ESET security researchers have discovered a new backdoor campaign targeting consulates, ministries, and embassies around the world to spy on governments and diplomats.
Active since 2016, the campaign uses a previously unknown backdoor, called Gazer, and is believed to be the work of the Turla advanced persistent threat (APT) group, previously linked to Russian intelligence.
Gazer, written in C++, is delivered through spear-phishing emails and compromises targeted computers in two stages: first, the malware drops the Skipper backdoor, previously linked to Turla, and then it installs the Gazer components.
In previous cyber-espionage campaigns, the Turla group used the Carbon and Kazuar backdoors as second-stage malware; both share many similarities with Gazer, according to research [PDF] published by ESET.
Gazer receives encrypted commands from a remote command-and-control (C&C) server and evades detection by using legitimate but compromised websites (most of them running the WordPress CMS) as a proxy.
Instead of using the Windows Crypto API, Gazer uses custom 3DES and RSA libraries to encrypt data before sending it to the C&C server, a common tactic of the Turla APT group.
Gazer uses code injection to take control of a machine and remain hidden for a long period of time while it steals information.
The Gazer backdoor can also forward commands it receives from the C&C server to other infected machines on the same network.
So far, ESET researchers have identified four different variants of the Gazer malware in the wild, mostly aimed at political targets in Southeast Europe and the former Soviet bloc.
It is interesting to note that earlier versions of Gazer were signed with a valid certificate issued by Comodo to “Solid Loop Ltd”, while the latest version is signed with an SSL certificate issued to “Ultimate Computer Support Ltd”.
According to researchers, Gazer has already infected a number of targets around the world, with most victims in Europe.
Meanwhile, Kaspersky Lab has also published nearly identical findings on the Gazer backdoor, but tracks the activity as the APT’s “Whitebear” campaign.