Gazer is a backdoor used by Turla since at least 2016. [1]

ID: S0168
Associated Software: WhiteBear

Contributors: Bartosz Jerzman

Platforms: Windows

Version: 1.0

Associated Software Descriptions

WhiteBear: The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. [2]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1116 | Code Signing | Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd." [1][2]
Enterprise | T1090 | Connection Proxy | Gazer identifies a proxy server if it exists and uses it to make HTTP requests. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | Gazer uses custom encryption for C2 using 3DES and RSA. [1][2]
Enterprise | T1107 | File Deletion | Gazer has commands to delete files and persistence mechanisms from the victim. [1][2]
Enterprise | T1096 | NTFS File Attributes | Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible. [1]
Enterprise | T1027 | Obfuscated Files or Information | Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources. [2]
Enterprise | T1055 | Process Injection | Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. Gazer performs a separate injection of its communication module into an Internet-accessible process through which it performs C2. [1][2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Gazer can establish persistence by creating a .lnk file in the Start menu. [1][2]
Enterprise | T1105 | Remote File Copy | Gazer can execute a task to download a file. [1][2]
Enterprise | T1053 | Scheduled Task | Gazer can establish persistence by creating a scheduled task. [1][2]
Enterprise | T1180 | Screensaver | Gazer can establish persistence through the system screensaver by configuring it to execute the malware. [1]
Enterprise | T1023 | Shortcut Modification | Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe. [1][2]
Enterprise | T1071 | Standard Application Layer Protocol | Gazer communicates with its C2 servers over HTTP. [1]
Enterprise | T1033 | System Owner/User Discovery | Gazer obtains the current user's security identifier. [2]
Enterprise | T1099 | Timestomp | For early Gazer versions, the compilation timestamp was faked. [1]
Enterprise | T1004 | Winlogon Helper DLL | Gazer can establish persistence by setting the value "Shell" to "explorer.exe, %malware_pathfile%" under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. [1]
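An added detection example for the Winlogon "Shell" persistence listed under T1004 (this is not code from the ATT&CK page or from the cited reports): it parses a .reg export of the HKCU Winlogon key and reports every Shell entry other than the default explorer.exe, which is exactly what the "explorer.exe, %malware_pathfile%" pattern above leaves behind. The sample export, user name and file path are constructed for this example.

```python
"""Flag non-default Winlogon 'Shell' entries (ATT&CK T1004, Gazer style).

Winlogon launches every comma-separated program listed in the Shell value at
logon, so a value of "explorer.exe, <something else>" still gives the user a
normal desktop while also starting the extra program.
"""
import re

# Key path as written in a .reg export (the page's HKCU\...\Winlogon key).
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"

# Constructed sample export; the DLL path and user name are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\alice\\AppData\\Roaming\\svc\\host.dll"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''


def parse_reg_values(text):
    """Return {(key_path, value_name): data} for the string values in a .reg export."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key is not None:
            # .reg files escape backslashes and double quotes with a backslash.
            data = re.sub(r'\\(["\\])', r'\1', m.group(2))
            values[(key, m.group(1))] = data
    return values


def suspicious_shell_entries(shell_value):
    """Return the Shell entries that are not the default explorer.exe."""
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_SHELL]


def hunt_winlogon_shell(reg_text):
    """Return extra Shell entries under the HKCU Winlogon key, or [] if none/absent."""
    shell = parse_reg_values(reg_text).get((WINLOGON_KEY, "Shell"))
    return [] if shell is None else suspicious_shell_entries(shell)


if __name__ == "__main__":
    print(hunt_winlogon_shell(SAMPLE_REG_EXPORT))
```

On a live host the same check applies to the value returned by `reg query` or `Get-ItemProperty` for that key; an empty list means only the default shell is configured.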


Groups that use this software: