An modified version of the ComRAT malware that was used in recent attacks by Russia-linked cyber-espionage threat actor Turla will connect to Gmail to receive commands, ESET reports.
Also known as Snake, Venomous Bear, KRYPTON, and Waterbug, it is suspected the hacking community has been involved since at least 2006, based on the use of ComRAT, also known as Agent. BTZ and Chinch.
One of the group ‘s oldest malware families, ComRAT was used in 2008 to attack the US military and saw two major versions released until 2012, both of which were derived from the same code base. The hackers had made few modifications to the malware by 2017.
ComRAT v4, the version published in 2017, is much more complex than its predecessors, and is reported to have been in use even in this year’s attacks, according to ESET’s security researchers. ComRAT v4’s first report appears to have been collected in April 2017, while the latest is dated November 2019.
To date, Turla has used the malware to threaten at least three victims (two foreign ministries and a national parliament) to exfiltrate sensitive public cloud services such as OneDrive and 4shared.
Crafted in C++, ComRAT v4 is deployed using existing access methods, such as the backdoor PowerStallion PowerShell, and has two command and control (C&C) channels, namely HTTP (the same protocol used in the previous variant) and email (could receive commands and exfiltrate data via Gmail).
Based on the cookies stored in the configuration file, the malware will connect to the Gmail web interface to check an inbox and download attachments containing encrypted commands sent from another address by the attackers.
The new malware variant is internally called Chinch (same as previous versions), shares part of its network infrastructure with Mosquito, and Turla malware, such as a modified PowerShell loader, PowerStallion backdoor and RPC backdoor, has been observed to be dropped or dropped.
ComRAT v4, which is specifically designed to exfiltrate sensitive data, also helps attackers to deploy additional malware to compromised environments. Operators can also run commands to gather information from the compromised systems, such as groups or users of Active Directory, network details, and configurations of Microsoft Windows.
Components of the malware include an orchestrate inserted into explorer.exe that controls most of the functions, a communication module (DLL) injected into the orchestra’s default browser, and a Virtual FAT16 File System that includes configuration and logs.
The security researchers have noted a emphasis on evasion, with the hackers routinely exfiltrating log files related to security to determine whether or not their methods have been identified.
“The most interesting feature is that the Gmail web UI is used to receive commands and exfiltrate data. And it can bypass any security controls because it is not dependent on any malicious domain. We also found that this new version abandoned the use for persistence of a COM object hijacking, the method that gave the malware its common name, “the researchers note.
With ComRAT v4 still in use earlier this year, it’s clear that Turla remains an significant threat to diplomats and military personnel, ESET concludes.