ESET researchers have discovered an advanced espionage platform that has been used to spy on diplomats and Russian-speaking users in Eastern Europe. Dubbed Attor, the new piece of malware has been active since at least 2013 and implements a loadable-plugin architecture that lets the operators tailor its functionality to specific victims. The malware also comes with some unusual capabilities, including the use of encrypted modules, Tor-based communications, and a plugin designed for GSM fingerprinting using the AT protocol.
The researchers believe that the threat actor behind Attor is a state-sponsored group running highly targeted operations: despite Attor being active since at least 2013, ESET was able to identify only a few dozen victims.
“In order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title,” the report says.
ESET believes that Attor has been designed to target mainly Russian-speaking users. This conclusion is partly based on the fact that the list of targeted applications includes not only standard services such as popular web browsers, instant messaging applications and email services, but also several popular Russian apps and services, namely the social networks Odnoklassniki and VKontakte, VoIP provider Multifon, IM apps Qip and Infium, search engine Rambler, webmail services Yandex and Mail.ru, and payment system WebMoney.
The malware has a modular structure with a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). After compromising the target, the attackers drop the components on disk and load the dispatcher DLL, which serves as the management and synchronization unit for the plugins.
“Attor’s plugins are delivered to the compromised computer as DLLs, asymmetrically encrypted with RSA. The plugins are only fully recovered in memory, using the public RSA key embedded in the dispatcher. As a result, it is difficult to obtain Attor’s plugins, and to decrypt them, without access to the dispatcher,” ESET said.
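The detail worth pausing on is that the plugins are recovered with the public key. In RSA terms, whatever is undone with the public exponent was produced with the private exponent, so the operators are effectively signing their plugins, and the scheme protects them only from someone who does not have the dispatcher. Anyone who does have it (the dispatcher itself, or an analyst who has dumped it and extracted the embedded key) can recover every plugin, which is exactly the dependency ESET points to. The toy model below is an added example and is not ESET's or Attor's code; the 40-bit modulus, the 4-byte block format with a length header, the "MZ" plausibility check and the sample plugin bytes are all constructed for illustration and say nothing about Attor's real key size, padding or plugin format.

```python
"""Toy model of the plugin protection ESET describes for Attor: plugin DLLs are
stored RSA-encrypted and are recovered in memory using a PUBLIC key embedded in
the dispatcher. Added example, not ESET's or Attor's code: the key size, block
format and sample plugin are constructed for illustration."""
from math import isqrt

BLOCK = 4    # plaintext bytes per RSA block: 2**32 must be < n
CBLOCK = 5   # bytes per ciphertext block: n must be < 2**40


def _is_prime(n: int) -> bool:
    """Trial division; only meant for the small toy primes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, isqrt(n) + 1))


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def make_keypair(p_start: int = 10**6, q_start: int = 10**6 + 10, e: int = 65537):
    """Returns (public, private) as (n, exponent) pairs. ~40-bit modulus: toy only."""
    p, q = _next_prime(p_start), _next_prime(q_start)
    n, phi = p * q, (p - 1) * (q - 1)
    assert (1 << (8 * BLOCK)) < n < (1 << (8 * CBLOCK)), "toy primes out of range"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def protect_plugin(plugin: bytes, priv) -> bytes:
    """Operator side. Applies the PRIVATE exponent block-wise, which is
    mathematically an RSA signing operation: the public key undoes it."""
    n, d = priv
    data = len(plugin).to_bytes(BLOCK, "big") + plugin
    data += b"\x00" * (-len(data) % BLOCK)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        m = int.from_bytes(data[i:i + BLOCK], "big")
        out += pow(m, d, n).to_bytes(CBLOCK, "big")
    return bytes(out)


def recover_plugin(blob: bytes, pub) -> bytes:
    """Dispatcher side, or an analyst holding the dispatcher's embedded key.
    Applies the PUBLIC exponent. Raises ValueError when the blob was not made
    under the matching private key: a recovered block then almost always falls
    outside the plaintext range."""
    n, e = pub
    if len(blob) % CBLOCK:
        raise ValueError("blob length is not a multiple of the ciphertext block size")
    data = bytearray()
    for i in range(0, len(blob), CBLOCK):
        c = int.from_bytes(blob[i:i + CBLOCK], "big")
        if c >= n:
            raise ValueError("ciphertext block out of range for this modulus")
        m = pow(c, e, n)
        if m >= 1 << (8 * BLOCK):
            raise ValueError("block does not recover to a valid plaintext: wrong key or tampered blob")
        data += m.to_bytes(BLOCK, "big")
    length = int.from_bytes(data[:BLOCK], "big")
    if length > len(data) - BLOCK:
        raise ValueError("length header inconsistent with blob size")
    return bytes(data[BLOCK:BLOCK + length])


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check for a recovered DLL: PE images start with 'MZ'."""
    return data[:2] == b"MZ"


def recovers_as(blob: bytes, pub, expected: bytes) -> bool:
    """True only if `pub` recovers `blob` to `expected` without error."""
    try:
        return recover_plugin(blob, pub) == expected
    except ValueError:
        return False


# Constructed stand-in for a plugin DLL: a PE magic followed by filler.
SAMPLE_PLUGIN = b"MZ" + b"\x90" * 30 + b"constructed Attor-style plugin body"

if __name__ == "__main__":
    pub, priv = make_keypair()
    blob = protect_plugin(SAMPLE_PLUGIN, priv)
    print("recovered with the dispatcher's public key:", recover_plugin(blob, pub) == SAMPLE_PLUGIN)
    wrong_pub, _ = make_keypair(p_start=10**6 + 100, q_start=10**6 + 200)
    print("recovered with an unrelated public key:", recovers_as(blob, wrong_pub, SAMPLE_PLUGIN))
```

Two properties follow from the construction. Only the holder of the private exponent can produce a blob that recovers into well-formed code, so the dispatcher cannot be fed a forged plugin without the operators' key; and, since the public exponent and modulus sit inside the dispatcher, the encryption offers no confidentiality against anyone who has that DLL, which is why the practical route to Attor's plugins is to obtain the dispatcher (or its decrypted memory) rather than to attack the cipher.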
The researchers found eight of Attor’s plugins, responsible for persistence of the platform (Installer/watchdog plugin), for collecting sensitive information (Device monitor, Screengrabber, Audio recorder, Key/clipboard logger) and for network communication with the C&C server (File uploader, Command dispatcher/SOCKS proxy, Tor client).
One of the most interesting plugins is the module designed to detect when users connect modems and older phones to their computers. It collects information about connected modem/phone devices as well as about connected storage drives and the files present on them.
Attor’s device monitoring module implements a unique feature: fingerprinting of GSM devices. Whenever a modem or a phone is connected to a COM port, Device monitor uses AT commands to communicate with it. The researchers believe that the plugin is mainly aimed at modems and older phones, or that it may be used to communicate with specific devices (used by the victim or target organization) that are connected to a COM port, or to a USB port through a USB-to-serial adaptor.
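To make the fingerprinting step concrete, the example below shows how a GSM device on a serial port is identified over AT commands in principle. It is an added example, not ESET's or Attor's code: the page does not say which commands Device monitor sends, so the command set used here is the standard 3GPP TS 27.007 identification set (AT+CGMI, AT+CGMM, AT+CGMR, AT+CGSN, AT+CIMI), and the modem transcript, the field names and the `exchange` callback are constructed for illustration. On a real host the callback would wrap a pyserial read/write on the COM port.

```python
"""How GSM-device fingerprinting over AT commands works in principle. Added
example, not ESET's or Attor's code: the command set is the standard 3GPP
TS 27.007 identification set and the modem transcript is constructed."""
from typing import Callable, Dict, List, Optional

# Standard identification commands (3GPP TS 27.007 / ITU-T V.250).
FINGERPRINT_COMMANDS = {
    "AT+CGMI": "manufacturer",
    "AT+CGMM": "model",
    "AT+CGMR": "revision",
    "AT+CGSN": "imei",
    "AT+CIMI": "imsi",   # needs a SIM; fails on a bare modem
}

FINAL_RESULTS = ("OK", "ERROR")


def parse_at_response(raw: bytes, command: str) -> Dict[str, object]:
    """Splits a raw serial read into information lines and a final result code.
    Handles command echo (ATE1), blank lines, '+CMD: value' prefixes and
    '+CME ERROR: ...' / '+CMS ERROR: ...' final results."""
    lines = [ln.strip() for ln in raw.decode("ascii", "replace").splitlines()]
    prefix = command[2:] + ":" if command.startswith("AT+") else None  # e.g. '+CGMI:'
    info: List[str] = []
    status = "INCOMPLETE"  # no final result code seen yet (timeout, or not an AT device)
    for ln in lines:
        if not ln or ln == command:
            continue
        if ln in FINAL_RESULTS or ln.startswith(("+CME ERROR", "+CMS ERROR")):
            status = "OK" if ln == "OK" else "ERROR"
            break
        if prefix and ln.startswith(prefix):
            ln = ln[len(prefix):].strip()
        info.append(ln)
    return {"status": status, "info": info}


def probe_is_at_device(exchange: Callable[[str], bytes]) -> bool:
    """First step: a plain 'AT' answered with OK tells a modem apart from,
    say, a GPS receiver or a sensor board sitting on the same COM port."""
    return parse_at_response(exchange("AT"), "AT")["status"] == "OK"


def luhn_ok(digits: str) -> bool:
    """IMEI check digit (Luhn); a failing check means the 'IMEI' is noise."""
    if not digits.isdigit() or len(digits) != 15:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            d = d - 9 if d > 9 else d
        total += d
    return total % 10 == 0


def fingerprint(exchange: Callable[[str], bytes]) -> Dict[str, Optional[str]]:
    """Runs the identification set; one value per field, None when the device
    answered ERROR, answered nothing parseable, or is not an AT device at all."""
    if not probe_is_at_device(exchange):
        return {field: None for field in FINGERPRINT_COMMANDS.values()}
    result: Dict[str, Optional[str]] = {}
    for cmd, field in FINGERPRINT_COMMANDS.items():
        resp = parse_at_response(exchange(cmd), cmd)
        value = resp["info"][0] if resp["status"] == "OK" and resp["info"] else None
        if field == "imei" and value is not None and not luhn_ok(value):
            value = None
        result[field] = value
    return result


# Constructed transcript of a modem with echo enabled and no SIM inserted.
# A real deployment would replace this with pyserial reads/writes on the COM port.
CONSTRUCTED_MODEM = {
    "AT": b"AT\r\r\nOK\r\n",
    "AT+CGMI": b"AT+CGMI\r\r\nExampleTel\r\n\r\nOK\r\n",
    "AT+CGMM": b"AT+CGMM\r\r\n+CGMM: ET-200 GSM/GPRS\r\n\r\nOK\r\n",
    "AT+CGMR": b"AT+CGMR\r\r\nRevision: 01.002\r\n\r\nOK\r\n",
    "AT+CGSN": b"AT+CGSN\r\r\n490154203237518\r\n\r\nOK\r\n",
    "AT+CIMI": b"AT+CIMI\r\r\n+CME ERROR: SIM not inserted\r\n",
}


def constructed_exchange(command: str) -> bytes:
    """Stand-in for writing the command plus CR and doing a timed read."""
    return CONSTRUCTED_MODEM.get(command, b"\r\nERROR\r\n")


if __name__ == "__main__":
    for field, value in fingerprint(constructed_exchange).items():
        print(f"{field:12s} {value}")
```

The probe step matters for the scenario the researchers describe: a plugin that talks to anything on a COM port must first decide whether the device speaks AT at all, and the identification answers (manufacturer, model, firmware revision, IMEI, and the IMSI when a SIM is present) are what lets the operators recognise a specific modem or handset rather than just "a serial device".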
“In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques,” the researchers said.
A more detailed analysis of the Attor malware, as well as Indicators of Compromise (IoCs) related to the observed campaigns, is available in the full white paper titled ‘AT commands, TOR-based communications: Meet Attor, a fantasy creature and also a spy platform.’