Skip to content

Cyber-espionage group Turla (a.k.a. Snake) now uses Gmail web interface for command and control, ESET discovers

Bratislava, Montreal – ESET researchers have uncovered a new version of one of the oldest malware families run by the Turla group, the ComRAT backdoor. Turla, also known as Snake, is an infamous cyber-espionage group that has been active for more than ten years. The most interesting feature of the updated backdoor is its use of the Gmail web UI to receive commands and exfiltrate data. ComRAT steals sensitive documents, and since 2017 it has attacked at least three governmental institutions. ESET has found indications that this latest version of ComRAT was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.

The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. The malware operators used public cloud services such as OneDrive and 4shared to exfiltrate data. Turla’s latest backdoor can perform many other actions on compromised computers, such as executing additional programs and exfiltrating files.

The fact that the attackers try to evade security software is concerning. “This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explains Matthieu Faou, who has investigated the infamous group for several years. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain,” says Faou.

The backdoor upgrade was first discovered by ESET in 2017. It uses a completely new code base and is far more complex than its predecessors. The most recent iteration of the backdoor that ESET researchers have seen was compiled in November of last year.“

Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” says Faou.

ComRAT, also known as Agent.BTZ, is a malicious backdoor that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives.

For more technical details of ComRAT and a full and comprehensive list of Indicators of Compromise (IoCs), please read the full ESET white paper From Agent.BTZ to ComRAT v4: a ten year journey on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Bratislava, Montreal – ESET researchers have uncovered a new version of one of the oldest malware families run by the Turla group, the ComRAT backdoor. Turla, also known as Snake, is an infamous cyber-espionage group that has been active for more than ten years. The most interesting feature of the updated backdoor is its use of the Gmail web UI to receive commands and exfiltrate data. ComRAT steals sensitive documents, and since 2017 it has attacked at least three governmental institutions. ESET has found indications that this latest version of ComRAT was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.

The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. The malware operators used public cloud services such as OneDrive and 4shared to exfiltrate data. Turla’s latest backdoor can perform many other actions on compromised computers, such as executing additional programs and exfiltrating files.

The fact that the attackers try to evade security software is concerning. “This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explains Matthieu Faou, who has investigated the infamous group for several years. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain,” says Faou.

The backdoor upgrade was first discovered by ESET in 2017. It uses a completely new code base and is far more complex than its predecessors. The most recent iteration of the backdoor that ESET researchers have seen was compiled in November of last year.“

Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” says Faou.

ComRAT, also known as Agent.BTZ, is a malicious backdoor that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives.

For more technical details of ComRAT and a full and comprehensive list of Indicators of Compromise (IoCs), please read the full ESET white paper From Agent.BTZ to ComRAT v4: a ten year journey on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET NOD32 產品註冊伺服器將於2020-06-02進行定期維護

為了提供更穩定的服務,ESET NOD32 產品註冊伺服器 (https://www.eset.hk/download/register/) 將於2020-06-02進行定期維護。

不便之處,敬請原諒。

技術支援熱線: (852) 2893 8186
或電郵至: support@eset.hk

About Version 2

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

關於ESET
ESET成立於1992年,是一家面向企業與個人用戶的全球性的電腦安全軟件提供商,其獲獎產品 — NOD32防病毒軟件系統,能夠針對各種已知或未知病毒、間諜軟件 (spyware)、rootkits和其他惡意軟件為電腦系統提供實時保護。ESET NOD32佔用 系統資源最少,偵測速度最快,可以提供最有效的保護,並且比其他任何防病毒產品獲得了更多的Virus Bulletin 100獎項。ESET連續五年被評為“德勤高科技快速成長500 強”(Deloitte’s Technology Fast 500)公司,擁有廣泛的合作夥伴網絡,包括佳能、戴爾、微軟等國際知名公司,在布拉迪斯拉發(斯洛伐克)、布裏斯托爾(英國 )、布宜諾斯艾利斯(阿根廷)、布拉格(捷克)、聖地亞哥(美國)等地均設有辦事處,代理機構覆蓋全球超過100個國家。

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×