Recent cybersecurity investigations have revealed an upgraded variant of the ComRAT backdoor, a sophisticated tool initially deployed by the Turla Advanced Persistent Threat (APT) group. This latest iteration utilizes Gmail’s web interface to clandestinely receive commands and exfiltrate sensitive information.

Cybersecurity firm ESET reported that ComRAT version 4, first identified in 2017 and still active as of January 2020, targets several entities, including two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus. This ongoing campaign indicates Turla’s continued focus on espionage, leveraging its extensive history in covert operations against military and governmental organizations since at least 2004.

The Turla group has a deeply ingrained presence in the cybersecurity landscape, initially emerging with the Agent.BTZ malware in 2007. Over time, this evolved into ComRAT, which enhanced its functionalities to maintain persistence and gather data from local networks. Previous versions of the malware have been linked to significant breaches, notably compromising U.S. military networks in 2008 and the French Armed Forces in 2018, illustrating the audacity and effectiveness of Turla’s cyber activities.

In its latest form, ComRAT no longer employs the USB-stick infection method characteristic of older variants, opting instead to inject itself into every running process on the infected system, executing its payload within legitimate processes such as “explorer.exe.”

The operational architecture of ComRAT version 4, also referred to as “Chinch” by its creators, is highly sophisticated. ESET noted that it features a new code base, making it considerably more complex than its predecessors. The malware is typically installed through a lightweight PowerShell backdoor known as PowerStallion, which facilitates the injection of ComRAT orchestrator modules into web browsers. This mechanism allows the backdoor to receive commands via two channels, a legacy mode and an email mode; because the email mode does not rely on malicious domains, it effectively bypasses many security measures.

The email mode interacts with Gmail directly, utilizing a virtual file system (VFS) for critical data, such as authentication cookies. This allows ComRAT to parse inbox messages and identify those that match specified subject lines, downloading attachments that ostensibly resemble office documents but contain encrypted commands for executing diverse tasks like reading/writing files and gathering logs.

Conversely, the legacy mode capitalizes on existing C2 structures associated with earlier ComRAT versions to dispatch commands and manage data exfiltration, often sending compressed results to cloud services like Microsoft OneDrive. The exfiltrated data frequently consists of user credentials and security logs, which aid the operators in assessing whether their malware was detected during system scans.
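The two channels described above give defenders something concrete to hunt for: a process that is not a browser reaching Gmail’s web interface, or pushing a large upload to OneDrive. The script below is an added illustration written for this summary, not code from ESET or from the ComRAT authors. It triages constructed proxy log lines using an assumed "timestamp host process destination bytes_out" format; the browser allow-list, the destination host names it matches and the upload threshold are all assumptions made for the example, not indicators from the report.

```python
"""
Triage of constructed proxy log lines for the C2 pattern described above:
a non-browser process (e.g. explorer.exe) talking to Gmail's web interface
or shipping data to OneDrive.  Added example, not ESET's or Turla's code.
The log format, the browser allow-list, the destination lists and the
upload threshold are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample log, assumed format: ts host process destination bytes_out
SAMPLE_LOG = """\
2020-01-14T09:02:11Z ws-042 chrome.exe mail.google.com 1824
2020-01-14T09:03:47Z ws-042 explorer.exe mail.google.com 512
2020-01-14T09:04:02Z ws-042 explorer.exe onedrive.live.com 3145728
2020-01-14T09:05:30Z ws-017 outlook.exe outlook.office365.com 9100
2020-01-14T09:06:12Z ws-017 firefox.exe onedrive.live.com 2048
2020-01-14T09:07:55Z ws-099 svchost.exe mail.google.com 256
this line is malformed and must be skipped, not crash the parser
"""

# Processes expected to reach webmail / cloud storage (assumed allow-list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Destinations standing in for the two channels the article names.
WEBMAIL = {"mail.google.com"}
CLOUD_STORAGE = {"onedrive.live.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    dst: str
    reason: str


def parse_line(line):
    """Return (ts, host, process, dst, bytes_out) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dst, out = m.groups()
    return ts, host, proc.lower(), dst.lower(), int(out)


def triage(log_text, upload_threshold=1_000_000):
    """Flag webmail / cloud-storage traffic that does not come from a browser."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparsable lines, keep going
        _ts, host, proc, dst, out = rec
        if proc in BROWSERS:
            continue                      # browsers using Gmail/OneDrive are normal
        if dst in WEBMAIL:
            alerts.append(Alert(host, proc, dst,
                                "non-browser process using webmail web interface"))
        elif dst in CLOUD_STORAGE:
            reason = "non-browser process reaching cloud storage"
            if out >= upload_threshold:
                reason += f" with large upload ({out} bytes)"
            alerts.append(Alert(host, proc, dst, reason))
    return alerts


def hosts_to_review(alerts):
    """Hosts that triggered more than one alert, which deserve a closer look first."""
    counts = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return sorted(h for h, n in counts.items() if n > 1)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.host:7} {a.process:14} -> {a.dst:22} {a.reason}")
    print("review first:", hosts_to_review(triage(SAMPLE_LOG)))
```

Run on the constructed sample, the script flags the two explorer.exe connections and the svchost.exe one, and singles out ws-042 as the host with repeated hits. Note the caveat the article itself implies: the orchestrator modules can also be injected into web browsers, so traffic from a browser process is not automatically benign; this heuristic narrows the haystack for the explorer.exe case rather than detecting the backdoor outright.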

Based on the email distribution patterns over a one-month analysis, ESET has suggested that the operators of this backdoor may be operating from the UTC+3 or UTC+4 time zones. The findings underscore the advanced capabilities of ComRAT v4, which combines a FAT16 virtual file system with Gmail’s web interface to obscure its activities, thus posing a significant threat to organizations’ cybersecurity defenses.

In light of these developments, business owners must remain vigilant against such sophisticated threats. Understanding methodologies mapped to the MITRE ATT&CK framework can provide insight into possible adversary tactics, including initial access via web applications, persistence through scheduled tasks, and data exfiltration techniques suited to the evolving landscape of cyber threats.
