Turla APT group linked to Gazer backdoor that spies on embassies

A previously undocumented backdoor program used to spy on foreign embassies and consulates appears to be the work of suspected Russian APT group Turla, researchers from ESET have reported.

According to a Wednesday blog post published by the cyber-security company, the spyware, dubbed Gazer, has been targeting organisations primarily in Southeastern Europe and in former Soviet nations.

ESET researchers tied Gazer to Turla, aka Uroburos and Snake, because it shares many commonalities with the hacking group's previous malware operations, including its targets, method of delivery, anti-detection methods, use of compromised websites as infrastructure, and other processes.

Jean-Ian Boutin, senior malware researcher at ESET, told SC Media that this backdoor has been in use for at least a year. "The complexity of tools used by Turla is quite high. We're seeing them really trying to change any type of data or strings (the binaries) so that we lose track of them," said Boutin. "We're observing that they fight back to modify the backdoors, so that it's harder to stop them and harder to find them."

Considered a second-stage backdoor, Gazer is distributed via spear phishing emails that initially infect victims with a first-stage backdoor such as Skipper, which is commonly used by Turla in its campaigns. Skipper, in turn, delivers Gazer as the primary payload.

Gazer itself is very similar to other second-stage backdoors used by Turla, such as Carbon and Kazuar, ESET reports. For instance, they all receive tasks (e.g. file uploads/downloads, configuration updates, command executions) from command-and-control servers that can be executed by the actual infected machine or by a connected machine on the same network. Gazer includes a communication module that specifically spearheads this process.

The C&C servers typically consist of legitimate websites that have been compromised to act as a first-layer proxy. ESET further notes that Gazer, Carbon and Kazuar all have "a similar list of processes that may be employed as a target to inject the module used to communicate with the C&C server embedded in the binary."

A technical report analysing Gazer reveals that researchers uncovered four different versions of the backdoor. The malware is written in C++, achieves persistence in six different ways, and relies heavily on encryption. Additionally, it stores its components and configuration within the Windows Registry, much as Carbon and Kazuar use encrypted containers for such storage.
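One practical consequence of that storage choice for defenders: an encrypted component parked in a registry value looks like a large, near-random binary blob, which is something a hunt can look for across an exported hive. The script below is an added example written for this article, not ESET's tooling or anything from the Gazer report. It parses a standard `.reg` export (the format produced by `reg export`), measures the Shannon entropy of each binary or string value, and flags values that are both large and close to random. The key paths, value names and blob contents in the sample export are constructed placeholders, and the size and entropy thresholds are assumptions to tune per environment; the page gives no registry locations for Gazer and none are implied here.

```python
import math
import re
from collections import Counter

# --- Constructed sample data (placeholders, not indicators from the report) ---
# A 4096-byte blob with a perfectly flat byte distribution, standing in for an
# encrypted component; real ciphertext has entropy close to this.
HIGH_ENTROPY_BLOB = bytes((i * 73 + 17) % 256 for i in range(4096))


def _reg_hex_lines(name, data, width=25):
    """Render a binary value the way reg export does: hex:aa,bb,... with
    backslash continuation lines indented by two spaces."""
    chunks = [",".join(f"{b:02x}" for b in data[i:i + width])
              for i in range(0, len(data), width)]
    first = f'"{name}"=hex:' + chunks[0]
    if len(chunks) == 1:
        return [first]
    return ([first + ",\\"]
            + ["  " + c + ",\\" for c in chunks[1:-1]]
            + ["  " + chunks[-1]])


SAMPLE_REG_EXPORT = "\r\n".join(
    ["Windows Registry Editor Version 5.00",
     "",
     r"[HKEY_CURRENT_USER\Software\ExampleApp\Settings]",
     '"Theme"="dark"',
     '"Notes"="' + "quarterly report draft " * 50 + '"',   # large but low entropy
     "",
     r"[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Cache]"]
    + _reg_hex_lines("blob0", HIGH_ENTROPY_BLOB)               # large and random
    + ['"small"=hex:64,00,00,00', ""]                         # tiny, ignored
)


def _decode_hex(text):
    """Turn 'aa,bb,cc' (commas/spaces tolerated) into bytes."""
    cleaned = text.replace(",", "").replace(" ", "")
    return bytes.fromhex(cleaned) if cleaned else b""


def parse_reg_export(text):
    """Parse a .reg export into a list of (key_path, value_name, raw_bytes).
    Handles "name"="string" and "name"=hex[(N)]:.. with continuation lines;
    other value types (dword etc.) are skipped."""
    values, key, pending = [], None, None   # pending = (name, [hex fragments])
    for line in text.splitlines():
        if pending is not None:             # inside a wrapped hex value
            part = line.strip()
            pending[1].append(part.rstrip("\\"))
            if not part.endswith("\\"):
                values.append((key, pending[0], _decode_hex("".join(pending[1]))))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            values.append((key, name, rhs[1:-1].encode("utf-8")))
        elif rhs.startswith("hex"):
            hexpart = rhs.split(":", 1)[1]
            if hexpart.endswith("\\"):
                pending = (name, [hexpart.rstrip("\\")])
            else:
                values.append((key, name, _decode_hex(hexpart)))
    return values


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_blobs(values, min_size=1024, min_entropy=7.0):
    """Return values that are at least min_size bytes and near-random.
    Thresholds are assumptions; tune them against a baseline of clean hosts."""
    findings = []
    for key, name, data in values:
        if len(data) < min_size:
            continue
        h = shannon_entropy(data)
        if h >= min_entropy:
            findings.append({"key": key, "value": name,
                             "size": len(data), "entropy": round(h, 3)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_blobs(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['key']}\\{f['value']}: {f['size']} bytes, entropy {f['entropy']}")
```

Against a real export the script reads the file instead of `SAMPLE_REG_EXPORT`; expect legitimate hits too (cached thumbnails, compressed settings, licence blobs), so the output is a triage list to compare against a known-good baseline rather than a verdict.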

All three of Gazer's key components communicate with each other via a named pipe, and they keep logs of their actions in a file.

As with prior attacks, the hackers took several key steps to avoid detection, such as wiping files and changing the code strings, in this case modifying them to include sly nods to video game references.