
Cyber espionage group Turla back with new stealthy backdoor

September 1, 2017

Posted by: Avadhoot Patil

ESET, the global cybersecurity company, has published its discovery of a new, advanced backdoor used by the notorious Turla hacking group. Dubbed Gazer, the backdoor has been actively deployed since 2016 against European institutions; ESET researchers are the first to document it.

Typical Turla traits

Having targeted European governments and embassies around the world for many years, the Turla espionage group is known to run watering-hole and spear-phishing campaigns to home in on its victims.

ESET researchers have seen Gazer, the newly documented backdoor, deployed on several computers around the world, mostly in Europe.

“The tactics, techniques and procedures we’ve seen here are in line with what we typically see in Turla’s operations,” said Jean-Ian Boutin, senior malware researcher at ESET. “A first-stage backdoor such as Skipper is likely delivered through spearphishing, followed by the appearance on the compromised system of a second-stage backdoor. In this case, it was Gazer.”

Detecting the undetectable

Much like other second-stage backdoor tools used by Turla, including Carbon and Kazuar, Gazer receives encrypted tasks from a command-and-control server; the tasks can be executed either on the already infected machine or by another machine on the network.

Gazer’s authors also make extensive use of their own customised cryptography, using their own library for 3DES and RSA. The RSA keys embedded in the resources contain the public key of the server controlled by the attacker and a private key.


These keys are unique to each sample and are used to encrypt and decrypt the data sent to and received from the command-and-control server. Furthermore, the Turla group was seen using a virtual file system in the Windows registry to evade antivirus defences and keep attacking the system.

“Turla goes to great lengths to avoid being detected on a system,” continued Boutin. “The group first wipes files from compromised systems, and then it changes the strings and randomises marquees using backdoor versions. In this latest case, Gazer authors changed simple marquees and inserted lines from video games such as ‘Only single player is allowed’.”

For the team of experts at ESET to discover this new and undocumented backdoor marks a step in the right direction in tackling the growing problem of cyber espionage in today’s digital world.

For more technical details about Turla’s new backdoor, read the blog post or download the full white paper from WeLiveSecurity.com.
