Gazer
Associated Software Descriptions

Name | Description
---|---
WhiteBear | The term WhiteBear is used both for the activity group (a subset of G0010) and for the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. (Citation: Securelist WhiteBear Aug 2017)(Citation: ESET Crutch December 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Gazer communicates with its C2 servers over HTTP.(Citation: ESET Gazer Aug 2017)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Gazer can establish persistence by creating a .lnk file in the Start menu.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Gazer can establish persistence by setting the value “Shell” to “explorer.exe, %malware_pathfile%” under the Registry key
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Gazer uses custom encryption for C2 that uses 3DES.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Gazer uses custom encryption for C2 that uses RSA.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
Enterprise | T1546.002 | Event Triggered Execution: Screensaver | Gazer can establish persistence through the system screensaver by configuring it to execute the malware.(Citation: ESET Gazer Aug 2017)
Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.(Citation: ESET Gazer Aug 2017)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Gazer has commands to delete files and persistence mechanisms from the victim.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
Enterprise | T1070.006 | Indicator Removal: Timestomp | For early Gazer versions, the compilation timestamp was faked.(Citation: ESET Gazer Aug 2017)
Enterprise | T1055.003 | Process Injection: Thread Execution Hijacking | Gazer performs thread execution hijacking to inject its orchestrator into a running thread of a remote process.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Gazer can establish persistence by creating a scheduled task.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
References
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.