Cybersecurity researchers have uncovered a new advanced version of the ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail’s web interface to covertly receive commands and exfiltrate sensitive data.
“ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020,” cybersecurity firm ESET said in a report shared with The Hacker News. “We identified at least three targets: two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region.”
Turla, also known as Snake, has been active for over a decade, with a long history of watering hole and spear-phishing campaigns against embassies and military organizations dating back to at least 2004.
ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors. In addition, the PowerShell loader injects a module called ComRAT orchestrator into the web browser, which employs two different channels — a legacy and an email mode — to receive commands from a C2 server and exfiltrate information to the operators.
“The main use of ComRAT is discovering, stealing, and exfiltrating confidential documents,” the researchers said. “In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents.”
“Thanks to its use of the Gmail web interface, [ComRAT v4] is able to bypass some security controls because it doesn’t rely on any malicious domain,” said ESET researcher Matthieu Faou, who detailed his findings in a white paper. “This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.”
Faou noted that Turla operators are focused on evading detection and “regularly exfiltrate security-related log files” to determine whether their malware samples have been detected. The first ComRAT v4 sample was likely compiled in April 2017, with the most recent iteration apparently compiled in November 2019. Faou wrote that the latest ComRAT version is installed using compromised credentials or another existing foothold, such as a Turla backdoor, noting that ESET researchers observed the backdoor being installed by PowerStallion.
The ComRAT installer, a PowerShell script, “creates a Windows scheduled task and fills a registry value with the encrypted payload,” Faou wrote.
When a user logs in, the PowerShell loader executes, with the orchestrator embedding “an encrypted communication module that will be injected into the default web browser” and interacting “with the ComRAT communication module through a named pipe,” he explained. Because the malware’s network communications are initiated in the browser process, it “is stealthier than if it was done directly by the orchestrator.”
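As an added defender-side illustration, not taken from ESET’s report, the PowerShell hunt below lists scheduled tasks whose action launches PowerShell with arguments that reference the registry or encoded content, the installer and loader pattern described above. The article gives no task names, registry paths or payload format, so the patterns below are assumptions standing in for real indicators and every hit needs manual review.

```powershell
# Added example (not from ESET's report): hunt for scheduled tasks whose action
# launches PowerShell and whose arguments suggest a payload loaded from the registry,
# the installer pattern the article describes. Task names and registry paths are
# not given on the page, so this matches the pattern rather than specific indicators.
# Run in an elevated PowerShell session and review hits before acting on them.

$suspiciousPatterns = @(
    'Get-ItemProperty',        # reading a registry value
    'HKCU:', 'HKLM:',          # registry hive references
    'Registry::',              # alternative registry provider syntax
    '-EncodedCommand', '-enc', # base64-encoded command lines
    'FromBase64String'         # decoding an embedded/encrypted blob
)

function Get-SuspiciousLoaderTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "execute" actions carry a program path; COM handler actions do not.
            if (-not $action.Execute) { continue }
            # Restrict to actions that start Windows PowerShell or PowerShell 7.
            if ($action.Execute -notmatch 'powershell(\.exe)?$' -and
                $action.Execute -notmatch 'pwsh(\.exe)?$') { continue }
            $cmdLine = "$($action.Execute) $($action.Arguments)"
            # Case-insensitive match of each pattern against the full command line.
            $hits = $suspiciousPatterns | Where-Object { $cmdLine -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    # Trigger class names reveal logon-triggered tasks (MSFT_TaskLogonTrigger).
                    Triggers    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    Indicators  = $hits -join ','
                    CommandLine = $cmdLine
                }
            }
        }
    }
}

Get-SuspiciousLoaderTasks | Format-List
```

Legitimate administration scripts also read the registry from scheduled tasks, so the output is a triage list: a logon-triggered task whose command line decodes registry content is the combination worth a closer look.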
ComRAT v4 has two C&C channels: one over HTTP and the other using Gmail’s web interface. Operators can send commands through either channel. The researchers believe the ComRAT developers are experienced, having put considerable time into designing the malware’s architecture and making use of a number of design patterns.