Security researchers from ESET have discovered new attacks carried out by Turla, one of Russia's most advanced state-sponsored hacking groups.
The new attacks took place in January 2020. ESET researchers say they targeted three high-profile entities: a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe. The targets were not identified by name for national security reasons.
These intrusions are the latest entries in a long list of victims, most of them diplomatic and military entities. The list started in the mid-2000s with the Pentagon and has continued over the years with targets in Europe, the Middle East, Asia, and Africa.
The January 2020 attacks, however, stood out due to the deployment of an updated version of the ComRAT malware, which ESET says contained some pretty clever new features.
Turla now steals antivirus logs
The ComRAT malware, also known as Agent.BTZ, is one of Turla's oldest weapons, and the one they used to siphon data from the Pentagon's network in 2008.
The latest version, known as ComRAT v4, was first seen in 2017. However, in a report published today, ESET says it has spotted a variation of ComRAT v4 with two new features: the ability to exfiltrate antivirus logs and the ability to control the malware through a Gmail inbox.
The first of these features is the malware's ability to collect antivirus logs from an infected host and upload them to one of its command and control servers.
The exact motives of a hacker group will always remain unclear, but Matthieu Faou, the ESET researcher who analyzed the malware, told ZDNet that Turla operators might be collecting antivirus logs to "allow them to better understand if and which one of their malware sample was detected."
The belief is that if Turla operators see a detection, they can tweak their malware to avoid future detections on other systems and keep operating there unnoticed.
Faou says that malware that steals logs is common, but it's always hard for incident responders to detect the behavior.
"The thing is that it is generally hard to determine what files were exfiltrated by the attackers," Faou told us. "But for relatively advanced groups, it is not uncommon to try to understand if they are detected or if they leave traces behind them or not."
Turla's ComRAT uses Gmail as a C&C server
But this wasn't the only major change in the latest ComRAT malware version. Faou says that the malware now includes not one, but two command-and-control mechanisms.
The first is the classic method of contacting a remote server via HTTP and retrieving instructions to execute on infected hosts.
The second, and the new one, is the use of Gmail's web interface. Faou says that the latest ComRAT v4 takes over one of the victim's browsers, loads a predefined cookie file, and then initiates a session to the Gmail web dashboard.
Here, the malware reads recent emails in the inbox, downloads their file attachments, and reads the instructions contained in those files.
The idea is that whenever Turla operators want to issue new commands to ComRAT instances running on infected hosts, they merely have to send an email to the Gmail address. All data collected after executing instructions sent this way is returned to the same Gmail inbox, from where Turla operators retrieve it.
ESET says that despite the new features, Turla operators continue to use ComRAT as they did before, which is primarily as a second-stage payload on already infected hosts. Here, ComRAT is used to search the filesystem for specific files, and then exfiltrate the data to a remote point, usually a cloud file sharing account on OneDrive or 4shared.
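Two of the behaviours described above (reading antivirus logs, and reusing a victim browser's cookie store to drive the Gmail session) are visible on the endpoint even though the Gmail traffic itself comes from a legitimate browser. The following detection heuristic is an added example, not code from ESET or from the report; the CSV telemetry schema, file paths, process names and the sample events are all constructed for illustration.

```python
import csv
from io import StringIO
from pathlib import PureWindowsPath

# Constructed endpoint file-access telemetry (hypothetical CSV schema, not ESET data).
SAMPLE_EVENTS = """\
ts,host,process,path,action
2020-01-14T09:01:02,WS01,MsMpEng.exe,C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog.log,write
2020-01-14T09:03:10,WS01,chrome.exe,C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies,read
2020-01-14T09:05:44,WS01,updater.exe,C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog.log,read
2020-01-14T09:06:01,WS01,updater.exe,C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies,read
"""

# Illustrative allow-lists (assumed); a real deployment takes these from the AV and browser inventory.
AV_LOG_DIRS = ("c:\\programdata\\microsoft\\windows defender\\support\\",)
AV_PROCESSES = {"msmpeng.exe"}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
COOKIE_STORE_NAMES = {"cookies", "cookies.sqlite"}


def classify(event):
    """Return a rule name if the event matches one of the two behaviours, else None."""
    proc = event["process"].lower()
    path = event["path"].lower()
    name = PureWindowsPath(path).name
    # Rule 1: antivirus log read by something other than the AV product itself.
    if event["action"] == "read" and proc not in AV_PROCESSES and path.startswith(AV_LOG_DIRS):
        return "av_log_read_by_foreign_process"
    # Rule 2: browser cookie store touched by a non-browser process.
    if proc not in BROWSER_PROCESSES and name in COOKIE_STORE_NAMES:
        return "cookie_store_access_by_non_browser"
    return None


def detect(events_csv):
    """Run both rules over CSV telemetry; return (rule, host, process, path) hits."""
    hits = []
    for event in csv.DictReader(StringIO(events_csv)):
        rule = classify(event)
        if rule:
            hits.append((rule, event["host"], event["process"], event["path"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

On the sample, only the two `updater.exe` events fire; the AV engine writing its own log and the browser reading its own cookie store are left alone.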
Additional details on the new ComRAT malware are available in ESET's report.
Two weeks ago, Kaspersky also published a report on some older Turla malware that received a nifty update. Researchers said they spotted a new version of the COMpfun malware, which Turla operators could control using a novel and never-before-seen system that relied on HTTP status codes.