Turla’s ComRAT v4 uses Gmail web UI to receive commands, steal data

Researchers have uncovered a version of the ComRat backdoor, one of the Turla Group’s oldest malware families, that distinguishes itself by using Gmail’s web UI to receive commands and nick data.

The new version of ComRAT, known for stealing sensitive documents and targeting various government entities and military organizations, was in use as late as early 2020.

“Thanks to its use of the Gmail web interface, [ComRAT v4] is able to bypass some security controls because it doesn’t rely on any malicious domain,” said ESET researcher Matthieu Faou, who detailed his findings in a white paper. “This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.”

Faou noted that Turla operators are focused on evading detection and “regularly exfiltrate security-related log files” to divine whether malware samples had been detected. The first ComRAT v4 sample was likely first compiled in April 2017 with the most recent iteration apparently compiled in November 2019. The original ComRAT debuted in 2007, and by 2008 it was notably used to breach the Department of Defense's U.S. Central Command.

Faou wrote that the latest ComRAT version uses compromised credentials or another existing foothold like Turla backdoor, noting that ESET researchers observed the backdoor being installed by PowerStallion.  

The ComRAT installer, a PowerShell script, “creates a Windows scheduled task and fills  a registry value with the encrypted payload,” Faou wrote.

When a user logs in, the PowerShell loader executes, with the orchestrator embedding ”an encrypted communication module that will be injected into the default web browser” and  interacting  “with the ComRAT communication module through a named pipe,” he explained.  Because the malware’s network communications is initiated in the browser process, it “is stealthier than if it was done directly by the orchestrator.”

Two C&C channels – one HTTP and the other email that uses Gmail’s web interface. Operators can send commands using either channel. “The backdoor will receive the command ID and the arguments, if any,” wrote Faou, who said the commands aren’t “surprising and allow control of almost everything on the machine: manage files, execute additional processes or gather logs.”

ComRAT developers, the researchers believe, are experienced and put considerable time into designing the malware architecture and used a number of design patterns. “There is a lot of duplicated code in the compiled binary because each templated class or function will have a different implementation for each type it is used with,” Faou explained.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.