A notorious espionage and hacking operation is using a new malware tool to spy on embassies and consulates in Europe, according to security researchers. Known as Gazer, the malware allows the group to spy on infected Windows machines, and it covers its tracks by securely wiping files from compromised systems. It was uncovered by researchers at security company ESET, who believe the tool has been in use since 2016 and is highly likely to be the work of Turla, a well-known advanced persistent threat group. The researchers uncovered the snooping campaign while analysing a new malware sample that showed similarities to past Turla code.
The group is known to target government and diplomatic bodies, especially in Europe, using a combination of watering hole attacks and spear-phishing campaigns to infiltrate victims’ systems. Gazer shares a number of similarities with previous Turla malware: it is written in C++, and it is delivered through a first-stage backdoor, often installed on another machine on the network, before the final, much stealthier payload is dropped.
This second-stage backdoor receives instructions from Turla’s command and control servers, which use compromised legitimate websites as proxies. The backdoor also keeps its data in a virtual file system of its own, stored inside the Windows registry, to evade antivirus defenses that scan files on disk. The exact number of victims compromised by Gazer in this way hasn’t been revealed, nor have the targets themselves been disclosed, but researchers say the number of infections is low, perhaps because the attackers usually try to compromise only specific systems. “The tactics, techniques, and procedures we’ve seen here are in line with what we typically see in Turla’s operations,” said Jean-Ian Boutin, senior malware researcher at ESET. “Turla go to great lengths to avoid being detected by a system.”
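A registry-resident virtual file system leaves a footprint a defender can hunt for: registry values that are far larger than ordinary configuration data and, when the stored content is encrypted, have near-maximal byte entropy. The script below is an added example written for this article, not code from ESET or from the Gazer analysis. It parses the text that `reg export` produces and flags large, high-entropy REG_BINARY values. The key path `HKEY_CURRENT_USER\Software\ExampleApp\Cache`, the value names and the size and entropy thresholds are all constructed for the example and are not indicators from any real sample.

```python
"""Offline hunt for registry-resident payload blobs in a Windows .reg export.

A backdoor that keeps a virtual file system or encrypted configuration in the
registry leaves REG_BINARY values that are unusually large and, when the data
is encrypted or compressed, close to the 8 bits/byte entropy ceiling. This
script parses the text produced by `reg export` and flags values meeting both
thresholds. Key paths, value names and thresholds below are constructed for
the example, not taken from any real Gazer sample.
"""
import hashlib
import math
import re
from collections import Counter

REG_BINARY = 3               # type code regedit writes as plain "hex:"
SIZE_THRESHOLD = 1024        # bytes; most legitimate binary values are smaller
ENTROPY_THRESHOLD = 7.0      # bits per byte; 8.0 is the maximum

_KEY_RE = re.compile(r"^\[(.+)\]$")
_HEX_RE = re.compile(r'^"(.+?)"=hex(?:\((\d+)\))?:(.*)$')


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _hex_to_bytes(fragment: str) -> bytes:
    return bytes.fromhex(fragment.replace(",", "").replace(" ", ""))


def parse_reg_export(text: str) -> dict:
    """Parse hex-typed values from .reg text into {(key, name): (type, bytes)}.

    regedit wraps long values over several lines: each continued line ends in
    a backslash and the next starts with two spaces. String and dword values
    are skipped because they cannot hold a large opaque blob.
    """
    values = {}
    key = None
    pending = None  # (name, type_code, [hex fragments]) for a wrapped value
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, code, parts = pending
            parts.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                values[(key, name)] = (code, _hex_to_bytes("".join(parts)))
                pending = None
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _HEX_RE.match(line)
        if not m:
            continue  # header, blank, string or dword line
        name, code, data = m.group(1), int(m.group(2) or REG_BINARY), m.group(3)
        pending = (name, code, [data.rstrip("\\")])
        if not data.endswith("\\"):
            values[(key, name)] = (code, _hex_to_bytes(data))
            pending = None
    return values


def find_suspicious_values(values, size_threshold=SIZE_THRESHOLD,
                           entropy_threshold=ENTROPY_THRESHOLD):
    """Return (key, name, size, entropy) for large, high-entropy REG_BINARY values."""
    hits = []
    for (key, name), (code, data) in values.items():
        if code != REG_BINARY or len(data) < size_threshold:
            continue
        ent = shannon_entropy(data)
        if ent >= entropy_threshold:
            hits.append((key, name, len(data), round(ent, 3)))
    return hits


def _to_reg_hex(data: bytes, prefix: str = "hex", per_line: int = 25) -> str:
    """Format bytes the way regedit does: comma-separated hex, wrapped with a backslash."""
    pairs = [f"{b:02x}" for b in data]
    rows = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return f"{prefix}:" + ",\\\n  ".join(rows)


def build_sample_export() -> str:
    """Constructed .reg export: one blob that looks like encrypted storage,
    two binary values that should not fire, plus values of other types."""
    encrypted_like = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest()
                              for i in range(128))      # 4096 pseudorandom bytes
    structured = bytes(range(16)) * 128                  # 2048 bytes, 4 bits/byte
    small_key = hashlib.sha256(b"seed").digest()         # 32 bytes, below size cut
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\ExampleApp\Cache]",  # hypothetical key
        r'"Path"="C:\\Users\\user\\AppData"',
        '"Flags"=dword:00000001',
        '"Blob0"=' + _to_reg_hex(encrypted_like),
        '"Layout"=' + _to_reg_hex(structured),
        '"Seed"=' + _to_reg_hex(small_key),
        '"Expand"=' + _to_reg_hex("%TEMP%\0".encode("utf-16-le"), prefix="hex(2)"),
        "",
    ])


if __name__ == "__main__":
    export = build_sample_export()
    for key, name, size, ent in find_suspicious_values(parse_reg_export(export)):
        print(f"{key}\\{name}: {size} bytes, entropy {ent} bits/byte")
```

On a live host the input comes from `reg export HKCU\Software out.reg` (the file is UTF-16, so open it with `encoding="utf-16"`), run against HKLM hives as well. The thresholds produce triage leads, not verdicts: browsers, Office and Explorer also park large binary caches in the registry, so each hit still needs to be checked against the owning process and the software inventory.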
Those behind Gazer use their own customised cryptography in order to obfuscate the backdoor’s actions and communication with a command and control server. This type of activity points to Turla being a highly advanced group — the operation has previously been linked to the Russian government.