ComRAT v4 (its authors call the malware “Chinch”) uses a completely new code base and is far more complex than the previous generation. According to ESET security researchers, the main purpose of ComRAT is to discover, steal, and exfiltrate documents; in some cases it even deploys a .NET implementation to interact with the victim's MS SQL Server databases, which hold the organization's documents.
In its mail mode, ComRAT v4 reads the e-mail address and the authentication cookies stored in its VFS (virtual file system), connects to Gmail’s basic HTML interface, and parses the HTML of the inbox page to obtain the list of e-mails whose subjects match the pattern in the subject.str file, also stored in the VFS.
For each e-mail that meets these criteria, ComRAT downloads the attachments and then deletes the e-mail so that it is not processed a second time. Although the attachment names carry Word (.docx) or Excel (.xlsx) extensions, the actual attachments are not document files but encrypted binary blobs containing the commands to be executed, in particular reading and writing files, running additional processes, and collecting activity logs.
The results of the executed commands are then encrypted, stored as an attachment, and sent by e-mail to the destination address stored in a VFS file.
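The exchange described above relies on attachments that carry a document extension but are not documents. A mail gateway or triage script can catch that cheaply: a genuine Office Open XML file is a ZIP archive whose first bytes are the local-file-header magic and which contains a [Content_Types].xml entry, whereas an encrypted blob is an opaque, high-entropy byte string. The following is an added example written for this article, not ESET's code and not ComRAT's; the attachment samples are constructed in the script, and the function names and the 7.5 bits/byte entropy threshold are choices made here, not values from the report.

```python
import io
import math
import random
import zipfile

# Extensions that must be OOXML (ZIP-based) containers if the file is genuine.
OOXML_EXTENSIONS = (".docx", ".xlsx", ".pptx")
ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header
ENTROPY_THRESHOLD = 7.5            # assumed cut-off; encrypted data sits near 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_ooxml(data: bytes) -> bool:
    """True when the bytes are a readable ZIP that carries the OOXML content-types part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def attachment_findings(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    is_ooxml = looks_like_ooxml(data)
    if filename.lower().endswith(OOXML_EXTENSIONS) and not is_ooxml:
        findings.append("extension-mismatch")
    # OOXML is itself deflate-compressed, so entropy is only meaningful when the
    # data is NOT a recognised container; otherwise real documents would be flagged.
    entropy = shannon_entropy(data)
    if not is_ooxml and entropy > ENTROPY_THRESHOLD:
        findings.append(f"high-entropy:{entropy:.2f}")
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-style archive standing in for a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
    return buf.getvalue()


def build_sample_blob(size: int = 4096) -> bytes:
    """Constructed opaque payload: deterministic pseudo-random bytes, as an encrypted blob would look."""
    rng = random.Random(42)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed inbox: one genuine-looking document, one blob wearing a spreadsheet name.
SAMPLE_ATTACHMENTS = {
    "report.docx": build_sample_docx(),
    "budget.xlsx": build_sample_blob(),
}


def triage(attachments: dict) -> dict:
    """Map each attachment name to its findings."""
    return {name: attachment_findings(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'clean' if not findings else ', '.join(findings)}")
```

The entropy check is deliberately gated on the container test: legitimate .docx and .xlsx files are compressed and would otherwise score high too. Hits on the extension mismatch alone are the strong signal here; the entropy finding mainly separates an encrypted blob from, say, a plain-text file that was merely misnamed.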
Based on one month of Gmail traffic patterns, ESET said the operators behind this campaign work in the UTC+3 or UTC+4 time zone.
“ComRAT v4 was first launched in 2017 and has been active since,” ESET security researchers told THN. The company found at least three organizations targeted by the malware, including the foreign ministries of two Western European countries and a parliament in the Caucasus region.
The ComRAT backdoor has long been used by the Turla APT group. The group, also known as Snake, has been operating for more than a decade, with a track record of espionage campaigns against embassies and military organizations going back to around 2004 or earlier.
Turla’s espionage tooling began with Agent.BTZ in 2007, which later evolved into ComRAT, a remote access tool that added the ability to steal information from the local network. It was early versions of Agent.BTZ that infiltrated US military networks in the Middle East in 2008. In recent years, Turla has been identified as being behind the attacks on the French Armed Forces (FAF) network in 2018 and on the Austrian Foreign Ministry earlier this year.