Newly documented Gazer backdoor identified as the latest tool to be used in espionage campaigns across Europe
ESET, the leading global cybersecurity company, today publishes the discovery of a new, advanced backdoor used by the notorious hacking group Turla. Dubbed Gazer, ESET researchers are first to document this newly identified backdoor, actively deployed since 2016, targeting European institutions.
Typical Turla traits
Targeting European governments and embassies around the world for many years, Turla espionage group is known to run watering hole and spearphishing campaigns to hone in on their victims.
ESET researchers has seen Gazer, the newly documented backdoor, deployed on several computers around the world, but mostly in Europe.
“The tactics, techniques and procedures we’ve seen here are in-line what we typically see in Turla’s operations,” said Jean-Ian Boutin, Senior Malware Researcher at ESET. “A first stage backdoor such as Skipper, likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor. In this case, it was Gazer.”
Detecting the undetectable
Much like other second stage backdoor tools used by Turla, including Carbon and Kazuar, Gazer receives encrypted tasks from a command-and-control server that can be executed either on an already infected machine or by another machine on the network.
Gazer authors also make extensive use of their own customized cryptography, using their own library for 3DES or RSA. The RSA keys embedded in the resources contains the public server’s key controller by the attacker and a private key.
These keys are unique for each sample and are used to encrypt and decrypt the data sent/received to/from the command-and-control server. Furthermore, the notorious Turla group was seen using a virtual file system in the Windows registry to evade antivirus defenses and continue to attack the system.
“Turla go to great lengths to avoid being detected on a system,” continued Boutin. “The group firstly wipe files from compromised systems, and then it changes the strings and randomises marquees using backdoor versions. In this latest case, Gazer authors changed simple marquees and inserted lines from video games such as “Only single player is allowed”. For the team of experts at ESET to discover this new and undocumented backdoormarks a step in the right direction to tackle the growing problem of cyber espionage in today’s digital world.“
To learn more technical details about Turla’s new backdoor, please read our blogpost or download the whole white paper from WeLiveSecurity.com.
About ESET
Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 200 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.