Turla Hacker Group Steals Antivirus Logs To See If Its Malware Was Detected

An anonymous reader quotes a report from ZDNet: Security researchers from ESET have discovered new attacks carried out by Turla, one of Russia's most advanced state-sponsored hacking groups. The new attacks have taken place in January 2020. ESET researchers say the attacks targeted three high-profile entities, such as a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe. Targets could not be identified by name due to national security reasons. [...] The ComRAT malware, also known as Agent.BTZ, is one of Turla's oldest weapons, and the one they used to siphon data from the Pentagon's network in 2008. The tool has seen several updates across the years, with new versions discovered in 2014 and 2017, respectively.

The latest version, known as ComRAT v4, was first seen in 2017, however, in a report published today, ESET says they've spotted a variation of ComRAT v4 that includes two new features, such as the ability to exfiltrate antivirus logs and the ability to control the malware using a Gmail inbox. The first of these features is the malware's ability to collect antivirus logs from an infected host and upload it to one of its command and control servers. The exact motives of a hacker group will always remain unclear, but Matthieu Faou, the ESET researcher who analyzed the malware, told ZDNet that Turla operators might be collecting antivirus logs to "allow them to better understand if and which one of their malware sample was detected." The belief is that if Turla operators see a detection, they can then tweak their malware and avoid future detections on other systems, where they can then operate undetected.

FYI

[cygnusvis]

ComRAT = Communist RATS

DUrr

[Aighearach]

This story is kinda funny, can't tell if it is too stupid to believe, or just stupid enough to be what they would do.

At least these mysterious ministries now know that were hacked in the past, and there was concern they might have been discovered. Maybe look into that?

Pshaw!

[nuntius]

Why go through all that trouble, when you can simply run the antivirus at home in private before releasing your malware for others to see?

Some remote-access owners are notoriously protective of their "investments", going so far as to apply patches and system updates to keep others out.

More likely, this outfit decided to use the customer's own anti-virus to help counter any other would-be trespassers. Simple, low profile, and effective against casual threats.

Re:

[gtall]

Your assumption is that the only anti-virus stuff running is known anti-virus stuff.

Re:

[Impy the Impiuos Imp]

How would they know what such a log file is?

Attribution based on use in 2008? Really?

[kot-begemot-uk]

The ComRAT malware, also known as Agent.BTZ, is one of Turla's oldest weapons, and the one they used to siphon data from the Pentagon's network in 2008.

This means that it is in possession of at least a hundred other groups by now. If a malware is caught even once, it is no longer a guaranteed lead to its "origin". It will be disassembled, rebuilt and reused by whoever caught it. If it is caught by a nation state - for false flag attacks. If it is caught by a crime syndicate - for their own purposes.

Ex

Insert yet more anti-Russian BS

[notdecnet]

“Turla, one of Russia's most advanced hacker groups [zdnet.com], has created malware that gets its orders from email attachments sent to an arbitrary Gmail inbox.”

An ‘advanced’ hacker group uses gmail