“Gazer” – a New Backdoor Used in Cyber espionage

LONDON, UK. – August 31, 2017 – Researchers from ESET reported on the advanced backdoor “Gazer” for cyber espionage, created by the infamous hacker group Turla. At the moment, four versions of this malware are detected in Europe, Asia and South America. The malicious campaign continues from 2016, and its primary targets are embassies, consulates, as well as international and defense organizations. The backdoor is delivered via spearphishing in two steps: first, adversaries drop Skipper backdoor on a targeted system, and then it downloads and installs “Gazer”. Backdoor uses compromised legitimate websites as a proxy to communicate with command & control servers. Discovered versions of the backdoor are signed with valid SSL certificates and use various techniques to inject code in Windows processes, web browsers, email programs, etc.
The campaign of APT group Turla is not finished yet, and hackers continue to modify “Gazer” backdoor: its version compiled in 2017 differs significantly from earlier assemblies. Adversaries improve the backdoor to make its detection by information security solutions even more difficult. You can use APT Framework Advanced SIEM use case in the S.M.A. cloud to detect this attack at different stages of the Cyber Kill Chain.