Gazer

PC security researchers have received reports of a threat that is being used to spy on embassies, consulates, and similar operations currently. This threat, named Gazer, functions as a backdoor, allowing a con artist to gain access to a PC through a back channel, named as a backdoor because it functions similarly to how an unguarded back door would let a thief enter a house. Gazer is being used for spy operations. Using Gazer, con artists can learn what governments and diplomats are up to. Gazer has been active since at least 2016 and has been linked to the Russian Turla APT. The campaign that is been used to deliver Gazer is known as 'Whitebear' by PC security analysts and seems to be either running parallel to Turla or as a second stage of this threat campaign currently. Like its predecessors, Gazer is being delivered by compromising the victims' websites and hijacking satellite connections to connect to the threat's Command and Control servers. The Gazer campaign was active between February and September 2016 especially and was focused on diplomatic outposts around the world.

What is the Main Function of the Gazer Trojan

Gazer is a backdoor Trojan that is programmed using C++. While there are many ways to deliver Gazer in its attack, this threat is delivered using phishing email messages mostly. Once Gazer is installed, it carries out its attack in two stages. The first stage of the Gazer attack involves dropping another backdoor named 'Skipperbackdoor,' which then installs Gazer as its second step. Although Gazer was first made public in the summer of 2017, reports indicate that it has been used in targeted attacks against embassies and consulates since at least 2016, particularly in the period mentioned above. The first stage of the Gazer attack, involving the Skipper backdoor, had been observed in other campaigns carried out by this Russian group. In the second stage of the attack, these con artist had preferred to use Carbon and Kazuar, two known backdoor Trojans. The changes made into Gazer are relatively recent.

How Gazer Carries out Its Attack

Once Gazer is installed, Gazer receives encrypted instructions through its Command and Control servers. Gazer uses compromised websites, which may be legitimate Web pages that have been compromised, as a proxy connection. Gazer can evade detection in several ways. One is through the use of this proxy connection, which may take advantage of vulnerabilities in WordPress to compromise certain websites. Gazer uses a strong encryption in its connections to prevent messages and communications from being intercepted. Gazer contains encryption keys embedded in its resources, which it uses to encrypt all data that is used in its connections with its Command and Control server. Gazer uses code injection to allow the con artists to take control over the infected PC. Once Gazer is installed, it remains dormant in the background, hidden from the victim and gathering information from the infected PC.

The Gazer’s Role in Espionage

Gazer can communicate with other machines infected with Gazer. Gazer can forward commands that one affected PC receives to other infected PCs on the same network. At least four different versions of Gazer are being used in these attacks. The main difference between these versions is the use of different SSL certificates, some of them signed with a certificate issued by Comodo for 'Solid Loop Ltd.'. The most recent versions of Gazer use an SSL certificate signed for 'Ultimate Computer Support Ltd.' The main targets of the Gazer attacks seem to be embassies and consulates belonging to countries in Southeast Europe and from the former Soviet Union, particularly in the Baltics. Numerous computers, mainly located in Europe, have been infected with Gazer as part of this threat's espionage campaign.