Turla Hacker Group Steals Antivirus Logs To See If Its Malware Was Detected

by

An anonymous reader quotes a report from ZDNet: Security researchers from ESET have discovered new attacks carried out by Turla, one of Russia's most advanced state-sponsored hacking groups. The new attacks have taken place in January 2020. ESET researchers say the attacks targeted three high-profile entities, such as a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe. Targets could not be identified by name due to national security reasons. [...] The ComRAT malware, also known as Agent.BTZ, is one of Turla's oldest weapons, and the one they used to siphon data from the Pentagon's network in 2008. The tool has seen several updates across the years, with new versions discovered in 2014 and 2017, respectively.

The latest version, known as ComRAT v4, was first seen in 2017, however, in a report published today, ESET says they've spotted a variation of ComRAT v4 that includes two new features, such as the ability to exfiltrate antivirus logs and the ability to control the malware using a Gmail inbox. The first of these features is the malware's ability to collect antivirus logs from an infected host and upload it to one of its command and control servers. The exact motives of a hacker group will always remain unclear, but Matthieu Faou, the ESET researcher who analyzed the malware, told ZDNet that Turla operators might be collecting antivirus logs to "allow them to better understand if and which one of their malware sample was detected." The belief is that if Turla operators see a detection, they can then tweak their malware and avoid future detections on other systems, where they can then operate undetected.