ESET security researchers have discovered a new version of the ComRAT backdoor that is controlled through Gmail's web interface and is used by the Russian-backed hacker group Turla to harvest and steal documents in attacks on government institutions.
The use of Gmail for command-and-control purposes fits the pattern of the Russian-speaking Turla group's other operations (the group is also tracked as Waterbug, Snake or VENOMOUS BEAR), as it is known for using unorthodox methods to achieve its cyber-espionage goals.
In the past, the group has developed backdoor trojans with their own APIs designed to reverse communication flows, used comments on Britney Spears' Instagram photos to control malware, sent PDF email attachments carrying commands to servers infected with its Outlook backdoor, and hijacked the infrastructure and malware of the Iran-backed OilRig group for use in its own campaigns.
Gmail abuse for cyber espionage
The ComRAT remote access trojan (RAT), also known as Agent.BTZ and Chinch, is one of the oldest tools in Turla's arsenal and has been deployed in attacks since at least 2007.
It rose to fame after being used to compromise US military systems in 2008, including, but not limited to, computers used by Central Command to monitor combat zones in Afghanistan and Iraq.
Turla uses Gmail's web user interface as one of the two command-and-control channels for the updated malware, the other being the older HTTP communication channel.
This latest ComRAT release, compiled in November 2019, connects to Gmail to receive commands as encrypted email attachments sent by Turla operators from other email providers.
Since 2017, when the current version of ComRAT was first seen by ESET, Turla has used it in attacks on two foreign ministries and a national parliament.
"ESET has found evidence that this latest version of ComRAT was still in use in early 2020, showing that the Turla group is still very active and an important threat to diplomats and the military."
Exclusive to Turla
While the upgraded backdoor has a completely new code base and looks far more complex than previous versions, it still uses the internal name Chinch, still has the old HTTP C&C protocol enabled, and shares part of its network infrastructure with Turla's Mosquito malware.
ComRAT v4 was delivered to hacked systems using stolen credentials or other Turla backdoors, and it has also dropped other known malware linked to the group, such as the PowerStallion backdoor, the RPC backdoor or a custom PowerShell loader.
Once deployed on a breached device, ComRAT was used by the Russian cyberspies to steal confidential documents, taking advantage of public cloud services such as 4shared and OneDrive to exfiltrate the stolen data.
"In one case, its operators even developed a .NET executable to interact with the victim's central MS SQL Server database containing the organization's documents," ESET found.
They also collected and exfiltrated information about the organization's network infrastructure, Active Directory groups and their Windows policies, and were observed attempting to evade security software.
Turla "often checks security-related logs to find out if its malware has been detected."
Designed to bypass security software
"This shows the complexity of this group and its intention to remain on the same machines for a long time," explained ESET researcher Matthieu Faou.
"Based on other samples of malware found in the same compromises, we believe that ComRAT is used exclusively by Turla," Faou concluded.
Earlier this month, Kaspersky also identified, with what it describes as "medium-to-low confidence", another Turla malware, a RAT variant called COMpfun that uses unusual HTTP status codes and is used in attacks against European diplomatic entities.
COMpfun, like the first versions of ComRAT, can also infect other devices by tracking the removable devices connected to infected computers and spreading to them.