ESET today released data on the discovery of a new, advanced backdoor used by the notorious group of cybercriminals Turla. ESET researchers are the first to locate this recent backdoor, known as Gazer, which is constantly evolving from 2016, targeting institutions in Europe.
Typical features of the group Turla
Targeting governments in Europe and embassies around the world for many years, the team espionageς Turla είναι γνωστή για τις attacks type "watering hole"And the spearphishing campaigns she uses in her victims.
ESET researchers have reported that Gazer, the backdoor recently discovered, has infected several computers around the world, with much of the attacks targeting Southeast Europe.
"The tactics, techniques and processes we encountered here are similar to what we typically see in action by the Turla team," said Jean-Ian Boutin, Senior Malware Researcher at ESET. "Initially a first backdoor, namely Skipper, was installed, possibly using spearphishing techniques, and then the second backdoor appeared on the compromised system, in this particular case Gazer.”
Detecting one backdoor cuts which uses detection techniques
Like the other tools he uses the team Turla to install second backdoors, such as Carbon and Kazuar, Gazer receives encrypted commands from a C&C server, which can be executed on either an already infected machine or another machine on the network.
The Gazer creators also make extensive use of their own custom encryption using their own library of 3DES or RSA. The RSA keys embedded in the backdoor contain the intruder control server public key and a private key.
These keys are unique to each sample and are used to encrypt and decrypt data sent / received from / to the C&C server. In addition, the infamous Turla team appeared to be using a virtual file system in the Windows registry to bypass antivirus and continue to attack the system.
"The team Turla does everything to avoid locating in a system, "he says Boutin. "The group initially deletes files from infringing systems and then transforms strings and using various versions backdoor cuts modifies the texts in applications in a random way.
In this latter case, its creators Gazer changed the text and imported lines of video games such as "Only single player is 許可された". The discovery of this new and uncharted backdoor cuts by her team of researchers ESET marks a significant step in the right direction to address the growing cyber-espionage problem in today's digital world. "
For more technical details about Turla's new backdoor, visit the relevant blogpost or download the entire white paper from WeLiveSecurity.com.