A recently uncovered highly targeted cyber-espionage platform that uses Tor for network communication has remained under the radar for at least six years, ESET reports.
Referred to as Attor, due to the use of a GSM plugin that leverages the AT command protocol and the use of the Tor network, the espionage operation only hit a few dozen victims during the period it was active.
Attor is specifically aimed at Russian-speakers, and its list of targeted applications includes web browsers, instant messaging applications, email services, social networks popular in Russia (Odnoklassniki, VKontakte), the WebMoney payment system, and a VoIP service provided by Russian telecom operator Multifon.
To spy on users, Attor monitors active processes and takes screenshots of selected applications. While most of its victims are located in Russia, the platform was also used to target entities in Eastern Europe, such as diplomatic missions and governmental institutions.
“Attor is configured to capture screenshots of encryption/digital signature utilities, the VPN service HMA, end‑to‑end encryption email services Hushmail and The Bat!, and the disk encryption utility TrueCrypt,” ESET’s security researchers explain.
Based on the manner in which the victim’s use of TrueCrypt is inspected in Attor, the malware author likely understands the open-source code of the TrueCrypt installer, the researchers say.
The platform includes a dispatcher and loadable plugins, all of which are implemented as DLLs and dropped onto the target system at the first step of compromise.
The dispatcher works as a management and synchronization unit for the plugins. At system startup, it injects itself into almost all running processes and also loads the available plugins into them (it avoids system processes).< ..
Support the originator by clicking the read the rest link below.
