ComRAT is a remote access trojan (RAT) that belongs to the arsenal of the Turla APT (advanced persistent threat) group. It was first spotted in 2008. Security researchers assess that Turla operates from Russia and is likely sponsored by the Kremlin, since most of its targets are individuals or institutions of interest to the Russian government; many of them are foreign government bodies in North America, Europe, Africa, the Middle East and Asia. Although ComRAT was first discovered twelve years ago, Turla still uses it in its campaigns today. The most recent known operation involving ComRAT took place in January 2020 and targeted several governments in Eastern Europe.
Turla has improved ComRAT considerably over the years. The malware can locate and collect the logs of anti-malware products running on the infected host, which likely lets the group study how security vendors detect its tools and refine its evasion techniques accordingly. One of ComRAT's distinctive traits is that it does not depend solely on an HTTP connection to its command-and-control (C&C) server: it can also receive commands through a Gmail inbox controlled by the attackers, who deliver them as encrypted email attachments. The implant periodically checks the inbox for new attachments, decrypts them, and carries out the operator's instructions. The results are sent back to Turla through the same mailbox.
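The Gmail channel described above has one property a defender can work with: an implant that checks a mailbox "periodically" produces evenly spaced requests, whereas a person reading webmail does not. The script below is an added example, not code from the page or from any published ComRAT analysis. It scores the timing of each client's requests to a watched webmail host in a web-proxy log and flags hosts whose inter-request intervals are almost constant. The log format, the sample log lines, the watched domain list and the thresholds are all assumptions constructed for the example; they are not ComRAT indicators of compromise.

```python
"""Flag hosts that poll a webmail endpoint on a machine-like fixed cadence.

Added example. The log format, sample lines, watched hosts and thresholds
below are assumptions for illustration, not indicators from the article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic):
# "<ISO-8601 timestamp> <client IP> <destination host> <method> <bytes>"
# 10.0.0.5 is a person reading mail; 10.0.0.23 requests every 30 minutes.
SAMPLE_LOG = """\
2020-01-14T08:00:02Z 10.0.0.5 mail.google.com GET 5120
2020-01-14T08:00:09Z 10.0.0.5 mail.google.com GET 1804
2020-01-14T08:04:31Z 10.0.0.5 mail.google.com GET 9931
2020-01-14T08:17:44Z 10.0.0.5 mail.google.com POST 712
2020-01-14T08:18:01Z 10.0.0.5 mail.google.com GET 14022
2020-01-14T08:00:00Z 10.0.0.23 mail.google.com GET 2048
2020-01-14T09:00:00Z 10.0.0.23 mail.google.com GET 2051
2020-01-14T08:30:01Z 10.0.0.23 mail.google.com GET 2048
2020-01-14T09:30:02Z 10.0.0.23 mail.google.com GET 2048
2020-01-14T10:00:01Z 10.0.0.23 mail.google.com GET 2050
2020-01-14T10:30:00Z 10.0.0.23 mail.google.com GET 2048
2020-01-14T08:05:00Z 10.0.0.9 www.example.com GET 3300
"""

WATCHED_HOSTS = {"mail.google.com"}  # assumption: webmail endpoints to inspect
MIN_REQUESTS = 5                     # enough intervals to judge regularity
MAX_CV = 0.05                        # std-dev/mean of intervals below this => polling


def parse_log(text):
    """Yield (timestamp, client, host) for every well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the run
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]


def interval_stats(timestamps):
    """Return (mean_interval_s, coefficient_of_variation) for sorted timestamps."""
    ordered = sorted(timestamps)  # logs are not guaranteed to be in order
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg > 0 else float("inf"))


def find_polling_hosts(log_text, watched=WATCHED_HOSTS,
                       min_requests=MIN_REQUESTS, max_cv=MAX_CV):
    """Map each suspicious client to its mean interval and CV.

    A client is reported when it made at least `min_requests` requests to a
    watched host and the spread of its inter-request intervals is tiny
    relative to their mean, which is how a timer-driven check-in looks.
    """
    per_client = defaultdict(list)
    for ts, client, host in parse_log(log_text):
        if host in watched:
            per_client[client].append(ts)

    flagged = {}
    for client, stamps in per_client.items():
        if len(stamps) < min_requests:
            continue
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            flagged[client] = {"mean_interval_s": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for client, info in find_polling_hosts(SAMPLE_LOG).items():
        print(f"{client}: polls every {info['mean_interval_s']:.0f}s "
              f"(cv={info['cv']:.4f})")
```

The coefficient of variation is used rather than the raw standard deviation so that the same threshold works for a 30-second and a 30-minute timer. In production the interesting follow-up is which process opened the connection: a webmail session from a browser is normal, the same cadence from anything else is not, but that requires endpoint telemetry the proxy log alone does not carry.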
In the 2020 campaign the attackers appear to have used only a small part of ComRAT's feature set. The implant was mainly used to scan the compromised hosts for files with particular extensions or names, and the collected data was then exfiltrated to a OneDrive or 4shared account controlled by the attackers.
Turla is a well-established name in the threat landscape, and there is no indication that the group will cease operating any time soon. It consists of highly experienced operators who continually refine their arsenal of tools.