
Researchers Link New “Gazer” Backdoor to Turla Cyberspies

Gazer/WhiteBear is Sophisticated Malware That Has Been Used Against High-profile Targets

Security researchers at ESET and Kaspersky Lab have unveiled details on a new backdoor used by the Russia-linked cyber-espionage group Turla in attacks against embassies and consulates worldwide.

The new piece of malware has been actively deployed in targeted attacks since at least 2016 and shows similarities with other tools used by Turla, an advanced persistent threat (APT) group that has been active for over a decade.

Also known as Waterbug, Venomous Bear and KRYPTON, the group’s primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig). Most recently, the group has been refining its tools and switching to new malware.

A Forcepoint report published in February 2017 revealed that a threat group apparently connected to Turla was targeting the websites of ministries, embassies and other organizations from around the world as part of a reconnaissance campaign. Most of the attacks were carried out in April 2016.

In a 29-page report (PDF) published this week, ESET provides a comprehensive analysis of a backdoor it refers to as Gazer, which the security firm has attributed with high confidence to the Turla group. The malware has been used against targets in Southeastern Europe and in former Soviet republics, and the observed tactics, techniques and procedures (TTPs) are in line with those usually associated with Turla.

Delivered via spearphishing emails alongside a first-stage backdoor called Skipper (which Bitdefender analyzed a while ago; PDF), Gazer also shows similarities with other second-stage backdoors used by the Turla group, including Carbon and Kazuar. Written in C++, it can receive encrypted tasks from a command and control (C&C) server, which is usually a legitimate, compromised website acting as a first-layer proxy (consistent with Turla’s modus operandi).

The malware was also found to use a custom library for 3DES and RSA encryption and to include six different persistence modes, implemented through the Windows registry, scheduled tasks, or the creation or modification of LNK files. Communication with the C&C server is performed through HTTP GET requests when retrieving tasks and through HTTP POST requests when sending task results.
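The three persistence surfaces named above (Run keys, scheduled tasks, LNK files) are exactly what a defender would want to enumerate on a suspect host. The following PowerShell audit is an added example, not code from the article or from ESET or Kaspersky; the folder list and the 30-day "recent" threshold are assumptions chosen for illustration, and it reports what each autostart entry executes so an analyst can review unexpected targets.

```powershell
# Added example: audit the persistence surfaces the Gazer report lists.
# Assumptions: $Days threshold and the LNK folders below are illustrative.
param([int]$Days = 30)
$since = (Get-Date).AddDays(-$Days)
$findings = @()

# 1. Registry autostart values (HKLM and HKCU Run / RunOnce)
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata members
    $findings += [pscustomobject]@{ Type='RunKey'; Location="$key\$($p.Name)"; Target=$p.Value; Changed=$null }
  }
}

# 2. Scheduled tasks: record the executable and arguments of every action
foreach ($t in Get-ScheduledTask) {
  foreach ($a in $t.Actions) {
    if (-not $a.Execute) { continue }       # e.g. COM-handler actions have no Execute
    $findings += [pscustomobject]@{ Type='Task'; Location="$($t.TaskPath)$($t.TaskName)"; Target="$($a.Execute) $($a.Arguments)"; Changed=$t.Date }
  }
}

# 3. LNK files in Startup, Start Menu and Desktop folders, resolved to their targets
#    (a modified existing shortcut is as relevant as a newly created one)
$lnkDirs = 'Startup','CommonStartup','Programs','CommonPrograms','Desktop' |
  ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $lnkDirs) {
  Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $findings += [pscustomobject]@{ Type='LNK'; Location=$_.FullName; Target="$($lnk.TargetPath) $($lnk.Arguments)"; Changed=$_.LastWriteTime }
  }
}

# Report everything; entries changed within the window are flagged for review
$findings | Sort-Object Type, Location |
  Select-Object Type, Location, Target, Changed,
    @{ n='Recent'; e={ [bool]($_.Changed) -and ([datetime]$_.Changed) -ge $since } } |
  Format-Table -AutoSize
```

Registry values carry no per-value timestamp through this API, so their Recent column stays false; compare the Target column against a known-good baseline for those instead.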

“Gazer makes extra efforts to evade detection by changing strings within its code, randomizing markers, and wiping files securely,” ESET says. In the most recent version, the malware contained phrases related to video games throughout its code.

Four versions of Gazer have been identified to date. The first has a compilation date of 2002, but ESET believes this was faked, because the certificate it is signed with was issued by Comodo for “Solid Loop Ltd” in 2015. The latest two versions are signed with a different certificate: “Ultimate Computer Support Ltd.”

“Gazer is a very sophisticated piece of malware that has been used against different targets in several countries around the world. Through the different versions we found and analyzed, we can see that this malicious backdoor is still being actively developed and used by its creators,” ESET concludes.

Kaspersky Lab also published their own analysis of the threat, which they refer to as WhiteBear. The security firm calls this “a parallel project or second stage of the Skipper Turla cluster of activity” (which was referred to last year as WhiteAtlas) and confirms the focus on embassies and consular operations around the world, but also mentions a change of focus to include defense-related organizations starting June 2017.

“WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules,” the researchers say.

Although the WhiteBear infrastructure overlaps with other Turla campaigns, like those deploying KopiLuwak, the new backdoor “is the product of separate development efforts,” Kaspersky says. The security firm believes that WhiteBear might be a distinct project with a separate focus.

“WhiteBear activity reliant on this toolset seems to have diminished in June 2017. But Turla efforts continue to be run as multiple subgroups and campaigns. […] Infrastructure overlap with other Turla campaigns, code artifacts, and targeting are consistent with past Turla efforts. With this subset of 2016-2017 WhiteBear activity, Turla continues to be one of the most prolific, longstanding, and advanced APT we have researched,” Kaspersky concludes.

Related: Turla Cyberspies Use New Dropper in G20 Attacks

Related: Turla Malware Obtains C&C Address From Instagram Comments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
