Researchers at ESET and at Kaspersky Lab's Global Research and Analysis Team have uncovered a new backdoor allegedly used by the infamous Turla group. The backdoor has been used to spy on consulates, ministries and embassies worldwide, and through them on governments and diplomats. The campaign has reportedly been active since 2016, and embassies and consulates of former Eastern Bloc countries appear to have been its main targets. ESET researchers have named the backdoor Gazer, while Kaspersky Lab's Global Research and Analysis Team call it Whitebear. Despite the differing names, both organisations attribute it to the Turla group, long-standing practitioners of cyber espionage who have been active since the internet was in its infancy and are alleged to be backed by Russian intelligence services.
Gazer is a second stage backdoor
Gazer is written in C++ and is delivered by a targeted spear-phishing email campaign. It is deployed in two stages. In the first stage, a first-stage backdoor known as Skipper is dropped onto the victim's system; the use of Skipper has been a hallmark of previous attacks attributed to Turla. Only once Skipper is running on the victim's system are the Gazer components installed. In previous Turla campaigns, backdoors such as Carbon and Kazuar served as the second-stage malware. Gazer appears to be new, authored by experienced developers, and built for exactly the kind of long-term espionage the Turla group specialises in.
Gazer is especially advanced in the way it evades detection. Rather than contacting its command-and-control (C&C) infrastructure directly, it uses compromised legitimate websites, often running the WordPress CMS, as proxies. Interestingly, older versions of Gazer were signed with a valid code-signing certificate issued by Comodo, while later versions were signed with an SSL certificate; the two certificates were issued to different companies. ESET has identified four variants of Gazer in use. Gazer receives encrypted commands from the C&C server, and rather than relying on the generic Windows CryptoAPI it carries its own custom 3DES and RSA implementations to encrypt the data it exchanges with the C&C server. The key material embedded in its resources is laid out much like OpenSSL's, but the cryptographic operations are performed by the custom routines. The use of bespoke crypto libraries is itself regarded as a hallmark of how Turla operates.
Once Gazer is installed on the victim's system it uses code-injection techniques to further evade detection and to remain hidden for long periods. These evasion techniques are fundamental to the success of the campaign: the longer Gazer remains undetected, the more information it can steal. The Gazer backdoor can also communicate with, and forward commands to, other infected systems on the same network, so a single externally reachable host can relay C&C traffic to machines that never talk to the internet themselves.
While attributing the attack to Turla with a hundred percent certainty is near impossible, researchers at ESET have listed the following similarities between this campaign and previous campaigns attributed to Turla:
- Targeted organizations are embassies and ministries
- Spearphishing delivers a first-stage backdoor such as Skipper
- A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place
- The second-stage backdoor receives encrypted instructions from the gang via C&C servers, using compromised, legitimate websites as a proxy
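The last bullet is the part of the chain a network defender can actually see: a host on the inside calling back, on a schedule, to a benign-looking website that has been turned into a relay. The page publishes no indicators for Gazer, so the example below (added here; it is my own code, not ESET's or Kaspersky's, and the log lines are constructed, not captured) demonstrates the generic check instead: parse proxy log lines, group requests by (client, destination host), and flag pairs whose inter-request intervals are almost constant. Regular human browsing to the same site produces irregular gaps; an implant polling a proxy does not. The log format, the hostnames, the thresholds and the helper names are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log (not real Gazer traffic; the page gives no IoCs).
# Assumed format per line: "<unix_ts> <client_ip> <method> <url> <status>".
# 10.0.0.5 posts to the same path on a WordPress-looking blog every ~600 s with
# a few seconds of jitter (beacon-like); 10.0.0.9 is ordinary, irregular browsing.
SAMPLE_LOG = """\
1503300000 10.0.0.5 POST http://news-blog.example/wp-content/uploads/2017/08/x.php 200
1503300007 10.0.0.9 GET http://news-blog.example/2017/08/some-article/ 200
1503300040 10.0.0.9 GET http://news-blog.example/2017/08/another-article/ 200
1503300602 10.0.0.5 POST http://news-blog.example/wp-content/uploads/2017/08/x.php 200
1503300731 10.0.0.9 GET http://cdn.example/lib.js 200
1503301199 10.0.0.5 POST http://news-blog.example/wp-content/uploads/2017/08/x.php 200
1503301350 10.0.0.9 GET http://news-blog.example/about/ 200
1503301803 10.0.0.5 POST http://news-blog.example/wp-content/uploads/2017/08/x.php 200
1503302020 10.0.0.5 GET http://cdn.example/lib.js 200
1503302398 10.0.0.5 POST http://news-blog.example/wp-content/uploads/2017/08/x.php 200
1503302560 10.0.0.9 GET http://news-blog.example/2017/08/some-article/ 200
1503303001 10.0.0.5 POST http://news-blog.example/wp-content/uploads/2017/08/x.php 200
1503303110 10.0.0.9 GET http://cdn.example/lib.js 200
1503303500 10.0.0.9 GET http://news-blog.example/contact/ 200
1503303599 10.0.0.5 POST http://news-blog.example/wp-content/uploads/2017/08/x.php 200
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (timestamp, client_ip, host, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        events.append((int(ts), client, parts.hostname or "", parts.path))
    return events


def beacon_candidates(events, min_requests: int = 5, max_cv: float = 0.1) -> List[Dict]:
    """Flag (client, host) pairs whose request timing looks machine-scheduled.

    For each pair with at least min_requests hits, compute the gaps between
    consecutive requests and their coefficient of variation (stdev / mean).
    A CV at or below max_cv means the gaps are nearly constant: a polling
    implant rather than a person. distinct_paths is reported as context; a
    beacon usually hits one script on the relay site every time.
    """
    by_pair: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
    for ts, client, host, path in events:
        by_pair[(client, host)].append((ts, path))

    findings = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        times = [t for t, _ in hits]
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(hits),
                "mean_interval": mean,
                "cv": cv,
                "distinct_paths": len({p for _, p in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"every ~{f['mean_interval']:.0f}s (cv={f['cv']:.3f}), "
              f"{f['distinct_paths']} distinct path(s)")
```

On the constructed log only the 10.0.0.5 to news-blog.example pair is flagged; 10.0.0.9 visits the same site five times but with gaps ranging from half a minute to twenty minutes, so its CV is far above the threshold. The thresholds are starting points, not tuned values: real implants add jitter, and a low-and-slow beacon needs a longer observation window before it accumulates min_requests hits. Treat a hit as a lead to pivot on (is the destination a small WordPress site the organisation has no business with, is the path a single PHP file under an uploads directory, does the client send POSTs with no referer), not as a verdict.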
Links between Moonlight Maze and Turla
Back in 1996, when the internet as we know it was only a couple of years old, two groups went on to demonstrate the dangers that hacking posed to its targets and the benefits it offered to intelligence agencies. Those two groups were Moonlight Maze and the Equation Group. Over the years, information about the operations of the Equation Group gradually filtered out; Moonlight Maze, however, remained an enigma.
After successful intrusions into the Pentagon, NASA, the US Navy and the Department of Energy, the group seemed to vanish from the cyber map at the turn of the century. Despite, or perhaps because of, this sudden disappearance, the group achieved near-mythical status. It also holds the distinction of being considered the first Advanced Persistent Threat (APT), and its modes of attack laid the foundation for the activities of many later state actors and cyber criminals.
It was alleged that Moonlight Maze stole so much data that, if printed, the stack would have been taller than the Washington Monument. The data stolen by Moonlight Maze was classified by the US Government and the case was effectively closed in 2008, as no headway could be made in determining with any degree of certainty who was behind the group.
However, in 2016 researchers at Kaspersky Lab, working in conjunction with King's College London, located an old Linux machine that had been compromised by Moonlight Maze. Called HRTest, the Linux server had been used as a relay point in the vast network controlled by the group. The machine had been turned into a honeypot in conjunction with UK authorities and used to record all the traffic that passed through it.
What the researchers found was that Moonlight Maze had not disappeared as originally believed; rather, the group kept evolving and changing tactics, moving from Linux backdoors to malware that targeted Windows systems. Based on all the information available to Kaspersky, the researchers concluded that Moonlight Maze eventually evolved into what we now know as Turla, the group behind some of today's most advanced attacks. Perhaps their most famous technique was hijacking satellite internet links for command and control, which let them run implants against targets in remote locations while hiding the true location of their servers.
While the evidence presented cannot attribute the evolution of Moonlight Maze into Turla with certainty, it supports a reasonably sound inference.
Ever present dangers posed by APTs
The targets infected by Gazer, embassies and the like, suggest a campaign conducted purely for cyber espionage. That might lead some to believe that the threat posed to the average individual or business is negligible. This is not the case: the tools and techniques pioneered by APTs are the ones that go on to influence, and be reused by, ordinary cyber criminals. It was the WannaCry and NotPetya attacks earlier this year, which leveraged exploits allegedly developed by the NSA, that wreaked havoc across the networks of ordinary businesses.