Gazer

Malware updated 4 months ago (2024-05-04T20:02:15.278Z)
Gazer is a second-stage backdoor written in C++ that was unveiled by Turla in August. It was found to have been deployed through watering-hole attacks and spear-phishing campaigns, which allowed more precise targeting of victims. The malware is attributed to Pensive Ursa because of strong similarities in code and in Tactics, Techniques, and Procedures (TTPs) with another backdoor from Pensive Ursa's arsenal known as Gazer. A unique feature of this campaign was the insertion of video game-related sentences throughout the code, which added a further layer of obfuscation. Moreover, Gazer's Command and Control (C&C) server traffic was encrypted using Turla's own library for 3DES and RSA. Our analysis of Gazer was based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. These droppers were found to be similar to Gazer Win64/Agent.VX. The MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, was used to understand and classify the techniques employed in the Gazer campaigns. Despite its stealthiness, Gazer has plenty of similarities with previously used second-stage backdoors such as Carbon and Kazuar. These backdoors are believed to be recovery access tools used in case the main Turla backdoors, like Carbon or Gazer, are cleaned and operators can no longer access the compromised computers. This indicates a high level of sophistication and planning on the part of the attackers, demonstrating their preparedness for potential countermeasures.
Description last updated: 2024-05-04T18:49:21.207Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Backdoor
Associated Malware
ID | Type | Votes | Profile Description
Kazuar | Unspecified | 2 | Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an
Associated Threat Actors
ID | Type | Votes | Profile Description
Turla | Unspecified | 3 | Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
Source Document References
Information about the Gazer malware was read from the documents corpus below (this display is limited to 20 results).
Source | Created | Title
CERT-EU | 6 months ago | Jan Marsalek an Agent for Russia? The Double Life of the former Wirecard Executive
DARKReading | 10 months ago | Upgraded Kazuar Backdoor Offers Stealthy Power
Trend Micro | a year ago | Examining the Activities of the Turla APT Group
Unit42 | a year ago | Threat Group Assessment: Turla (aka Pensive Ursa)
MITRE | 2 years ago | A dive into Turla PowerShell usage | WeLiveSecurity
MITRE | 2 years ago | Turla Crutch: Keeping the "back door" open | WeLiveSecurity