Details of a new version of the ComRAT backdoor, one of the oldest malware families run by the notorious cyber-espionage group Turla, have been outlined by ESET. The findings will be of particular concern for government agencies, such as militaries and diplomats, with this updated backdoor able to use Gmail web UI to receive commands and exfiltrate data to try and steal confidential documents.
The Turla group, also referred to as ‘Snake,’ has been operating for at least 10 years, primarily targeting governments across Europe, Central Asia and the Middle East. It has breached a number of major organizations including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.
One method it uses to steal important information is the malicious backdoor, comRAT, which is believed to have been first released in 2007. “Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” noted Matthieu Faou, malware researcher at ESET.
ESET has found evidence the fourth version of the malware, which has attacked at least three government institutions since 2017, was still active in January 2020. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.
The new version uses a completely new code base and is far more complex than earlier incarnations. It can perform a number of new actions on compromised computers, such as executing additional programs and exfiltrating files, whilst having unique abilities to evade security software.
“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explained Faou. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.”