ESET publishes the discovery of a new, advanced backdoor used by the notorious hacking group Turla. ESET researchers, who have dubbed the backdoor Gazer, are the first to document it; it has been actively deployed since 2016 against European institutions.
Typical Turla traits
Turla, an espionage group that has targeted European governments and embassies around the world for many years, is known to run watering-hole and spearphishing campaigns to home in on its victims. ESET researchers have seen Gazer, the newly documented backdoor, deployed on several computers around the world, but mostly in Europe.
Jean-Ian Boutin, Senior Malware Researcher at ESET, said:
“The tactics, techniques and procedures we’ve seen here are in line with what we typically see in Turla’s operations. A first-stage backdoor such as Skipper, likely delivered through spearphishing, followed by the appearance on the compromised system of a second-stage backdoor. In this case, it was Gazer.”
Detecting the undetectable
Much like other second-stage backdoor tools used by Turla, including Carbon and Kazuar, Gazer receives encrypted tasks from a command-and-control server; these tasks can be executed either on the already-infected machine or by another machine on the network.
Gazer’s authors also make extensive use of their own customized cryptography, with their own library implementing 3DES and RSA. The RSA keys embedded in a sample’s resources are the public key of the server controlled by the attacker and a private key.
These keys are unique to each sample and are used to encrypt and decrypt the data sent to and received from the command-and-control server. Furthermore, the notorious Turla group was seen using a virtual file system stored in the Windows registry to evade antivirus defenses and continue operating on the system.
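The two preceding paragraphs describe the key arrangement (a per-sample private key plus the operator’s public key, used with 3DES for the task traffic) without giving a wire format. The following Go program is an added illustration written for this article, not code from Gazer or from ESET, of how such per-sample key material makes a tasking channel work: the operator wraps a random 3DES session key with the sample’s RSA public key, CBC-encrypts the task, and signs everything with the server private key; the implant verifies with its embedded server public key and unwraps with its embedded private key. The message layout, the use of OAEP and PSS, PKCS#7 padding and the task string are all assumptions made for the example; Gazer’s actual format is not described on this page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedTask is the wire format ASSUMED for this example (not Gazer's):
// a 3DES session key wrapped with the sample's RSA public key, the
// CBC-encrypted task body, and an RSA-PSS signature by the operator.
type EncryptedTask struct {
	WrappedKey []byte
	IV         []byte
	Body       []byte
	Signature  []byte
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// signedData covers wrapped key, IV and ciphertext, so none of them can be
// swapped by a third party without invalidating the operator's signature.
func signedData(t *EncryptedTask) []byte {
	h := sha256.New()
	h.Write(t.WrappedKey)
	h.Write(t.IV)
	h.Write(t.Body)
	return h.Sum(nil)
}

// EncryptTask is the operator side: encrypt a task for one specific sample.
func EncryptTask(serverPriv *rsa.PrivateKey, samplePub *rsa.PublicKey, task []byte) (*EncryptedTask, error) {
	key := make([]byte, 24) // 3DES keying option 1: three independent 8-byte keys
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(task, des.BlockSize)
	body := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, samplePub, key, nil)
	if err != nil {
		return nil, err
	}
	t := &EncryptedTask{WrappedKey: wrapped, IV: iv, Body: body}
	sig, err := rsa.SignPSS(rand.Reader, serverPriv, crypto.SHA256, signedData(t), nil)
	if err != nil {
		return nil, err
	}
	t.Signature = sig
	return t, nil
}

// DecryptTask is the implant side: verify the operator's signature with the
// embedded server public key, then unwrap the session key with the embedded
// per-sample private key and decrypt the body. Signature is checked first so
// a tampered or misdirected task is rejected before any decryption happens.
func DecryptTask(samplePriv *rsa.PrivateKey, serverPub *rsa.PublicKey, t *EncryptedTask) ([]byte, error) {
	if err := rsa.VerifyPSS(serverPub, crypto.SHA256, signedData(t), t.Signature, nil); err != nil {
		return nil, fmt.Errorf("task not signed by operator: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, samplePriv, t.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key not wrapped for this sample: %w", err)
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(t.Body)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	plain := make([]byte, len(t.Body))
	cipher.NewCBCDecrypter(block, t.IV).CryptBlocks(plain, t.Body)
	return pkcs7Unpad(plain, des.BlockSize)
}

func main() {
	// Keys are generated here for the demo; a real implant would carry them in its resources.
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	sampleA, _ := rsa.GenerateKey(rand.Reader, 2048)
	sampleB, _ := rsa.GenerateKey(rand.Reader, 2048)
	task := []byte("collect: %USERPROFILE%\\Documents") // constructed task text
	enc, _ := EncryptTask(serverKey, &sampleA.PublicKey, task)
	got, err := DecryptTask(sampleA, &serverKey.PublicKey, enc)
	fmt.Printf("sample A: %q err=%v\n", got, err)
	_, err = DecryptTask(sampleB, &serverKey.PublicKey, enc) // wrong per-sample key
	fmt.Println("sample B:", err)
}
```

The point of the per-sample keys is visible in the second call: a task wrapped for sample A cannot be opened by sample B even though both trust the same operator key, and capturing one sample’s key material does not expose the traffic of the others.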
“Turla go to great lengths to avoid being detected on a system. The group firstly wipes files from compromised systems, and then it changes the strings and randomises marquees using backdoor versions. In this latest case, Gazer authors changed simple marquees and inserted lines from video games such as ‘Only single player is allowed’. For the team of experts at ESET to discover this new and undocumented backdoor marks a step in the right direction to tackle the growing problem of cyber espionage in today’s digital world.”