Diplomats being Spied on via Stealthy Backdoor

A newly documented cyber attack comes in the form of a stealthy backdoor, and this time it is aimed at embassies and consulates throughout the former Soviet republics and Southeastern Europe.

Gazer, as it was named by researchers at ESET (an IT security company that offers anti-virus and firewall products), is a backdoor that has been running on victims' systems since at least 2016 without anyone noticing it, largely thanks to its custom encryption.

In fact, four different versions of Gazer have now been documented, some of them signed with valid code-signing certificates.

Gazer and its connection to Turla

ESET researchers have linked Gazer to Turla, a Russian cyber espionage group that has been targeting governments and militaries for years.

The observed tactics, techniques and procedures (TTPs), including the extra effort put into wiping files securely, align closely with those of Turla's earlier malware, hence the logical connection between the two.

Another telltale sign that Gazer is a product of the Turla espionage group lies in Carbon and Kazuar, backdoors similar to Gazer that were used as second-stage malware in Turla's previous campaigns.

Another research team, this time from Kaspersky, has also linked Gazer, which Kaspersky tracks as the WhiteBear APT campaign, to Turla.

Kaspersky researchers describe this espionage campaign as a second stage deployed after Turla's Skipper first-stage backdoor, and note that its hijacking of satellite connections for command and control (C2) infrastructure matches earlier Turla attacks.

With the targets of the Gazer/WhiteBear campaign being the same as in previous Turla attacks, i.e. embassies and their employees, there is little doubt that the Turla espionage group is responsible for Gazer/WhiteBear.

How Gazer works

Written in C++, Gazer reaches a targeted computer in two stages: first, a Skipper backdoor is dropped on the machine; second, Skipper installs the Gazer malicious code.

Gazer lets the attackers send encrypted commands to the compromised machine remotely via command and control (C&C) servers.

To hide its real infrastructure, it routes that traffic through compromised legitimate websites, mostly running the WordPress CMS, which serve as a first-layer proxy in front of the actual C&C servers.

The initial compromise was carried out through spear-phishing emails: targeted, often spoofed messages sent to a specific organization to gain unauthorized access to sensitive information or a foothold that can be used for further attacks.

Among the C&C servers embedded in Gazer's PE resources, ESET researchers found one that is also used by a JScript backdoor previously documented by Kaspersky as KopiLuwak.

The custom encryption is what makes Gazer so difficult to detect: its authors do not use the standard Windows Crypto API but ship their own implementation.

Data is encrypted with 3DES and RSA before being sent to the command and control server, a tactic Turla has used in earlier campaigns, and this has helped Gazer stay under the radar for many months.

The RSA keys embedded in the resources are the attacker's public key, used to encrypt data before it is sent to the command and control server, and a private key, used to decrypt data embedded in the binaries. Both keys are unique to each sample.

Using a code-injection technique, Gazer takes control of a PC while staying hidden, which lets it steal data over a long period of time.

Aside from stealing information, Gazer can forward commands from one compromised endpoint to other PCs on the same network.

The most recent version of Gazer has had its strings altered with video-game related sentences scattered throughout the code.

So far, ESET researchers have identified four different versions of the Gazer malware.

The first two versions were signed with a valid certificate issued by Comodo for Solid Loop Ltd, whereas the newer versions are signed with an SSL certificate issued for Ultimate Computer Support Ltd.
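The traits described above (custom 3DES/RSA code that avoids the Windows Crypto API, RSA key material embedded in the binary, and a code-signing certificate issued to a named company) can all be checked statically. The script below is an added example written for this article, not ESET's or Kaspersky's tooling: it parses the PE Attribute Certificate Table to find the signer name, scans for a DES S-box row and the rsaEncryption OID, and checks whether the usual CryptoAPI import names are present. The crypto signatures are generic heuristics, not Gazer-specific indicators; the signer strings are assumed to match the certificate subject exactly; and the minimal PE it builds for the demo is constructed here, not a real sample.

```python
"""Static triage for Gazer-style traits: custom DES/3DES code, embedded RSA
keys and a watched Authenticode signer. Example code for this article, not
vendor tooling. Signatures are generic heuristics, not Gazer IOCs."""
import struct

# Row 0 of DES S-box S1 (FIPS 46-3). A DES/3DES implementation that stores
# its S-boxes one entry per byte carries this sequence verbatim.
DES_S1_ROW0 = bytes([14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7])
# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), found in
# PKCS#1/X.509 RSA keys, plus the CryptoAPI PUBLICKEYBLOB/PRIVATEKEYBLOB magics.
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")
RSA_BLOB_MAGICS = (b"RSA1", b"RSA2")
# Import names a binary that uses the Windows Crypto API would carry.
CRYPTOAPI_IMPORTS = (b"CryptAcquireContext", b"CryptEncrypt",
                     b"CryptDecrypt", b"CryptImportKey")
# Signer names reported for the Gazer samples (assumed exact subject strings).
WATCHED_SIGNERS = ("Solid Loop Ltd", "Ultimate Computer Support Ltd")


def security_directory(pe):
    """Return the raw Attribute Certificate Table of a PE image, or None.
    Unlike other data directories, its VirtualAddress is a file offset."""
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24                  # optional header start
        opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic == 0x10B:                   # PE32
            dirs_off, count_off = 96, 92
        elif magic == 0x20B:                 # PE32+
            dirs_off, count_off = 112, 108
        else:
            return None
        count = struct.unpack_from("<I", pe, opt + count_off)[0]
        if count <= 4 or dirs_off + 5 * 8 > opt_size:
            return None
        off, size = struct.unpack_from("<II", pe, opt + dirs_off + 4 * 8)
    except struct.error:
        return None
    if off == 0 or size == 0 or off + size > len(pe):
        return None
    return pe[off:off + size]


def signer_names(pe):
    """WATCHED_SIGNERS names that occur inside the PKCS#7 signature blob(s).
    A string hit shows who the certificate was issued to; it does not verify
    the signature (use signtool or Get-AuthenticodeSignature for that)."""
    table = security_directory(pe)
    hits, pos = [], 0
    while table is not None and pos + 8 <= len(table):
        length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8:
            break
        body = table[pos + 8:pos + length]
        if cert_type == 0x0002:              # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            for name in WATCHED_SIGNERS:
                if name.encode() in body or name.encode("utf-16-le") in body:
                    hits.append(name)
        pos += (length + 7) & ~7             # entries are 8-byte aligned
    return hits


def triage(pe):
    """Summarise the crypto and signing traits the article describes."""
    des = DES_S1_ROW0 in pe
    api = any(s in pe for s in CRYPTOAPI_IMPORTS)
    return {
        "des_sbox": des,
        "rsa_key_material": RSA_OID_DER in pe or any(m in pe for m in RSA_BLOB_MAGICS),
        "uses_cryptoapi": api,
        "custom_3des": des and not api,      # own DES tables, no CryptoAPI
        "watched_signers": signer_names(pe),
    }


def build_fake_pe(payload, cert_der=b""):
    """Constructed minimal PE32+ image (no sections) for offline testing;
    cert_der is appended as a WIN_CERTIFICATE entry when given."""
    opt_size = 112 + 16 * 8
    hdr_len = 64 + 4 + 20 + opt_size
    dirs = [(0, 0)] * 16
    cert_table = b""
    if cert_der:
        cert_table = struct.pack("<IHH", 8 + len(cert_der), 0x0200, 0x0002) + cert_der
        dirs[4] = (hdr_len + len(payload), len(cert_table))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + payload + cert_table


if __name__ == "__main__":
    # Constructed sample: DES table and RSA OID in the body, watched signer name
    # inside a stand-in signature blob. No CryptoAPI imports, as with Gazer.
    sample = build_fake_pe(b"\0" * 32 + DES_S1_ROW0 + b"\0" * 8 + RSA_OID_DER,
                           b"\x30\x82" + b"Solid Loop Ltd" + b"\0" * 5)
    print(triage(sample))
```

In practice you would run `triage()` over every PE on a suspect host and treat `custom_3des` plus `rsa_key_material` as a reason to look closer, and any `watched_signers` hit as a reason to verify the signature chain properly; the certificates named in the article have since been revoked, so a verified signature from them today should itself be treated as suspicious.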
 

Future for Gazer and similar attacks

As technology becomes more sophisticated, so do cyber attacks, and Gazer is just one example.

Thanks to its custom encryption, the Gazer backdoor has kept a low profile since 2016, infecting targets around the world, with most victims found in Europe.
What the Gazer campaign shows is that even well-protected diplomatic organizations are targets.

Given the constant stream of attacks and the frequent lack of proper security measures, Gazer and similar sophisticated campaigns are here to stay.