Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Gazer

Gazer is a backdoor used by Turla since at least 2016. (Citation: ESET Gazer Aug 2017)
ID: S0168
Associated Software: WhiteBear
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 16 Jan 2018
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
WhiteBear The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. (Citation: Securelist WhiteBear Aug 2017)(Citation: ESET Crutch December 2020)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Gazer communicates with its C2 servers over HTTP.(Citation: ESET Gazer Aug 2017)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gazer can establish persistence by creating a .lnk file in the Start menu.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Gazer can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.(Citation: ESET Gazer Aug 2017)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Gazer uses custom encryption for C2 that uses 3DES.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

.002 Encrypted Channel: Asymmetric Cryptography

Gazer uses custom encryption for C2 that uses RSA.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Enterprise T1546 .002 Event Triggered Execution: Screensaver

Gazer can establish persistence through the system screensaver by configuring it to execute the malware.(Citation: ESET Gazer Aug 2017)

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

Gazer creates a mutex using the hard-coded value `{531511FA-190D-5D85-8A4A-279F2F592CC7}` to ensure that only one instance of itself is running.(Citation: ESET Gazer Aug 2017)

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.(Citation: ESET Gazer Aug 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

Gazer has commands to delete files and persistence mechanisms from the victim.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

.006 Indicator Removal: Timestomp

For early Gazer versions, the compilation timestamp was faked.(Citation: ESET Gazer Aug 2017)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.(Citation: Securelist WhiteBear Aug 2017)

Enterprise T1055 .003 Process Injection: Thread Execution Hijacking

Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Gazer can establish persistence by creating a scheduled task.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Groups That Use This Software

ID Name References
G0010 Turla

(Citation: ESET Gazer Aug 2017)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.