The group Turla (also known as Snake or Uroburos) continues to make a name for itself. In December last year, we discussed how this Russian espionage group had hijacked the infrastructure of the Iranian group APT34 (OilRig) to steal its tooling and frame it for Turla's own attacks. Turla infiltrated APT34's command and control (C2) infrastructure and took data including files describing the group's internal structure, the output of its keylogger, and records of its operational activity. With this access, Turla was able to carry out cyberattacks in at least 35 countries through APT34's infrastructure, leading the security community to attribute those incidents to APT34.

All of this gives an idea of Turla's capabilities, resources, and sophistication. These actions go far beyond indiscriminate malware campaigns or even targeted attacks on valuable organizations: Turla is able to attack other attackers and mislead the cybersecurity community itself. Now, the group has proven this once again with ComRAT.

The backdoor_

ComRAT (also known as Agent.BTZ) is a remote access Trojan: a backdoor that gives its operators persistent control of an infected machine, which Turla uses to locate and steal sensitive documents from highly protected systems. In one of the recent cyberattacks where ComRAT was used, for example, the attackers employed a .NET executable to interact with an MS SQL Server database where sensitive information was stored, and then used public cloud services such as OneDrive and 4shared to exfiltrate the data.

Since 2017, the group has used these methods to attack at least three government agencies, which is why security specialists consider Turla a threat to military personnel and diplomats working abroad. The latest version of ComRAT (v4) is even more dangerous than its predecessors, as it contains new features:

  • Use of the Gmail web interface as a command and control channel: ComRAT v4 does not need to hijack the victim's browser. It carries a set of cookies in its configuration and uses them to authenticate to the Gmail web interface directly, so no password or login prompt is involved. Once logged in, it reads the most recent emails in the mailbox, finds the messages sent by the operators, and downloads their attachments, which carry the operators' commands. Once those commands are executed, the operators have full control of the victim's system, and because the traffic is HTTPS to mail.google.com it blends in with ordinary webmail use.
  • Collection of logs from antivirus solutions: researchers have also found that ComRAT v4 gathers the log files of the antivirus products installed on the systems it infects. The reason is not certain, but the most likely explanation is that the attackers study those logs to learn whether and how their malware is being detected, so they can improve it or decide whether it is safe to attack other systems.
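Both behaviours above leave traces in process-aware telemetry, and the combination of the two in one process is a much stronger signal than either alone. The following hunting script is an added example, not code from the original post or from Cytomic or ESET. It runs over constructed EDR-style events (the field names `type`, `image`, `user`, `dst_host` and `path` are an assumed schema, as are the browser allow-list and the antivirus log directories) and flags a non-browser process connecting to the Gmail front end and a process other than the antivirus itself reading antivirus log directories, then correlates the hits per executable.

```python
"""Hunting for the two ComRAT v4 behaviours described above.

Added example, not code from the original post or from Cytomic or ESET.
It scans constructed EDR-style telemetry (process-aware network
connections and file reads; the field names are an assumed schema) and
flags:
  1. a process that is not a web browser talking to the Gmail web front end
     (the mailbox-as-C2 pattern), and
  2. a process other than the antivirus itself reading antivirus log
     directories (the log-collection pattern),
then correlates the two per process.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed allow-list of browsers that legitimately render Gmail for a user.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe"}

# The Gmail web front end that ComRAT v4 drives with cookies from its configuration.
GMAIL_HOSTS = {"mail.google.com"}

# Assumed mapping: antivirus log directory -> processes expected to touch it.
# Paths and owner processes are illustrative; adjust to the products you run.
AV_LOG_DIRS = {
    r"c:\programdata\eset\eset security\logs": {"ekrn.exe", "egui.exe"},
    r"c:\programdata\microsoft\windows defender\support": {"msmpeng.exe", "mpcmdrun.exe"},
}


def process_name(image: str) -> str:
    """Executable file name (lower-case) from a full Windows image path."""
    return PureWindowsPath(image).name.lower()


def gmail_from_non_browser(ev: dict) -> bool:
    """Network connection to Gmail by something that is not a browser."""
    if ev.get("type") != "net":
        return False
    host = ev.get("dst_host", "").lower()
    return host in GMAIL_HOSTS and process_name(ev["image"]) not in BROWSERS


def av_log_read_by_foreign_process(ev: dict) -> bool:
    """File read under an antivirus log directory by a process that does not own it."""
    if ev.get("type") != "file_read":
        return False
    path = ev.get("path", "").lower()
    proc = process_name(ev["image"])
    return any(path.startswith(logdir + "\\") and proc not in owners
               for logdir, owners in AV_LOG_DIRS.items())


RULES = {
    "gmail_c2_non_browser": gmail_from_non_browser,
    "av_log_collection": av_log_read_by_foreign_process,
}


def hunt(events: list[dict]) -> list[dict]:
    """Run every rule over every event and return one alert per (rule, event) hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "image": ev["image"], "user": ev.get("user")})
    return alerts


def correlate(alerts: list[dict]) -> dict[str, list[str]]:
    """Images that triggered more than one distinct rule.

    A single process that both talks to Gmail and reads antivirus logs is
    far more suspicious than either observation on its own."""
    by_image: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        by_image[a["image"]].add(a["rule"])
    return {img: sorted(rules) for img, rules in by_image.items() if len(rules) > 1}


# Constructed sample telemetry: one benign and one suspicious example of each pattern.
SUSPECT = r"C:\Users\alice\AppData\Local\Temp\update.exe"  # hypothetical implant path
SAMPLE_EVENTS = [
    {"type": "net", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "user": r"CORP\alice", "dst_host": "mail.google.com", "dst_port": 443},
    {"type": "net", "image": SUSPECT,
     "user": r"CORP\alice", "dst_host": "mail.google.com", "dst_port": 443},
    {"type": "net", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "user": r"CORP\alice", "dst_host": "outlook.office365.com", "dst_port": 443},
    {"type": "file_read", "image": r"C:\Program Files\ESET\ESET Security\ekrn.exe",
     "user": "NT AUTHORITY\\SYSTEM", "path": r"C:\ProgramData\ESET\ESET Security\Logs\virlog.dat"},
    {"type": "file_read", "image": SUSPECT,
     "user": r"CORP\alice", "path": r"C:\ProgramData\ESET\ESET Security\Logs\virlog.dat"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for alert in found:
        print(json.dumps(alert))
    print("processes matching more than one rule:", correlate(found))
```

The Gmail rule only works on telemetry that records which process opened the connection (an EDR sensor or Sysmon network events). A proxy or firewall log alone sees an HTTPS session to mail.google.com that is indistinguishable from a user reading mail, which is exactly why a mailbox makes a convenient C2 channel.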

Advanced solutions and zero trust by default_

Turla's capabilities, and the new features of tools such as ComRAT, show why organizations that handle sensitive data and are frequent targets of sophisticated attacks need advanced solutions that go beyond standard cybersecurity.

Not only are traditional antivirus solutions ineffective against this kind of threat, they can also be a target in themselves, as the antivirus log collection in ComRAT v4 shows. Organizations therefore need solutions that are themselves secure and that, by design, distrust every process and detect anomalous behavior. This is how they can prevent incidents such as a backdoor using stolen cookies to pull commands from Gmail, as Turla's ComRAT does. In this sense, the Zero-Trust Application Service classifies all running processes, with no ambiguities or false positives. This service is one of the main components of Cytomic EPDR.

EPDR contains EDR functions that prevent and detect every kind of malware, file-based and fileless, known and unknown. What's more, it extends these capabilities with a full range of controls to stop threats from reaching devices and servers, reducing the attack surface. This way, even the most dangerous groups, such as Turla, will have much more trouble gaining access to valuable information.