A cyber-espionage group believed to have been operating out of Russia for the past two decades has deployed a new backdoor trojan on computers at embassies in Southeast Europe, former Soviet states, and some South American countries.
The group, known as Turla, is one of the most prolific, advanced, and feared state-backed actors currently active.
Over the years, security firms have linked the group to several malware families. Most of these families have been used in only a small number of campaigns, and Turla operators usually deploy new tools for each campaign.
In the past, Turla has used malware such as Skipper, Carbon, and Kazuar. The attackers compromise a target and deploy a first-stage backdoor (Skipper), which they later use to install a second-stage backdoor, usually Carbon or Kazuar [1, 2].
During 2016 and 2017, ESET and Kaspersky said they detected new Turla attacks that deployed a different second-stage backdoor together with the classic Skipper. ESET named this backdoor Gazer.
For most of 2016, researchers say they found Gazer installed on compromised computers at various embassies and diplomatic/foreign affairs organizations, but in 2017 Turla operators switched to targeting defense-related organizations.
Kaspersky tracks the attacks involving the Gazer backdoor under the name WhiteBear. Attacks involving the Kazuar and Carbon backdoors are tracked as WhiteAtlas, and are also detailed in a Bitdefender report on the Pacifier APT campaign.
ESET and Kaspersky linked the Gazer (WhiteBear) attacks with the Kazuar/Carbon (WhiteAtlas) campaign because the two shared infrastructure and used similar techniques. ESET's report explains the overlap in depth.
This new tool shows once again that Turla is miles above most other cyber-espionage groups when it comes to sophistication.
While some APTs grab open-source tools off GitHub, Turla operators put time and money into developing new tools that allow them to remain undetected on infected hosts for much longer periods. For example, Gazer attacks have been traced back to February 2016, but it was only recently that researchers were able to link them to Turla operations. As before, experts now expect Turla to create and deploy a new tool to replace Gazer.