Skip to content

Hide Navigation Hide TOC

Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4)

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)

Cluster A Galaxy A Cluster B Galaxy B Level
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Turla (22332d52-c0c2-443c-9ffb-f08c0d23722c) Tool 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Uroburos (Windows) (d674ffd2-1f27-403b-8fe9-b4af6e303e5c) Malpedia 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 1
Uroburos - S0022 (80a014ba-3fef-4768-990b-37d8bd10d7f4) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden File System - T1564.005 (dfebc3b7-d19d-450b-81c7-6dafe4184c04) Attack Pattern 2
Uroburos (Windows) (d674ffd2-1f27-403b-8fe9-b4af6e303e5c) Malpedia Turla (22332d52-c0c2-443c-9ffb-f08c0d23722c) Tool 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 2