Researchers at ESET have discovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe.
According to the analysis, the attacks were conducted using a previously unreported cyber-espionage platform, which is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Given these features, ESET researchers have named the platform Attor.
“The attackers who use Attor are focusing on diplomatic missions and governmental institutions,” said Zuzana Hromcová, ESET malware researcher. “These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy.”
ESET explained that Attor consists of a dispatcher and loadable plugins that rely on the dispatcher for implementing basic functionalities. The plugins are delivered by to the compromised computer as encrypted DLLs and are only fully recovered in memory. “As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” added Hromcová.
The platform targets specific processes, including processes associated with Russian social networks and some encryption/digital signature utilities.
Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices.
Attor’s infrastructure for C&C communications spans four components – the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” explained Hromcová.
“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able – using AT commands – to steal data from that device and make changes in it, including changing the device’s firmware,” concluded Hromcová.