Gazer: A Novel Backdoor Threat Targeting Ministries and Embassies Globally

New Malware Campaign Targets Diplomatic Entities Worldwide

Recent findings from cybersecurity firm ESET reveal a sophisticated malware campaign that has been orchestrating attacks on consulates, ministries, and embassies across the globe in a bid to gather intelligence on governmental operations and diplomats. This campaign, which has reportedly been active since 2016, employs a newly identified backdoor known as Gazer, which is attributed to the advanced persistent threat (APT) group Turla, believed to have connections to Russian intelligence.

The Gazer malware is distributed primarily through spear-phishing emails aimed at specific individuals in these diplomatic settings. Once a victim opens the lure, the infection proceeds in stages: a first-stage backdoor called Skipper, previously linked to Turla, is installed first, and Gazer is then deployed as the second stage. This mirrors the group’s earlier tactics, in which second-stage backdoors such as Carbon and Kazuar played the same role.

A notable aspect of Gazer’s operation lies in its evasion techniques. The malware communicates with a remote command-and-control server over encrypted connections to remain concealed, and it routes that traffic through compromised websites, often ones running the WordPress CMS, which serve as proxies that obscure the real infrastructure. Significantly, instead of relying on the operating system’s built-in cryptography (the Windows Crypto API), Gazer ships its own 3DES and RSA implementations, a choice commonly seen in APT tooling because it leaves fewer telltale API calls for defenders to spot.
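The absence of CryptoAPI calls combined with a hand-rolled cipher is itself a signal a defender can look for during triage. The following is an added example (not ESET’s code and not part of the original article): it scans a binary blob for the well-known DES permutation and S-box tables that a custom 3DES routine normally embeds verbatim, checks whether the file names any CryptoAPI routine, and flags the combination "DES tables present, no CryptoAPI reference". The sample buffers, the table-encoding assumptions (1-based as printed in FIPS 46-3, or 0-based as C code usually stores them) and the regex of API names are the example’s own; real implementations may pack tables differently, so this is a triage heuristic, not a signature.

```python
"""Triage heuristic (added example, not ESET's code): flag binaries that embed
DES/3DES lookup tables but never name a Windows Crypto API routine."""
import re
from pathlib import Path

# Well-known DES tables from FIPS 46-3, first 16 entries of each. A hand-rolled
# DES/3DES routine usually carries a verbatim copy of these.
DES_TABLES = {
    "IP":      [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4],
    "PC1":     [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2],
    "S1_row0": [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
}


def table_encodings(name, values):
    """Yield the byte patterns a table may take inside a compiled binary:
    1-based as printed in the standard, and 0-based as C code usually stores
    permutation tables. S-box rows are already 0-based, so they get one form."""
    yield name, bytes(values)
    if name != "S1_row0":
        yield name + "_0based", bytes(v - 1 for v in values)


# ASCII names a binary would import or resolve if it used CryptoAPI
# (assumed subset; extend with whatever your import-table tooling reports).
CRYPTOAPI_NAMES = re.compile(
    rb"Crypt(?:AcquireContext|Encrypt|Decrypt|ImportKey|GenKey|CreateHash|HashData)")


def find_des_tables(blob: bytes) -> list:
    """Return the labels of DES tables found byte-for-byte in blob."""
    hits = []
    for name, values in DES_TABLES.items():
        for label, pattern in table_encodings(name, values):
            if pattern in blob:
                hits.append(label)
    return hits


def mentions_cryptoapi(blob: bytes) -> bool:
    """True if any CryptoAPI routine name appears as an ASCII string."""
    return CRYPTOAPI_NAMES.search(blob) is not None


def triage(blob: bytes) -> dict:
    """DES tables with no CryptoAPI reference at all is the combination worth a
    second look; either signal on its own is common in benign software."""
    tables = find_des_tables(blob)
    api = mentions_cryptoapi(blob)
    return {"des_tables": tables, "cryptoapi_refs": api,
            "suspicious": bool(tables) and not api}


def scan_file(path) -> dict:
    """Run the heuristic over a file on disk."""
    return triage(Path(path).read_bytes())


# Constructed samples (not real malware bytes): zero padding stands in for the
# rest of an executable around the embedded tables.
_PAD = b"\x00" * 32
SAMPLE_CUSTOM_DES = (_PAD + bytes(v - 1 for v in DES_TABLES["IP"]) + _PAD
                     + bytes(DES_TABLES["S1_row0"]) + _PAD)
SAMPLE_CRYPTOAPI = _PAD + b"CryptEncrypt\x00" + bytes(DES_TABLES["PC1"]) + _PAD

if __name__ == "__main__":
    for label, blob in (("custom-des", SAMPLE_CUSTOM_DES),
                        ("cryptoapi", SAMPLE_CRYPTOAPI)):
        print(label, triage(blob))
```

Run `scan_file()` over a directory of unpacked samples to produce a shortlist; packed or obfuscated binaries will hide the tables until they are unpacked, which is the main limitation of any constant-based check.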

Furthermore, Gazer not only controls the infected machine but can also pivot through the network, relaying commands to other compromised devices. This lateral movement poses a substantial threat, since a single infection can grow into a wider breach and broader information loss. ESET has identified four distinct variants of Gazer, aimed primarily at political entities in Southeast Europe and the former Soviet bloc.

Interestingly, earlier iterations of the Gazer malware were signed with a valid certificate issued by Comodo to a company named “Solid Loop Ltd.” The most recent versions are instead signed with a certificate associated with “Ultimate Computer Support Ltd.” This rotation suggests an adaptive strategy: a fresh signer keeps the binaries looking legitimate once the old certificate has been reported and revoked.

Research efforts have so far identified a significant number of Gazer infections worldwide, with Europe particularly affected. Concurrently, Kaspersky Lab released a report paralleling ESET’s findings, describing what appears to be the same activity under the name ‘WhiteBear’, which indicates that multiple cybersecurity firms are tracking this campaign.

In the context of the MITRE ATT&CK framework, this campaign spans several adversary tactics and techniques. Initial access is achieved through spear phishing, while persistence is established through the Skipper and Gazer backdoors. Privilege escalation can be inferred, since the attackers seek elevated access to system resources, and the use of code injection illustrates how Gazer maintains a foothold in compromised environments while evading detection for prolonged periods.

As these threats evolve, organizations, particularly those in government and diplomacy, must remain vigilant and proactive in their cybersecurity measures, maintaining robust defenses against such clandestine operations.