
New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data
2020-05-26 06:47

Cybersecurity researchers today uncovered a new, more advanced version of the ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail's web interface to covertly receive commands and exfiltrate sensitive data.

ComRAT v4, as the new version is called, uses an entirely new code base and is far more complex than its earlier variants, according to ESET. The firm said the first known sample of the malware was detected in April 2017.

A PowerShell loader injects a module called the ComRAT orchestrator into the web browser. The orchestrator supports two channels for receiving commands and exfiltrating information to the operators: a legacy mode that talks to a conventional C2 server, and an email mode that drives Gmail's web interface.

"Version four of ComRAT is a totally revamped malware family released in 2017," ESET researcher Matthieu Faou said.

"Its most interesting features are the Virtual File System in FAT16 format and the ability to use the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn't rely on any malicious domain."
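The FAT16 virtual file system mentioned above is something a responder can hunt for on disk: a VFS stored as a regular file carries a standard FAT boot sector and BIOS Parameter Block, and those fields can be parsed and sanity-checked. The scanner below is an added example written for this page; it is not ESET's tooling or anything from the ComRAT sample, and it assumes only that the VFS container begins with an ordinary FAT12/FAT16 boot sector. It deliberately ignores the ASCII "FAT16" label, which is trivially spoofable, and instead classifies the volume by its cluster count, the way the FAT specification does. All sample images in the block are constructed test data, not real malware artefacts.

```python
import struct

FAT12_MAX_CLUSTERS = 4085   # cluster counts below this are FAT12
FAT16_MAX_CLUSTERS = 65525  # counts at or above this require a FAT32 layout
SECTOR = 512


def parse_bpb(data):
    """Parse a FAT12/FAT16 boot sector. Returns a dict of BPB fields, or None
    if the 512 bytes fail the structural checks a real boot sector must pass."""
    if len(data) < SECTOR:
        return None
    if data[0] not in (0xEB, 0xE9):            # boot code starts with a JMP
        return None
    if data[SECTOR - 2:SECTOR] != b"\x55\xAA":  # boot sector signature
        return None
    (bps, spc, reserved, nfats, root_entries,
     total16, media, spf) = struct.unpack_from("<HBHBHHBH", data, 11)
    total32 = struct.unpack_from("<I", data, 32)[0]
    total = total16 or total32
    if bps not in (512, 1024, 2048, 4096):
        return None
    if spc == 0 or spc & (spc - 1) or spc > 128:   # power of two in 1..128
        return None
    if nfats not in (1, 2) or reserved == 0 or root_entries == 0:
        return None
    if spf == 0 or total == 0:  # spf == 0 is the FAT32 layout, out of scope here
        return None
    if media != 0xF0 and media < 0xF8:          # valid descriptors: F0, F8..FF
        return None
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "num_fats": nfats,
        "root_entries": root_entries, "total_sectors": total,
        "sectors_per_fat": spf, "fs_type_label": bytes(data[54:62]),
    }


def cluster_count(bpb):
    """Data-area cluster count computed as the FAT specification prescribes.
    This number, not the ASCII label, decides FAT12 versus FAT16."""
    bps = bpb["bytes_per_sector"]
    root_dir_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    system_sectors = (bpb["reserved_sectors"]
                      + bpb["num_fats"] * bpb["sectors_per_fat"]
                      + root_dir_sectors)
    data_sectors = bpb["total_sectors"] - system_sectors
    if data_sectors <= 0:
        return 0
    return data_sectors // bpb["sectors_per_cluster"]


def fat_type(data):
    """Return 'FAT12', 'FAT16', or None for a 512-byte candidate boot sector."""
    bpb = parse_bpb(data)
    if bpb is None:
        return None
    clusters = cluster_count(bpb)
    if clusters < FAT12_MAX_CLUSTERS:
        return "FAT12"
    if clusters < FAT16_MAX_CLUSTERS:
        return "FAT16"
    return None  # that many clusters needs FAT32 fields, which parse_bpb rejects


def scan_for_fat16(blob):
    """Byte offsets in `blob` at which a FAT16 boot sector starts. Cheap byte
    checks run first; the full BPB parse only runs on candidates."""
    hits = []
    for off in range(0, len(blob) - SECTOR + 1):
        if blob[off] in (0xEB, 0xE9) and blob[off + 510:off + 512] == b"\x55\xAA":
            if fat_type(blob[off:off + SECTOR]) == "FAT16":
                hits.append(off)
    return hits


def build_boot_sector(bps, spc, reserved, nfats, root_entries, total, spf,
                      fs_type=b"FAT16   "):
    """Construct a minimal boot sector for testing (constructed data, not a real sample)."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"MSWIN4.1"
    total16 = total if total < 0x10000 else 0
    total32 = 0 if total < 0x10000 else total
    struct.pack_into("<HBHBHHBH", sector, 11, bps, spc, reserved, nfats,
                     root_entries, total16, 0xF8, spf)
    struct.pack_into("<I", sector, 32, total32)
    sector[38] = 0x29                 # extended boot signature
    sector[43:54] = b"NO NAME    "
    sector[54:62] = fs_type
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples: a 16 MiB FAT16 volume, a 1.44 MB floppy geometry whose
# label lies and says FAT16, and a PNG header as a non-FAT decoy.
FAT16_16MIB = build_boot_sector(512, 4, 1, 2, 512, 32768, 32)
FAT12_SPOOFED_LABEL = build_boot_sector(512, 1, 1, 2, 224, 2880, 9, fs_type=b"FAT16   ")
PNG_DECOY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 504

if __name__ == "__main__":
    for name, img in (("16MiB", FAT16_16MIB), ("spoofed", FAT12_SPOOFED_LABEL),
                      ("png", PNG_DECOY)):
        print(name, fat_type(img))
    print(scan_for_fat16(b"\x00" * 1000 + FAT16_16MIB + b"\x00" * 2048))
```

Run against a directory of suspect files, `scan_for_fat16` flags any file that embeds a FAT16 boot sector, whether at offset zero or buried inside a larger container. The spoofed-label sample shows why the cluster-count check matters: its label claims FAT16 but the geometry is FAT12, and an operator could just as easily blank the label entirely.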


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/3q-UVnrYyXo/gmail-malware-hacker.html