Gazer
EnigmaSoft Threat Scorecard
Threat Level: 80% (High)
Infected Computers: 5
First Seen: August 31, 2017
Last Seen: September 23, 2020
OS(es) Affected: Windows
PC security researchers have received reports of a threat that is currently being used to spy on embassies, consulates, and similar operations. This threat, named Gazer, functions as a backdoor: it lets con artists reach a PC through a hidden back channel, much as an unguarded back door lets a thief into a house. Gazer is used for espionage, allowing con artists to learn what governments and diplomats are doing. Gazer has been active since at least 2016 and has been linked to the Russian Turla APT. The campaign used to deliver Gazer is known to PC security analysts as 'Whitebear' and appears to run either in parallel to Turla or as a second stage of that campaign. Like its predecessors, Gazer is delivered by compromising victims' websites and hijacking satellite connections to reach the threat's Command and Control servers. The Gazer campaign was especially active between February and September 2016 and focused on diplomatic outposts around the world.
What is the Main Function of the Gazer Trojan?
Gazer is a backdoor Trojan written in C++. Although there are many ways to deliver Gazer, it is mostly delivered through phishing email messages. Once Gazer is installed, it carries out its attack in two stages. The first stage drops another backdoor, named 'Skipper', which then installs Gazer as the second step. Although Gazer was first made public in the summer of 2017, reports indicate that it has been used in targeted attacks against embassies and consulates since at least 2016, particularly in the period mentioned above. The first stage of the attack, involving the Skipper backdoor, had already been observed in other campaigns carried out by this Russian group. For the second stage, these con artists had previously preferred Carbon and Kazuar, two known backdoor Trojans; the switch to Gazer is relatively recent.
How Gazer Carries out Its Attack
Once Gazer is installed, it receives encrypted instructions from its Command and Control servers. Gazer uses compromised websites, often legitimate sites that have been hijacked, as a proxy for this connection. Gazer evades detection in several ways. One is this proxy connection, which may rely on vulnerabilities in WordPress to compromise the websites used. Gazer also uses strong encryption on its connections to prevent its messages and communications from being intercepted: encryption keys embedded in its resources are used to encrypt all data exchanged with its Command and Control server. Gazer uses code injection to give the con artists control over the infected PC. Once installed, Gazer remains dormant in the background, hidden from the victim while gathering information from the infected PC.
Gazer's Role in Espionage
Gazer can communicate with other machines infected with Gazer, and can forward the commands one affected PC receives to other infected PCs on the same network. At least four different versions of Gazer are being used in these attacks. The main difference between these versions is the SSL certificate they use: some are signed with a certificate issued by Comodo for 'Solid Loop Ltd.', while the most recent versions use an SSL certificate issued for 'Ultimate Computer Support Ltd.'. The main targets of the Gazer attacks appear to be embassies and consulates of countries in Southeast Europe and the former Soviet Union, particularly in the Baltics. Numerous computers, mainly located in Europe, have been infected with Gazer as part of this espionage campaign.
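The certificate organisation names above are one of the few concrete indicators in this write-up, so a defender can watch TLS logs for them. The script below is an added example, not code from EnigmaSoft or from the Gazer research: it parses constructed Zeek-style ssl.log lines (the log layout, hosts, and DN formatting are assumptions; only the two organisation names come from the text) and flags sessions whose leaf-certificate subject matches.

```python
"""Flag TLS sessions whose certificate subject organisation matches names
associated with Gazer's SSL certificates (names from the write-up above;
the log format, hosts and DN layout are constructed for this example)."""
import re

# Organisation names the write-up links to Gazer's SSL certificates.
GAZER_CERT_ORGS = {"solid loop ltd.", "ultimate computer support ltd."}

# Constructed Zeek-style ssl.log lines (tab-separated), columns:
# ts, id.orig_h, id.resp_h, id.resp_p, server_name, subject, issuer
SAMPLE_SSL_LOG = """\
1504180800.1\t10.0.0.5\t203.0.113.10\t443\twww.example.org\tCN=www.example.org,O=Example Org,C=US\tCN=Example CA,O=Example CA,C=US
1504180801.2\t10.0.0.5\t198.51.100.7\t443\t-\tCN=update.example.net,O=Solid Loop Ltd.,C=GB\tCN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,C=GB
1504180802.3\t10.0.0.9\t192.0.2.44\t443\t-\tCN=svc.example.com,O=Ultimate Computer Support Ltd.,C=GB\tCN=Example CA,O=Example CA,C=US
1504180803.4\t10.0.0.9\t203.0.113.11\t443\tmail.example.org\tCN=mail.example.org,O=Example Org,C=US\tCN=Example CA,O=Example CA,C=US
"""


def parse_dn(dn):
    """Turn 'CN=a,O=b,C=c' into a dict; keys upper-cased, values stripped.
    Commas escaped with a backslash are kept inside the value."""
    parts = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip().upper()] = value.strip()
    return parts


def find_gazer_cert_hits(log_text):
    """Return (resp_h, subject_org, issuer_org) for each session whose
    leaf-certificate O= field is on the Gazer watchlist."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blanks and Zeek header lines
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed or truncated record
        subject, issuer = parse_dn(fields[5]), parse_dn(fields[6])
        org = subject.get("O", "")
        if org.lower() in GAZER_CERT_ORGS:
            hits.append((fields[2], org, issuer.get("O", "")))
    return hits


if __name__ == "__main__":
    for resp_h, org, issuer_org in find_gazer_cert_hits(SAMPLE_SSL_LOG):
        print(f"ALERT: {resp_h} presented a cert for '{org}' (issuer O={issuer_org})")
```

A subject-name match alone is only a lead; the issuer, the destination host, and the process that opened the connection should be checked before treating a hit as a Gazer infection.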