G DATA Publishes Analysis of Cyber-espionage Programs


Security experts have been documenting the development of the Agent.BTZ malware for seven years. The latest disclosures and links lead to speculation that even more attacks can be expected in the future.

[Figure: Malware samples per year]

As a result of the analysis, we now have data on seven years of development of malware that was used by one group for targeted attacks on extremely sensitive targets such as the US Pentagon in 2008, the Belgian Foreign Ministry in 2014

Targeted cyber-attacks on government institutions, businesses and international organisations have increased in recent years. Malware is the weapon of choice. For seven years, G DATA has followed the development of one of the most well-known malicious programs: Agent.BTZ. In 2008, the malware strain was deployed in a cyber-attack on the Pentagon in the USA. In 2014, it was noted that the Uroburos spyware program had attacked both the Belgian and the Finnish Foreign Ministries. In November 2014, ComRAT (Agent.BTZ's successor) was discovered and analyzed in detail, revealing technical similarities with the Uroburos rootkit. Across all malware samples, G DATA security experts found shared program code that was carried forward and extended from version to version. But how do perpetrators approach the development of cyber-espionage weapons? To illustrate how a highly complex spyware program evolves, the experts investigated Agent.BTZ and ComRAT more closely: in total, 46 different samples from a seven-year period were analyzed.

Minor changes to the software

Until version 3.00 in 2012, the G DATA security experts detected only minor changes to the software over the years: adaptations to newer Windows versions were made, programming errors were eliminated and obfuscation methods were added. The biggest update took place in version 3.00 of the RAT. However, the attackers' working methods are not completely clear. The security experts suspect that well-trained developers, who know how to cover their tracks, are behind the malware.

The G DATA analysts are sure that the group behind Uroburos, Agent.BTZ and ComRAT continues to be active in the malware and APT (Advanced Persistent Threat) area. The latest disclosures and links lead to speculation that even more attacks can be expected in the future.

The detailed analysis of the complex spyware program is available here:
https://blog.gdatasoftware.com/blog/article/evolution-of-sophisticated-spyware-from-agentbtz-to-comrat.html

G DATA experts have analyzed the successor to Agent.BTZ, ComRAT: https://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html

The hijacking of COM objects is investigated in more detail at the G DATA SecurityBlog:
https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html

About G DATA
IT security was invented in Germany: G DATA Software AG is the antivirus pioneer. The company, founded in Bochum in 1985, developed the first program to combat computer viruses 30 years ago. These days, G DATA is one of the world's leading providers of IT security solutions.
For sales inquiries in North America please contact http://www.contronex.com


Contact Author

Thorsten Urbanski
Contronex, Inc.
