Cybersecurity company ESET has determined that the well-known Russian hacker group Turla used Gmail both to send commands to ComRAT, the tool it used to steal data from institutions of various states, and to retrieve the stolen data.
Cybersecurity researchers have announced that they have identified an advanced version of ComRAT, one of the known software tools of the Russian hacker group Turla, which is known for its attacks on institutions of various states.
In a statement, cybersecurity company ESET announced that Turla uses Gmail to send commands to ComRAT and to access the data it obtains. ESET noted that Turla uses unusual methods in its cyber attacks, and the use of Gmail is one of them.
The Russian hacker group Turla has been known since 2004 for attacks on military and civilian institutions in different countries. The most effective of the tools used by the group, ComRAT, dates back to 2007.
ComRAT has been found to target the computers of many state institutions, including computers used by US Central Command to manage the Afghanistan and Iraq theaters, and Turla is thought to have obtained important information through it.
The current version of ComRAT was first detected by ESET in 2017. Since then, Turla’s cyber attack tool has targeted computers from two foreign ministries in Eastern Europe and a parliament in the Caucasus.
In its new research, ESET determined that the latest version of ComRAT was still in active use at the beginning of 2020. ESET announced that Turla uses an older HTTP communication channel alongside Gmail’s web interface to send commands to and control ComRAT.
The new version of ComRAT, which was found to have been compiled in November 2019, connects to Gmail to download mail attachments containing encrypted commands sent by Turla operators.
Details of the new version of Turla’s custom attack tool ComRAT
The new version of ComRAT has a considerably more complex code structure than previous ComRAT versions. ESET reports that the latest version retains the old HTTP C&C protocol and that Turla shares some network infrastructure with another of its malware families.
With the latest version, ComRAT v4, the stolen information was relayed to systems that had been compromised by other Turla tools. Cloud services such as 4shared and OneDrive were found to be used to exfiltrate information forwarded to another compromised device.
ESET also reports that Turla works hard to develop its software tools and to evade security software. According to ESET, Turla regularly examines security-related files to check whether its malware samples have been detected.
ComRAT is specifically designed to evade security software
Malware researcher Matthieu Faou, who works at ESET, said that the latest version of ComRAT shows Turla’s level of development and that the group intends to remain for a long time on the computers it manages to break into.
Faou said that the latest version of ComRAT can evade security software because it uses the user interface of the web version of Gmail. Faou said that they established that ComRAT was used by Turla as a result of their examination of the hacked computers.
In addition to ESET’s identification of the latest version of ComRAT, Kaspersky also detected a Turla tool earlier this month. In its statement, Kaspersky announced that the tool, called COMpfun, was used in attacks against diplomatic institutions in Europe.