A recently uncovered highly targeted cyber-espionage platform that uses Tor for network communication has remained under the radar for at least six years, ESET reports.
Referred to as Attor, due to the use of a GSM plugin that leverages the AT command protocol and the use of the Tor network, the espionage operation only hit a few dozen victims during the period it was active.
Attor is specifically aimed at Russian-speakers, and its list of targeted applications includes web browsers, instant messaging applications, email services, social networks popular in Russia (Odnoklassniki, VKontakte), the WebMoney payment system, and a VoIP service provided by Russian telecom operator Multifon.
To spy on users, Attor monitors active processes and takes screenshots of selected applications. While most of its victims are located in Russia, the platform was also used to target entities in Eastern Europe, such as diplomatic missions and governmental institutions.
“Attor is configured to capture screenshots of encryption/digital signature utilities, the VPN service HMA, end‑to‑end encryption email services Hushmail and The Bat!, and the disk encryption utility TrueCrypt,” ESET’s security researchers explain.
Based on the manner in which the victim’s use of TrueCrypt is inspected in Attor, the malware author likely understands the open-source code of the TrueCrypt installer, the researchers say.
The platform includes a dispatcher and loadable plugins, all of which are implemented as DLLs and dropped onto the target system at the first step of compromise.
The dispatcher works as a management and synchronization unit for the plugins. At system startup, it injects itself into almost all running processes and also loads the available plugins into them (it avoids system processes).
The plugins also rely on the dispatcher for implementing basic functionalities. Given that they are loaded into the same process, they also share the same address space with the dispatcher.
Asymmetrically encrypted with RSA, the plugins can only be fully recovered in memory, using a public RSA key embedded in the dispatcher.
The security researchers recovered eight of Attor’s plugins, responsible for persistence, data collection, and communication with the command and control (C&C) server: device monitor, screengrabber, audio recorder, file uploader, command dispatcher/SOCKS proxy, key/clipboard logger, Tor client, and installer/watchdog.
Attor’s built-in mechanism also allows it to add new plugins, update itself, and automatically exfiltrate collected data and log files.
Only two of the plugins communicate with the C&C, namely the file uploader and the command dispatcher. The former exfiltrates the data gathered by other plugins, while the latter downloads commands and additional tools from the C&C server.
Attor uses dedicated folders to store data, both the sensitive information collected on its victims, and the freshly downloaded plugins and platform updates. The dispatcher monitors the shared folders to load new plugins and updates, meaning that it never communicates with the C&C.
Overall, Attor’s infrastructure for C&C communication is composed of four components, namely the dispatcher providing encryption functions, and three plugins that implement the FTP protocol, the Tor functionality, and the actual network communication.
In addition to using a C&C server on the Tor network, the platform keeps network communication hidden by only activating related plugins if running within the process of a browser, an instant messaging app, or other network software.
One of Attor’s plugins was designed to collect information on connected modem/phone devices and storage drives, and on the files they store. It gathers metadata, which suggests it was meant for device fingerprinting.
As soon as a modem or a phone is connected to a COM port, the device monitor plugin leverages AT commands to communicate with the device.
Also known as the Hayes command set and developed in the 1980s, the AT commands are still in use in smartphones and were recently said to allow for the bypass of security mechanisms. Researchers have demonstrated (PDF) that these commands can be used to send SMS messages, emulate on-screen touch events, or leak sensitive information.
Given that only devices connected via a COM port are targeted, the researchers speculated that Attor only targets modems and older phones or that it is meant to be used to communicate with some specific devices in the victims’ environments.
The information it retrieves on the targeted devices includes name of manufacturer, model number, IMEI number and software version, and MSISDN and IMSI number. The plugin uses only a small number of AT commands, ESET points out.