Refreshed Turla’s ComRat uses Gmail web UI for data exfiltration

Turla APT has been running new attacks against high-profile entities since January 2020

Turla's renewed ComRAT targets several high-profile entities, including a national parliament and two ministries of foreign affairs

Security company ESET[1] has published its analysis of renewed attacks by the Turla Advanced Persistent Threat (APT) group against high-profile institutions. According to ESET, the group has invested considerable effort in reviving the infamous ComRAT backdoor, whose lineage goes back to Agent.BTZ, the malware that breached US military networks in 2008[2] in an incident Pentagon officials described as “the most significant breach of U.S. military computers ever.”

Turla APT[3] is regarded as an elite, state-backed Russian cyber-espionage group, linked to a long list of incidents over more than ten years of activity. It is also tracked as Snake, Group 88, Iron Hunter, Venomous Bear, or Chinch. The group does not go after individuals; it launches targeted attacks against governmental institutions. Kaspersky Lab has described the threat as follows:

It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America, and former Soviet bloc nations.

Turla's new campaign was first spotted in January 2020, when ESET identified a renewed strain of ComRAT targeting three high-profile institutions: a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe.

A renewed ComRAT variant uses the Gmail web UI to stay undetected and exfiltrate data

The history of ComRAT as a Remote Access Trojan (RAT) stretches back to 2008 when, as noted above, its ancestor Agent.BTZ exfiltrated data from the U.S. military and affected PCs used by Central Command in the Iraq and Afghanistan combat zones. That variant spread via removable drives and behaved like a conventional trojan: infiltrate Windows through a security loophole, launch the payload, establish persistence, and then connect to a remote C2 server for regular data transmission.

Compared with previous ComRAT variants, however, the 2020 update is far more sophisticated. ESET's in-depth analysis shows it has been under active development since 2017. Although built on the same code base, ComRAT v4[4] has gained several new features for more effective data theft and for evading security software over a long period.

First, ComRAT v4 is installed on targeted machines through the PowerStallion PowerShell backdoor. Once in place, it communicates with its Command and Control (C2) infrastructure in two ways: over HTTP, as its predecessors did, and through the Gmail web interface[5], which lets the RAT receive commands and exfiltrate data.

The most significant change in the backdoor is its ability to use the Gmail web interface. To do so, it authenticates with cookies stored in its configuration; if the connection succeeds, it reads the Gmail inbox and downloads email attachments that contain commands in encrypted form. The practical consequence, as ESET notes, is that the C2 traffic goes to a legitimate domain:

Its most interesting feature is the use of the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain.

These changes lead researchers to regard ComRAT v4 as a highly capable threat, and one that governmental institutions in particular have reason to fear.

ComRAT harvests antivirus logs

According to ESET, Turla's operators put considerable effort into evading security software. Once installed, the RAT searches for security-related log files to determine whether the malware is being detected by AV engines.

This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.

It also gathers as many technical details about the host as possible, repeatedly collecting Active Directory groups and users, network details, Windows configuration (group policies), and more.
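Because the C2 channel described above rides on a legitimate Gmail domain, domain and IP reputation controls give defenders little to work with; the reconnaissance behaviour in this paragraph is a more useful hunting signal. The script below is an added example, not ESET's or the article author's code: it scans process-creation records for a burst of Active Directory, network and group-policy enumeration on one host within a short window. The records are constructed, and the command patterns are an assumption: the article does not say which commands or Windows APIs ComRAT uses for this collection, so treat the patterns as a generic recon-burst hunt rather than a ComRAT signature.

```python
"""Hunt for a burst of host/domain reconnaissance in process-creation logs.

Added example for the article above; not code from ESET or 2-spyware.
The sample events are constructed, and RECON_PATTERNS is an assumption
(typical living-off-the-land enumeration), not a ComRAT indicator.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns for the categories the article names:
# AD groups and users, group policy, and network configuration.
RECON_PATTERNS = {
    "ad_groups": re.compile(r"\bnet1?\s+group\b.*?/domain", re.I),
    "ad_users": re.compile(r"\bnet1?\s+user\b.*?/domain", re.I),
    "group_policy": re.compile(r"\bgpresult\b", re.I),
    "network": re.compile(r"\b(?:ipconfig|nltest|netstat|arp)\b", re.I),
}


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed Sysmon-style records: (timestamp, host, parent image, command line).
SAMPLE_EVENTS = [
    # One workstation runs four enumeration categories within ninety seconds.
    (ts("2020-05-27 10:02:11"), "WS-FIN-07", "powershell.exe", 'net group "Domain Admins" /domain'),
    (ts("2020-05-27 10:02:15"), "WS-FIN-07", "powershell.exe", "net user /domain"),
    (ts("2020-05-27 10:02:40"), "WS-FIN-07", "powershell.exe", "gpresult /r /scope:computer"),
    (ts("2020-05-27 10:03:02"), "WS-FIN-07", "powershell.exe", "ipconfig /all"),
    (ts("2020-05-27 10:03:30"), "WS-FIN-07", "powershell.exe", "nltest /dclist:corp"),
    # An admin workstation runs the same tools, but hours apart: ordinary use.
    (ts("2020-05-27 08:15:00"), "WS-IT-02", "cmd.exe", "ipconfig /all"),
    (ts("2020-05-27 11:40:00"), "WS-IT-02", "cmd.exe", "net user jdoe /domain"),
    (ts("2020-05-27 16:05:00"), "WS-IT-02", "cmd.exe", "gpresult /r"),
    # Unrelated activity that should never be classified.
    (ts("2020-05-27 12:00:00"), "WS-HR-11", "explorer.exe", "notepad.exe C:\\Users\\x\\notes.txt"),
]


def classify(cmdline: str) -> str | None:
    """Map a command line to a recon category, or None if it matches nothing."""
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def find_recon_bursts(events, window=timedelta(minutes=5), min_categories=3):
    """Return {host: sorted categories} for every host on which at least
    `min_categories` distinct recon categories occur within `window`.

    A sliding window starting at each classified event keeps the check
    independent of how the events were interleaved in the log.
    """
    per_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for when, host, _parent, cmd in events:
        category = classify(cmd)
        if category:
            per_host[host].append((when, category))

    hits = {}
    for host, records in per_host.items():
        records.sort()
        for i, (start, _) in enumerate(records):
            seen = {cat for when, cat in records[i:] if when - start <= window}
            if len(seen) >= min_categories:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, categories in find_recon_bursts(SAMPLE_EVENTS).items():
        print(f"recon burst on {host}: {', '.join(categories)}")
```

The window and threshold are tuning knobs: on an admin jump host the same commands are routine, so pair this with an allowlist of hosts or users that legitimately enumerate the domain, and pivot from any hit to the parent process and its network connections rather than treating the burst alone as proof of ComRAT.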

As researchers point out, the Turla group and its new ComRAT spyware are at a peak of activity. Kaspersky Lab[6] recently published a whitepaper warning about a renewed COMpfun RAT, which also stems from the Turla group and is genealogically related to ComRAT.

Security teams are therefore expected to strengthen their defences against this backdoor to prevent further attacks on high-profile entities and organizations; the group appears to have plans to deploy the malware on a larger scale.

About the author
Gabriel E. Hall