G DATA discovers and analyses successor to Agent.BTZ.
G DATA security experts have discovered and analysed a new variant of a highly complex spyware program. The ComRAT spyware attacks high-value networks in order to steal sensitive secret data. Based on technical details, the analysts assume that the malware has the same origin as the Agent.BTZ malware that was used in a cyber attack on the USA in 2008. Furthermore, the experts have once again identified similarities to the Uroburos spyware program. G DATA SecurityLabs first issued warnings about Uroburos in February 2014, after it had compromised the Belgian Foreign Ministry, among others. By hijacking a programming interface, a technique known as "COM hijacking", the malware can embed itself on a PC and run malicious functions unnoticed, such as smuggling highly sensitive data out through the browser's data traffic. In this way attackers can use the ComRAT Remote Administration Tool (RAT) to spy on an infected system for a long time without being noticed. G DATA security solutions detect and block the ComRAT variants.
"ComRAT is the latest generation of the well-known spyware programs Uroburos and Agent.BTZ. As with its predecessors, ComRAT is designed to operate and attack in large networks belonging to companies, authorities, organisations and research institutes," explains Ralf Benzmüller, head of G DATA SecurityLabs. "We presume that the same group is behind it again, as the malware shows numerous similarities. The current software is even more complex and sophisticated. This indicates cost-intensive development."
What is ComRAT?
G DATA SecurityLabs have christened the spyware "ComRAT" because of its technical properties. The name combines COM (Component Object Model), the interface the malware abuses, with RAT (Remote Administration Tool). The malware misuses COM objects to hijack a computer. This gives malware authors a hiding place from which they can operate without being noticed by the user or the antivirus software, in this case to compromise the browser. The data smuggled out of the network looks like completely normal browser surfing traffic. A RAT is a remote administration tool generally used for accessing other computers from remote locations; the attackers use it to control the malware from outside.
In their analysis, the G DATA security experts have discovered two variants of the malware.
The hijacking of COM objects is investigated in more detail in the G DATA SecurityBlog.