Threat Management, Threat Management, Threat Intelligence, Malware

Turla APT group linked to Gazer backdoor that spies on embassies

A previously undocumented backdoor program used to spy on foreign embassies and consulates appears to be the work of suspected Russian APT group Turla, researchers from ESET have reported.

According to a Wednesday blog post published by the cybersecurity company, the spyware, dubbed Gazer, has been targeting organizations primarily in Southeastern Europe and in former Soviet nations.

ESET researchers tied Gazer to Turla, aka Uroburos and Snake, because it shares many commonalities with the hacking group's previous malware operations, including its targets, method of delivery, anti-detection methods, use of compromised websites as infrastructure, and other processes.

Jean-Ian Boutin, senior malware researcher at ESET, told SC Media that this backdoor has been in used for at least a year . "The complexity of tools used by Turla is quite high. We're seeing them really trying to change any type of data or strings (the binaries) so that we lose track of them," said Boutin. "We're observing that they fight back to modify the backdoors, so that it's harder to stop them and harder to find them."

Considered a second-stage backdoor, Gazer is distributed via spear phishing emails that initially infect victims with a first-stage backdoor such as Skipper, which is commonly used by Turla in its campaigns. Skipper, in turn, delivers Gazer as the primary payload.

Gazer itself is very similar to other second-stage backdoors used by Turla, such as Carbon and Kazuar, ESET reports. For instance, they all receive tasks (e.g. file uploads/downloads, configuration updates, command executions) from command-and-control servers that can be executed by the actual infected machine or by a connected machine on the same network. Gazer includes a communication module that specifically spearheads this process.

The C&C servers typically consist of legitimate websites that have been compromised to act as a first-layer proxy. ESET further notes that Gazer, Carbon and Kazuar all have "a similar list of processes that may be employed as a target to inject the module used to communicate with the C&C server embedded in the binary."

technical report analyzing Gazer reveals that researchers uncovered four different versions of the backdoor. The malware is written in C++ language, achieves persistence six different ways, and relies heavily on encryption. Additionally, it stores its components and configuration within the Windows Registry, much like Carbon and Kazuar uses encrypted containers for such storage.

All three of Gazer's key components communicate with each other via a named pipe, and they keeps logs of their actions in a file.

As with prior attacks, the hackers took several key steps to avoid detection, such as wiping files and changing the code strings, in this case modifying them to include sly nods to video game references.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.