Gazer

Malware updated 6 months ago (2024-05-04T20:02:15.278Z)
Download STIX
Preview STIX
Gazer is a second-stage backdoor malware written in C++ that was unveiled by Turla in August. It was discovered to have been deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong similarities in code and Tactics, Techniques, and Procedures (TTPs) with another backdoor from Pensive Ursa’s arsenal known as Gazer. A unique feature of this campaign was the insertion of video game-related sentences throughout the code, which added an additional layer of obfuscation. Moreover, Gazer's Command and Control (C&C) server was encrypted using Turla's own library for 3DES and RSA. Our analysis of Gazer was based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. These droppers were found to be similar to Gazer Win64/Agent.VX. The MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, was used to understand and classify the techniques employed in the Gazer campaigns. Despite its stealthiness, Gazer has plenty of similarities with previously used second-stage backdoors such as Carbon and Kazuar. These backdoors are believed to be recovery access tools used in case the main Turla backdoors, like Carbon or Gazer, are cleaned and operators can no longer access the compromised computers. This indicates a high level of sophistication and planning on the part of the attackers, demonstrating their preparedness for potential countermeasures.
Description last updated: 2024-05-04T18:49:21.207Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Kazuar Malware is associated with Gazer. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 andUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with Gazer. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
3
Source Document References
Information about the Gazer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more