Gazer

Malware Profile Updated 3 months ago
Gazer is a second-stage backdoor malware written in C++ that was unveiled by Turla in August. It was discovered to have been deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong similarities in code and Tactics, Techniques, and Procedures (TTPs) with another backdoor from Pensive Ursa's arsenal known as Gazer. A unique feature of this campaign was the insertion of video game-related sentences throughout the code, which added an additional layer of obfuscation. Moreover, Gazer's Command and Control (C&C) server communication was encrypted using Turla's own library for 3DES and RSA.

Our analysis of Gazer was based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. These droppers were found to be similar to Gazer Win64/Agent.VX. The MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, was used to understand and classify the techniques employed in the Gazer campaigns.

Despite its stealthiness, Gazer has plenty of similarities with previously used second-stage backdoors such as Carbon and Kazuar. These backdoors are believed to be recovery access tools used in case the main Turla backdoors, like Carbon or Gazer, are cleaned and operators can no longer access the compromised computers. This indicates a high level of sophistication and planning on the part of the attackers, demonstrating their preparedness for potential countermeasures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

WhiteBear (1 vote): WhiteBear is a threat actor that has been associated with the Turla group, also known as Snake, Venomous Bear, Uroburos, and WhiteBear. This association was established through strong links identified between a Crutch dropper from 2016 and Gazer, a second-stage backdoor used by Turla in 2016-2017. W
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Mitre
Phishing
Dropper
Associated Malware
ID / Type / Votes / Profile Description

Kazuar (Unspecified, 2 votes): Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar

ComRAT (Unspecified, 1 vote): ComRAT, also known as Agent.BTZ, is a potent malware that has evolved over the years to become a significant threat in the cybersecurity landscape. Developed using C++ and employing a virtual FAT16 file system, ComRAT is often used to exfiltrate sensitive documents. The malware is a remote access tr

Crutch (Unspecified, 1 vote): Crutch is a sophisticated malware attributed to the Turla group, first discovered by ESET researchers in December 2020. It's considered a second-stage backdoor, achieving persistence through DLL hijacking. One notable feature of Crutch v4 is its ability to automatically upload files found on local a
Associated Threat Actors
ID / Type / Votes / Profile Description

Turla (Unspecified, 3 votes): Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat

Pensive (Unspecified, 1 vote): Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pen

Pensive Ursa (Unspecified, 1 vote): Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
Associated Vulnerabilities
ID / Type / Votes / Profile Description

No associations to display
Source Document References
Information about the Gazer malware was read from the documents corpus below.

Source / Created At / Title

CERT-EU, 5 months ago: Jan Marsalek an Agent for Russia? The Double Life of the former Wirecard Executive

DARKReading, 9 months ago: Upgraded Kazuar Backdoor Offers Stealthy Power

Trend Micro, 10 months ago: Examining the Activities of the Turla APT Group

Unit42, 10 months ago: Threat Group Assessment: Turla (aka Pensive Ursa)

MITRE, a year ago: A dive into Turla PowerShell usage | WeLiveSecurity

MITRE, a year ago: Turla Crutch: Keeping the "back door" open | WeLiveSecurity