ESET today released details on the discovery of a new, advanced backdoor used by the notorious Turla cyberespionage group. ESET researchers are the first to identify this recent backdoor, known as Gazer, which has been evolving since 2016 and targets institutions in Europe.
Typical features of the Turla group
Having targeted European governments and embassies around the world for many years, the Turla espionage group is known for its watering-hole attacks and the spearphishing campaigns it uses against its victims.
ESET researchers have found that Gazer, the recently discovered backdoor, has infected several computers worldwide, with a large portion of the attacks targeting south-eastern Europe.
"The tactics, techniques and procedures we encountered here are similar to what we usually see in action by the Turla team," said Jean-Ian Boutin, Senior Malware Researcher at ESET. "Initially a first backdoor, namely Skipper, was installed, possibly using spearphishing techniques, and then the second backdoor appeared on the compromised system, in this case Gazer."
Discovery of a backdoor that uses detection-evasion techniques
Like the other tools the Turla group uses to install second-stage backdoors, such as Carbon and Kazuar, Gazer receives encrypted commands from a C&C server; these commands can be executed either on the already infected machine or on another machine on the network.
Gazer's creators also make extensive use of custom encryption, relying on their own implementation of 3DES and RSA. The RSA keys embedded in the backdoor contain the public key of the attackers' control server and a private key.
These keys are unique to each sample and are used to encrypt and decrypt the data sent to and received from the C&C server. In addition, the infamous Turla group appears to be using a virtual file system inside the Windows registry to evade antivirus software and remain active on the compromised system.
"The Turla group does everything it can to avoid being detected in a system," says Boutin. "It removes its files from the compromised systems, changes the strings and, across different versions of the backdoor, modifies text in the application in a random fashion.
In this latest version, Gazer's creators changed the text and inserted lines from video games, such as 'Only single player is allowed'. The discovery of this new and previously undocumented backdoor by ESET's team of researchers marks a significant step in the right direction in addressing the growing cyber-espionage problem in today's digital world."
For more technical details about Turla's new backdoor, read the related blog post or download the full white paper from WeLiveSecurity.com.