‘Active Gazer backdoor since 2016 focuses on embassies and ministries’

Security firm ESET has discovered a backdoor, which it has named Gazer. The malware is said to be used by the Turla group to penetrate embassies and foreign ministries, particularly in southeastern European and former Soviet countries.

According to the company, the malware has been in use since at least 2016 but had gone undetected until now. This is due to the way the malicious software evades detection, for example by securely deleting files and using different strings in different versions of the malware. ESET says it is reasonably certain that Gazer is the work of the Turla group, which was previously found to hijack satellite links and is associated with Russia.

There are several indications of this, for example the choice of targets such as embassies. The way systems are infected also points to Turla: a first-stage backdoor is delivered via targeted phishing emails, after which it downloads the second, harder-to-detect backdoor. The first backdoor, named Skipper, is said to have been deployed by the group before and was found together with Gazer in most cases.

Moreover, there are many similarities between Gazer and other Turla tools, such as Carbon and Kazuar, according to ESET's more comprehensive analysis. For example, they are written in C++ and all use encrypted communication with a command-and-control server. The group mainly uses legitimate WordPress sites it has taken over as proxies to communicate with the C2 server. Turla was previously found to use Instagram comments for C2 communication, according to ESET.

A notable aspect is that Gazer uses custom encryption that does not come from a public library or rely on the Windows API. Via the C2 server, the backdoor can receive various commands through HTTP requests, such as uploading and downloading files, modifying its configuration and executing a command. Before attempting to contact the server, Gazer checks for Internet access by visiting servers of Google and Microsoft, among others.
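The two behaviours described above, a connectivity check against well-known hosts followed by HTTP traffic to a C2 proxy hosted on a compromised WordPress site, are the kind of sequence a defender can hunt for in web-proxy logs without relying on strings that change between versions. The following is an added example, not code from ESET or from the article: it runs a simple time-window heuristic over constructed proxy log lines. The log format, the connectivity-check host list, the WordPress path pattern, the allowlist of the organisation's own sites and the 60-second window are all assumptions made for the illustration.

```python
"""Added example (not ESET's code): hunt proxy logs for a connectivity check
followed shortly by a request to a WordPress path on an unfamiliar domain.
Everything below, including the log lines, is constructed for illustration."""

import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log lines: "<ISO timestamp> <client ip> <method> <url>"
SAMPLE_LOG = """\
2017-08-30T09:00:01 10.0.0.5 GET http://www.google.com/
2017-08-30T09:00:02 10.0.0.5 GET http://www.microsoft.com/
2017-08-30T09:00:09 10.0.0.5 POST http://example-blog.invalid/wp-content/uploads/2016/cache.php
2017-08-30T09:05:00 10.0.0.7 GET http://www.google.com/search?q=weather
2017-08-30T09:40:00 10.0.0.7 GET http://news.example/wp-content/themes/style.css
2017-08-30T10:00:00 10.0.0.9 POST http://intranet.corp.example/wp-admin/post.php
"""

# Assumption: hosts used for the "is the Internet reachable?" probe.
CONNECTIVITY_HOSTS = {"www.google.com", "www.microsoft.com"}
# Assumption: paths that indicate a WordPress installation.
WORDPRESS_PATH = re.compile(r"/wp-(content|includes|admin)/")
# Assumption: the organisation's own WordPress sites, which are expected traffic.
ALLOWED_DOMAINS = {"intranet.corp.example"}
# Assumption: how soon after the probe the C2 contact is expected.
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    parsed = urlparse(url)
    if not parsed.netloc:
        return None
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": parsed.netloc,
        "path": parsed.path,
    }


def find_suspicious(log_text):
    """Return (client, url) pairs where a client requested a WordPress path on a
    non-allowlisted host within WINDOW after hitting a connectivity-check host.
    Lines are assumed to be in chronological order."""
    last_check = {}  # client ip -> timestamp of its most recent connectivity probe
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["host"] in CONNECTIVITY_HOSTS:
            last_check[ev["client"]] = ev["ts"]
            continue
        if ev["host"] in ALLOWED_DOMAINS or not WORDPRESS_PATH.search(ev["path"]):
            continue
        prev = last_check.get(ev["client"])
        if prev is not None and ev["ts"] - prev <= WINDOW:
            hits.append((ev["client"], ev["url"]))
    return hits


if __name__ == "__main__":
    for client, url in find_suspicious(SAMPLE_LOG):
        print(f"suspicious sequence from {client}: {url}")
```

Only 10.0.0.5 is flagged: it probes Google and Microsoft and then, seven seconds later, POSTs to a WordPress path on an unknown domain. 10.0.0.7 also reaches a WordPress site, but 35 minutes after its last Google request, and 10.0.0.9 talks to an allowlisted internal site. A heuristic like this produces false positives on ordinary browsing, so it is a triage lead, not a verdict; its value is that it keys on behaviour the article attributes to the malware rather than on strings that ESET says differ from version to version.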

Another detail is that the latest version of Gazer contains strings that refer to gaming jargon. For example, the text ‘only single player is allowed’ appears in the code, which ESET describes as an attempt at humor. The researchers do not say how many targets were hit by Gazer.

[Image: The ‘single player’ phrase]