Gazer: A Novel Backdoor Targets Ministries Together With Embassies Worldwide

Security researchers at ESET have discovered a new malware campaign targeting consulates, ministries and embassies worldwide to spy on governments and diplomats.

Active since 2016, the malware campaign is leveraging a new backdoor, dubbed Gazer, and is believed to have been carried out by the Turla advanced persistent threat (APT) hacking group, which has previously been linked to Russian intelligence.

Gazer, written in C++, is delivered via spear-phishing emails and hijacks targeted computers in two steps: first, the malware drops the Skipper backdoor, which has previously been linked to Turla, and then it installs the Gazer components.

In previous cyber-espionage campaigns, the Turla hacking group used the Carbon and Kazuar backdoors as its second-stage malware, and both share many similarities with Gazer, according to research [PDF] published by ESET.

Gazer receives encrypted commands from a remote command-and-control server and evades detection by using compromised, legitimate websites (which mostly run the WordPress CMS) as a proxy.
Instead of using the Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server, a common tactic employed by the Turla APT group.

Gazer uses a code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.

The Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network.

So far, ESET researchers have identified four different variants of the Gazer malware in the wild, primarily spying on Southeast European and former Soviet bloc political targets.

Interestingly, earlier versions of Gazer were signed with a valid certificate issued by Comodo for "Solid Loop Ltd," while the latest version is signed with an SSL certificate issued to "Ultimate Computer Support Ltd."
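As an added defender-side example (not code from the article, ESET or Kaspersky), the following PowerShell function uses the built-in `Get-AuthenticodeSignature` cmdlet to enumerate executables under a path and flag any whose signer subject matches the two company names quoted above. The signer names come from the article; the function name, the output fields and the `C:\Users` starting path are assumptions of this example. A match is a triage lead rather than a verdict, because a certificate subject name is not unique; confirm hits against the certificate thumbprint and the sample hash before acting.

```powershell
# Added example: hunt for PE files whose Authenticode signer subject matches the
# signer names the article attributes to Gazer samples. Matching on a subject
# name is a heuristic only; confirm hits by thumbprint and file hash.

# Signer names quoted in the article. Extend this list from your own intelligence.
$SuspectSigners = @(
    'Solid Loop Ltd',
    'Ultimate Computer Support Ltd'
)

function Find-SuspectSignedBinaries {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Signers = $SuspectSigners
    )

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # The Subject string has the form "CN=<name>, O=..., ..." so match on the CN part.
        $hit = $Signers | Where-Object { $subject -like "*CN=$_*" }
        if ($hit) {
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer     = $subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                NotAfter   = $sig.SignerCertificate.NotAfter
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage (starting path is an assumption; point it at user-writable locations first):
Find-SuspectSignedBinaries -Path 'C:\Users' | Format-Table -AutoSize
```

The `Status` column is worth keeping in the output: a binary signed with a certificate that was never valid for code signing, or whose chain no longer validates, will not report `Valid`, and that distinction helps when deciding which hits to escalate.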

According to the researchers, Gazer has already managed to infect a number of targets worldwide, with most victims located in Europe.

Meanwhile, Kaspersky Lab has also published almost identical details about the Gazer backdoor, but they call it the 'WhiteBear' APT campaign.