30 October 2020

US Cyber Command provides info on malware implants used in attacks against parliaments, embassies

US Cyber Command has published technical details of malware implants deployed by Russia-linked hacker groups against multiple ministries of foreign affairs and national parliaments to conduct cyber espionage, steal data and install further malware. US Cyber Command's Cyber National Mission Force (CNMF) and the Cybersecurity and Infrastructure Security Agency (CISA) have uploaded the malware samples to the VirusTotal online scanning platform.

CISA, the FBI and CNMF have also released two joint advisories describing a new variant of the ComRAT malware and a new variant of the Zebrocy backdoor, used by the Russia-linked Turla and APT 28 hacker groups respectively.

The Turla group, also tracked as Snake, Venomous Bear, Uroburos, Group 88, Waterbug and Turla Team, has been operating for at least ten years, mainly focusing on governments across Europe, Central Asia and the Middle East. The group is known for its attacks on a number of major organizations, including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

“FBI has high confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations,” CISA said.

CISA's report analyzes a new version of the ComRAT malware (ComRAT v4) used by the Turla group in attacks on ministries of foreign affairs and national parliaments.

“This new variant of ComRAT contains embedded 32-bit and 64-bit DLLs used as communication modules. The communication module (32-bit or 64-bit DLL) is injected into the victim system's default browser. The ComRATv4 file and the communication module communicate with each other using a named pipe. The named pipe is used to send Hypertext Transfer Protocol (HTTP) requests and receive HTTP responses to and from the communication module for backdoor commands. It is designed to use a Gmail web interface to receive commands and exfiltrate data. The ComRAT v4 file contains a Virtual File System (VFS) in File Allocation Table 16 (FAT16) format, which includes the configuration and logs files,” the report said.
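The quoted description says the ComRAT v4 binary carries a FAT16-formatted virtual file system holding its configuration and log files. The following Python is an added example, not code from CISA, US Cyber Command or the malware itself: it builds a small FAT16 volume from constructed file contents, embeds it inside filler bytes the way an embedded VFS sits inside a larger binary, locates it by its boot-sector markers, then walks the root directory and the FAT cluster chain to recover the files. The file names and contents are made up, the on-disk layout follows the standard FAT16 BPB rather than anything sample-specific, and the example assumes the VFS image is stored in the clear; if a sample stores it encoded, it has to be decoded before this kind of parsing applies.

```python
import struct

BPS = 512                  # bytes per sector (assumed; the common value)
FAT16_LABEL = b"FAT16   "  # file-system type string at BPB offset 54


def build_fat16_image(files, spc=1, reserved=1, nfats=1, root_entries=16,
                      spf=16, total_sectors=4112):
    """Build a minimal FAT16 volume from {name: bytes} (constructed test data).

    Layout: boot sector | FAT | root directory | data area (cluster 2 onward).
    4094 data clusters keeps the volume above the FAT16 cluster-count floor.
    """
    cluster_size = spc * BPS
    image = bytearray(total_sectors * BPS)
    image[0:3] = b"\xEB\x3C\x90"                           # jump + NOP
    image[3:11] = b"MSWIN4.1"                              # OEM name
    struct.pack_into("<HBHBHHBH", image, 11, BPS, spc, reserved, nfats,
                     root_entries, total_sectors, 0xF8, spf)
    image[54:62] = FAT16_LABEL
    image[510:512] = b"\x55\xAA"                           # boot signature

    fat = [0xFFF8, 0xFFFF] + [0] * (spf * BPS // 2 - 2)    # entries 0/1 reserved
    root_off = (reserved + nfats * spf) * BPS
    data_off = root_off + root_entries * 32
    next_cluster = 2
    for idx, (fname, content) in enumerate(files.items()):
        name, _, ext = fname.partition(".")
        chunks = [content[i:i + cluster_size]
                  for i in range(0, len(content), cluster_size)]
        entry = bytearray(32)                              # 8.3 directory entry
        entry[0:8] = name.upper().ljust(8).encode("ascii")
        entry[8:11] = ext.upper().ljust(3).encode("ascii")
        entry[11] = 0x20                                   # ATTR_ARCHIVE
        struct.pack_into("<H", entry, 26, next_cluster if chunks else 0)
        struct.pack_into("<I", entry, 28, len(content))
        image[root_off + idx * 32: root_off + (idx + 1) * 32] = entry
        for j, chunk in enumerate(chunks):
            cl = next_cluster + j
            off = data_off + (cl - 2) * cluster_size
            image[off:off + len(chunk)] = chunk
            fat[cl] = 0xFFFF if j == len(chunks) - 1 else cl + 1   # chain / EOC
        next_cluster += len(chunks)
    struct.pack_into("<%dH" % len(fat), image, reserved * BPS, *fat)
    return bytes(image)


def parse_fat16(image):
    """Walk the root directory of a FAT16 volume and return {name: bytes}."""
    bps, spc, reserved, nfats, root_entries, _, _, spf = \
        struct.unpack_from("<HBHBHHBH", image, 11)
    cluster_size = spc * bps
    fat_off = reserved * bps
    fat = struct.unpack_from("<%dH" % (spf * bps // 2), image, fat_off)
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + ((root_entries * 32 + bps - 1) // bps) * bps
    files = {}
    for i in range(root_entries):
        e = image[root_off + i * 32: root_off + (i + 1) * 32]
        if e[0] == 0x00:
            break                                          # end of directory
        if e[0] == 0xE5 or e[11] == 0x0F or e[11] & 0x08:
            continue                                       # deleted / LFN / label
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        first, size = struct.unpack_from("<HI", e, 26)
        data, cl, seen = bytearray(), first, set()
        while 2 <= cl < 0xFFF8 and cl not in seen and len(data) < size:
            seen.add(cl)                                   # guard against looping chains
            off = data_off + (cl - 2) * cluster_size
            data += image[off:off + cluster_size]
            cl = fat[cl] if cl < len(fat) else 0xFFFF
        files[name + ("." + ext if ext else "")] = bytes(data[:size])
    return files


def carve_fat16_volumes(blob):
    """Return offsets in blob where a FAT16 boot sector appears to start."""
    hits, pos = [], blob.find(FAT16_LABEL)
    while pos != -1:
        start = pos - 54
        if (start >= 0 and blob[start + 510:start + 512] == b"\x55\xAA"
                and struct.unpack_from("<H", blob, start + 11)[0]
                in (512, 1024, 2048, 4096)):
            hits.append(start)
        pos = blob.find(FAT16_LABEL, pos + 1)
    return hits


SAMPLE_FILES = {                       # constructed contents, not from any real sample
    "CONFIG.DAT": b"c2=mail.google.com\r\ninterval=300\r\n",
    "LOG.TXT": b"[log] beacon sent\r\n" * 80,   # 1520 bytes: spans three clusters
    "EMPTY.BIN": b"",
}


def demo():
    """Embed the constructed volume in filler bytes, carve it out, parse it."""
    vfs = build_fat16_image(SAMPLE_FILES)
    carrier = b"\x00" * 1000 + b"MZ" + b"\x90" * 3000 + vfs + b"\xCC" * 100
    offsets = carve_fat16_volumes(carrier)
    return offsets, parse_fat16(carrier[offsets[0]:])


if __name__ == "__main__":
    found, recovered = demo()
    print("FAT16 volume at offset", found)
    for fname, data in recovered.items():
        print(fname, len(data), "bytes")
```

The carver keys on the `FAT16   ` type string plus the 0x55AA boot signature and a plausible sector size, which is enough to find a plain embedded image without false positives on ordinary PE data; the parser then trusts the BPB fields rather than guessing geometry, and the visited-cluster set keeps a corrupted FAT chain from looping forever.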

In a separate advisory, CISA shared technical details on the Zebrocy backdoor, also spotted in attacks targeting embassies and ministries of foreign affairs in Eastern Europe and Central Asia.

“Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system,” CISA said.

While the agency did not name the threat actor behind the malware, the Zebrocy backdoor was previously linked to the APT 28 (aka Sofacy, Fancy Bear, Sednit, STRONTIUM) hacker group believed to have ties to Russia.
