Gazer: A Stealthy Backdoor Attack

Gazer is a highly advanced piece of malware spotted by ESET in one of their new researchers. This new malware campaign is targeted against ministries, consulates, and embassies around the world. According to the reports, Gazer has managed to infect a number of computers worldwide, with the most victims being located in Europe. According to ESET's report, it has been active since 2016. 
 
Gazer is programmed using C++ and is believed that this is carried out by Turla group. Turla advanced persistent threat (APT)group is a notorious group that targets government and militaries. The factors that made to believe that gazer is is another tool in Turla's arsenal is that its target is inline with Turla’s traditional targets and its similarities in the mode of operation when compared with the other backdoors used by Turla group. Randomizing markers, secure wiping of files, changing strings within the code are the extra features that Gazer has added to evade detection. 
 
It has been found that the backdoor is delivered via spear phishing emails, even though there exist many ways to deliver Gazer in its attack. It hijacks the targeted Microsoft Windows machines in two steps. The spear-phishing email attachment acts as the initial point of infection. When the infected email is opened, it drops and runs another backdoor named 'Skipperbackdoor' which is the first step. The skipper then installs Gazer as a second step. Once Gazer has taken the control over the machine, it hides for a longer period of time on victim's computer with the intention to steal information. This itself explains the Gazer's success as a malware. 
 
Gazer has made used of Extensive encryption methods and the malware is designed to be really hard to spot. An encrypted container is used to store various malware components, its configuration files and to log their actions. It communicates with the command-and-control server through a set of encrypted commands. It uses custom 3DES and RSA encryption libraries to encrypt the data. 
 
All the organizations need to take care of all the newly arising sophisticated threats and must adopt layered defense mechanisms to reduce the chances of getting breached. Companies must focus on educating employees on how to identify phishing emails and do not click/respond to such emails. In order to detect unusual traffic patterns or connections, there should be a robust and frequent network monitoring mechanism. This must be made as a part of standard operating procedures. The best way to protect against the backdoor attacks is to properly consider protecting network endpoints. Hence anti-malware software protecting the endpoints, servers and other services must be kept up to date, in order to reduce the risk. 
 
ESET has released a detailed technical report on Gazer along with its global architecture and various gazer versions. 
 
Authored By - Athira Sajan
TCS Cyber Security Practice
Rate this article: 
0
No votes yet
Article category: