A cyber-espionage group believed to be operating out of Russia for the past two decades has deployed a new backdoor trojan on computers at embassies in Southeast Europe, former Soviet states, and some South American countries.

This cyber-espionage group is named Turla, one of the most prolific, advanced, and feared state-backed actors currently active.

Over the years, security firms have linked the group to several malware families. Most families have been used in a small number of campaigns, and Turla operators usually deployed new tools for each campaign.

Turla group develops new backdoor

In the past, we've seen Turla use malware such as Skipper, Carbon, and Kazuar. Attackers compromise a target and deploy a first-stage backdoor (Skipper), which they later use to install a second-stage backdoor — usually Carbon or Kazuar [1, 2].

During 2016 and 2017, ESET and Kaspersky said they detected new Turla attacks that deployed a different second-stage backdoor together with the classic Skipper. ESET named this backdoor Gazer.

For most of 2016, researchers say they found Gazer installed on compromised computers at various embassies and diplomatic/foreign affairs organizations, but in 2017, Turla operators switched to targeting defense-related organizations.

Making sense of recent Turla attacks

Kaspersky tracked these attacks with the Gazer backdoor in a report called WhiteBear. Attacks with the Kazuar and Carbon backdoors are tracked as WhiteAtlas, and are also detailed in a Bitdefender report on the Pacifier APT campaign.

ESET and Kaspersky linked the Gazer (WhiteBear) attacks with the Kazuar/Carbon (WhiteAtlas) campaign because both shared infrastructure and used similar techniques. ESET explains in depth below.

Gazer, Carbon and Kazuar can receive encrypted tasks from a C&C server, which can be executed either by the infected machine or by another machine on the network. They all use an encrypted container to store the malware’s components and configuration and they also log their actions in a file.

The list of C&C servers is encrypted and embedded in Gazer’s PE resources. They are all compromised, legitimate websites (that mostly use the WordPress CMS) that act as a first layer proxy. This is also a common tactic for the Turla APT group.

Another interesting linkage is that one of the C&C servers embedded in a Gazer sample was known to be used in a JScript backdoor documented by Kaspersky as KopiLuwak.

Last but not least, these three malware families (Gazer, Carbon and Kazuar) have a similar list of processes that may be employed as a target to inject the module used to communicate with the C&C server embedded in the binary.

This new tool shows once again that Turla is miles above most other cyber-espionage groups when it comes to sophistication.

While some APTs grab open-source tools off GitHub, Turla operators put time and money into developing new tools that allow them to remain undetected on infected hosts for much longer periods of time. For example, Gazer attacks were tracked back to February 2016, but it was only recently that researchers were able to link them to Turla operations. As before, experts now expect Turla to create and deploy a new tool to replace Gazer.