Latest version of Turla's ComRAT backdoor uses Gmail web UI to receive orders from hackers
It is built on an entirely different codebase and was compiled in November 2019
Researchers at cyber security firm ESET have discovered a new version of Turla's tried-and-tested ComRAT backdoor, which uses the Gmail web interface to quietly steal sensitive information from victims' networks.
Turla is an elite cyber-espionage threat group with suspected links to Russia's FSB intelligence agency. The group, also known as Snake, Venomous Bear, Group 88 and Iron Hunter, has been active since 2008 and is known for launching targeted attacks against foreign government entities, embassies and militaries.
ESET researchers say they recently discovered a new version of the ComRAT backdoor, which uses the Gmail web interface to receive commands and exfiltrate data. This backdoor uses cookies stored in its configuration to connect to Gmail's web interface. After a connection is established, it checks the mail inbox and downloads email attachments containing commands in encrypted form.
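Because the backdoor drives the ordinary Gmail web UI with stored session cookies, network-level blocking of "malware C2 domains" does not help; what stands out is the client. A webmail UI should be reached by an interactive browser on a user workstation, not by a system process on a server, and command pickup shows up as attachment fetches from such a process. The script below is an added detection example, not ESET's code and not something from the article: it assumes a constructed proxy log format (timestamp, source host, process name, destination host, URL path), a constructed sample log, and the assumption that a query string containing `view=att` marks an attachment download. It reports hosts where a non-browser process talks to the Gmail web UI and how many attachment fetches it made.

```python
"""Flag Gmail web-UI sessions that do not originate from an interactive browser.

Added example (not ESET's code, not from the original article). Assumed log
format, one request per line, whitespace separated:
    timestamp  source_host  process_name  destination_host  url_path
The 'view=att' attachment marker is likewise an assumption chosen for this demo.
"""
from collections import defaultdict

# Processes expected to use a webmail UI on a user workstation (assumed allowlist).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
GMAIL_HOSTS = {"mail.google.com"}
ATTACHMENT_MARKER = "view=att"  # assumed marker for an attachment download

# Constructed sample proxy log (not real telemetry).
SAMPLE_LOG = """\
2020-05-26T09:01:02Z ws-fin-07 chrome.exe mail.google.com /mail/u/0/
2020-05-26T09:01:05Z ws-fin-07 chrome.exe mail.google.com /mail/u/0/?ui=2&view=att&disp=safe
2020-05-26T09:14:33Z srv-dc-01 svchost.exe mail.google.com /mail/u/0/
2020-05-26T09:14:35Z srv-dc-01 svchost.exe mail.google.com /mail/u/0/?ui=2&view=att&disp=safe
2020-05-26T09:44:40Z srv-dc-01 svchost.exe mail.google.com /mail/u/0/
2020-05-26T10:14:41Z srv-dc-01 svchost.exe mail.google.com /mail/u/0/?ui=2&view=att&disp=safe
2020-05-26T10:20:00Z ws-hr-02 firefox.exe mail.google.com /mail/u/0/
2020-05-26T10:21:00Z ws-hr-02 firefox.exe www.example.org /index.html
"""


def parse_line(line):
    """Split one log line into a record, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, proc, dst, path = parts
    return {"ts": ts, "host": host, "proc": proc, "dst": dst, "path": path}


def find_suspicious_gmail_clients(log_text, allowed=BROWSER_PROCESSES):
    """Return {host: {...}} for hosts where a non-allowlisted process reached Gmail.

    Each entry lists the offending process names, the number of Gmail web-UI
    requests they made, and how many of those look like attachment downloads.
    """
    findings = defaultdict(lambda: {"processes": set(), "requests": 0, "attachment_fetches": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dst"] not in GMAIL_HOSTS:
            continue  # not a Gmail web-UI request
        if rec["proc"].lower() in allowed:
            continue  # an interactive browser is expected to do this
        entry = findings[rec["host"]]
        entry["processes"].add(rec["proc"])
        entry["requests"] += 1
        if ATTACHMENT_MARKER in rec["path"]:
            entry["attachment_fetches"] += 1
    # Sorted lists make the output deterministic and easy to assert on.
    return {h: {"processes": sorted(e["processes"]),
                "requests": e["requests"],
                "attachment_fetches": e["attachment_fetches"]}
            for h, e in findings.items()}


if __name__ == "__main__":
    for host, info in find_suspicious_gmail_clients(SAMPLE_LOG).items():
        print(f"{host}: {info['processes']} made {info['requests']} Gmail requests, "
              f"{info['attachment_fetches']} attachment fetches")
```

On the constructed sample the only hit is `srv-dc-01`, where `svchost.exe` polls the inbox and fetches attachments twice in an hour; the two workstations using real browsers are ignored. In a real deployment the allowlist should be built from the organisation's own browser inventory, and the attachment marker replaced by whatever the proxy actually records for Gmail attachment downloads.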
According to researchers, the latest iteration of ComRAT is much more complex than earlier versions. It is built on an entirely different codebase and was compiled in November 2019. It is yet another example of Turla's ability to create malware that can maintain presence on victims' systems for years to extract confidential information.
ComRAT backdoor, also known as Agent.BTZ, is one of Turla's oldest weapons. It came to light in 2008 after hackers used it to breach the Pentagon's network and steal data from it. The first version of ComRAT, which was likely released in 2007, showed worm capabilities by spreading through removable drives. Since then, the malware has seen a number of updates, with new versions discovered by researchers in 2014 and 2017.
Since 2017, ComRAT has attacked at least three governmental institutions, one of which is the network of a national parliament, while the other two are Ministries of Foreign Affairs. ESET refrained from revealing the identity of the victims for national security reasons.
Last year, researchers at Kaspersky also warned that Turla had revamped its arsenal by wrapping its JavaScript KopiLuwak malware in a new dropper called Topinambour to create two similar versions in different languages. The malware is comprised of a Microsoft .NET file that distributes KopiLuwak through infected installation packages for VPNs and other forms of software.
In March, ESET researchers said that they had uncovered a new campaign by the Turla group which used watering-hole attacks to target government and civilian websites in Armenia. In this campaign, researchers noticed two previously unseen malware elements, NetFlash and PyFlash, which Turla operators delivered to targeted machines.