Security researchers at ESET have released new research today into the activities of the notorious Turla cyber espionage group, and specifically a previously undocumented backdoor that has been used to spy on consulates and embassies worldwide.
ESET’s research team are the first in the world to document the advanced backdoor malware, which they have named “Gazer”, despite evidence that it has been actively deployed in targeted attacks against governments and diplomats since at least 2016.
Active since 2016, the malware campaign is leveraging a new backdoor, dubbed Gazer, and is believed to be carried out by Turla advanced persistent threat (APT) hacking group that's been previously linked to Russian intelligence.
Gazer, written in C++, the backdoor delivers via spear phishing emails and hijacks targeted computers in two steps—first, the malware drops Skipper backdoor, which has previously been linked to Turla and then installs Gazer components.
Gazer, written in C++, the backdoor delivers via spear phishing emails and hijacks targeted computers in two steps—first, the malware drops Skipper backdoor, which has previously been linked to Turla and then installs Gazer components.
In previous cyber espionage campaigns, the Turla hacking group used Carbon and Kazuar backdoors as its second-stage malware, which also has many similarities with Gazer, according to research [PDF] published by ESET.
Gazer receives encrypted commands from a remote command-and-control server and evades detection by using compromised, legitimate websites (that mostly use the WordPress CMS) as a proxy
Instead of using Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server—a common tactic employed by the Turla APT group.
Gazer uses code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.
Gazer uses code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.
ESET’s research team are the first in the world to document the advanced backdoor malware, which they have named “Gazer”, despite evidence that it has been actively deployed in targeted attacks against governments and diplomats since at least 2016.
Gazer’s success can be explained by the advanced methods it uses to spy on its intended targets, and its ability to remain persistent on infected devices, embedding itself out of sight on victim’s computers in an attempt to steal information for a long period of time.
ESET researchers have discovered that Gazer has managed to infect a number of computers around the world, with the most victims being located in Europe. Curiously, ESET’s examination of a variety of different espionage campaigns which used Gazer has identified that the main target appears to have been Southeastern Europe as well as countries in the former Soviet Union.
The attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:
- Targeted organizations are embassies and ministries;
- Spearphishing delivers a first-stage backdoor such as Skipper;
- A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place;
- The second-stage backdoor receives encrypted instructions from the gang via C&C servers, using compromised, legitimate websites as a proxy.
- Don’t be fooled by the sense of humor that the Turla hacking group are showing here, falling foul of computer criminals is no laughing matter.All organizations, whether governmental, diplomatic, law enforcement, or in traditional business, need to take today’s sophisticated threats serious and adopt a layered defense to reduce the chances of a security breach.ESET’s research team are the first in the world to document the advanced backdoor malware, which they have named “Gazer”, despite evidence that it has been actively deployed in targeted attacks against governments and diplomats since at least 2016.
Post A Comment:
0 comments: