Oh, ambassador! You literally are spoiling us: Super-stealthy spyware hits Euro embassy PCs
Gazer opens Windows onto diplomatic secrets
A highly advanced piece of malware, dubbed Gazer, has been found in embassies and consulates across Eastern Europe.
The software nasty was discovered by security shop Eset, which says the code uses a two-stage process to insert itself into Microsoft Windows machines. In a report published today, we're told the initial point of infection is a spearphishing email attachment, which when opened drops and runs malware dubbed Skipper. That code then downloads Gazer.
The Gazer nasty opens a backdoor on the infected machine, is written in C++, and is designed to be hard to spot. It hides out in an encrypted container, using RSA and 3DES algorithms to scramble its bytes, and communicates with its command-and-control center by going to legitimate websites that have been compromised. It has been active since 2016, according to Eset.
It also regularly cleans up after itself, wiping out files it creates and generally covering its tracks. The code itself is written to look like it might be related to a video game, with phrases like "Only single player is allowed" dotted around in the binaries.
Once installed and running, Gazer allows full remote code execution and activity monitoring by its operators. It can also get out onto the infected PC's network to spread, but doesn't automatically do so.
Based on the malware's similarity to other cyber weapons, it might be the work of the Turla hacking group – a Russian-speaking collective that is thought to be partly state sponsored by Putin's government. Given the choice of targets, it seems likely that diplomatic espionage was the goal of the malware's masterminds.
"Although we could not find irrefutable evidence that this backdoor is truly another tool in Turla's arsenal, several clues lead us to believe that this is indeed the case," the Eset team reports.
"First, their targets are in line with Turla's traditional targets: Ministries of Foreign Affairs and embassies. Second, the modus operandi of spearphishing, followed by a first stage backdoor and a second stage, stealthier backdoor, is what has been seen over and over again." ®