ESET security researchers have discovered a new version of the ComRAT backdoor controlled using the Gmail web interface and used by the state-backed Russian hacker group Turla for harvesting and stealing in attacks against governmental institutions.

Using Gmail for command-and-control purposes fits right in with other exploits of the Russian-speaking Turla group (also tracked as Waterbug, Snake, or VENOMOUS BEAR) seeing that they are known for using unorthodox methods of achieving their cyber-espionage goals.

In the past, they’ve developed backdoor trojans with their own APIs designed to reverse communication flows, used comments on Britney Spears Instagram photos to control malware, sent PDF email attachments with commands to control servers infected with their Outlook backdoor, and hijacked the infrastructure and malware of Iranian-sponsored OilRig to use in their own campaigns.

Abusing Gmail for cyber-espionage

The ComRAT (also known as Agent.BTZ and Chinch) remote access trojan (RAT) is one of the oldest tools in Turla’s arsenal and it has been deployed in attacks going back to at least 2007.

It reached notoriety after being used to compromise US military systems in 2008, including but not limited to computers used by Central Command to oversee combat zones in Afghanistan and Iraq.

Turla uses Gmail’s web UI as one of the two command and control channels for the updated malware, the other being a legacy HTTP comm channel.

This latest ComRAT iteration compiled in November 2019 connects to Gmail to download mail attachments containing encrypted commands sent by the Turla operators from other email providers.

Since 2017, when the current ComRAT version was first seen by ESET, Turla used it in attacks against two Ministries of Foreign Affairs and a national parliament.

“ESET has found indications that this latest version of ComRAT was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.”

A Turla exclusive

While the backdoor upgrade features an entirely new codebase and shows a lot more complexity when compared to previous versions, it still uses the Chinch internal name, it has the old HTTP C&C protocol enabled, and it shares some of the network infrastructure with Turla’s Mosquito malware.

ComRAT v4 was dropped on previously compromised systems by using stolen credentials or other Turla backdoors, or has dropped other known malware associated with the group including the PowerStallion backdoor, the RPC backdoor, or a custom PowerShell loader.

Once deployed on a compromised device, ComRAT was used by the Russian cyberspies to steal confidential documents, and they took advantage of public cloud services like 4shared and OneDrive to exfiltrate the stolen data.

“In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents,” ESET found.

They also collected and exfiltrated information on the organization’s network infrastructure, Active Directory groups, and Windows policies, and were observed while making efforts to evade security software.

Turla “regularly exfiltrate security-related log files in order to understand whether their malware samples have been detected.”

Designed to bypass security software

“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” ESET malware researcher Matthieu Faou explained.

“Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.

“Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” Faou concluded.

More details on the interworking of the ComRAT malware can be found in ESET’s report and in the white paper, while a list of indicators of compromise (IOCs) are available on GitHub.

Earlier this month, Kaspersky also spotted what it believes it “with a medium-to-low level of confidence” to be another Turla malware, a RAT variant dubbed COMpfun controlled using uncommon HTTP status codes and used in attacks against European diplomatic entities.

COMpfun, just as early versions of ComRAT, also has the ability to infect other (potentially air-gapped) devices by monitoring for and spreading to any removable devices connected to compromised computers.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.