Gazer

Gazer is a sophisticated backdoor trojan used by the Turla APT group, alongside the previously identified Turla backdoors Skipper, Kazuar, and Carbon. It is a second-stage backdoor, typically deployed only after an initial, less sophisticated first-stage backdoor has been installed on the target. Gazer receives encrypted tasks from its C2 server, to be executed either on the infected machine or on another machine on the network, and stores its components and configuration in an encrypted container. The C2 servers observed are compromised, legitimate websites (many of them running the WordPress CMS) that act as a first-layer proxy, so the operators' real back-end infrastructure is never exposed directly and blocking by domain reputation alone is unreliable. Gazer resists detection by securely wiping files it no longer needs and by changing its strings and randomizing its markers between backdoor versions, so signatures written against one version do not carry over to the next. It also uses its own custom library for 3DES and RSA encryption rather than a standard system or third-party cryptographic library.

Reporting

  • August 2017: New Backdoor Trojan Deployed in Cyber-Espionage Campaign Targeting Embassies. (Bleeping Computer)

Technical Details

  • ESET, Gazing at Gazer: Turla's new second stage backdoor (August 2017), provides technical details and analysis of the Gazer trojan.