Malware Profile Updated 25 days ago
Download STIX
Preview STIX
Gazer is a second-stage backdoor malware written in C++ that was unveiled by Turla in August. It was discovered to have been deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong similarities in code and Tactics, Techniques, and Procedures (TTPs) with another backdoor from Pensive Ursa’s arsenal known as Gazer. A unique feature of this campaign was the insertion of video game-related sentences throughout the code, which added an additional layer of obfuscation. Moreover, Gazer's Command and Control (C&C) server was encrypted using Turla's own library for 3DES and RSA. Our analysis of Gazer was based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. These droppers were found to be similar to Gazer Win64/Agent.VX. The MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, was used to understand and classify the techniques employed in the Gazer campaigns. Despite its stealthiness, Gazer has plenty of similarities with previously used second-stage backdoors such as Carbon and Kazuar. These backdoors are believed to be recovery access tools used in case the main Turla backdoors, like Carbon or Gazer, are cleaned and operators can no longer access the compromised computers. This indicates a high level of sophistication and planning on the part of the attackers, demonstrating their preparedness for potential countermeasures.
What's your take? (Question 1 of 2)
10cfb8c8-b14e-49b6-aeee-229df5448723 Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Turla, also known as Pensive Ursa, Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON, is a threat actor that has been active since at least 2004. This group, which is believed to be Russia-sponsored, primarily targets diplomatic and government organizations, private businesses, and non-governmen
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Gazer Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
a year ago
Turla Crutch: Keeping the “back door” open | WeLiveSecurity
Trend Micro
8 months ago
Examining the Activities of the Turla APT Group
a year ago
A dive into Turla PowerShell usage | WeLiveSecurity
3 months ago
Jan Marsalek an Agent for Russia? The Double Life of the former Wirecard Executive
7 months ago
Upgraded Kazuar Backdoor Offers Stealthy Power
8 months ago
Threat Group Assessment: Turla (aka Pensive Ursa)