Researchers at cyber security firm ESET have discovered a new version of Turla's tried-and-tested ComRAT backdoor, which uses the Gmail web interface to quietly steal sensitive information from victims' networks.
Turla is an elite cyber-espionage threat group with suspected links to Russia's FSB intelligence agency. The group, also known as Snake, Venomous Bear, Group 88 and Iron Hunter, has been active since 2008 and is known for launching targeted attacks against foreign government entities, embassies and militaries.
According to researchers, the latest iteration of ComRAT is much more complex than earlier versions. It is built on an entirely different codebase and was compiled in November 2019. It is yet another example of Turla's ability to create malware that can maintain presence on victims' systems for years to extract confidential information.
ComRAT backdoor, also known as Agent.BTZ, is one of Turla's oldest weapons. It came to light in 2008 after hackers used it to breach the Pentagon's network and steal data from it. The first version of ComRAT, which was likely released in 2007, had worm capabilities, spreading through removable drives. Since then, the malware has seen a number of updates, with new versions discovered by researchers in 2014 and 2017.
Since 2017, ComRAT has attacked at least three governmental institutions, one of which is the network of a national parliament, while the other two are Ministries of Foreign Affairs. ESET refrained from revealing the identity of the victims for national security reasons.
In March, ESET researchers said that they had uncovered a new campaign by the Turla group which used watering-hole attacks to target government and civilian websites in Armenia. In this campaign, researchers noticed two previously unseen malware components, NetFlash and PyFlash, which Turla members were delivering to targeted machines.