ESET researchers have uncovered a previously undocumented malware platform that they say is designed to target diplomatic and government entities. According to the researchers, it has been used in attacks against Russian-speaking users since at least 2013.
The malware, which the researchers named “Attor”, has an unusual combination of capabilities: GSM fingerprinting of connected mobile devices via AT commands, encrypted plugin modules, and Tor-based communications. The name comes from the combination of AT commands and Tor.
Attor has a modular architecture: individual plugins handle persistence, data collection, the exfiltration channel, communication with the command and control (C2) server, and further surveillance functions such as audio recording, keystroke logging and screen capture.
Several of the applications Attor targets suggest the attackers are interested in privacy-minded users. The targets include the encryption tool TrueCrypt, VPN applications, the e-mail client The Bat!, the HushMail secure e-mail service, and the Dragon secure web browser.
According to the report, “Attor’s core lies in its dispatcher, which serves as a management and synchronization unit for additional plugins. It also provides an interface for the plugins to call Windows APIs and cryptographic functions indirectly.”
A dropper delivers the dispatcher and several plugins. The dispatcher, itself a dynamic-link library, is injected into almost every running process on the compromised machine, excluding some system processes and Symantec security products.
Once running, Attor monitors and harvests data by loading plugins aimed at e-mail services, office software, archiving utilities, cloud storage, file-sharing tools, VoIP applications and messaging services. It also targets specific processes associated with Russian social networks.
“Attor has built-in mechanisms for adding new plugins, for updating itself, and for automatically exfiltrating collected data and log files,” says ESET’s report, adding that the plugins are hard to detect as they “are stored on the disk in a compressed and encrypted form, with the valid form of the DLL only being recovered in memory, when the dispatcher loads the plugin. This probably is an attempt to thwart detection, as the plugin DLLs are never present unencrypted on disk.”
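The quoted mechanism has a direct consequence for detection: a signature scanner that only reads files on disk never sees the plugin's PE header or strings, because those exist only in the buffer the dispatcher builds in memory. The following added example (not ESET's or Attor's code) illustrates this with a constructed stand-in for a DLL. The compress-then-encrypt layout is taken from the quote; the XOR keystream, the key and the fake DLL bytes are placeholders chosen for illustration, since the page does not describe Attor's actual cipher or format.

```python
import zlib

# Placeholder cipher: a repeating-key XOR keystream. Attor's real encryption
# scheme is not given on this page; any cipher would serve the same purpose.
PLACEHOLDER_KEY = b"\x13\x37\xc0\xde"


def xor_keystream(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_plugin(dll_bytes, key=PLACEHOLDER_KEY):
    """What lands on disk: the DLL is compressed, then encrypted."""
    return xor_keystream(zlib.compress(dll_bytes), key)


def load_plugin(on_disk_blob, key=PLACEHOLDER_KEY):
    """What the dispatcher does at load time: decrypt, then decompress, in memory only."""
    return zlib.decompress(xor_keystream(on_disk_blob, key))


# Constructed stand-in for a plugin DLL (not a real PE image): just the markers
# an on-disk signature scanner would normally key on.
FAKE_DLL = (
    b"MZ" + b"\x90" * 64
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 32 + b"PluginEntry\x00"
)


def looks_like_dll(buf):
    """Minimal 'is this a Windows module' check a file scanner might apply."""
    return buf.startswith(b"MZ") and b"This program cannot be run in DOS mode" in buf


if __name__ == "__main__":
    on_disk = pack_plugin(FAKE_DLL)
    print("on-disk blob matches DLL signature:", looks_like_dll(on_disk))
    print("in-memory image matches DLL signature:", looks_like_dll(load_plugin(on_disk)))
```

Disk-based scanning of the stored blob finds nothing; only a memory scan of the loaded module (or a hook on the dispatcher's load routine) sees the recovered DLL.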
One of the plugins, a device monitor, collects file metadata from connected phones, modems and storage devices for fingerprinting. ESET says the GSM fingerprinting capability is aimed at older modems and phones: using AT commands, it retrieves subscriber and device identifiers such as the IMSI, IMEI, MSISDN and software version.
ESET was able to analyze a few dozen infected devices, but the researchers could not pinpoint the initial access vector, nor determine the full range of data the malware collects and transmits. Thanks to its use of Tor and encryption, Attor has gone largely undetected even though it has been used in targeted attacks since at least 2013.
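To make the fingerprinting step concrete, here is an added example (not ESET's or Attor's code) of how the identifiers named above are obtained over AT commands. The commands are the standard 3GPP TS 27.007 queries for each identifier; the page does not state which commands Attor's plugin actually issues, so that mapping is an assumption. The modem transcript is constructed so the example runs offline; against real hardware the same logic would sit on top of a pyserial connection to the COM port.

```python
import re

# Standard 3GPP TS 27.007 query for each identifier in the ESET report.
# Assumption: the page does not list the commands Attor's plugin issues.
AT_QUERIES = {
    "imei": "AT+CGSN",      # serial number; the IMEI on GSM devices
    "imsi": "AT+CIMI",      # subscriber identity read from the SIM
    "msisdn": "AT+CNUM",    # subscriber number(s) stored on the SIM
    "software": "AT+CGMR",  # firmware / software revision
}

# Constructed modem transcript (not captured from a real device) so the
# example runs offline. 490154203237518 is the well-known sample IMEI;
# 001/01 is the test-network MCC/MNC.
FAKE_MODEM_RESPONSES = {
    "AT+CGSN": "\r\n490154203237518\r\n\r\nOK\r\n",
    "AT+CIMI": "\r\n001010123456789\r\n\r\nOK\r\n",
    "AT+CNUM": '\r\n+CNUM: "","+15555550100",145\r\n\r\nOK\r\n',
    "AT+CGMR": "\r\n+CGMR: Revision 1.2.3\r\n\r\nOK\r\n",
}


class FakeModem:
    """Stand-in for a serial device: answers each AT command from a table.
    A real implementation would write command + "\\r" to serial.Serial(port)."""

    def __init__(self, responses):
        self.responses = responses

    def query(self, command):
        return self.responses.get(command, "\r\nERROR\r\n")


def final_result(raw):
    """Split a raw AT response into its information lines; None unless it ends in OK."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines or lines[-1] != "OK":
        return None  # "ERROR", "+CME ERROR: n", or a truncated reply
    return lines[:-1]


def luhn_valid(digits):
    """The 15th IMEI digit is a Luhn check digit over the whole number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint_device(modem):
    """Query a modem/phone over AT commands and return the identifiers it yields."""
    fp = {}

    lines = final_result(modem.query(AT_QUERIES["imei"]))
    if lines and re.fullmatch(r"\d{15}", lines[0]):
        fp["imei"] = lines[0]
        fp["imei_checksum_ok"] = luhn_valid(lines[0])

    lines = final_result(modem.query(AT_QUERIES["imsi"]))
    if lines and re.fullmatch(r"\d{6,15}", lines[0]):
        fp["imsi"] = lines[0]
        fp["mcc"] = lines[0][:3]  # MCC is always 3 digits; MNC is 2 or 3

    lines = final_result(modem.query(AT_QUERIES["msisdn"]))
    if lines:
        m = re.match(r'\+CNUM:\s*"[^"]*","([^"]+)",(\d+)', lines[0])
        if m:
            fp["msisdn"] = m.group(1)
            fp["msisdn_intl"] = m.group(2) == "145"  # type 145 = international number

    lines = final_result(modem.query(AT_QUERIES["software"]))
    if lines:
        fp["software"] = re.sub(r"^\+CGMR:\s*", "", lines[0])

    return fp


if __name__ == "__main__":
    print(fingerprint_device(FakeModem(FAKE_MODEM_RESPONSES)))
```

Each query is parsed independently, so a device that rejects one command (data-only modems often answer `+CNUM` with `+CME ERROR`) still yields the remaining identifiers, which is the behaviour a collector targeting a mix of older modems and phones needs.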
According to ESET, “The versioning information in the plugins suggests there are other plugins that we have not yet seen”, adding that the research “provides a deep insight into the malware, and suggests that it is well worth further tracking of the operations of the group behind this malware.”