Turla’s ComRAT v4 uses Gmail web UI to receive commands, steal data

silversurfer

Researchers have uncovered a version of the ComRAT backdoor, one of the Turla Group’s oldest malware families, that distinguishes itself by using Gmail’s web UI to receive commands and nick data.

The newly uncovered version of ComRAT, known for stealing sensitive documents and targeting at least three government entities and military organizations, including U.S. Cyber Command, was in use as late as early 2020.

“Thanks to its use of the Gmail web interface, [ComRAT v4] is able to bypass some security controls because it doesn’t rely on any malicious domain,” said ESET Researcher Matthieu Faou, who detailed his findings in a white paper. “This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.” [....]

The ComRAT installer, a PowerShell script, “creates a Windows scheduled task and fills a registry value with the encrypted payload,” Faou wrote.
When a user logs in, the PowerShell loader executes, with the orchestrator embedding “an encrypted communication module that will be injected into the default web browser” and interacting “with the ComRAT communication module through a named pipe,” he explained. Because the malware’s network communication is initiated in the browser process, it “is stealthier than if it was done directly by the orchestrator.”

There are two C&C channels: one HTTP, the other email, using Gmail’s web interface. Operators can send commands using either channel. “The backdoor will receive the command ID and the arguments, if any,” wrote Faou, who said the commands aren’t “surprising and allow control of almost everything on the machine: manage files, execute additional processes or gather logs.”
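A defender-side check for the persistence pattern the article describes (a logon-triggered scheduled task that runs a PowerShell loader pulling its payload out of a registry value). This is an added example, not code from the article or from ESET's paper, and the list of command-line patterns is my own assumption, not indicators published for ComRAT.

```powershell
# Hunt for logon-triggered scheduled tasks whose action launches PowerShell with a
# command line that reads the registry or decodes an embedded payload.
# Uses the built-in ScheduledTasks module (Get-ScheduledTask / Get-ScheduledTaskInfo).
# Run in an elevated PowerShell session so that all task folders are visible.

# Assumed patterns (constructed for this example, not published ComRAT indicators)
$suspiciousPatterns = @(
    'Get-ItemProperty', 'Get-ItemPropertyValue', 'HKCU:', 'HKLM:', 'Registry::',
    '-EncodedCommand', '-enc ', 'FromBase64String', 'Invoke-Expression', 'IEX'
)

$findings = foreach ($task in Get-ScheduledTask) {
    # Keep only tasks that fire at user logon, the trigger the article describes
    $logonTriggered = $task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger'
    }
    if (-not $logonTriggered) { continue }

    foreach ($action in $task.Actions) {
        # Keep only "exec" actions that start powershell.exe or pwsh.exe
        if ($action.Execute -notmatch '(powershell|pwsh)(\.exe)?$') { continue }
        $cmdline = "$($action.Execute) $($action.Arguments)"
        $hits = $suspiciousPatterns | Where-Object { $cmdline -match [regex]::Escape($_) }
        if ($hits) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                Principal   = $task.Principal.UserId
                LastRunTime = $info.LastRunTime
                Indicators  = ($hits -join ', ')
                CommandLine = $cmdline
            }
        }
    }
}

# Each finding is a lead to triage by hand (review the task XML and the registry value it reads)
$findings | Format-List
```

Legitimate software also stores settings in the registry and runs PowerShell at logon, so treat a hit as a triage lead rather than a verdict.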