ESET security researchers have discovered a new malware campaign targeting consulates, ministries and embassies, which is believed to be carried out by the Turla advanced persistent threat (APT) hacking group.
Active since 2016, the malware campaign leverages a new backdoor, dubbed Gazer. Written in C++, the backdoor is delivered via spear-phishing emails and hijacks targeted computers.
The attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:
- Targeted organizations are embassies and ministries;
- Spearphishing delivers a first-stage backdoor such as Skipper;
- A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place;
- The second-stage backdoor receives encrypted instructions from the gang via C&C servers and evades detection by using compromised, legitimate websites as a proxy.
Gazer uses a code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.
According to researchers, Gazer has already managed to infect a number of targets worldwide, with the most victims being located in Europe.