The security researchers at Kaspersky revealed an APT backdoor campaign that has been used to spy on consulates and embassies worldwide. The researchers have coined the term WhiteBear for the campaign.
The campaign, identified as active since 2016, has been associated with the infamous Russian Turla APT group. The WhiteBear APT campaign leverages compromised websites and hijacked satellite connections for its command and control (C2) infrastructure.
Modus operandi: the attacker delivers the malicious payload via spear-phishing emails and compromises the targeted computers in two stages. In the first stage, the malware drops a backdoor dubbed Skipper, which then installs the second-stage backdoor, in this case the Gazer backdoor.
The second-stage backdoor receives encrypted instructions from the attacker via C&C servers, using compromised, legitimate websites as a proxy. This helps it evade some security solutions.
The researchers noted that, earlier, the Turla APT group had used different second-stage backdoors, such as Carbon and Kazuar.
Most WhiteBear samples Kaspersky researchers received are signed with a valid code signing certificate issued to “Solid Loop Ltd”, a once-registered British organization.
- Sample MD5: b099b82acb860d9a9a571515024b35f0
- Type: PE EXE
- Compilation timestamp: 2002.02.05 17:36:10 (GMT)
- Linker version: 10.0 (MSVC 2010)
- Signature: “Solid Loop Ldt”, UTCTime 15/10/2015 00:00:00 GMT – UTCTime 14/10/2016 23:59:59 GMT
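The sample metadata above is the kind of thing an analyst sanity-checks before trusting it. The following is an added triage example (not Kaspersky's code) that takes the values quoted on the page and flags the inconsistencies a practitioner would want to see: a PE compile timestamp that predates the linker that supposedly produced the binary, and a compile time that falls outside the signing certificate's validity window. The linker release dates in `LINKER_RELEASE` are my assumption (public Visual Studio release dates), not taken from the page.

```python
"""Triage checks over the quoted WhiteBear sample metadata.

Added example; SAMPLE is constructed from the values quoted on the page,
LINKER_RELEASE is an assumption (public VS toolchain release dates).
"""
from datetime import datetime, timezone
import re

# Constructed from the page's sample description.
SAMPLE = {
    "md5": "b099b82acb860d9a9a571515024b35f0",
    "compiled": "2002.02.05 17:36:10",        # GMT, from the PE header
    "linker": "10.0",                          # MSVC 2010
    "signer": "Solid Loop Ldt",
    "cert_not_before": "15/10/2015 00:00:00",  # UTCTime, GMT
    "cert_not_after": "14/10/2016 23:59:59",   # UTCTime, GMT
}

# Earliest plausible build date per linker major version.
# Assumption: public release dates of the Visual Studio toolchains.
LINKER_RELEASE = {
    "9.0": datetime(2007, 11, 19, tzinfo=timezone.utc),   # VS 2008
    "10.0": datetime(2010, 4, 12, tzinfo=timezone.utc),   # VS 2010
    "11.0": datetime(2012, 8, 15, tzinfo=timezone.utc),   # VS 2012
}


def parse_gmt(text, fmt):
    """Parse a GMT timestamp string into an aware UTC datetime."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def triage(sample):
    """Return a list of findings (strings) for one sample description.

    An empty list means the metadata is internally consistent.
    """
    findings = []

    # An MD5 is exactly 32 hex digits; anything else is a transcription error.
    if not re.fullmatch(r"[0-9a-f]{32}", sample["md5"]):
        findings.append("md5: not a 32-hex-digit digest")

    compiled = parse_gmt(sample["compiled"], "%Y.%m.%d %H:%M:%S")

    # A binary cannot have been linked before its linker existed, so a
    # compile time earlier than the linker release means the PE header
    # timestamp was altered.
    release = LINKER_RELEASE.get(sample["linker"])
    if release and compiled < release:
        findings.append(
            f"timestamp: PE compile time {compiled:%Y-%m-%d} predates linker "
            f"{sample['linker']} release ({release:%Y-%m-%d}); header "
            "timestamp is likely forged")

    # Compile and signing times may legitimately differ, but a compile time
    # outside the certificate validity window is worth recording.
    not_before = parse_gmt(sample["cert_not_before"], "%d/%m/%Y %H:%M:%S")
    not_after = parse_gmt(sample["cert_not_after"], "%d/%m/%Y %H:%M:%S")
    if not (not_before <= compiled <= not_after):
        findings.append(
            "signature: compile time lies outside the certificate validity "
            f"window {not_before:%Y-%m-%d}..{not_after:%Y-%m-%d}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run as a script it prints two findings for the quoted sample. Note that the certificate's validity window ending in 2016 does not by itself make the signature invalid today: Authenticode signatures that carry a countersignature timestamp remain valid after the certificate expires, so "expired" is a separate check from "forged".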
Command and Control
From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. By June 2017, WhiteBear activity shifted to include defense-related organizations.
WhiteBear targets over the course of a couple of years are related to government foreign affairs, international organizations, and later, defense organizations. The geolocation of the incidents is as follows:
- South Asia
- Central Asia
- East Asia
- South America
Leveraging the automated malware detection process of the VirusTotal API, we could see that anti-virus solutions such as Symantec, Kaspersky, McAfee and Microsoft are capable of detecting the backdoor binary.
However, if the equivalent solution at your organization is unable to detect the threat, we recommend that you block the associated command and control IPs and URLs and closely monitor network activity.
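The VirusTotal check and the fall-back decision above can be scripted. The following is an added example (not the article author's tooling) that builds a VirusTotal v3 file-report request, summarises which engines flag the hash, and decides whether your organization's deployed engines cover it or whether the network-level blocking and monitoring recommended above is needed. The endpoint, the `x-apikey` header and the `last_analysis_results` / `last_analysis_stats` fields are the VirusTotal v3 API shapes; the report below is constructed for offline use and is not a real VirusTotal report for the WhiteBear hash, and the engine verdict strings and IOC entries are placeholders.

```python
"""Summarise VirusTotal v3 results for a hash and pick a response action.

Added example. SAMPLE_REPORT is constructed (not real VT data); the IOC list
is a placeholder because the article does not publish the C2 addresses.
"""
import json
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/{}"


def build_request(file_hash, api_key):
    """Build (but do not send) the GET request for a file report."""
    return urllib.request.Request(VT_FILES.format(file_hash),
                                  headers={"x-apikey": api_key})


def fetch_report(file_hash, api_key, timeout=20):
    """Send the request; kept separate so everything else runs offline."""
    req = build_request(file_hash, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarise(report, our_engines):
    """Return detection stats and whether our deployed engines flag the file."""
    attrs = report["data"]["attributes"]
    results = attrs["last_analysis_results"]
    flagged = {
        name: r["result"] for name, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    }
    covered = {engine: flagged.get(engine) for engine in our_engines}
    stats = attrs["last_analysis_stats"]
    return {
        "malicious": stats["malicious"],
        "total": sum(stats.values()),
        "flagged": flagged,
        "our_engines": covered,
        # No deployed engine detects it: fall back to network controls.
        "fallback_to_network_controls": not any(covered.values()),
    }


def recommend(summary, iocs):
    """Turn the summary into concrete defensive actions."""
    if not summary["fallback_to_network_controls"]:
        return ["endpoint coverage confirmed; verify signatures are up to date"]
    actions = [f"block C2 indicator at perimeter: {ioc}" for ioc in iocs]
    actions.append("enable egress logging and alert on connections to blocked indicators")
    return actions


# Constructed sample response (not real VT data); vendor names are those the
# article lists, verdict strings are placeholders.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "b099b82acb860d9a9a571515024b35f0",
        "attributes": {
            "last_analysis_stats": {"malicious": 4, "undetected": 1,
                                    "suspicious": 0, "harmless": 0},
            "last_analysis_results": {
                "Symantec":  {"category": "malicious", "result": "PLACEHOLDER.Backdoor"},
                "Kaspersky": {"category": "malicious", "result": "PLACEHOLDER.Backdoor"},
                "McAfee":    {"category": "malicious", "result": "PLACEHOLDER.Backdoor"},
                "Microsoft": {"category": "malicious", "result": "PLACEHOLDER.Backdoor"},
                "ExampleAV": {"category": "undetected", "result": None},
            },
        },
    },
}

# Placeholder indicators; the article does not publish the actual C2 addresses.
PLACEHOLDER_IOCS = ["C2_IP_PLACEHOLDER", "C2_URL_PLACEHOLDER"]

if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT, ["ExampleAV"])
    print(f"{summary['malicious']}/{summary['total']} engines flag the file")
    for action in recommend(summary, PLACEHOLDER_IOCS):
        print("-", action)
```

To run against live data, replace `SAMPLE_REPORT` with `fetch_report(<hash>, <api key>)`; the hash alone is sent to VirusTotal, not the binary, so nothing about your environment is disclosed beyond the lookup itself.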
This APT activity was also researched by ESET security researchers, who named the backdoor Gazer.