Sneaky malware disguises itself as an Adobe Flash Player installer

Researchers uncover an innocent software update that's really a cover for espionage.
Written by Danny Palmer, Senior Writer


A state-sponsored hacking operation is targeting diplomats, using a new attack that bundles malware with a legitimate software update.

Uncovered by researchers at ESET, the attacks are targeting embassies and consulates in eastern European post-Soviet states and have been attributed to Turla, a well-known advanced persistent threat group.

The hacking operation has a history of targeting government and diplomatic bodies using watering-hole attacks and spear-phishing campaigns, which often involve fake Flash downloads, to infiltrate victims' systems. Researchers note that some private companies have been infected, but that they're not the main targets of the campaign.

Campaigns using this attack technique have been operational since July 2016, but security researchers are still unsure as to how the attackers are bundling their payload alongside a Flash player installer. "The victims are made to believe that the only thing that they are downloading is authentic software... unfortunately, nothing could be further from the truth," ESET said.

Possible attack vectors include a man-in-the-middle attack, a compromise of the target organisation's network gateway, traffic interception at the internet service provider level, or a Border Gateway Protocol (BGP) hijack used to re-route traffic to a server controlled by Turla -- although the latter would quickly set off alarm bells.


What is known is that the Turla group relies on a web app hosted on Google Apps Script as a command-and-control server for JavaScript-based malware. It's something researchers say demonstrates how the attackers are attempting to remain as stealthy as possible by hiding in the network traffic of targeted organisations.

Once a user runs the software, the attackers are able to open backdoors and drop malware onto the compromised machine. One form of malware that the attackers attempt to drop is Mosquito, a backdoor associated with previous Turla campaigns and likely to be custom-built by the hacking outfit.


It's this use of Mosquito -- which shares similarities with other Turla-associated malware -- combined with the fact that some of the command-and-control servers linked to the attack have been used in previous Turla campaigns that has led ESET to say "with confidence" that this campaign is being conducted by the notorious hacking group.

Researchers also add that some of the victims have been infected with other Turla-related malware such as ComRAT or Gazer, suggesting a strong link between the campaigns, all of which show a strong interest in consulates and embassies in Eastern Europe and are noted to have "put a lot of effort into keeping their remote access to these important sources of information".

While ESET doesn't attribute this attack to a particular nation-state, researchers at other security firms have previously linked Turla to the Russian government.
