Turla (a.k.a. Snake, Venomous Bear, Waterbug or Uroboros), is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier, according to previous research from Kaspersky. “It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America, and former Soviet bloc nations,” according to the firm.
The group is also known for its custom espionage toolset. According to ESET researchers, ComRAT is one of Turla’s oldest weapons, released in 2007 – but the firm found that Turla used an updated version in attacks against at least three targets earlier this year: Two Ministries of Foreign Affairs and a national parliament.
“ComRAT, also known as Agent.BTZ and to its developers as Chinch, is a RAT that became infamous after its use in a breach of the U.S. military in 2008,” explained ESET researchers in an analysis on Tuesday. “The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives. From 2007 to 2012, two new major versions of the RAT were released.”
However, a fourth version has been released – with a time stamp that goes back to 2017 – that ESET researchers said is “far more complex” than previous versions, featuring a completely new codebase.
“According to its compilation timestamp, which is likely genuine, the first known sample of ComRAT v.4 was compiled in April 2017,” said researchers. “The most recent iteration of the backdoor we’ve seen was, to the best of our knowledge, compiled in November 2019.”
ComRAT v.4 was developed in C++, and, like its predecessors, is used to exfiltrate sensitive documents. It can also download and execute additional programs from its command-and-control (C2) server.
In the latest campaigns, Turla deployed ComRAT using its typical initial infection tools, including the PowerStallion PowerShell backdoor, according to ESET.
“Based on ESET telemetry, we believe that ComRAT is installed using an existing foothold such as compromised credentials or via another Turla backdoor,” researchers said “For instance, we’ve seen ComRAT installed by PowerStallion, their PowerShell-based backdoor we described in 2019. The ComRAT installer is a PowerShell script that creates a Windows scheduled task and fills a Registry value with the encrypted payload.”
Once it gains a foothold, the malware then uses public cloud services such as OneDrive and 4shared to exfiltrate data – a new trick, according to researchers. The new version also features a Virtual FAT16 File System formatted in FAT16, and a part of the network infrastructure is shared with another key Turla malware family called Mosquito.
“ComRAT v4 has several components: An orchestrator, injected into explorer.exe [that] controls most of ComRAT functions, including the execution of backdoor commands; a communication module (a DLL), injected into the default browser by the orchestrator; [and] a Virtual FAT16 File System, containing the configuration and the logs files,” ESET noted.
To talk to the C2, ComRAT v.4 uses either the Gmail web interface or an existing custom Turla protocol over HTTP.
“Its most interesting feature is the use of the Gmail web UI to receive commands and exfiltrate data,” according to the research. “Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain. We also noticed that this new version abandoned the use of COM object hijacking for persistence, the method that gave the malware its common name.”
Using cookies stored in the malware’s configuration file, it connects to the Gmail web interface in order to check the inbox and download specific mail attachments that contain encrypted commands.
“These commands are sent by the malware operators from another address, generally hosted on a different free email provider such as GMX,” said researchers.
As is typical for Turla, the recent campaigns were focused on stealing sensitive documents, according to the analysis.
“The main use of ComRAT is stealing confidential documents,” ESET researchers explained. “In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. These documents were then compressed and exfiltrated to a cloud storage provider such as OneDrive or 4shared. Cloud storage is mounted using the net use command.”
Aside from lifting documents, Turla also was seen gathering information about Active Directory groups inside the targeted organizations, fingerprinting the network, and recording Microsoft Windows configurations such as the group policies. It also periodically exfiltrated security-related log files to monitor whether ComRAT had been detected.
“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” according to ESET researchers.
Matthieu Faou, security researcher with ESET, told Threatpost that two of the victims are located in Eastern Europe, and one of them in Caucasus.
“They have been regular Turla targets for many years,” he said. “The ComRAT activity is not a one-time attack but part of a more long-term espionage campaign…they are still targeting some of the same entities they have been targeting for more than five years. Thus, it may indicate that the group is engaged in long-term espionage rather than in short-term attacks based on geopolitical events.”
Overall, ComRAT v.4 is a “totally revamped malware family,” according to the report.
“The developers took inspiration from other Turla backdoors, such as Snake, to build a very complex piece of malware,” ESET researchers said. “We found indications that ComRAT v4 was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.”
Faou added, “It tells us they are still developing custom and complex pieces of malware in order to stay persistent for a long time in their target’s network. It is quite notable as more and more groups are mainly relying on generic or pen-test/red team tools.”
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.