
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4)

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrades since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in its communications and architecture, and can easily incorporate new or replacement components. (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) (Citation: Kaspersky Turla)

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) | Attack Pattern | 1
Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) | Attack Pattern | 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 1
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Uroburos (Windows) (d674ffd2-1f27-403b-8fe9-b4af6e303e5c) | Malpedia | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | 1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) | Attack Pattern | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) | Attack Pattern | 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) | Malware | Turla (22332d52-c0c2-443c-9ffb-f08c0d23722c) | Tool | 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) | Attack Pattern | 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 2
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) | Attack Pattern | Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) | Attack Pattern | Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) | Attack Pattern | 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) | Attack Pattern | 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 2
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) | Attack Pattern | Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) | Attack Pattern | 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2
Uroburos (Windows) (d674ffd2-1f27-403b-8fe9-b4af6e303e5c) | Malpedia | Turla (22332d52-c0c2-443c-9ffb-f08c0d23722c) | Tool | 2