Evolved Remote Access Trojan targets Middle East, Europe and Africa

June 17, 2020
remote access trojan rat malware

ESET’s group of Cybersecurity researchers recently released a malware analysis report. The Remote Access Trojan is targeting different Ministries of Foreign Affairs and parliament government in Europe, Africa, and the Middle East. The researchers linked the said attack to the known group Turla (also known as Snake) that believed to operate initially on the same mentioned location. The group emerged back in 2004. Unfortunately, they are still active, being responsible for numerous cyberattacks. One of which is the intelligence leaked in 2008 on the US’ Military plan in the Middle East, French Armed Forces in 2018, and the latest, the attack in the Austrian Foreign Ministry.

The attacker Turla has only been significantly known in the cyber world with their attack in 2007 using the Agent.BTZ program. This application is a worm that spreads through removal devices such as USB that said to be the primary tool that leads to US Military plans to be compromised. With over a decade of being in the business, the group was able to keep up with the latest trends in technology, especially when it comes to doing espionage. Hence, the discovery of their highly sophisticated new program ComRAT v4, which is the evolve variant of Agent.BTZ put them again on the pedestal.


How the RAT spreads: Understanding the anatomy of the RAT

The ComRAT v4 is malware spyware that has evolved to the point a Cybersecurity expert must be aware of to avoid falling victim . Such breakthroughs of spreading not only through removal devices, but they can also do it now through an infected system within the network. The infection usually starts from a phishing email or web scanning. It is a specially programmed backdoor masterpiece that heeds itself into a web browser that injects the malicious application to the data and mail server of the targeted victim organization. The payload installs the malicious program through software called PowerStallion. It is a power shell scripting that, once infected, can perform Command and Control, including installation of other backdoor programs and compromising credentials for continued reconnaissance.


The ComRAT’s purpose.

For data server hacking, its primary purpose is to steal and exfiltrate classified information from the infected system. The payload also includes the installation of the Command and Control program for the hackers to continue its remote access and persistent penetration to the whole infrastructure of the organization. While the payload of the remote access trojan is on the mail server subject, the hackers were able to cling the virus to the Gmail application. The next step is to scan through email subjects and extract their content once the given keyword has been satisfied.

This version of the ComRAT is more alarming than its predecessors because of its ingenuity to use the Virtual File System and hiding through Gmail UI. With this additional attribute, it can bypass any anti-malware program. Since the attack does not rely on any suspicious domain, nor any existing programs can scan virtual files.

Turla again has showcased their best of what they can do. It is another matter that security experts must consider and proactively work on with due care to be able to avoid being on the hooked with perpetrators.

About the author

Leave a Reply