31:32 2007 UTC |
93827a6c77e84ffdd9c793d485d3df6e | Ch 1.0 | Wed Jun 13 07:31:32 2007 UTC |
3e9c7ef54ea3d55d5b53abab4c3e2385 | Ch 1.0 | Wed Jun 13 07:31:32 2007 UTC |
b9ed8876ef5a05ba364a9cdbdf4f184d | Ch 1.0 | Tue Jun 19 12:41:21 2007 UTC |
d8f98f64687b05a62c81ce9e52dd808d | Ch 1.1 | Tue Jun 26 08:46:11 2007 UTC |
2cf64ff9dad8d64ee9322e390d4f7283 | Ch 1.1 | Tue Jun 26 08:46:11 2007 UTC |
24e679155697bd31b34036a44d4346a7 | Ch 1.2wcc | Tue Jul 24 12:57:37 2007 UTC |
53b8b9f779b1d1d298884d1c21313ab3 | Ch 1.2wcc | Tue Jul 24 12:57:37 2007 UTC |
69ae46fedf3c18ff36fc850e0baa9365 | Ch 1.2wcc | Tue Jul 24 12:57:37 2007 UTC |
e05511a84eb345954b94f1e05c78bf22 | Ch 1.2 | Thu Jul 26 07:20:17 2007 UTC |
f93ce76f6580d68a95260198b2d6feaa | Ch 1.3 | Mon Dec 3 14:15:58 2007 UTC |
db5d1583704b0fb6d1cff0b62a512a7d | Ch 1.4 | Tue Dec 11 17:36:03 2007 UTC |
2b348c225985679f62e50b28bdb74ac9 | Ch 1.4 | Tue Dec 11 17:36:03 2007 UTC |
af3f0efbd69905123f7df958cc88dff9 | Ch 1.4 | Tue Dec 11 17:36:03 2007 UTC |
e825c4961293ad45883cd52f38695283 | Ch 1.5 | Thu Mar 27 14:58:15 2008 UTC |
2a67b53b7ef7b70763658ca7f60e7005 | Ch 1.5 | Thu Mar 27 14:58:15 2008 UTC |
bbf569176ec7ec611d8a000b50cdb754 | Ch 1.5 | Thu Mar 27 14:58:15 2008 UTC |
e5c76e67128e48cb0f003c2beee47d1f | Ch 1.5 | Thu Mar 27 14:58:15 2008 UTC |
8e5da63369d20e1d2c530bf806996285 | Ch 2.02 | Mon May 5 11:27:48 2008 UTC |
78d3f074b70788897ae7e20e5137bf47 | Ch 2.03 | Mon May 12 11:52:31 2008 UTC |
986f263ca2c529d5d28bce3c62f858ea | Ch 2.03 | Thu May 22 10:24:55 2008 UTC |
4f732099caf5d21729572cec229f7614 | Ch 2.04 | Mon Jun 9 17:23:56 2008 UTC |
5336c24a3399f522f8e19d9c54a069c6 | Ch 2.04 | Mon Jun 9 17:23:56 2008 UTC |
dc1c54751f94b6fdf0b6ecdd64e67701 | Ch 2.04 | Mon Jun 9 17:23:56 2008 UTC |
40335fca60acd05f1428b13a9a3c1228 | Ch 2.04 | Mon Jun 9 17:23:56 2008 UTC |
72663ee9d3efaff959bff4ce25bd37a6 | Ch 2.04 | Mon Jun 9 17:23:56 2008 UTC |
5ef72904221aa4090a262a24714054f0 | Ch 2.04 | Mon Jun 9 17:23:56 2008 UTC |
331eca9c7d9fd9cbe7cd192af09880a3 | Ch 2.05 | Thu Nov 6 13:21:45 2008 UTC |
db1156b072d58acdac1aeab9af2160a2 | Ch 2.05 | Thu Nov 6 13:21:45 2008 UTC |
74dbea70bfb15db31bb9f757ed4bb1a0 | Ch 2.07 | Mon Dec 29 11:37:17 2008 UTC |
eb928bca5675722c7e9e2b09eec1158a | Ch 2.07 | Mon Dec 29 11:37:17 2008 UTC |
162f415abad9708aa61db8e03bcf2f3c | Ch 2.11 | Mon Sep 14 13:22:57 2009 UTC |
448524fd62dec1151c75b55b86587784 | Ch 2.11 | Mon Sep 14 15:28:07 2009 UTC |
29bb70a40689e9e665d15716519bacfd | Ch 2.12 | Tue Sep 29 10:28:40 2009 UTC |
38d6719d6a266c6cefb8626c57378927 | Ch 2.13 | Mon Dec 7 14:25:12 2009 UTC |
02eda1effde92bdf8462abcf40c4f776 | Ch 2.13 | Mon Dec 7 14:27:53 2009 UTC |
5121ce1f96d74076df1c39748e019f42 | Ch 2.14.1 | Wed Feb 17 15:14:20 2010 UTC |
28dc1ca683d6a14d0d1794a68c477604 | Ch 3.00 | Tue Jan 31 16:12:25 2012 UTC |
40bd7846553550f38e458b8493824cb4 | Ch 3.00 | Tue Feb 14 10:28:06 2012 UTC |
ba0c777317461ed57a85ffae277044dc | Ch 3.02 | Wed Apr 4 16:23:44 2012 UTC |
b86137fa5a232c614ec5405be4d13b37 | Ch 3.10 | Tue Dec 18 08:22:43 2012 UTC |
7872c1d88fe21d8a85f160a6666c76e8 | Ch 3.20 | Fri Jun 28 12:16:40 2013 UTC |
83a48760e92bf30961b4a943d3095b0a | Ch 3.20 | Fri Jun 28 12:16:58 2013 UTC |
3d65c18d09f47547f85c631ebeeda482 | Ch 3.20 | Mon Jun 24 10:51:01 2013 UTC |
ec7e3cfaeaac0401316d66e964be684e | Ch 3.25 | Thu Feb 6 12:37:44 2014 UTC |
b407b6e5b4046da226d6e189a67f62ca | Ch 3.26 | Thu Jan 3 18:03:46 2013 UTC |
Thanks to the versioning, we can deduce that the compilation dates we saw and currently see actually seem to be legit – except for the last known version, in which the author modified the compilation date in order to make the analysis more complex. We can see that this malware was really active in 2007 and 2008. New versions declined in frequency in 2009 and only one new sample was identified in 2010. We did not encounter any new sample from 2011, but the malware appeared back in 2012, with a new major version.
To describe the evolution of the development, we decided to compare ten major versions:
The following chapter will present the main differences between the versions mentioned above. Here is the resemblance ratio for each version, comparing direct neighbor versions only, created using BinDiff:
The biggest code update has occurred between version 2.14.1 and version 3.00. The gap matches the absence of samples during two years and this fundamental modification is what we call the death of Agent.BTZ and the birth of ComRAT.
The analyzed samples are:
We did not identify strong modification between the two samples. However, we can notice the following:
The analyzed samples are:
In version 2.03 of Agent.BTZ, the authors changed the following:
According to an article, version 1.5 was used against the US Pentagon. We assume that the string obfuscation was performed in order to bypass security measures being capable of detecting an intrusion.
The analyzed samples are:
The codes of these two versions are extremely similar to each other, we can only notice small changes:
The analyzed samples are:
These codes are really similar to each other, too. We can notice only two changes:
The four exported libraries show that the malware has started to support the OLE Component Object Model (COM). This version is the first version able to be registered as a COM object. Three of the four functions are empty. The fourth one executes the malware.
The analyzed samples are:
These codes really differ from each other, even if some parts of version 2.14.1 were retained. Moreover, the developers changed the compiler; they switched from Visual Studio 6.0 to Visual Studio 9.0/10.0 , which is a strong indicator for the huge differences.
Version 3.00 is what the G DATA SecurityLabs experts call ComRAT. We can say that version 2.14.1 is the last version of Agent.BTZ. Here are the main differences between Agent.BTZ and ComRAT:
On several 3.00 samples, the author forgot to remove the compilation path, here are some examples:
Thanks to these compilation paths, we assume that the original name of the RAT is “Chinch”, which leads us to the assumption that the “CH” characters in the version name and in the flag “<CHCMD>” stands for “Chinch”. In English, chinch is the word for a small North American bug, Blissus leucopterus. This word is derived from the Spanish word chinche, meaning pest.
The analyzed samples are:
The codes are similar to each other, but the authors added several features:
The last new feature is really interesting: if the compromised targets block a specific command and control server, the malware will continue to work, thanks to two alternative command and control servers.
The analyzed samples are:
The major new feature in the version is the new exports function called InstallW(). This exported function is used by the dropper to add persistence in the registry and to drop a second file (as explained in our previous article). Version 3.20 uses the following CLSID in order to hijack COM object: B196B286-BAB4-101A-B69C-00AA00341D07.
This object is the IConnectionPoint interface. The CLSID was only used in this version. We assume that the performed COM object hijacking generates some trouble on the infected system, that’s why the author changed related things in the next version. Furthermore, the CLSID was stored in plain text within the sample.
The analyzed samples are:
In the 3.25 version, the author switched to the CLSID: 42aedc87-2188-41fd-b9a3-0c966feabec1 as described in our article. Furthermore, the strings in the sample are obfuscated. The main new feature is the obfuscation – almost all strings are obfuscated and the XML pattern is not written in plain text anymore.
The analyzed samples are:
The version 3.26 is the latest known version. In this version:
This analysis shows us seven years of the evolution of a Remote Administration Tool, used by a group which targeted extremely sensitive entities, such as the US Pentagon in 2008 or the Belgium Ministry of Foreign Affairs in 2014 as well as the Finnish Ministry of Foreign Affairs.
Except for version 3.00, the modifications made are rather marginal. We can see that the authors adapted features to the Windows versions, patched bugs, added obfuscation etc… The biggest update was performed to version 3.00, after two years of silence. Visibly, this RAT was used alongside the Uroburos rootkit. Nevertheless, it is not entirely clear how and when the attackers choose to use the RAT or the rootkit or whether both are used in parallel.
Taking everything into consideration, G DATA SecurityLabs experts are sure that the group behind Uroburos/Agent.BTZ/ComRAT/Linux tool/… will remain an active player in the malware and APT field. The newest revelations made and connections drawn let us believe that there is even more to come.