{"description": "Enterprise techniques used by Uroburos, ATT&CK software S0022 (v2.1)", "name": "Uroburos (S0022)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use custom communications protocols that ride over SMTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by [Uroburos](https://attack.mitre.org/software/S0022) is contained in the part of the character string prior to the first \u2018.\u2019 character.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has the ability to use the command line for execution on the targeted system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has registered a service, typically named `WerFaultSvc`, to decrypt and find a kernel driver and kernel driver loader to maintain persistence.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.002", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters a-z in C2 communications.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use its `Get` command to exfiltrate specified files from the compromised system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.001", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can add extra characters in encoded strings to help mimic legitimate DNS requests.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1008", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use up to 10 channels to communicate between implants.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can search for specific files on a compromised system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.005", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use concealed storage mechanisms including an NTFS or FAT-16 filesystem encrypted with CAST-128 in CBC mode.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can run a `Clear Agents Track` command on an infected machine to delete [Uroburos](https://attack.mitre.org/software/S0022)-related logs.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use a `Put` command to write files to an infected machine.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has the ability to move data between its kernel and user mode components, generally using named pipes.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has registered a service named `WerFaultSvc`, likely to spoof the legitimate Windows error reporting service.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other [Uroburos](https://attack.mitre.org/software/S0022) components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1104", "comment": "Individual [Uroburos](https://attack.mitre.org/software/S0022) implants can use multiple communication channels based on one of four available modes of operation.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use native Windows APIs including `GetHostByName`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) uses a custom packer.(Citation: Symantec Waterbug)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "The [Uroburos](https://attack.mitre.org/software/S0022) Queue file contains embedded executable files along with key material, communication channels, and modes of operation.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at `HKLM:\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use AES and CAST-128 encryption to obfuscate resources.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use its `Process List` command to enumerate processes on compromised hosts.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use DLL injection to load embedded files and modules.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can query the Registry, typically `HKLM:\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds`, to find the key and path to decrypt and load its kernel driver and kernel driver loader.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1620", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has the ability to load new modules directly into memory using its `Load Modules Mem` command.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1014", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components.(Citation: Kaspersky Turla)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) has the ability to gather basic system information and run the POSIX API `gethostbyname`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[Uroburos](https://attack.mitre.org/software/S0022) can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific [Uroburos](https://attack.mitre.org/software/S0022) implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Uroburos", "color": "#66b1ff"}]}