ESET reveals details of cyber-espionage conducted through a backdoor called Gazer.
Security researchers at ESET released new research yesterday (August 30) on their discovery of an advanced backdoor used by the notorious hacker group Turla.
The backdoor, dubbed Gazer, has been targeting embassies and consulates globally.
ESET’s research team was the first to discover the backdoor, although evidence shows it has been active since 2016. According to the team, Gazer uses advanced methods to spy on its targets, “embedding itself out of sight on victims’ computers in an attempt to steal information for a long period of time”.
It has managed to infect a number of computers around the world, with most of the affected machines located in Europe.
A two-stage infection process
ESET examined a series of espionage campaigns carried out using Gazer, and identified south-eastern European and former Soviet countries as the prime targets.
The second stage, the Gazer backdoor itself, receives encrypted instructions from Turla’s command-and-control servers, with compromised but legitimate websites used as a proxy in front of that infrastructure.
According to ESET: “Another notable similarity between Gazer and past creations of the Turla cyber-espionage group becomes obvious when the malware is analysed.
“Gazer makes extra efforts to evade detection by changing strings within its code, randomising markers and wiping files securely.”
ESET also noted Turla’s sense of humour in its modification of code strings: “In the most recent example of the Gazer backdoor malware found by ESET’s research team, clear evidence was seen that someone had modified most of its strings and inserted phrases related to video games throughout its code.”
The security group was firm in its warning about the continued deployment of sophisticated backdoors such as Gazer by espionage groups: “In conclusion, Gazer is a very sophisticated piece of malware that has been used against different targets in several countries around the world. Through the different versions we found and analysed, we can see that this malicious backdoor is still being actively developed and used by its creators.”