Information security researchers at ESET have discovered new attacks by the Russian-speaking hacker group Turla (aka Waterbug, Snake, WhiteBear, VENOMOUS BEAR and Krypton) against two foreign ministries in Eastern Europe and the parliament of an unnamed country in the Caucasus region. According to the analysts, these attacks took place in January 2020 and used an updated version of the ComRAT malware.
Let me remind you that the first official mention of the Turla hack group dates to 2008 and is associated with a hack of the US Department of Defense. Because of this, it was long believed that the group began its activities around 2007, but several years ago information security experts found Turla traces in attacks 20 years old, so it is now believed that the group has probably been active since the late 1990s.
At different times, Turla has been linked to numerous information security incidents: the hijacking of satellite communication channels to disguise its activity, and attacks on government and strategic industries, including the defense industry, in Europe, the Middle East, Asia and Africa.
The ComRAT malware is also known as Agent.BTZ and is one of Turla's oldest tools. The hackers used this malware back in 2008 to steal data from the Pentagon network.
Over the years ComRAT has been updated several times: new versions were discovered in 2014 and 2017. The latest version of the malware, known as ComRAT 4, appeared in 2017, but an ESET report released this week says the researchers have discovered a new variant of ComRAT 4 with two new features.
The first of these is the malware's ability to collect antivirus logs from an infected host and upload them to one of its control servers. It is not clear why Turla members need this, but ESET analysts believe that the malware operators collect the logs to understand better which malware sample was detected by security solutions. This information can then be used to reconfigure the malware to avoid detection on other systems.
“The fact is that it is usually very difficult to determine which files were stolen by attackers. But for advanced hack groups, it is completely normal to try to understand whether they were detected and whether there are ‘traces’ in the systems after their attacks,” the experts say.
The second new feature is the ability to control ComRAT through a Gmail inbox. In effect, the malware now has not one but two C&C mechanisms. The first is the classic method of communicating with a remote server over HTTP to receive instructions to be executed on infected hosts. The second, new method uses the Gmail web interface.
The experts write that the latest version of ComRAT 4 takes control of one of the victim's browsers, loads a predefined cookie, and then accesses Gmail. In the mailbox the malware reads the most recent messages in the Inbox folder, downloads their attachments, and then reads the instructions contained in those files.
The essence of this method is that whenever the Turla hackers need to issue new commands to ComRAT installations on infected hosts, the attackers simply send an email to a specific Gmail address. All data collected while carrying out the instructions received this way is sent back to the Gmail inbox, from where it is retrieved by the malware operators.
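From a defender's side, the traffic shape described above (a host that reads Gmail through a browser session and then pushes collected data back into the same inbox) is something a web-proxy hunt can surface. The following is an added example written for this article, not code from ESET's report or from the malware; the proxy log format, the field names, the baseline of approved webmail users and the upload-size threshold are all constructed assumptions, and the sample log lines are made up.

```python
"""Hunt over constructed web-proxy log lines for hosts that both fetch Gmail
content and post an unusually large body back to it, outside a baseline of
known webmail users. Added example; formats and thresholds are assumptions."""
from collections import defaultdict
from typing import Iterable, List, NamedTuple

# Hostname of Gmail's web interface (assumption: what a browser session reaches).
GMAIL_HOSTS = {"mail.google.com"}

# Endpoints that are approved, routine webmail users (constructed baseline).
WEBMAIL_BASELINE = {"ws-hr-07"}

# A POST body at or above this size is treated as a possible upload of
# collected data rather than an ordinary form click (assumed threshold, bytes).
UPLOAD_THRESHOLD = 50_000


class ProxyEvent(NamedTuple):
    ts: str
    client: str
    method: str
    host: str
    status: str
    bytes_in: int
    bytes_out: int


def parse_line(line: str) -> ProxyEvent:
    """Parse one constructed proxy line:
    <ts> <client> <method> <host> <status> <bytes_in> <bytes_out>"""
    ts, client, method, host, status, bytes_in, bytes_out = line.split()
    return ProxyEvent(ts, client, method.upper(), host.lower(), status,
                      int(bytes_in), int(bytes_out))


def gmail_c2_candidates(lines: Iterable[str]) -> List[str]:
    """Return clients outside the webmail baseline that both fetched Gmail
    content (GET) and sent at least one large POST to it, sorted by name."""
    gets = defaultdict(int)       # client -> number of GETs to Gmail
    big_posts = defaultdict(int)  # client -> number of large POSTs to Gmail
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # skip blank lines and the constructed header comment
        ev = parse_line(raw)
        if ev.host not in GMAIL_HOSTS or ev.client in WEBMAIL_BASELINE:
            continue
        if ev.method == "GET":
            gets[ev.client] += 1
        elif ev.method == "POST" and ev.bytes_out >= UPLOAD_THRESHOLD:
            big_posts[ev.client] += 1
    return sorted(c for c in big_posts if gets[c] > 0)


# Constructed sample: one approved webmail user, one host that reads the inbox
# and uploads a large body, one host with only small posts, and a server that
# uploads without ever reading (kept out of the result by design).
SAMPLE_PROXY_LOG = """\
# ts client method host status bytes_in bytes_out
2020-01-14T08:01:02 ws-hr-07 GET mail.google.com 200 48211 612
2020-01-14T08:01:09 ws-hr-07 POST mail.google.com 200 1204 73000
2020-01-14T08:02:30 ws-fin-12 GET mail.google.com 200 50123 590
2020-01-14T08:03:44 ws-fin-12 POST mail.google.com 200 980 240000
2020-01-14T08:05:10 ws-fin-15 GET mail.google.com 200 45000 600
2020-01-14T08:05:15 ws-fin-15 POST mail.google.com 200 700 1200
2020-01-14T08:06:00 srv-app-02 POST mail.google.com 200 700 900000
"""

if __name__ == "__main__":
    for client in gmail_c2_candidates(SAMPLE_PROXY_LOG.splitlines()):
        print("review Gmail session on", client)
```

The hunt deliberately requires both halves of the pattern the article describes (reading the inbox and writing back to it) before naming a client, so a one-off upload from a server is left for a separate, noisier query; in a real deployment the baseline would come from a few weeks of historical proxy data rather than a hard-coded set.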
ESET analysts explain that, despite these new features, Turla continues to use ComRAT in the same way as before: the malware usually acts as a second-stage payload on already infected hosts. Typically, ComRAT is used to search for specific files in the file system, steal them and transfer them to a remote server (as a rule, OneDrive or 4shared accounts are used for this).
Let me remind you that a couple of weeks ago Kaspersky Lab experts also published a report on some old Turla tools that recently received interesting updates. For example, the new version of the COMpfun malware received a new communication system with its management server: the malicious C&C protocol now relies on HTTP status codes.