ESET researchers have uncovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe.

Analysis shows that these attacks were conducted using a previously unreported cyberespionage platform.

The platform is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Due to these features, ESET researchers named the platform “Attor”.

“The attackers who use Attor are focusing on diplomatic missions and governmental institutions,” says Zuzana Hromcová, the ESET malware researcher who conducted the analysis. “These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy.”

Attor has a modular architecture: it consists of a dispatcher and loadable plugins that rely on the dispatcher for basic functionality. The plugins are delivered to the compromised computer as encrypted DLLs and are only decrypted and fully recovered in memory.

“As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” explains Hromcová.

Attor targets specific processes, among them processes associated with Russian social networks and some encryption/digital signature utilities; the VPN service HMA; the end-to-end encryption email services Hushmail and The Bat!; and the disk encryption utility TrueCrypt.

The victim’s usage of TrueCrypt is further inspected in another part of Attor.

“The way Attor determines the TrueCrypt version is unique. Attor uses TrueCrypt-specific control codes to communicate with the application, which shows that the authors of the malware must understand the open-source code of the TrueCrypt installer. We are not aware of this technique having been documented before,” comments Hromcová.

Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices. To ensure anonymity and untraceability, Attor uses the Tor Onion Service Protocol, with an onion address for its C&C server.

Attor’s infrastructure for C&C communications spans four components — the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” Hromcová says.

The most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected storage drives, as well as information about files present on these drives. According to ESET researchers, of primary interest is the fingerprinting of GSM devices connected to the computer via a serial port. Attor uses so-called “AT commands” to communicate with the device and retrieve identifiers — among others, IMSI, IMEI, MSISDN and software version.

“Unknown to many people these days, AT commands, which were originally developed in the 1980s to command modems, are still in use in most modern smartphones,” explains Hromcová.
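As an added illustration, not code from ESET or from the Attor analysis, the following Python triage helper parses a captured serial-port transcript and lists which device identifiers an AT-command session read, which is the pattern the GSM plugin described above produces. The page does not name the commands Attor issues; the block assumes the standard 3GPP TS 27.007 queries that return the IMSI, IMEI, MSISDN and software version, and the transcript itself is constructed.

```python
import re

# Standard 3GPP TS 27.007 queries and the identifier each returns. Assumption:
# the page names only the identifiers Attor collects, not the exact commands,
# so these are the standard commands that yield them.
IDENTIFIER_QUERIES = {"AT+CIMI": "IMSI", "AT+CGSN": "IMEI",
                      "AT+CNUM": "MSISDN", "AT+CGMR": "software version"}

# Constructed serial-port transcript (not captured from Attor): host commands
# interleaved with the device's answers and final result codes.
SAMPLE_SESSION = """AT+CIMI
001010123456789
OK
AT+CGSN
123456789012345
OK
AT+CNUM
+CNUM: "","+15550100",145
OK
AT+CGMR
FW 1.2.3
OK
"""

def parse_at_session(transcript):
    """Split a transcript into (command, response_lines) pairs; a response
    runs from the 'AT...' command line to the final 'OK' or 'ERROR'."""
    exchanges, current = [], None
    # strip CR/LF and drop the blank lines real serial captures are full of
    for line in filter(None, map(str.strip, transcript.splitlines())):
        if line.upper().startswith("AT"):
            current = (line.upper(), [])
            exchanges.append(current)
        elif line in ("OK", "ERROR"):
            current = None              # final result code closes the exchange
        elif current is not None:
            current[1].append(line)
    return exchanges

def harvested_identifiers(transcript):
    """Return {identifier: value} for each identifier query the device answered."""
    found = {}
    for command, response in parse_at_session(transcript):
        name = IDENTIFIER_QUERIES.get(command)
        if name is None or not response:
            continue
        value = response[0]
        if value.startswith("+CNUM:"):  # '+CNUM: "alpha","number",type'
            fields = re.findall(r'"([^"]*)"', value)
            value = fields[1] if len(fields) > 1 else value
        found[name] = value
    return found
```

A session that fills several of these entries in quick succession is the fingerprinting pattern worth alerting on; a device that answers ERROR contributes nothing to the result.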

One possible reason for Attor to use AT commands is that the platform targets modems and older phones. Alternatively, the commands may be used to communicate with some specific devices, whose presence the attackers may have learned about through other reconnaissance techniques.

“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able — using AT commands — to steal data from that device and make changes in it, including changing the device’s firmware,” Hromcová adds.