ESET today released data on the discovery of a new, advanced backdoor used by the notorious team of Turla cybercriminals. ESET researchers are the first to identify this recent backdoor, known as Gazer, which has been evolving since 2016, targeting institutions in Europe.
Typical features of the group Turla
Targeting governments in Europe and embassies around the world for many years, the Turla espionage group is known for attacks type "watering hole"And the spearphishing campaigns she uses in her victims.
ESET researchers have reported that Gazer, the backdoor recently discovered, has infected several computers around the world, with much of the attacks targeting Southeast Europe.
"The tactics, techniques and procedures we've encountered here are similar to those we usually see in the Turla action," said Jean-Ian Boutin, Senior Malware Researcher at ESET. "Initially, a first backdoor was installed, that is, the Skipper, possibly using spearphishing techniques, and then the second backdoor appeared in the compromised system, in this case the Gazer."
Detecting one backdoor cuts which uses detection techniques
Like the other tools he uses the team Turla to install second backdoors, such as Carbon and Kazuar, Gazer receives encrypted commands from a C&C server, which can be executed on either an already infected machine or another machine on the network.
The Gazer creators also make extensive use of their own custom encryption using their own library of 3DES or RSA. The RSA keys embedded in the backdoor contain the intruder control server public key and a private key.
These keys are unique for each sample and are used to encrypt and decrypt data sent/received from/to the C&C server. In addition, the infamous Turla group appeared to use a virtual file system in the Windows registry to avoid antivirus and continue to attack the system.
"The team Turla does everything to avoid locating in a system, "he says Boutin. "It simply came to our notice then archives from compromised systems and then transforms the symbolsseries and using various versions backdoor cuts modifies texts in applications in a random fashion.
In this latter case, its creators Gazer changed the text and imported lines of video games such as "Only single player is 許可された". The discovery of this new and uncharted backdoor cuts by her team of researchers ESET marks a significant step in the right direction to address the growing cyber-espionage problem in today's digital world. "
For more technical details about Turla's new backdoor, visit the relevant blogpost or download the entire white paper from WeLiveSecurity.com.