ESET today released data on the discovery of a new, advanced backdoor used by the notorious group of cybercriminals Turla. ESET researchers are the first to locate this recent backdoor, known as Gazer, which is constantly evolving from 2016, targeting institutions in Europe.
Typical features of the group Turla
Targeting governments in Europe and embassies around the world for many years, the Turla espionage group is known for attacks type "watering hole"And the spearphishing campaigns she uses in her victims.
ESET researchers have reported that Gazer, the backdoor recently discovered, has infected several computers around the world, with much of the attacks targeting Southeast Europe.
"The tactics, techniques and procedures we've encountered here are similar to those we usually see in the Turla action," said Jean-Ian Boutin, Senior Malware Researcher at ESET. "Initially, a first backdoor was installed, that is, the Skipper, possibly using spearphishing techniques, and then the second backdoor appeared in the compromised system, in this case the Gazer."
Detecting one backdoor cuts which uses detection techniques
Like the other tools he uses the team Turla to install second backdoors, such as Carbon and Kazuar, Gazer receives encrypted commands from a C&C server, which can be executed on either an already infected machine or another machine on the network.
Gazer creators also make extensive use of their own custom encryptions, using their own library of 3DES algorithms or RSA. The RSA keys embedded in the backdoor contain the intruder control server public key and a private key.
These keys are unique for each sample and are used to encrypt and decrypt data sent/received from/to the C&C server. In addition, the infamous Turla group appeared to be using a virtual system files στο μητρώο των Windows για να αποφεύγει τα antivirus and continue to attack the system.
"The team Turla does everything to avoid locating in a system, "he says Boutin. "The group initially deletes files from infringing systems and then transforms strings and using various versions backdoor cuts modifies texts in applications in a random fashion.
In this latter case, its creators Gazer changed the text and imported lines of video games such as "Only single player is 許可された". The discovery of this new and uncharted backdoor cuts by her team of researchers ESET marks a significant step in the right direction to address the growing cyber-espionage problem in today's digital world. "
For more technical details about Turla's new backdoor, visit the relevant blogpost or download the entire white paper from WeLiveSecurity.com.