Threat Watch

Turla Group Continues to Use ComRAT Malware in Recent Attacks

Today, researchers at ESET released a detailed analysis of the threat group Turla, including analysis of an updated version of the group’s ComRAT malware family. ComRAT, also known as Agent.BTZ or Chinch, is believed to have been released in 2007 and initially gained notoriety after it was used in a breach against the US military in 2008. This new major version was first spotted in mid-2017 and is known to still be in use as recently as January 2020. Unlike updates to its predecessors, ComRAT v4 uses a completely different code base and became much more complex. The following characteristics are some of the main highlights listed by ESET in their summary:

  • At least three government targets identified
  • Used to exfiltrate sensitive documents to various cloud storage providers (including Microsoft OneDrive)
  • Complex backdoor developed in C++
  • It uses a Virtual FAT16 File System
  • Deployed using existing access methods, such as the PowerStallion PowerShell backdoor.
  • Two Command and Control (C2) channels
    • HTTP protocol from ComRAT v3 (legacy)
    • ComRAT v4 adds Gmail as a new way to receive commands and exfiltrate data
  • Can receive commands through a C2 such for executing additional applications or exfiltrating data

ANALYST NOTES

ComRAT v4 is a complex malware with the goal of going unnoticed for as long as possible. By using the Gmail web interface to receive commands and public cloud storage providers to exfiltrate stolen data, it is able to completely evade detection by most network-based security tools, because it doesn’t use any known malicious domain names or IP addresses. Installation is believed to happen though existing access such as compromised credentials or a previously installed backdoor. During its installation, a scheduled task is created at C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator which typically writes an encrypted payload to the registry at HKLM\SOFTWARE\Microsoft\SQMClient\Windows.WSqmCons. Having endpoint and network monitoring in place is crucial in aiding SOC analysts or security teams to identify suspicious events like these. Managed security services such as the Binary Defense Security Operations Center (SOC) provide 24/7 monitoring to quickly detect, contain and alert security teams to threats before they spread too far.

Source: https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/