A new malware strain named Attor has been discovered by security researchers; it has been used to spy on diplomats and Russian-speaking users in Eastern Europe. Although the malware has been in use since 2013, it was discovered only last year.
The malware shows the signs of a targeted espionage campaign run by a skilled actor focusing on only a small selection of targets.
Analysis of the malware and its features showed that Attor’s developers explicitly designed it to target Russian-speaking users. Most of the targets are located in Russia; the remaining targets are located in Eastern Europe and include diplomatic missions and governmental institutions.
That this malware was designed mainly to target Russian users is clear from Attor’s features, which include the targeting of popular Russian apps and services: the social networks Odnoklassniki and VKontakte, the VoIP provider Multifon, the IM apps Qip and Infium, the search engine Rambler, the email clients Yandex and Mail.ru, and the payment system WebMoney.
In addition, Attor uses a highly modular architecture designed around a central component called the dispatcher.
Most malware uses a modular structure, but Attor shows its sophistication by using encryption to hide its modules, which is not commonly seen and is usually found in malware strains developed by nation-state hacker groups.
Attor’s plugins are delivered to the targeted computer as DLLs, asymmetrically encrypted with RSA. The plugins are only fully recovered in memory, using the public RSA key embedded in the dispatcher. As a result, it is difficult to obtain Attor’s plugins, and to decrypt them without access to the dispatcher.
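As an added illustration of the mechanism just described (this is example code written for this page, not code from the original article or from the researchers' analysis), the following toy Python model shows what a public key embedded in the dispatcher buys the operator and what it does not: a blob can only be produced by the holder of the private key, so a captured dispatcher cannot be fed forged plugins, but anyone holding the dispatcher (including an analyst) can replay the in-memory recovery step. The key size, block layout, `PLG1` header and function names are all constructed assumptions and bear no relation to Attor's real plugin format.

```python
"""Toy model of RSA-sealed plugins that are recovered in memory with a public key.

Constructed example: the key, block format and header are assumptions, not Attor's.
"""
import struct

# Constructed toy RSA key: two small primes so the demo runs instantly.
# Real deployments use 2048-bit keys and padding; this only shows the flow.
P, Q = 1000003, 1000033
N = P * Q                          # public modulus (embedded in the "dispatcher")
E = 65537                          # public exponent (embedded in the "dispatcher")
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays with the operator

PT_BLOCK = 4     # plaintext bytes per RSA block; 2**32 < N so every block is < N
CT_BLOCK = 5     # ciphertext bytes per RSA block; N < 2**40
MAGIC = b"PLG1"  # constructed header so the loader can tell a genuine plugin


def _frame(payload: bytes) -> bytes:
    """MAGIC + big-endian length + payload, zero-padded to a whole block."""
    body = MAGIC + struct.pack(">I", len(payload)) + payload
    return body + b"\x00" * (-len(body) % PT_BLOCK)


def seal_plugin(payload: bytes, d: int = D, n: int = N) -> bytes:
    """Operator side (modelled): each block is transformed with the PRIVATE key.

    Only the holder of d can produce a blob that unseals to a valid header.
    """
    framed = _frame(payload)
    out = bytearray()
    for i in range(0, len(framed), PT_BLOCK):
        m = int.from_bytes(framed[i:i + PT_BLOCK], "big")
        out += pow(m, d, n).to_bytes(CT_BLOCK, "big")
    return bytes(out)


def unseal_plugin(blob: bytes, e: int = E, n: int = N) -> bytes:
    """Loader side, and equally the analyst's side: only the PUBLIC key is needed.

    This is the step a dispatcher performs in memory, and therefore the step
    anyone holding the dispatcher (and its embedded key) can replay on a blob.
    """
    if len(blob) % CT_BLOCK:
        raise ValueError("blob length is not a multiple of the block size")
    framed = bytearray()
    for i in range(0, len(blob), CT_BLOCK):
        c = int.from_bytes(blob[i:i + CT_BLOCK], "big")
        m = pow(c, e, n)
        if m >> (8 * PT_BLOCK):
            # A genuine block always decodes to < 2**32; anything else means
            # the wrong key, or a blob not made with the matching private key.
            raise ValueError("block out of range: wrong key or forgery")
        framed += m.to_bytes(PT_BLOCK, "big")
    if framed[:4] != MAGIC:
        raise ValueError("header check failed: not a genuine plugin for this key")
    (length,) = struct.unpack(">I", framed[4:8])
    if length > len(framed) - 8:
        raise ValueError("declared length exceeds blob")
    return bytes(framed[8:8 + length])


def tamper(blob: bytes, offset: int = 0) -> bytes:
    """Flip one bit of a sealed blob, as a forger without the private key might."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    fake_plugin = b"MZ-constructed-stand-in-for-a-plugin-DLL"   # constructed sample
    blob = seal_plugin(fake_plugin)
    print("recovered with public key only:", unseal_plugin(blob) == fake_plugin)
    try:
        unseal_plugin(tamper(blob))
    except ValueError as err:
        print("tampered blob rejected:", err)
```

The asymmetry is the point: `seal_plugin` needs the private exponent `D`, which never leaves the operator, while `unseal_plugin` needs only `E` and `N`, the values a loader must carry. That is why recovering the plugins was possible once the dispatcher itself was in hand, and why an altered or substituted blob is rejected by the header check rather than being loaded.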
The researchers spent months working on Attor to decipher its secrets, and they managed to recover eight of Attor’s plugins.
The Slovak researchers said they found a module for taking screenshots, one for recording audio, one for uploading files to a remote server, one for setting up a SOCKS proxy to disguise its traffic, a keyboard and clipboard logger, an installer watchdog, a device monitor, and a module to support communications via the Tor network.
GSM Fingerprinting Module
The most interesting plugin of all was the module that performs device monitoring. Such a module, found in much malware, usually works by creating a fingerprint of the devices a user connects to a computer or laptop; some other malware strains use similar modules to detect when a user plugs in a USB thumb drive, in order to place malicious files on its storage.
Attor’s device monitor module was designed to detect when users connected modems and older phones to their computers. When a device was connected, Attor would collect details about the files present on it.
Because this module collects metadata, it is considered a device-fingerprinting plugin. Attor’s device monitoring module also included a function that used ancient AT commands to fingerprint GSM-capable devices.
AT commands were developed in the 1980s as a method of controlling early modems. They are still supported today, even on modern high-end smartphones.
However, the Attor gang ignored modern smartphones connected via USB. Stealing data from or planting malware on smartphones via the USB port would have been much easier than using AT commands via old serial ports.
The researchers believe that Attor’s developers created this module to target users who employed older mobile handsets, or even a custom GSM-capable platform used by one of their targets.
Many diplomatic and intelligence operations use custom GSM-capable platforms for secure communications.
It is not known who created this malware, but it is clear that it was used by some of the world’s most sophisticated espionage players.