Latest Modification of ComRAT Trojan Targets Gmail Users to Steal Confidential Documents

News and Analysis

Researchers from cybersecurity firm ESET have detected a modified version of the ComRAT malware, which now targets Gmail users to steal confidential documents. In addition to stealing documents, the trojan collects information about the network, Microsoft Windows configuration, and Active Directory groups and users.

According to the ESET report, ComRAT—also known as Agent.BTZ and Chinch—is a Remote Access Trojan (RAT) operated by Turla, an infamous espionage group linked with Russia that primarily attacks governmental and military organizations. Turla is reportedly responsible for an array of attacks, including those on Eastern European diplomats, embassies and consulates in post-Soviet countries, and on United Kingdom-based technology, energy, and commercial organizations, among others.

ComRAT Exfiltrates Stolen Data to a Cloud Provider

The latest modification of ComRAT v4 uses a completely new code base and is much more complex than its predecessors. The malware is designed to use Gmail’s web interface to receive commands and exfiltrate data.

“In the latter mode and using cookies stored in the configuration, it connects to the Gmail web interface in order to check the inbox and download specific mail attachments that contain encrypted commands. These commands are sent by the malware operators from another address, generally hosted on a different free email provider such as GMX,” the report detailed.

Once the malware has collected sensitive documents, it compresses them and exfiltrates them to a cloud provider. ComRAT can also perform many other actions on compromised systems, such as executing additional programs or exfiltrating arbitrary files.

The ESET team identified at least three targets, which include two Ministries of Foreign Affairs and a national parliament.

Turla Operators Remain Cautious

ESET further noted that Turla operators remain highly cautious and make deliberate efforts to evade security software. “For instance, they regularly exfiltrate security-related log files in order to understand whether their malware samples have been detected. This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” the report added.

What is most notable about ComRAT v4 is that it receives commands and exfiltrates data via the Gmail web user interface, which lets it bypass some security controls because it does not rely on any malicious domain.
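As an added example that is not part of the article or of ESET's report, the Python sketch below turns the two defender-side observations above (a webmail web interface used as a command channel by something that is not a browser, and bulk uploads to a cloud provider) into simple heuristics run over constructed proxy log lines. The log format, the browser allowlist, the cloud-storage host list, the hostnames and process names in the sample, and the upload threshold are all assumptions that a detection team would replace with values from its own environment.

```python
"""Heuristic detection of webmail-based command channels and cloud exfiltration.

Added example, not code from the article or from ESET. Every log line here is
constructed; the allowlists, host lists and threshold are assumptions to tune.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: processes that legitimately talk to webmail and cloud-storage UIs.
BROWSER_ALLOWLIST = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Webmail web-UI host that the article describes as the command channel.
WEBMAIL_HOSTS = {"mail.google.com"}
# Assumption: cloud-storage endpoints worth watching for bulk uploads.
CLOUD_STORAGE_HOSTS = {"content.dropboxapi.com", "api.onedrive.com", "drive.google.com"}
# Assumption: aggregate upload volume per (host, process) that warrants a look.
UPLOAD_THRESHOLD_BYTES = 5_000_000


@dataclass
class ProxyEvent:
    ts: str
    src_host: str
    process: str
    dst_host: str
    method: str
    bytes_out: int


def parse_line(line):
    """Parse one constructed proxy record: ts|src_host|process|dst_host|method|bytes_out."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None  # malformed record: skip rather than crash the pipeline
    ts, src, proc, dst, method, out = parts
    try:
        return ProxyEvent(ts, src, proc.lower(), dst.lower(), method.upper(), int(out))
    except ValueError:
        return None


def detect(lines):
    """Return sorted (src_host, process, rule) findings for the given log lines."""
    findings = set()
    uploads = defaultdict(int)  # (src_host, process) -> bytes sent to cloud storage
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        non_browser = ev.process not in BROWSER_ALLOWLIST
        # Rule 1: a non-browser process reaching a webmail web UI is unusual;
        # the article describes exactly this as the malware's command channel.
        if non_browser and ev.dst_host in WEBMAIL_HOSTS:
            findings.add((ev.src_host, ev.process, "webmail-ui-from-non-browser"))
        # Rule 2: accumulate upload volume to cloud storage per non-browser process.
        if non_browser and ev.dst_host in CLOUD_STORAGE_HOSTS and ev.method in {"POST", "PUT"}:
            uploads[(ev.src_host, ev.process)] += ev.bytes_out
    for (src, proc), total in uploads.items():
        if total >= UPLOAD_THRESHOLD_BYTES:
            findings.add((src, proc, "bulk-upload-to-cloud-storage"))
    return sorted(findings)


# Constructed sample: one workstation, one browser session, one odd process.
SAMPLE_LOG = [
    "2020-05-26T08:01:10|WS-0142|chrome.exe|mail.google.com|GET|512",
    "2020-05-26T08:03:42|WS-0142|updsvc.exe|mail.google.com|GET|1024",
    "2020-05-26T08:04:05|WS-0142|updsvc.exe|mail.google.com|GET|2048",
    "2020-05-26T08:10:11|WS-0142|updsvc.exe|content.dropboxapi.com|POST|3000000",
    "2020-05-26T08:12:30|WS-0142|updsvc.exe|content.dropboxapi.com|POST|3000000",
    "2020-05-26T08:15:00|WS-0142|chrome.exe|drive.google.com|POST|8000000",
    "this line is malformed",
]

if __name__ == "__main__":
    for src, proc, rule in detect(SAMPLE_LOG):
        print(f"{src}\t{proc}\t{rule}")
```

Both rules are deliberately coarse: the browser allowlist will need per-environment exceptions (mail clients, sync agents), and an upload threshold alone says nothing about whether compressed documents were inside. They are meant as triage signals that surface a host for closer inspection, not as standalone verdicts.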

Efforts to Prevent Email-Related Security Breaches

Throughout 2019, Google’s Threat Analysis Group (TAG) issued around 40,000 nation-state cyberattack warnings. Although the figure might seem massive, it is 25% lower than the number of similar warnings issued to Google account holders in 2018.

“Attackers’ efforts have been slowed down, and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt,” said Toni Gidwani, TAG security engineering manager.

While some email service providers are investing effort in resisting and thwarting current attacks, others are already developing defenses against breaches that could become possible in the near future.

For example, the team behind Tutanota—an end-to-end encrypted email service that is, in an ironic twist, blocked in Russia—is developing quantum-computer-resistant cryptography. The firm aims to protect its users against the future decryption of emails that are encrypted today.

Written by Ana Alexandre
