Gazer

Gazer is a backdoor used by Turla since at least 2016.[1]

ID: S0168
Associated Software: WhiteBear
Type: MALWARE
Platforms: Windows
Contributors: Bartosz Jerzman
Version: 1.3
Created: 16 January 2018
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
WhiteBear

The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. [2][3]

Techniques Used

Domain ID Name Use
Enterprise T1546 .002 Event Triggered Execution: Screensaver

Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Gazer uses custom encryption for C2 that uses 3DES.[1][2]

.002 Encrypted Channel: Asymmetric Cryptography

Gazer uses custom encryption for C2 that uses RSA.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gazer can establish persistence by creating a .lnk file in the Start menu.[1][2]

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Gazer can establish persistence by setting the value "Shell" with "explorer.exe, %malware_pathfile%" under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Gazer communicates with its C2 servers over HTTP.[1]

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

Gazer creates a mutex using the hard-coded value {531511FA-190D-5D85-8A4A-279F2F592CC7} to ensure that only one instance of itself is running.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Gazer has commands to delete files and persistence mechanisms from the victim.[1][2]

.006 Indicator Removal: Timestomp

For early Gazer versions, the compilation timestamp was faked.[1]

Enterprise T1033 System Owner/User Discovery

Gazer obtains the current user's security identifier.[2]

Enterprise T1105 Ingress Tool Transfer

Gazer can execute a task to download a file.[1][2]

Enterprise T1055 Process Injection

Gazer injects its communication module into an Internet accessible process through which it performs C2.[1][2]

.003 Process Injection: Thread Execution Hijacking

Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.[1][2]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Gazer can establish persistence by creating a scheduled task.[1][2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."[1][2]

Groups That Use This Software

ID Name References
G0010 Turla [1]

References