Russia-Linked APT Group Discovered Spying on Embassies Using a Newly Uncovered Backdoor

Aug 31, 2017

Security researchers at Kaspersky Lab and ESET have revealed details of a new advanced backdoor used by the Russian cyber espionage group Turla to spy on foreign embassies and consulates worldwide. The spyware has been dubbed Gazer and has predominantly targeted consulates in Southeastern Europe and former Soviet Union nations.

The APT (advanced persistent threat) group has been using this spyware since at least 2016. ESET wrote in a blog post that “Gazer makes extra efforts to evade detection by changing strings within its code, randomizing markers, and wiping files securely.”


“Turla is one of the most prolific currently active APT groups”

Turla is one of the most feared state-sponsored actors currently active, with sophisticated malware including Skipper, Carbon, and Kazuar to its name. The group has been operating for over a decade. Since last year, however, Turla has been using a new spyware together with Skipper.

ESET said it has found Gazer installed on various compromised embassy systems. However, Turla now seems to have shifted its focus to defense organizations. Gazer is a second-stage backdoor: phishing emails first infect victims with a first-stage backdoor such as Skipper, which, once active, delivers Gazer as the primary payload.

Here is what ESET wrote about how it connected the Gazer backdoor to Turla:

Gazer, Carbon and Kazuar can receive encrypted tasks from a C&C server, which can be executed either by the infected machine or by another machine on the network. They all use an encrypted container to store the malware’s components and configuration and they also log their actions in a file.


The list of C&C servers is encrypted and embedded in Gazer’s PE resources. They are all compromised, legitimate websites (that mostly use the WordPress CMS) that act as a first layer proxy. This is also a common tactic for the Turla APT group.

Another interesting linkage is that one of the C&C servers embedded in a Gazer sample was known to be used in a JScript backdoor documented by Kaspersky as Kopiluwak.

Last but not least, these three malware families (Gazer, Carbon and Kazuar) have a similar list of processes that may be employed as a target to inject the module used to communicate with the C&C server embedded in the binary.

The complete 29-page report (PDF), which offers a comprehensive analysis of the backdoor that the researchers have connected with Turla, can be accessed here. Kaspersky added in its own research that “Turla continues to be one of the most prolific, longstanding, and advanced APT we have researched.”
