-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2014-029
Title: Snake Campaign and Cyber Espionage Toolkit [1]
Version history:
24.02.2014 Initial publication

Summary
=======

BAE Systems has recently published a report on the so-called Snake campaign and cyber-espionage toolkit [1]. G Data has also recently published a report on the same topic [2], in which the malware is named Uroburos. Both reports describe a cyber-espionage campaign and the tools used in it. The campaign is alleged to be linked to Russia.

Background
==========

Uroburos/Snake is a rootkit composed of two files: a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activity. It can steal information (most notably files) and is also able to capture network traffic. Its modular structure allows it to be extended with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous.

The driver component is extremely complex and is designed to be very discreet and very difficult to identify [2]. It is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication channel to its C&C servers, and enable an effective data-exfiltration mechanism. At the same time, Snake has shown flexibility in conducting its operations by employing noticeably different architectures [1].

What can you do?
================

Use the IoCs from the public reports, and in particular the IoCs distributed in the past by CERT-EU in the form of CIMBL, to identify potentially suspicious network activity.
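The following is an added example of the kind of IoC matching the recommendation above calls for; it is not code from the advisory, from CERT-EU, or from either referenced report. The indicator set, the log format (timestamp, client address, method, target, status) and the log lines are all constructed placeholders for illustration: the domains use reserved ".example" names and the addresses come from the RFC 5737 documentation ranges, so none of them are real Snake/Uroburos indicators. Substitute the indicators published in the reports or distributed via CIMBL.

```python
"""Match network IoCs (domains, IP ranges) against proxy-style log lines.

Added example, not part of the CERT-EU advisory. All indicators and log
lines below are constructed placeholders, NOT real Snake/Uroburos IoCs.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder indicators (assumed format: bare domains and CIDRs).
IOC_DOMAINS = {"update-check.example", "static.cdn-mirror.example"}
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, RFC 5737
    ipaddress.ip_network("198.51.100.7/32"),  # TEST-NET-2, RFC 5737
]

# Constructed sample log lines: "<timestamp> <client> <method> <target> <status>".
LOG_LINES = [
    "2014-02-24T10:01:02Z 10.0.0.5 GET http://intranet.corp.example/index.html 200",
    "2014-02-24T10:01:09Z 10.0.0.5 POST http://UPDATE-CHECK.example/upload.php 200",
    "2014-02-24T10:02:15Z 10.0.0.9 GET http://203.0.113.17/cgi-bin/check 404",
    "2014-02-24T10:03:00Z 10.0.0.9 GET http://www.update-check.example.org/ 200",
    "2014-02-24T10:03:41Z 10.0.0.7 CONNECT mirror.static.cdn-mirror.example:443 200",
    "garbage line that does not parse",
]


def normalise_host(host):
    """Lower-case and drop a trailing dot so 'Foo.Example.' == 'foo.example'."""
    return host.lower().rstrip(".")


def match_host(host):
    """Return the matching indicator string, or None.

    IP literals are checked against the CIDR list; names must equal an IoC
    domain or be a subdomain of it. A plain substring test would wrongly
    flag 'update-check.example.org', so the match is anchored on a label
    boundary.
    """
    host = normalise_host(host)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net in IOC_NETWORKS:
            if addr in net:
                return str(net)
        return None
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def host_from_target(target):
    """Extract the host from a URL or a CONNECT-style 'host:port' target.

    Without a scheme, urlsplit would read 'host:443' as scheme 'host', so
    a leading '//' forces it to be parsed as a network location instead.
    """
    if "://" not in target:
        target = "//" + target
    return urlsplit(target).hostname


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, target, status = fields
    return {"ts": ts, "client": client, "method": method,
            "target": target, "status": status}


def scan(lines):
    """Return (line_no, client, host, indicator) for every line hitting an IoC."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped rather than guessed at
        host = host_from_target(rec["target"])
        if not host:
            continue
        indicator = match_host(host)
        if indicator:
            hits.append((lineno, rec["client"], host, indicator))
    return hits


if __name__ == "__main__":
    for lineno, client, host, indicator in scan(LOG_LINES):
        print(f"line {lineno}: {client} -> {host} matches IoC {indicator}")
```

Running the script reports three hits (lines 2, 3 and 5); line 4 is deliberately left unmatched because its host only contains an IoC domain as a substring, which is the false positive that naive `in`-style matching produces.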
More information
================

[1] http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf
[2] https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJTHx2vAAoJEPpzpNLI8SVo1NAP/jykOz5FNuQgaOot1kuu7DNg
DAUb7Vc6G4rADdWs/8/9o4RPqYVYD1nceaiyvY0BOfkb0GHmmslrqzjPl110UYLn
kEKvrwGdLnAcwG9tQDr0jSlBNKT4xHbEoyW6AMfFSL2ZPvlpbs91yRXqCjuFg4oS
ws0r11PAW9FF6Ot+Wc5fGDfrNrj7Z2TrAoHvOgQjxNW0sWq0nz+aNC64v+HEI4fu
s2+WZ/bW93LQtXRMiyiC2TThvkCj+eHRckZcKw9T6Yygku55HTB4ZvzSzqNXYnvJ
H06WzkPIiL+oBwzKzrszW8uQKg1WMmRor562WSGpzu1viCve23VNWWs+/88lWYbX
JcYcHtAHGDmCIi86+3Uz/NmsPyEZv2WqJCe1J+16s2Q7q9Bx7M3oozAJhjztV5pC
56CMeUpUrh9wDqZxHK9KDuypT0/Y3Vej+r08zBqKQJ55Acvo41Dp+oRJSz+uKZ4e
qQkKPnraNogsK+TYiZSfn+zRl8x8uoW9wTsqxNydTZFDCx7UAU9XywlibdOEnjZy
xMEy4GW3Y3dc9PC+YXv0eZFPUpiixPZKRTZQEG0XZXdsStVZShzvDEW/b5KgNQm/
z1tpTxI5DcJHA3lIXHlVaJNP5Ciy2uAgybWPVKj6iaueDVC1qCZ2XKvImbkzVXbo
sEAw8t3gI2eHrFKsTQBF
=KdH0
-----END PGP SIGNATURE-----