Backdoor malware targets embassies
4 September 2017
Cybersecurity specialist ESET has uncovered a new, advanced backdoor used by the notorious hacking group Turla.
Dubbed Gazer, the newly identified backdoor has been documented by ESET researchers, who say it has been actively deployed since 2016 against consulates and embassies worldwide.
According to the company, the Turla espionage group has been targeting European governments and embassies around the world for many years, and is known to run watering hole and spear-phishing campaigns to catch victims. ESET researchers said they have seen Gazer deployed on several computers around the world, but mostly in Europe.
Much like other second-stage backdoor tools used by Turla, including Carbon and Kazuar, ESET said Gazer receives encrypted tasks from a command-and-control server that can be executed either on an already infected machine or by another machine on the network. The backdoor authors also make extensive use of their own customised cryptography to encrypt and decrypt the data exchanged with the command-and-control server. Furthermore, the researchers said the notorious Turla group was seen using a virtual file system in the Windows registry to evade antivirus defences and continue to attack the system.
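One way a defender can hunt for the registry-hosted virtual file system described above, as an added example that is not from ESET's report or the Gazer analysis: parse a regedit `.reg` export and flag binary values far larger than ordinary configuration data. The size threshold, key names and the sample blob are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Heuristic added here, not from ESET's report: a virtual file system kept in the
# registry needs large REG_BINARY blobs, which legitimate keys rarely contain.
SIZE_THRESHOLD = 64 * 1024  # bytes; assumed tuning value
_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_HEX_RE = re.compile(r'^(?:"([^"]+)"|@)=hex(?:\([0-9a-fA-F]+\))?:(.*)$')

def _count_hex_bytes(fragment: str) -> int:
    # "00,ab,ff," -> 3 (regedit writes one comma-separated byte per token)
    return sum(1 for tok in fragment.split(",") if tok.strip())

def parse_reg_binary_values(text: str) -> Dict[Tuple[str, str], int]:
    # Map (key path, value name) -> byte length, following regedit's trailing-backslash continuation lines.
    sizes: Dict[Tuple[str, str], int] = {}
    key = None
    current = None  # (key, name) of a blob still being continued
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            sizes[current] += _count_hex_bytes(line.rstrip("\\"))
            if not line.endswith("\\"):
                current = None
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _HEX_RE.match(line)
        if m and key is not None:
            entry = (key, m.group(1) if m.group(1) is not None else "(Default)")
            payload = m.group(2).strip()
            sizes[entry] = _count_hex_bytes(payload.rstrip("\\"))
            if payload.endswith("\\"):
                current = entry
    return sizes

def flag_oversized(sizes: Dict[Tuple[str, str], int], threshold: int = SIZE_THRESHOLD) -> List[Tuple[str, str, int]]:
    hits = [(k, n, s) for (k, n), s in sizes.items() if s >= threshold]
    return sorted(hits, key=lambda t: -t[2])  # largest suspicious blobs first

def _hex_blob(data: bytes, per_line: int = 80) -> str:
    toks = [f"{b:02x}" for b in data]
    return ",\\\n  ".join(",".join(toks[i:i + per_line]) for i in range(0, len(toks), per_line))

# Constructed sample export: an ordinary settings key and a key hiding a 100 KiB blob.
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n[HKEY_CURRENT_USER\\Software\\Example\\Settings]\n"
              '"Theme"="dark"\n"Layout"=hex:01,00,00,00\n\n[HKEY_CURRENT_USER\\Software\\Example\\Cache]\n'
              '"Blob"=hex:' + _hex_blob(bytes(range(256)) * 400) + "\n")
```

Run `flag_oversized(parse_reg_binary_values(SAMPLE_REG))` on a real export of HKCU or HKLM\Software to get a ranked list of blobs worth inspecting by hand.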
“Turla go to great lengths to avoid being detected on a system,” said Jean-Ian Boutin, senior malware researcher, ESET.
“The cybercriminals first wipe files from compromised systems, and then change the strings and randomise marquees using backdoor versions. For the experts at ESET to discover this new and undocumented backdoor marks a step in the right direction to tackle the growing problem of cyber espionage in today’s digital world,” said Boutin.