Turla’s New ComRAT Malware Uses Gmail for Command and Control

Turla, Russia’s notorious espionage group, has once again drawn the attention of the cybersecurity community after researchers from ESET revealed they had discovered a new version of the ComRAT backdoor.

Turla, also known as Snake, is one of Russia's most advanced state-backed hacking groups. It has become notorious for launching a number of attacks against major organizations in the past, including the US Department of Defense in 2008 and the Swiss tech company RUAG in 2014. ComRAT, a type of malware, is one of the earliest known backdoors used by the group and is believed to have been released in 2007.

According to the researchers, new attacks using the new variant of the backdoor took place in January 2020 and targeted three high-profile entities: a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe. The operators were also reported to have used public cloud services such as OneDrive and 4shared to exfiltrate data.

Turla’s New ComRAT Malware

“This new version used a completely new code base and was far more complex than its predecessors,” the researchers noted.

Among its main characteristics are the ability to execute additional programs and to exfiltrate files while evading security software.

“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” said Matthieu Faou, a malware researcher at ESET. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.”

The “most interesting feature” of the new version, the researchers highlighted, is its use of the Gmail web UI to receive commands and exfiltrate data. According to them, this gives the operators the ability to bypass some security controls, as the malware they’re using doesn’t depend on any malicious domain.

“We also noticed that this new version abandoned the use of COM object hijacking for persistence, the method that gave the malware its common name,” they continued.

To date, the real motives behind Turla’s actions remain unclear. However, ESET researcher Faou told ZDNet that the group might be collecting antivirus logs to "allow them to better understand if and which one of their malware samples was detected."