Gazer: A backdoor targeting Ministries and Embassies

ESET security researchers have discovered a new malware campaign targeting consulates, ministries and embassies; it is believed to be carried out by the Turla advanced persistent threat (APT) hacking group.

Active since 2016, the campaign relies on a new backdoor, dubbed Gazer and written in C++. The backdoor is delivered via spear-phishing emails and hijacks the targeted computers.

The attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:

  • Targeted organizations are embassies and ministries;
  • Spearphishing delivers a first-stage backdoor such as Skipper;
  • A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place;
  • The second-stage backdoor receives encrypted instructions from the gang via C&C servers and evades detection by using compromised, legitimate websites as a proxy.

Instead of using Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server—a common tactic employed by the Turla APT group.
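The detail in the list above that matters most to a network defender is the proxying of C&C traffic through compromised, legitimate websites: domain reputation and blocklists offer little when the host is a real, otherwise benign site, and the custom 3DES/RSA layer means the payload itself cannot be inspected. What remains observable is behaviour, in particular the timing regularity of a backdoor polling its C&C. The script below is an added example written for this page, not code from ESET or from the article; the proxy-log lines and their field layout are constructed, and the thresholds (`min_hits`, `max_cv`) are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed proxy log sample (not from the article).
# Fields: timestamp client destination_host method uri bytes_sent
# One internal client POSTs to a (hypothetical) compromised site every
# ten minutes; its other traffic to a news CDN is irregular.
SAMPLE_LOG = """\
2017-08-30T09:00:00 10.0.0.5 www.example-charity.org POST /wp-content/uploads/a.php 412
2017-08-30T09:03:11 10.0.0.5 cdn.example-news.com GET /img/logo.png 0
2017-08-30T09:10:00 10.0.0.5 www.example-charity.org POST /wp-content/uploads/a.php 398
2017-08-30T09:12:45 10.0.0.5 cdn.example-news.com GET /story/123 0
2017-08-30T09:20:01 10.0.0.5 www.example-charity.org POST /wp-content/uploads/a.php 405
2017-08-30T09:30:00 10.0.0.5 www.example-charity.org POST /wp-content/uploads/a.php 410
2017-08-30T09:40:00 10.0.0.5 www.example-charity.org POST /wp-content/uploads/a.php 401
2017-08-30T09:41:30 10.0.0.5 cdn.example-news.com GET /story/124 0
2017-08-30T10:05:00 10.0.0.5 cdn.example-news.com GET /story/125 0
"""


def parse_log(text):
    """Parse whitespace-separated proxy log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, uri, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, LOG_FORMAT),
            "client": client,
            "host": host,
            "method": method,
            "uri": uri,
            "bytes": int(nbytes),
        })
    return events


def beacon_candidates(events, min_hits=4, max_cv=0.1):
    """Flag (client, host) pairs whose request intervals are suspiciously regular.

    The coefficient of variation (stdev / mean) of the inter-request gaps is
    near zero for a fixed-interval poller and large for human browsing.
    min_hits and max_cv are assumed starting thresholds, not published values.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(stamps),
                "mean_gap_s": round(mean_gap, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits, "
              f"every ~{f['mean_gap_s']}s (cv={f['cv']})")
```

Run against real proxy or NetFlow exports, this kind of check is a triage aid rather than a verdict: scheduled software updaters also beacon regularly, so flagged pairs need to be compared against an allowlist of known pollers and examined for the small, fixed-size POST bodies that encrypted tasking tends to produce.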

Gazer uses a code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.

Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network.

So far ESET researchers have identified four different variants of the Gazer malware in the wild.

Earlier versions of Gazer were signed with a valid certificate issued by Comodo for “Solid Loop Ltd,” while the latest version is signed with an SSL certificate issued to “Ultimate Computer Support Ltd.”

Figure: Certificates used to sign the malware variants

According to researchers, Gazer has already managed to infect a number of targets worldwide, with the most victims being located in Europe.

Full technical analysis of the malware can be found here.

Author: Cognore

Cyber Security Solution
