Today, researchers at ESET released a detailed analysis of the threat group Turla, including analysis of an updated version of the group’s ComRAT malware family. ComRAT, also known as Agent.BTZ or Chinch, is believed to have been released in 2007 and initially gained notoriety after it was used in a breach against the US military in 2008. This new major version was first spotted in mid-2017 and is known to still be in use as recently as January 2020. Unlike updates to its predecessors, ComRAT v4 uses a completely different code base and became much more complex. The following characteristics are some of the main highlights listed by ESET in their summary:
- At least three government targets identified
- Used to exfiltrate sensitive documents to various cloud storage providers (including Microsoft OneDrive)
- Complex backdoor developed in C++
- It uses a Virtual FAT16 File System
- Deployed using existing access methods, such as the PowerStallion PowerShell backdoor.
- Two Command and Control (C2) channels:
  - HTTP protocol carried over from ComRAT v3 (legacy)
  - ComRAT v4 adds Gmail as a new way to receive commands and exfiltrate data
- Can receive commands through a C2 channel, such as executing additional applications or exfiltrating data