Security researchers from ESET have released a lengthy report that describes a new version of ComRAT malware (also known as Agent.BTZ) used by Turla APT, a threat actor that is known for its watering hole and spear-phishing campaigns against governments and diplomatic entities in Europe, Central Asia and the Middle East.
ComRAT is a Remote Access Trojan (RAT) that came to light after the group had used it in the attacks against the US military in 2008. The first version of the backdoor had worm capabilities and was spreading through removable drives.
In the following years, the malware authors released several variants of ComRAT with only minor changes to its functionality. In 2017, researchers uncovered a new, far more advanced version (ComRAT v4) that used a new code base and added two features: the ability to exfiltrate antivirus logs and the ability to control the malware through a Gmail inbox.
ESET said it detected new attacks using the ComRAT v4 malware in January 2020. The attacks were aimed at three high-profile entities, including a national parliament in the Caucasus region and two Ministries of Foreign Affairs in Eastern Europe.
“The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents,” ESET said.
The ComRAT malware is typically installed using compromised credentials or the PowerStallion backdoor. The ComRAT installer is a PowerShell script that creates a Windows scheduled task and fills a Registry value with the encrypted payload.
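As a defender-side check added here (not part of the ESET report; the function name and the indicator lists are my own), the following PowerShell enumerates scheduled tasks whose action launches PowerShell with a command line that reads a Registry value, the persistence pattern the installer is described as using. It also decodes -EncodedCommand arguments so that base64 encoding does not hide the Registry read.

```powershell
# Added example, not from the ESET report. Hunts for the installer pattern
# described above: a scheduled task that runs PowerShell and pulls its payload
# from a Registry value. No task names or Registry paths from the campaign are
# known here, so the check is purely pattern-based.

# Command-line fragments that suggest a script loads data from the Registry.
$registryHints = @('HKCU:', 'HKLM:', 'Registry::', 'Get-ItemProperty', 'GetValue(')

function Find-RegistryBackedPowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            # Only actions that launch Windows PowerShell or PowerShell 7 are of interest.
            if ($exe -notmatch '(powershell|pwsh)(\.exe)?$') { continue }

            # An encoded command line hides the Registry read; decode it when present
            # (-EncodedCommand takes UTF-16LE text, base64-encoded).
            $decoded = ''
            if ($arguments -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
                try {
                    $decoded = [Text.Encoding]::Unicode.GetString(
                        [Convert]::FromBase64String($matches[1]))
                } catch { $decoded = '' }
            }

            $searchSpace = "$arguments`n$decoded"
            $hits = $registryHints | Where-Object { $searchSpace -like "*$_*" }

            # Report tasks that read the Registry, and any encoded launcher for review.
            if ($hits -or $decoded) {
                [pscustomobject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    State      = $task.State
                    Execute    = $exe
                    Arguments  = $arguments
                    Decoded    = $decoded
                    Indicators = ($hits -join ', ')
                }
            }
        }
    }
}

Find-RegistryBackedPowerShellTasks | Format-List
```

Legitimate management scripts also read the Registry from scheduled tasks, so each hit needs triage against the task's author, creation time and the size and entropy of the value it reads.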
ComRAT v4 consists of several components:
An orchestrator, injected into explorer.exe, which controls most of ComRAT's functions, including the execution of backdoor commands.
A communication module (a DLL), injected into the default browser by the orchestrator, which communicates with the orchestrator over a named pipe.
A virtual FAT16 file system containing the configuration and the log files.
The ComRAT v4 malware uses two different channels to communicate with its C&C server: one mechanism uses the HTTP protocol and the other uses the Gmail web interface.
“In the latter mode and using cookies stored in the configuration, it connects to the Gmail web interface in order to check the inbox and download specific mail attachments that contain encrypted commands. These commands are sent by the malware operators from another address, generally hosted on a different free email provider such as GMX,” the researchers wrote.
Another notable feature of ComRAT v4 is its ability to collect antivirus logs from an infected host in order to determine whether the malware samples have been detected by security software.
“We found indications that ComRAT v4 was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries,” the researchers concluded.