One of Russia’s most advanced state-sponsored hacker groups has added several devious new tools to its arsenal, security researchers have warned.
Although the Turla group is still using version 4 of its ComRAT malware, ESET researchers warned that this variant has been updated with two new features: exfiltration of the victim’s antivirus logs, and the ability to control the malware through a Gmail inbox.
According to ESET, the antivirus logs are stolen by the malware and then uploaded to one of its command-and-control servers.
The malware was found to have been deployed in January, targeting the parliaments and Foreign Affairs ministries of three unidentified European governments.
The Gmail control mechanism is another new functionality, wherein the malware commandeers the victim’s browser, loads a predefined cookie file and initiates a session to the Gmail web dashboard.
Once this is done, Turla operators can simply send an email to the Gmail account with instructions in an attached file. The ComRAT malware will read the email, download the attachment, and read and execute the instructions therein. All data thus collected will be sent back to the Gmail inbox and thereby to the operators.
Matthieu Faou, an ESET researcher, told ZDNet that collecting antivirus logs might be to “allow them to better understand if and which one of their malware sample[s] was detected.” This would help tweak the malware to avoid detection in the future.
It is typically challenging to figure out which files were “exfiltrated” by the attackers, Faou pointed out, adding that for relatively advanced groups, however, “it is not uncommon to try to understand if they are detected or if they leave traces behind them or not.”