A notorious cyber espionage and hacking operation is using a new tool to spy on embassies and consulates in Europe according to cyber security researchers.
Dubbed Gazer, the malware allows the group to spy on infected Windows systems and makes careful effort to cover its tracks by wiping files securely from compromised systems.
It was uncovered by researchers at security company ESET, who believe the tool has been used since 2016 and is highly likely to be the work of Turla, a well-known advance persistent threat group. Researchers uncovered the snooping campaign when analysing a new malware sample which exhibited similarities with other Turla code analysed in the past.
The group is known to target government and diplomatic bodies – especially in Europe – using a combination of watering hole attacks and spear-phishing campaigns to infiltrate victims.
Gazer shares a number of similarities with previous Turla malware, including being written in C++ and the using the delivery of a first stage backdoor – often installed on another machine on the network – before dropping the final, much stealthier payload.
This second-stage backdoor receives instructions from Turla’s command and control servers which used compromised, legitimate websites as a proxy. The backdoor also takes advantage of virtual file system in the Windows registry to evade antivirus defences.
The exact number of victims compromised by Gazer in this way hasn’t been revealed – nor have the specific targets been disclosed – but researchers say the number of detections is low, perhaps because the attackers usually try to only compromise specific systems.
“The tactics, techniques and procedures we’ve seen here are in-line what we typically see in Turla’s operations,” said Jean-Ian Boutin, Senior Malware Researcher at ESET. “Turla go to great lengths to avoid being detected on a system.”
Those behind Gazer use their own customized cryptography in order to obfuscate the backdoors’ actions and communications with a command and control server. This type of activity points to Turla being a highly advanced group – the operation has previously been linked to the Russian government.
READ MORE ON CYBERCRIME