Stealthy malware targets embassies in snooping campaign

The Turla hacking group is using the new Gazer backdoor to conduct espionage, according to researchers at ESET.
Written by Danny Palmer, Senior Writer

The Turla hacking group is targeting undisclosed embassies with a new backdoor.


A notorious espionage and hacking operation is using a new malware tool to spy on embassies and consulates in Europe, according to security researchers.

Known as Gazer, the malware allows the group to spy on infected Windows machines.

It makes efforts to cover its tracks by wiping files securely from compromised systems.

It was uncovered by researchers at security company ESET, who believe the tool has been used since 2016 and is highly likely to be the work of Turla, a well-known advanced persistent threat group. The researchers uncovered the snooping campaign when analysing a new malware sample that exhibited similarities to past Turla code.

The group is known to target government and diplomatic bodies, especially in Europe, using a combination of watering hole attacks and spear-phishing campaigns to infiltrate victims' systems.

Gazer shares a number of similarities with previous Turla malware, including being written in C++ and the use of a first-stage backdoor -- often installed on another machine on the network -- before dropping a final, much stealthier, payload.

This second-stage backdoor receives instructions from Turla's command and control servers, which use compromised, legitimate websites as a proxy. The backdoor also takes advantage of a virtual file system stored in the Windows registry to evade antivirus defences.
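A payload kept inside registry values rather than on disk sits below the file-based scanning most antivirus products rely on, which is why defenders who hunt for this class of tradecraft look at the registry itself. The following is an added example, not code from the article or from ESET's research: a small Python parser for a regedit `.reg` export that reports every value's size and flags unusually large binary values, a coarse hunting heuristic. The sample export, the key paths, the value names and the 1024-byte threshold are all constructed assumptions for the demonstration and are not Gazer indicators.

```python
import re
from typing import List, Tuple

# Regedit export conventions: a key on its own line in square brackets, values as
# "name"=data (or @=data for the default value), and binary data as hex:aa,bb,...
# split over continuation lines that end in a backslash.
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
_HEX_RE = re.compile(r'^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<body>.*)$')
_HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}


def _reg_hex(data: bytes) -> str:
    """Format bytes the way regedit exports them (hex:aa,bb,\ plus indented continuation lines)."""
    pairs = [f"{b:02x}" for b in data]
    chunks = [",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return "hex:" + ",\\\n  ".join(chunks)


# Constructed sample export (hypothetical key paths, not a real artifact): one small
# binary value and one 4096-byte blob spread over continuation lines.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]\n"
    '"Theme"="dark"\n'
    '"InstallDate"=dword:5a1b2c3d\n'
    '"Icon"=' + _reg_hex(bytes(range(16))) + "\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp\\Cache]\n"
    '"Blob0"=' + _reg_hex(bytes(4096)) + "\n"
)


def parse_reg_export(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (key_path, value_name, value_kind, size_in_bytes) for every value in a .reg export.

    Sizes are exact for hex-encoded data and REG_DWORD; for quoted REG_SZ values the
    character count is reported, which is close enough for a size heuristic.
    """
    results: List[Tuple[str, str, str, int]] = []
    current_key = ""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current_key = stripped[1:-1]
            continue
        m = _VALUE_RE.match(stripped)
        if not m:
            continue
        name = m.group("name") if m.group("name") is not None else "(Default)"
        data = m.group("data")
        # Reassemble a hex value that regedit wrapped across several lines.
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith('"'):
            results.append((current_key, name, "REG_SZ", len(data) - 2))
        elif data.startswith("dword:"):
            results.append((current_key, name, "REG_DWORD", 4))
        else:
            h = _HEX_RE.match(data)
            if h:
                kind = _HEX_TYPES.get(h.group("type"), f"REG_TYPE_0x{h.group('type')}")
                size = len([p for p in h.group("body").split(",") if p.strip()])
                results.append((current_key, name, kind, size))
    return results


def find_oversized_values(text: str, threshold: int = 1024) -> List[Tuple[str, str, int]]:
    """Flag binary-style values at or above the threshold; large blobs under user hives merit a look."""
    return [(key, name, size) for key, name, kind, size in parse_reg_export(text)
            if kind not in ("REG_SZ", "REG_DWORD") and size >= threshold]


if __name__ == "__main__":
    for key, name, size in find_oversized_values(SAMPLE_EXPORT):
        print(f"{size:>7} bytes  {key}\\{name}")
```

On a live host the input would come from `reg export` of the hives of interest; the threshold is a tuning knob, since legitimate software also stores sizeable binary settings, so hits are leads for triage rather than verdicts.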

The exact number of victims compromised by Gazer in this way hasn't been revealed -- nor have the targets themselves been disclosed -- but researchers say the number of infections is low, perhaps because the attackers usually try to only compromise specific systems.

"The tactics, techniques, and procedures we've seen here are in line with what we typically see in Turla's operations," said Jean-Ian Boutin, senior malware researcher at ESET. "Turla go to great lengths to avoid being detected on a system."

Those behind Gazer use their own customised cryptography in order to obfuscate the backdoor's actions and communication with a command and control server. This type of activity points to Turla being a highly advanced group -- the operation has previously been linked to the Russian government.
