ESET researchers have uncovered a new version of one of the oldest malware families run by the Turla group, the ComRAT backdoor. Turla, also known as Snake, is an infamous cyber-espionage group that has been active for more than ten years. The most interesting feature of the updated backdoor is its use of the Gmail web UI to receive commands and exfiltrate data. ComRAT steals sensitive documents, and since 2017 it has attacked at least three governmental institutions. ESET has found indications that this latest version of ComRAT was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.
The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. The malware operators used public cloud services such as OneDrive and 4shared to exfiltrate data. Turla’s latest backdoor can perform many other actions on compromised computers, such as executing additional programs and exfiltrating files.
The fact that the attackers try to evade security software is concerning. “This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explains Matthieu Faou, who has investigated the infamous group for several years. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain,” says Faou.
The backdoor upgrade was first discovered by ESET in 2017. It uses a completely new code base and is far more complex than its predecessors. The most recent iteration of the backdoor that ESET researchers have seen was compiled in November of last year.
“Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” says Faou.
ComRAT, also known as Agent.BTZ, is a malicious backdoor that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives.