Posted on 05-26-2020.
Researchers from cybersecurity firm ESET have detected a modified version of the ComRAT malware, which now targets Gmail users to steal confidential documents. In addition to misappropriating documents, the trojan collects information about the network, Microsoft Windows configuration, and Active Directory groups and users. According to the ESET report, ComRAT—also known as Agent.BTZ and Chinch—is a Remote Access Trojan (RAT) operated by Turla, an infamous espionage group linked with Russia that primarily attacks governmental and military organizations. Turla is reportedly responsible for an array of attacks, including some on Eastern European diplomats, embassies and consulates in post-Soviet countries, and United Kingdom-based tech, energy, and commercial organizations, among others.
“In the latter mode and using cookies stored in the configuration, it connects to the Gmail web interface in order to check the inbox and download specific mail attachments that contain encrypted commands. These commands are sent by the malware operators from another address, generally hosted on a different free email provider such as GMX,” the report detailed.

Once the malware steals sensitive documents, it compresses and exfiltrates them to a cloud provider. Still, ComRAT can perform many other actions on the compromised systems, such as executing additional programs or exfiltrating files. The ESET team identified at least three targets, which include two Ministries of Foreign Affairs and a national parliament.
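The command channel described above (a non-browser process logging into a webmail inbox with stored cookies and fetching attachments) leaves a recognisable footprint in proxy or endpoint telemetry. The following is an added detection sketch written for this article; it is not ESET's code and contains no ComRAT indicators. It assumes a constructed, simplified log format (`timestamp host=… proc=… dst=… path=…`), a hypothetical allowlist of browser process names, and the assumption that attachment downloads from the Gmail web interface carry `view=att` or `attid=` in the URL; the sample log lines are constructed.

```python
"""Flag webmail access and attachment downloads by non-browser processes.

Added example for the mailbox-as-C2 technique described in the article.
The log format, browser allowlist and attachment URL markers are assumptions
made for this illustration, not facts taken from the ESET report.
"""
import re
from collections import defaultdict

# Hypothetical allowlist: processes that are expected to talk to webmail.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Webmail services named in the article (assumed hostnames).
WEBMAIL_DOMAINS = {"mail.google.com", "mail.gmx.com"}

# Constructed log line format: timestamp host=H proc=P dst=D path=U
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)


def parse(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_attachment_fetch(path):
    """Assumption: Gmail attachment downloads carry these query markers."""
    return "view=att" in path or "attid=" in path


def find_suspicious(lines):
    """Group findings by host: (timestamp, process, reason) for every
    webmail request made by a process outside the browser allowlist."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dst"] not in WEBMAIL_DOMAINS:
            continue
        if rec["proc"].lower() in BROWSERS:
            continue  # ordinary user webmail traffic
        reason = "attachment fetch" if is_attachment_fetch(rec["path"]) else "webmail access"
        findings[rec["host"]].append((rec["ts"], rec["proc"], reason))
    return dict(findings)


# Constructed sample telemetry: one benign browser session, one suspicious host.
SAMPLE_LOG = [
    "2020-05-26T09:00:01Z host=ws-17 proc=chrome.exe dst=mail.google.com path=/mail/u/0/",
    "2020-05-26T09:00:05Z host=ws-17 proc=chrome.exe dst=mail.google.com path=/mail/u/0/?view=att&attid=0.1",
    "2020-05-26T09:02:10Z host=ws-42 proc=svchost.exe dst=mail.google.com path=/mail/u/0/",
    "2020-05-26T09:02:12Z host=ws-42 proc=svchost.exe dst=mail.google.com path=/mail/u/0/?view=att&attid=0.1",
    "2020-05-26T09:03:00Z host=ws-42 proc=svchost.exe dst=example.invalid path=/",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for host, events in find_suspicious(SAMPLE_LOG).items():
        for ts, proc, reason in events:
            print(f"{host}\t{ts}\t{proc}\t{reason}")
```

Run against `SAMPLE_LOG`, only `ws-42` is reported: the browser session on `ws-17` is allowlisted, the malformed line is skipped, and the non-webmail request is ignored. In production the allowlist and URL markers would need to be tuned to the organisation's telemetry, and the result is a triage lead rather than a verdict.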
"Attackers' efforts have been slowed down, and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt," said Toni Gidwani, TAG security engineering manager.

While some email service providers are investing effort in resisting and thwarting attacks today, others are already developing defences against breaches that could become possible in the not so distant future. Thus, the team behind Tutanota—an end-to-end encrypted email service that, in an ironic twist, is blocked in Russia—is working on quantum-computer-resistant cryptography. The firm aims to protect its email application users against the potential future decryption of all currently encrypted emails.

Written by Ana Alexandre