Malware

New Turla ComRAT backdoor uses Gmail for Command and Control

Researchers uncovered a new advanced variant of Turla’s ComRAT backdoor that leverages Gmail’s web interface as C2 infrastructure.

Cybersecurity researchers discovered a new version of the ComRAT backdoor, also known as Agent.BTZ, which is a malware that was employed in past campaigns attributed to the Turla APT group.

Earlier versions of Agent.BTZ were used to compromise US military networks in the Middle East in 2008.

The new variant leverages Gmail’s web interface to covertly receive commands and exfiltrate sensitive data.

ComRAT v4 appeared in the threat landscape in 2017 and is still in use by threat actors; most recently, a new variant was used in attacks against two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region.

This new version was developed from scratch and is far more complex than its predecessors. 

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

ComRAT is a sophisticated backdoor developed in C++. It can perform many malicious actions on the infected systems, such as executing additional payloads or exfiltrating files.

The backdoor stores its data in a Virtual File System formatted as FAT16. It is deployed using existing access methods, including the PowerStallion PowerShell backdoor.

ComRAT leverages the following C2 channels:

  • HTTP: It uses exactly the same protocol as ComRAT v3
  • Email: It uses the Gmail web interface to receive commands and exfiltrate data

The main components of ComRAT v4 are:

  • an orchestrator, which is injected into explorer.exe process and is used to control most of ComRAT functions.
  • a communication module (a DLL), which is injected into the default browser by the orchestrator. It communicates with the orchestrator using a named pipe.
  • a Virtual FAT16 File System, containing the configuration and the logs files.

“The main use of ComRAT is discovering, stealing and exfiltrating confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents.” reads the report published by the experts.

To evade detection, ComRAT files, with the exception of the orchestrator DLL and the scheduled task used for persistence, are stored in a virtual file system (VFS). The default VFS container file is hardcoded in the orchestrator component, which drops it the first time it is executed.
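Because the VFS container is a FAT16 image sitting in an ordinary file, a responder can confirm what an unknown on-disk blob is by parsing its first sector. The following is an added example, not code from the article or from ESET's report: a small BIOS Parameter Block (BPB) sniffer that classifies a blob as FAT12, FAT16 or FAT32 by the cluster-count rule Microsoft publishes for the format. The sample boot sector it builds is constructed for the demonstration and is not taken from any real ComRAT container.

```python
"""FAT boot-sector sniffer (added example; not from the article or ESET's report).

Field offsets follow the published FAT BIOS Parameter Block layout. The file-system
type is decided from the data-cluster count, exactly as the FAT specification does,
rather than from the human-readable "FAT16   " string, which a malware author may
omit or alter.
"""
import struct
from typing import Optional

SECTOR = 512


def parse_bpb(blob: bytes) -> Optional[dict]:
    """Parse the BPB in the first 512 bytes; return None if it cannot be a FAT volume."""
    if len(blob) < SECTOR or blob[510:512] != b"\x55\xAA":
        return None
    # Offsets 11..20: bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root directory entries, 16-bit total sector count.
    bps, spc, reserved, fats, root_entries, total16 = struct.unpack_from("<HBHBHH", blob, 11)
    fat_size16 = struct.unpack_from("<H", blob, 22)[0]
    total32 = struct.unpack_from("<I", blob, 32)[0]
    # Basic sanity checks: power-of-two sector/cluster sizes, at least one FAT.
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or (spc & (spc - 1)) or fats == 0:
        return None
    # FAT32 zeroes the 16-bit FAT size and stores a 32-bit size at offset 36.
    fat_size = fat_size16 or struct.unpack_from("<I", blob, 36)[0]
    total = total16 or total32
    if fat_size == 0 or total == 0:
        return None
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + fats * fat_size + root_dir_sectors)
    if data_sectors <= 0:
        return None
    clusters = data_sectors // spc
    if clusters < 4085:
        fs = "FAT12"
    elif clusters < 65525:
        fs = "FAT16"
    else:
        fs = "FAT32"
    return {
        "fs": fs,
        "clusters": clusters,
        "bytes_per_sector": bps,
        "total_sectors": total,
        "label": blob[43:54].decode("ascii", "replace").strip(),
        "fs_type_string": blob[54:62].decode("ascii", "replace").strip(),
    }


def build_sample_boot_sector() -> bytes:
    """Constructed FAT16 boot sector used as test input (not a real sample)."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"          # jump instruction
    sec[3:11] = b"MSWIN4.1"             # OEM name
    # 512 bytes/sector, 4 sectors/cluster, 1 reserved sector, 2 FATs,
    # 512 root entries, 32768 total sectors.
    struct.pack_into("<HBHBHH", sec, 11, 512, 4, 1, 2, 512, 32768)
    sec[21] = 0xF8                      # media descriptor: fixed disk
    struct.pack_into("<H", sec, 22, 32) # 32 sectors per FAT
    sec[38] = 0x29                      # extended boot signature
    sec[43:54] = b"NO NAME    "
    sec[54:62] = b"FAT16   "
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    print(parse_bpb(build_sample_boot_sector()))
```

Run it over the first sector of any suspect file; a non-FAT blob (or a real ZIP, which starts with `PK`) returns None, while the constructed image is reported as FAT16 with 8167 data clusters.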

The C&C “mail” mode was specific to the Gmail email provider.

The orchestrator reads the target email address from /etc/transport/mail/mailboxes/0/command_addr and the cookies used to authenticate to Gmail from /etc/transport/mail/mailboxes/0/cookie, then parses the inbox HTML page (using the Gumbo HTML parser).
The cookies have a limited lifetime, so they are updated after each interaction.

The Gmail parser retrieves the list of emails whose subject lines match those listed in a “subject.str” file in the VFS.

The ComRAT backdoor downloads the attachments (e.g. “document.docx,” “documents.xlsx”) from each email that meets the above criteria, then deletes the emails to avoid processing them twice.

Despite their extensions, the attachments are not Office documents, but rather encrypted blobs of data that include a specific command to be executed.

The backdoor creates an attachment containing the result of the commands; its filename consists of 20 random digits followed by the so-called double extension .jpg.bfe.
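The two traits above, Office-named attachments that are not Office files and result files named with 20 digits plus .jpg.bfe, are both cheap to check at a mail gateway or in a proxy's attachment log. The following is an added example, not code from the article or from ESET's report: a triage routine that verifies that a .docx/.xlsx/.pptx attachment is really an Office Open XML container (a ZIP archive carrying a [Content_Types].xml entry) and flags the result-file naming pattern. The attachments it examines are constructed inline for the demonstration.

```python
"""Attachment triage for the ComRAT mail-channel traits (added example).

Both checks are derived only from what the article states: attachments with
Office extensions that are really encrypted blobs, and result attachments named
<20 digits>.jpg.bfe. The sample attachments below are constructed.
"""
import io
import re
import zipfile
from typing import List, Tuple

# Result attachments: exactly 20 digits followed by the .jpg.bfe double extension.
RESULT_NAME = re.compile(r"^\d{20}\.jpg\.bfe$")
OFFICE_EXT = (".docx", ".xlsx", ".pptx")
ZIP_MAGIC = b"PK\x03\x04"


def is_office_container(data: bytes) -> bool:
    """Office Open XML files are ZIP archives that always carry [Content_Types].xml."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'ok' or a short reason string describing why the attachment is suspicious."""
    lower = name.lower()
    if RESULT_NAME.match(lower):
        return "suspicious: result-file naming pattern (20 digits + .jpg.bfe)"
    if lower.endswith(OFFICE_EXT) and not is_office_container(data):
        return "suspicious: Office extension but content is not an OOXML container"
    return "ok"


def triage(attachments: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Classify every (filename, content) pair; returns (filename, verdict) pairs."""
    return [(name, classify_attachment(name, data)) for name, data in attachments]


def build_minimal_docx() -> bytes:
    """Constructed, syntactically valid OOXML shell used as a benign control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def sample_attachments() -> List[Tuple[str, bytes]]:
    """Constructed test inputs: one real-looking docx, one opaque blob, one result file."""
    opaque_blob = bytes(range(256)) * 4            # stands in for an encrypted command blob
    return [
        ("quarterly_report.docx", build_minimal_docx()),
        ("document.docx", opaque_blob),
        ("12345678901234567890.jpg.bfe", opaque_blob),
        ("notes.txt", b"plain text"),
    ]


if __name__ == "__main__":
    for name, verdict in triage(sample_attachments()):
        print(f"{name:32s} {verdict}")
```

The extension-versus-content check is the more durable of the two: operators can change a naming convention, but an attachment that claims to be a Word document and does not open as one is a mismatch worth alerting on regardless of who sent it.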

The analysis of the time of day that commands were sent in a one-month period reveals that the operators are working in the UTC+3 or UTC+4 time zone.

“Version four of ComRAT is a totally revamped malware family released in 2017,” ESET concludes. “Its most interesting features are the Virtual File System in FAT16 format and the ability to use the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain.”


Pierluigi Paganini

(SecurityAffairs – Tesla, hacking)
