ESET researchers discovered an advanced malware piece of malware named
The researchers believe that the threat actor behind
“For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings
The researchers believe that the malware was specifically developed to infect mainly Russian-speaking users, it targets popular Russian apps and services, including the social networks Odnoklassniki, and VKontakt, VoIP provider Multifon, IM apps
The malware implements a modular structure with a dispatcher and
The Attor malware makes sophisticated use of encryption to hide its components.
The plugins are delivered as DLLs asymmetrically encrypted with RSA, then they are recovered in memory, using the public RSA key embedded in the dispatcher.
“In total, the infrastructure for C&C communication spans four Attor components – the
“We were able to recover eight of Attor’s plugins, some in multiple versions – we list them in Table 2. Assuming the numbering of plugins is continuous, and that actors behind
The analysis of the samples of the malware revealed the presence of an interesting module designed to detect when users connected modems and older phones to their devices. The malware is able to collect info about the files present on connected devices.
“The most curious plugin in Attor’s arsenal collects information about both connected
“While Attor’s functionality of fingerprinting storage drives is rather standard, its fingerprinting of GSM devices is unique.”
ESET believes that the authors of the Attor malware developed this module to target users owning older mobile handsets, or even a custom GSM-capable platform.
“A more likely explanation of the plugin’s main motive is that it targets modems and older phones. Alternatively, it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor.” concludes the analysis. “In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques.”