Software: Gazer, WhiteBear

Gazer, WhiteBear (Software)
ID: S0168
Aliases: Gazer, WhiteBear
Type: Malware
Contributors: Bartosz Jerzman

Gazer is a backdoor used by Turla since at least 2016.[1]

Alias Descriptions

  • Gazer - [1]
  • WhiteBear - The term WhiteBear is used both for the activity group (a subset of Turla) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as Gazer.[2]

Techniques Used

  • Process Injection - Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. Gazer performs a separate injection of its communication module into an Internet accessible process through which it performs C2.[1][2]
  • Winlogon Helper DLL - Gazer can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[1]
  • Scheduled Task - Gazer can establish persistence by creating a scheduled task.[1][2]
  • Shortcut Modification - Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.[1][2]
  • Obfuscated Files or Information - Gazer logs its actions into files that are encrypted with 3DES. The malware also stores configuration items in alternate data streams if the Registry is not accessible.[1] It also uses RSA to encrypt resources.[2]
  • Connection Proxy - Gazer identifies a proxy server if it exists and uses it to make HTTP requests.[1]
  • File Deletion - Gazer has commands to delete files and persistence mechanisms from the victim.[1][2]
  • Code Signing - Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."[1][2]
  • Timestomp - For early Gazer versions, the compilation timestamp was faked.[1]
  • Screensaver - Gazer can establish persistence through the system screensaver by configuring it to execute the malware.[1]
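A defender-side check for the Winlogon “Shell” persistence listed above, added here as an example (it is not code from the ATT&CK page or from the cited reports): it parses the comma-separated Shell value and flags every entry that is not the bare explorer.exe, and on a Windows host reads the value from HKCU and HKLM. The sample Shell value and its path are constructed.

```python
import ntpath
import sys

# Registry location named in the Winlogon Helper DLL entry above.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"


def parse_shell_value(value: str) -> list[str]:
    """Split a Winlogon 'Shell' value into its comma-separated program entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_shell_entries(value: str) -> list[str]:
    """Return every entry that is not the bare explorer.exe.

    The page describes the value "explorer.exe, %malware_pathfile%", so the
    malware path appears as a second entry; a fully replaced shell is caught too.
    """
    return [e for e in parse_shell_value(value)
            if ntpath.basename(e.strip('"')).lower() != DEFAULT_SHELL]


def scan_winlogon_shell() -> dict[str, list[str]]:
    """Read the Shell value from HKCU and HKLM (Windows only) and report extras."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, only importable on Windows
    findings: dict[str, list[str]] = {}
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                value, _value_type = winreg.QueryValueEx(key, "Shell")
        except OSError:
            continue  # key or value absent in this hive
        extras = extra_shell_entries(str(value))
        if extras:
            findings[hive_name] = extras
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the pattern on the page; the path is hypothetical.
    sample = r"explorer.exe, C:\ProgramData\update\svc.exe"
    print("sample extras:", extra_shell_entries(sample))
    print("live findings:", scan_winlogon_shell() or "none (or not a Windows host)")
```

A non-empty result is a lead for triage, not proof of compromise; legitimate shell replacements exist, so pair the finding with the scheduled-task and .lnk checks the entries above imply.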

Groups

The following groups use this software: