
Turla APT Revamps One of Its Go-To Spy Tools
2020-05-26 15:28

The Turla APT group has been spotted using an updated version of the ComRAT remote-access trojan to attack governmental targets.

According to ESET researchers, ComRAT is one of Turla's oldest weapons, first released in 2007, but the firm found that Turla used an updated version in attacks against at least three targets earlier this year: two Ministries of Foreign Affairs and a national parliament.

In the latest campaigns, Turla deployed ComRAT using its typical initial infection tools, including the PowerStallion PowerShell backdoor, according to ESET. "Based on ESET telemetry, we believe that ComRAT is installed using an existing foothold such as compromised credentials or via another Turla backdoor," researchers said. "For instance, we've seen ComRAT installed by PowerStallion, their PowerShell-based backdoor we described in 2019. The ComRAT installer is a PowerShell script that creates a Windows scheduled task and fills a Registry value with the encrypted payload."
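As an added defender-side example (not code from ESET or the article), the following Python checks exported scheduled-task definitions for the persistence pattern just described: a task action that launches PowerShell and reads its payload out of a registry value. The task XML samples, task contents and registry path are constructed placeholders, not real ComRAT artifacts.

```python
# Added example (not ESET's or the article's code): hunt scheduled-task
# definitions for the pattern above: an action that launches PowerShell and
# pulls its payload out of a registry value. Samples are constructed; the
# registry path is a placeholder, not a real ComRAT artifact.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler XML namespace
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
# Command-line fragments that read a registry value
REGISTRY_RE = re.compile(r"Get-ItemProperty|HK(LM|CU)[:\\]|Registry::|Microsoft\.Win32\.Registry", re.I)
# Switches commonly used to hide or obscure the real command
HIDING_RE = re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop|noprofile)\b", re.I)


def suspicious_actions(task_xml: str):
    """Return (command, arguments, reasons) for each Exec action worth review."""
    root = ET.fromstring(task_xml)
    hits = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if not POWERSHELL_RE.search(cmd):
            continue  # only PowerShell-launching actions are in scope here
        reasons = []
        if REGISTRY_RE.search(args):
            reasons.append("reads payload from registry")
        if HIDING_RE.search(args):
            reasons.append("hidden/encoded invocation")
        if reasons:
            hits.append((cmd, args, reasons))
    return hits


# Constructed sample: PowerShell action reading a blob from a placeholder key
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -c $d=(Get-ItemProperty 'HKLM:\SOFTWARE\PLACEHOLDER\Vendor').Blob</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: ordinary admin task running a script from disk
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-File C:\Scripts\nightly-backup.ps1</Arguments>
  </Exec></Actions>
</Task>"""
```

On a live host the same function can be fed the output of `schtasks /query /xml` or the files under `C:\Windows\System32\Tasks`; any hit is a lead for pulling the referenced registry value for analysis.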

To talk to the C2, ComRAT v4 uses either the Gmail web interface or an existing custom Turla protocol over HTTP. "Its most interesting feature is the use of the Gmail web UI to receive commands and exfiltrate data," according to the research.

"We found indications that ComRAT v4 was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries."


News URL

https://threatpost.com/turla-apt-revamps-comrat/156051/