Dark Reading is part of the Informa Tech Division of Informa PLC

5/26/2020 05:00 PM
Turla Backdoor Adds Gmail Web Interface for Command-and-Control

The latest version of ComRAT is another sign of the threat actor's continued focus on targets in the government, military, and other sectors.

Russia-based advanced persistent threat actor Turla has begun using a new version of one of its oldest malware tools, in another sign of the continued threat the cyberespionage group presents more than 10 years after it first surfaced.

Researchers from ESET recently observed a new version of ComRAT, a backdoor long associated with Turla, carrying a feature that lets the malware receive commands and exfiltrate data through the Gmail Web user interface. At least three organizations have been targeted, according to ESET: two Ministries of Foreign Affairs and the network of a national parliament.

What makes the Gmail command-and-control channel interesting is that the malware makes no HTTP, DNS, or other relatively easy-to-spot requests to a suspicious, attacker-owned domain. From the network's point of view, only traffic to and from mail.google.com can be seen, says Matthieu Faou, malware researcher at ESET.

"So, it is hard to detect and block, especially if some users of the targeted organization are also using Gmail for legitimate purposes," Faou says.

In a technical paper published Tuesday, ESET described the new version of ComRAT as using cookies stored in its configuration to connect to Gmail's Web interface, check the inbox, and download email attachments containing encrypted commands. According to ESET, the latest version is a totally different beast from earlier ones: it is built on an entirely different codebase and is much more complex.
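The network-side detection problem Faou describes above, worked through as an added example (this is not code from ESET, Dark Reading, or the Turla tooling): a heuristic over web-proxy logs that singles out clients whose requests to mail.google.com look like an implant polling a mailbox for commands rather than a person reading email. The log format, the sample lines, and the thresholds are constructed for the illustration, and the assumption that such an implant polls at a near-fixed interval from a client that contacts no other host is mine, not something the article states.

```python
"""Flag beacon-like access to mail.google.com in web-proxy logs.

Added example for this article; not code from ESET, Dark Reading, or Turla.
Assumes a constructed, simplified proxy-log line format:
    <ISO-8601 timestamp> <client IP> <destination host> <User-Agent string>
and assumes (an assumption, not stated in the article) that an implant polling
a mailbox for commands does so at a fairly regular interval from a client that
talks to no other host. Those two traits are what the heuristic looks for.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_HOST = "mail.google.com"

# Constructed sample lines (not real telemetry): 10.1.1.20 browses normally and
# reads Gmail now and then; 10.1.1.77 touches only mail.google.com, every ~30 min.
SAMPLE_LOG = """\
2020-05-26T09:00:00 10.1.1.20 mail.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0
2020-05-26T09:00:07 10.1.1.20 www.example.org Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0
2020-05-26T09:03:12 10.1.1.20 mail.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0
2020-05-26T09:41:50 10.1.1.20 mail.google.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0
2020-05-26T09:00:00 10.1.1.77 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/52.0
2020-05-26T09:30:01 10.1.1.77 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/52.0
2020-05-26T10:00:00 10.1.1.77 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/52.0
2020-05-26T10:29:59 10.1.1.77 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/52.0
2020-05-26T11:00:02 10.1.1.77 mail.google.com Mozilla/5.0 (Windows NT 6.1) Firefox/52.0
"""


def parse_log(text):
    """Yield (timestamp, client_ip, host, user_agent); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, ip, host, ua = parts
        yield datetime.fromisoformat(ts), ip, host, ua


def find_gmail_beacons(text, min_hits=4, max_cv=0.1):
    """Return clients whose mail.google.com requests look like implant polling.

    A client is keyed by (IP, User-Agent). It is reported when it made at least
    `min_hits` requests to C2_HOST and the coefficient of variation (stdev/mean)
    of the gaps between those requests is at most `max_cv`, i.e. near-fixed
    timing. `only_gmail` records whether that IP/UA pair ever contacted any
    other host: a browser normally does, a single-purpose implant normally
    does not, so True strengthens the finding.
    """
    gmail_times = defaultdict(list)   # (ip, ua) -> timestamps of C2_HOST hits
    other_hosts = defaultdict(set)    # (ip, ua) -> every other host contacted
    for ts, ip, host, ua in parse_log(text):
        key = (ip, ua)
        if host == C2_HOST:
            gmail_times[key].append(ts)
        else:
            other_hosts[key].add(host)

    findings = []
    for key, times in gmail_times.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": key[0],
                "user_agent": key[1],
                "hits": len(times),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 4),
                "only_gmail": not other_hosts[key],
            })
    return findings


if __name__ == "__main__":
    for finding in find_gmail_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample data only 10.1.1.77 is reported: five hits, a mean gap of about 1800 seconds, a coefficient of variation near zero, and no other host ever contacted. The caveat a defender should keep in mind is that an open Gmail tab also talks to Google in the background at fairly regular intervals, so timing alone will produce false positives among legitimate Gmail users; the host-diversity flag, and better still endpoint telemetry that attributes the connection to a process (a browser versus something else), are what separate a person from an implant. On the wire alone, Faou's point stands.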

Turla, aka Snake and Waterbug, is a long-known threat group that security researchers have identified as most likely operating out of Russia. Since it first appeared on the threat scene more than a decade ago, Turla has targeted numerous foreign affairs offices, embassies, consulates, military organizations, defense contractors, and political organizations. Though the group has targeted organizations in several regions of the world, many of its recent targets have been based in the Middle East and Eastern Europe.

Turla's typical attack strategy has been to use what ESET describes as basic first-stage malware, and even legitimate tools such as Metasploit, to conduct reconnaissance on a target organization, then switch to more sophisticated tools if the target is deemed interesting. The attackers have typically used spearphishing emails, watering-hole attacks, or man-in-the-middle attacks to deploy the more serious malware.

Once on a network, the group has been known to expand its presence via lateral movement and to exfiltrate data using sophisticated custom-developed tools. The group is also known for establishing hidden user accounts on compromised systems so it can reestablish control if its activity is detected.

"ComRAT is a good example of a complex malware that is deployed once the victim is breached, in order to stay persistent and spy for a long time," Faou notes. Like other backdoors, the malware can execute almost any action on a compromised machine, including reading or writing files and spawning processes.

Hijack and Reuse

Turla has not been above hijacking malware and infrastructure belonging to other threat groups and using them in its own intelligence-gathering campaigns. Last year, security researchers from Symantec and later the United Kingdom's National Cyber Security Centre (NCSC) found that at least two sophisticated malware tools and command-and-control infrastructures Turla had used in recent campaigns actually belonged to the Iranian threat group APT34.

"Turla's toolset is quite more sophisticated than most APT groups' toolset," Faou says. While operationally the group is like other sophisticated APTs, Turla's malware portfolio makes it a formidable threat, he says. "The development and the usage of technically complex pieces of malware is a characteristic of the Turla group."

Organizations in Turla's targeted sectors need to remain cognizant of the continued threat the group presents, Faou says. Turla develops and updates its toolset on a regular basis, so organizations need to monitor for activity and malware associated with the group, he warns.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
