11 October 2019

New espionage campaign targets diplomatic missions and governmental institutions in Eastern Europe

ESET researchers have discovered an advanced espionage platform that has been used to spy on diplomats and Russian-speaking users in Eastern Europe. Dubbed Attor, the new piece of malware has been active since at least 2013, and implements a loadable-plugin architecture that can be used to customize the functionality to specific victims. The malware also comes with some unusual capabilities including the use of encrypted modules, Tor-based communications, and a plugin designed for GSM fingerprinting using the AT protocol.

The researchers believe that the threat actor behind Attor is a state-sponsored group involved in highly targeted attacks on selected targets – despite Attor being in operation for at least seven years, ESET was able to identify only a few dozen victims.

“In order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title,” the report says.

ESET believes that Attor has been designed to target mainly Russian-speaking users. This conclusion is partly based on the fact that the list of targeted applications includes not only standard services such as popular web browsers, instant messaging applications and email services, but also several popular Russian apps and services, namely the social networks Odnoklassniki and VKontakte, VoIP provider Multifon, IM apps Qip and Infium, search engine Rambler, email clients Yandex and Mail.ru, and payment system WebMoney.

The malware has a modular structure with a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). The attackers first compromise the target, dropping the components on disk, then load the dispatcher DLL, which serves as a management and synchronization unit for the additional plugins.

“Attor’s plugins are delivered to the compromised computer as DLLs, asymmetrically encrypted with RSA. The plugins are only fully recovered in memory, using the public RSA key embedded in the dispatcher. As a result, it is difficult to obtain Attor’s plugins, and to decrypt them, without access to the dispatcher,” ESET said.
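The quoted design means the operator applies the RSA private key when packaging a plugin and the dispatcher applies only the embedded public key to recover it. The following added illustration (not ESET's code and not Attor's, using a tiny constructed textbook RSA key and a constructed stand-in for a plugin DLL) shows why a plugin blob is useless without the dispatcher's key, and why recovering it requires nothing more than that key:

```python
# Added illustration of "encrypted with RSA, recovered with the PUBLIC key
# embedded in the dispatcher". The key below is a constructed toy key
# (n = 61 * 53, e = 17, d = e^-1 mod phi(n)) chosen for readability; it is
# not Attor's key material and offers no real security.
from typing import Tuple

TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def package_plugin(plugin: bytes, d: int, n: int) -> bytes:
    """Operator side: transform each plugin byte with the PRIVATE exponent.

    Each byte b (< n) becomes b^d mod n, stored as two big-endian bytes
    because the result can be as large as n - 1 = 3232. Raw, unpadded RSA on
    single bytes is a 256-entry codebook and trivially reversible; it is used
    here only to keep the arithmetic visible.
    """
    return b"".join(pow(b, d, n).to_bytes(2, "big") for b in plugin)


def recover_plugin(blob: bytes, e: int, n: int) -> bytes:
    """Dispatcher side: undo the transform with the PUBLIC exponent only.

    A value that does not map back to a single byte means the blob was
    packaged for a different key; it is replaced by 0xFF so a loader can
    detect the mismatch instead of mapping garbage into memory.
    """
    if len(blob) % 2:
        raise ValueError("ciphertext must consist of 2-byte blocks")
    out = bytearray()
    for i in range(0, len(blob), 2):
        c = int.from_bytes(blob[i:i + 2], "big")
        m = pow(c, e, n)
        out.append(m if m < 256 else 0xFF)
    return bytes(out)


# Constructed stand-in for a plugin DLL: an MZ header plus a marker string.
FAKE_PLUGIN = b"MZ\x90\x00" + b"attor-demo-plugin"


def demo() -> Tuple[bytes, bytes]:
    """Return (recovered with the dispatcher's key, recovered with a wrong key)."""
    blob = package_plugin(FAKE_PLUGIN, TOY_D, TOY_N)
    good = recover_plugin(blob, TOY_E, TOY_N)
    # A different dispatcher key (constructed: n = 71 * 67 = 4757, e = 17)
    # cannot recover the plugin, which is why analysts need the real dispatcher.
    wrong = recover_plugin(blob, 17, 4757)
    return good, wrong
```

For an analyst this is the practical takeaway: the plugins decrypt with a key that is embedded, in the clear, in the dispatcher, so obtaining the dispatcher sample is the whole prerequisite for recovering them.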

The researchers found eight of Attor’s plugins responsible for persistence of the platform (Installer/watchdog plugin), for collecting sensitive information (Device monitor, Screengrabber, Audio recorder, Key/clipboard logger) and for network communication with the C&C server (File uploader, Command dispatcher/SOCKS proxy, Tor client).

One of the most interesting plugins is the module designed to detect when users connect modems and older phones to their devices. It collects information about both connected modem/phone devices and connected storage drives, and about files present on these drives.

Attor’s device monitoring module implements a unique fingerprinting feature of GSM devices. Whenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate with it. The researchers believe that the plugin’s main purpose lies in targeting modems and older phones, or it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor.

“In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques,” the researchers said.

A more detailed analysis of the Attor malware, as well as Indicators of Compromise (IoCs) related to observed campaigns, is available in the full white paper named ‘AT commands, TOR-based communications: Meet Attor, a fantasy creature and also a spy platform.’
