ESET Discovers New Advanced Backdoor Targeting Embassies

By ISBuzz Team, Writer, Information Security Buzz | Aug 31, 2017 03:24 pm PST

Newly documented Gazer backdoor identified as the latest tool used in espionage campaigns across Europe

ESET, the leading global cybersecurity company, revealed the discovery of a new, advanced backdoor used by the notorious hacking group Turla. Dubbed Gazer, the backdoor has been actively deployed since 2016, targeting consulates and embassies worldwide; ESET researchers are the first to document it.

Typical Turla traits

Having targeted European governments and embassies around the world for many years, the Turla espionage group is known to run watering-hole and spear-phishing campaigns to catch its victims. ESET researchers have seen Gazer, the newly documented backdoor, deployed on several computers around the world, but mostly in Europe.

Detecting the undetectable

Much like other second-stage backdoor tools used by Turla, including Carbon and Kazuar, Gazer receives encrypted tasks from a command-and-control server; a task can be executed either on the already infected machine or by another machine on the network.

Gazer's authors also make extensive use of their own customised cryptography to encrypt and decrypt the data exchanged with the command-and-control server. Furthermore, the Turla group was seen using a virtual file system stored in the Windows registry to evade antivirus defences and keep operating on the system.
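A registry-resident virtual file system leaves a footprint that defenders can hunt for: unusually large, high-entropy REG_BINARY values. The following PowerShell hunt script is an added example, not ESET's analysis tooling or anything from the Gazer samples; the hives scanned, the size threshold and the entropy threshold are assumptions to be tuned per environment.

```powershell
# Added hunt script (not ESET's or the malware's code): report registry values
# that are binary, unusually large and high-entropy, the shape an encrypted
# payload store or registry-backed virtual file system tends to have.
# Hives and thresholds below are assumptions; tune them to the environment.

param(
    [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
    [int]$MinBytes = 4096,      # assumed: legitimate REG_BINARY values are usually small
    [double]$MinEntropy = 7.0   # assumed: encrypted/compressed data approaches 8 bits/byte
)

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

$findings = foreach ($hive in $Hives) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            # Only REG_BINARY values are of interest; skip strings, DWORDs, etc.
            if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
            [byte[]]$data = $key.GetValue($name)
            if ($data.Length -lt $MinBytes) { continue }
            $h = Get-ShannonEntropy -Bytes $data
            if ($h -ge $MinEntropy) {
                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $name
                    Bytes   = $data.Length
                    Entropy = [Math]::Round($h, 3)
                }
            }
        }
    }
}

# Largest blobs first; triage each hit against known software before acting on it.
$findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Hits are leads, not verdicts: some legitimate products store large encrypted blobs in the registry, so compare each hit against a known-good baseline before escalating.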

“Turla go to great lengths to avoid being detected on a system,” said Jean-Ian Boutin, Senior Malware Researcher at ESET. “The cybercriminals first wipe files from compromised systems, and then change the strings and randomise marquees using backdoor versions. For the experts at ESET to discover this new and undocumented backdoor marks a step in the right direction to tackle the growing problem of cyber espionage in today’s digital world.”
