New Malware Spies on Diplomats, High-Profile Government Targets

A new modular malware designed to target diplomatic and government entities was spotted by ESET researchers while being utilized in attacks aimed at Russian-speaking individuals for at least 7 years.

The espionage malware strain dubbed Attor by the researchers comes with some unusual capabilities including the use of encrypted modules, Tor-based communications, and a plugin designed for GSM fingerprinting using the AT protocol.

"The attackers who use Attor are focusing on diplomatic missions and governmental institutions," says ESET malware researcher Zuzana Hromcová.

"These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy."

 

Modular espionage platform

Attor is built using a modular architecture, with modules specifically developed for persistence, data collection, exfiltration, and communication with the malware's command and control (C2) server.

ESET found eight modules (also known as plugins), namely an installer/watchdog, a device monitor, an audio recorder, a screen grabber, a key/clipboard logger, a file uploader, a command dispatcher, and a communication module.

While analyzing the infection chain for the few dozen victims who were infected with Attor, ESET discovered that the malware was delivered using a dropper in the form of a dispatcher module that uses multiple encryption methods and evasion techniques.

This dispatcher will inject itself within most running processes on the compromised machines, except for Symantec security products and several system processes.

Attor then activates monitoring and data harvesting by loading plugins implemented as DLLs only in processes that present value for its operators such as web browsers and instant messengers.

"Attor targets specific processes —among these, processes associated with Russian social networks and some encryption/digital signature utilities; the VPN service HMA; end-to-end encryption email services Hushmail and The Bat!; and disk encryption utility TrueCrypt," says ESET.

The plugins "are stored on the disk in a compressed and encrypted form, with the valid form of the DLL only being recovered in memory, when the dispatcher loads the plugin. This probably is an attempt to thwart detection, as the plugin DLLs are never present unencrypted on disk."

"Attor has built-in mechanisms for adding new plugins, for updating itself, and for automatically exfiltrating collected data and log files," says ESET's in-depth Attor report.

The most notable plugin loaded by Attor is the device monitor one, a module that uses file metadata information harvested from connected phone/modem/storage devices for device fingerprinting.

More importantly, this plugin makes use of AT commands — developed during the 1980s — to communicate to GSM/GPRS modem/phone devices that get connected to infected systems' COM port.

ESET thinks that the GSM fingerprinting capabilities of this plugin are used to target modems and older phones and retrieve several subscriber and device identifiers such as IMSI, IMEI, MSISDN, and software version.

"Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able — using AT commands — to steal data from that device and make changes in it, including changing the device’s firmware," adds Hromcová.

Elusive platform used in attacks against high-profile targets

Attor's use of Tor communication and evasion techniques has allowed it to stay undetected even though it has been used in highly-targeted attacks since at least 2013.

Even though ESET was able to analyze a few dozen cases of infection, the researchers weren't able to pinpoint the initial access vector or the full data the malware is designed to collect and exfiltrate.

"The versioning information in the plugins suggests there are other plugins that we have not yet seen," adds ESET.

"However, our research provides a deep insight into the malware, and suggests that it is well worth further tracking of the operations of the group behind this malware."

An extensive list of indicators of compromise (IOCs) including malware samples hashes, C2 server info, targeted apps, and file-based indicators among others at the end of ESET's Attor white paper.