Published On: Fri, Sep 1st, 2017

Russia-Linked APT Group Discovered Spying on Embassies Using a Newly Uncovered Backdoor

Security researchers at Kaspersky Lab and ESET have found evidence of a new, advanced backdoor used by the Russian cyber-espionage group Turla to spy on foreign embassies and consulates worldwide. The spyware has been dubbed Gazer and has primarily targeted consulates in Southeastern Europe and former Soviet Union nations.

The APT (advanced persistent threat) group has been using this spyware since at least 2016. ESET wrote in a blog post that “Gazer makes further efforts to evade detection by changing strings within its code, randomizing markers, and wiping files securely.”


“Turla is one of the most prolific currently active APT groups”

Turla is one of the most feared state-sponsored actors currently active, with sophisticated malware including Skipper, Carbon, and Kazuar, to name a few. The group has been operating for over a decade now. But since last year, Turla has been using a new piece of spyware alongside Skipper.

ESET said it has found Gazer installed on several compromised systems at embassies. However, Turla now seems to have shifted its focus to defense organizations. Gazer is a second-stage backdoor: victims are first infected, via phishing emails, with a first-stage backdoor such as Skipper. Once active, Skipper then delivers Gazer as the primary payload.

Here is what ESET wrote when explaining how it connected the Gazer backdoor to Turla:

Gazer, Carbon and Kazuar can receive encrypted tasks from a C&C server, which can be executed either by the infected machine or by another machine on the network. They all use an encrypted container to store the malware’s components and configuration and they also log their actions in a file.


The list of C&C servers is encrypted and embedded in Gazer’s PE resources. They are all compromised, legitimate websites (that mostly use the WordPress CMS) that act as a first-layer proxy. This is also a common tactic for the Turla APT group.

Another interesting linkage is that one of the C&C servers embedded in a Gazer sample was known to be used in a JScript backdoor documented by Kaspersky as KopiLuwak.

Last but not least, these three malware families (Gazer, Carbon and Kazuar) have a similar list of processes that may be used as a target into which to inject the module used to communicate with the C&C server embedded in the binary.
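The report excerpt above describes the C&C list as encrypted and embedded in Gazer’s PE resources. What follows is an added example of the triage check a responder would run on such a sample; it is not code from this page, from ESET, or from the malware. Given a table of resources already extracted by a PE parser, it flags entries whose byte entropy suggests encryption or compression, trial-decrypts a flagged entry under a candidate key, and accepts the result only if the plaintext passes a plausibility check (printable URL lines). The resource names, the placeholder C&C hostnames, the key, and the SHA-256-counter XOR keystream are all assumptions made for illustration; Gazer’s real resource layout and cipher are not described on this page.

```python
"""Entropy triage of extracted PE resources plus a guarded trial decryption.

Illustrative example only: the resource table, hostnames, key and cipher are
constructed here and do not describe Gazer's actual implementation.
"""
import hashlib
import math
from typing import Dict, List, Optional

# Constructed placeholder C&C list (the .invalid TLD guarantees these are not
# real indicators). It mirrors the kind of data the report says Gazer keeps
# encrypted in its PE resources: compromised WordPress sites used as proxies.
SAMPLE_C2_LIST = (
    b"https://wordpress-blog-one.invalid/wp-content/uploads/p.php\n"
    b"https://wordpress-blog-two.invalid/wp-includes/js/q.php\n"
    b"https://wordpress-blog-three.invalid/wp-admin/r.php\n"
)
ASSUMED_KEY = b"illustrative-key"  # hypothetical; not a key from any real sample


def keystream(key: bytes, length: int) -> bytes:
    """Toy deterministic keystream: SHA-256 over key||counter (illustration only)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the toy keystream; symmetric, so the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for an empty buffer, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_sample_resources() -> Dict[str, bytes]:
    """Constructed resource table, shaped like what a PE parser hands back
    (resource name -> raw bytes). Only RT_RCDATA/101 is an encrypted blob."""
    return {
        "RT_VERSION/1": b"FileVersion\x001.0.0.1\x00ProductName\x00Updater\x00" * 4,
        "RT_STRING/7": b"Ready\x00Busy\x00Error\x00Done\x00" * 8,
        "RT_RCDATA/101": xor_crypt(SAMPLE_C2_LIST, ASSUMED_KEY),
    }


def flag_high_entropy(resources: Dict[str, bytes],
                      threshold: float = 6.0, min_size: int = 64) -> List[str]:
    """Names of resources whose whole-entry entropy suggests encrypted or
    compressed content. Tiny entries are skipped: their entropy is capped by
    their size and would only produce false negatives."""
    return [name for name, data in resources.items()
            if len(data) >= min_size and shannon_entropy(data) >= threshold]


def looks_like_url_list(plain: bytes) -> bool:
    """Plausibility gate for a trial decryption: ASCII, one printable URL per line.
    A wrong key yields pseudo-random bytes, which fail this check."""
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return False
    lines = [ln for ln in text.split("\n") if ln]
    return bool(lines) and all(
        ln.isprintable() and ln.startswith(("http://", "https://")) for ln in lines)


def recover_c2_list(resources: Dict[str, bytes], key: bytes) -> Optional[List[str]]:
    """Trial-decrypt every flagged resource under `key`; return the first result
    that passes the plausibility gate, or None if nothing decrypts sensibly."""
    for name in flag_high_entropy(resources):
        plain = xor_crypt(resources[name], key)
        if looks_like_url_list(plain):
            return [ln for ln in plain.decode("ascii").split("\n") if ln]
    return None


if __name__ == "__main__":
    res = build_sample_resources()
    for name, data in res.items():
        print(f"{name:16s} {len(data):4d} bytes  entropy={shannon_entropy(data):.2f}")
    print("flagged:", flag_high_entropy(res))
    print("recovered:", recover_c2_list(res, ASSUMED_KEY))
    print("wrong key:", recover_c2_list(res, b"wrong-key"))
```

The entropy threshold of 6.0 bits per byte sits well above the string and version resources (which stay under about 4.6) and well below a 168-byte pseudo-random blob (about 6.8), so the gate is discriminating rather than tuned to this one sample. The plausibility check matters as much as the entropy flag: without it, a trial decryption under a wrong key would still return bytes, and an analyst could mistake noise for a configuration.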

The complete 29-page report can be accessed here (PDF) and offers a comprehensive analysis of this backdoor, which the researchers have connected with Turla. Kaspersky, in its own research, added that “Turla continues to be one of the most prolific, longstanding, and advanced APTs we have researched.”
