Latest version of Turla's ComRAT backdoor uses Gmail web UI to receive orders from hackers
It is built on an entirely different codebase and was compiled in November 2019
Researchers at cyber security firm ESET have discovered a new version of Turla's tried-and-tested ComRAT backdoor, which uses which Gmail web interface to quietly steal sensitive information from victim's networks.
Turla is an elite cyber-espionage threat group with suspected links to Russia's FSB intelligence agency. The group, also known as Snake, Venomous Bear, Group 88 and Iron Hunter, has been active since 2008 and is known for launching targeted attacks against foreign government entities, embassies and militaries.
ESET researchers say they recently discovered a new version of ComRAT backdoor, which uses Gmail web interface to receive commands and exfiltrate data. This backdoor uses cookies stored in its configuration to connect to Gmail's Web interface. After a connection is established, it checks the mail inbox and downloads email attachment containing commands in encrypted form.
According to researchers, the latest iteration of ComRAT is much more complex than earlier versions. It is built on an entirely different codebase and was compiled in November 2019. It is yet another example of Turla's ability to create malware that can maintain presence on victims' systems for years to extract confidential information.
ComRAT backdoor, also known as Agent.BTZ, is one of Turla's oldest weapons. It came to light in 2008 after hackers used it to breach Pentagon's network and steal data from it. The first version of ComRAT, which was likely released in 2007, showed worm capabilities by spreading through removable drives. Since then, the malware has seen a number of updates, with new versions discovered by researchers in 2014 and 2017.
Since 2017, ComRAT has attacked at least three governmental institutions, one of which is the network of a national parliament, while other two are Ministries of Foreign Affairs. ESET refrained from revealing the identity of the victims due to national security reasons.
Last year, researchers at Kaspersky also warned that Turla had revamped its arsenal by wrapping its JavaScript KopiLuwak malware in a new dropper called Topinambour to create two similar versions in different languages. The malware is comprised of a Microsoft .NET file that distributes KopiLuwak through infected installation packages for VPNs and other forms of software.
In March, ESET researchers said that they had uncovered a new campaign by Turla group which used watering-hole attacks to target government and civilian websites in Armenia. In this campaign, researchers noticed two previously unseen malware elements, NetFlash and PyFlash, which were being delivered by Turla members on targeted machines.
More on Threats and Risks
US officials arrest another member of Fin7 hacking group
The Ukrainian national was part of spear-phishing campaign that enabled hackers to gain unauthorised access to victims' system
Unc0ver team releases new jailbreak package that can unlock iPhones running iOS 13.5
The tool uses zero-day bug in the Darwin XNU kernel
Warning over Mandrake malware infecting Android devices since 2016
The malware avoids infecting every Android device, and rather focuses on hand-picked targets
Trading Standards warns of NHS contact-tracing phishing scam
Message telling people that they may be infected links to a malicious website which asks for personal details
Chinese cyber actors are trying to steal Covid-19 vaccine research, FBI
Theft of such valuable data could threaten the delivery of secure treatment options, the agency believes
Most read
