ESET discovers Attor, a spy platform with curious GSM fingerprinting

ESET researchers discover a previously unreported cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions, and privacy-concerned users



ESET researchers have discovered a new espionage platform with a complex architecture, a host of measures to make detection and analysis more difficult and two notable features. First, its GSM plugin uses the AT command protocol, and second, it uses Tor for its network communications. ESET researchers thus named the cyberespionage platform Attor.

Attor’s espionage operation is highly targeted – we were able to trace Attor’s operation back to at least 2013, yet, we only identified a few dozen victims. Despite that, we were able to learn more about the intended victims by analyzing artifacts in the malware.


For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title.


Besides standard services such as popular web browsers, instant messaging applications and email services, the list of targeted applications contains several Russian services, as detailed in Table 1.



Table 1. Domains misused in the campaign

| Process name/window title substring | Context |
|---|---|
| ОДНОКЛАССНИКИ (transl. Classmates) | Russian social network (Odnoklassniki) |
| AGENTVKONTAKTE | Russian social network (VKontakte) |
| WEBMONEY | Online payment system used in Russia (WebMoney) |
| MAIL.YANDEX, ЯНДЕКС.ПОЧТА (transl. Yandex.Mail), MAIL.RU, POCHTA (transl. Mail), MAGENT | Russian email services (Mail.ru, Yandex.Mail) |
| ПРИГЛАШЕНИЕ ДРУЖИТЬ (transl. Friend request) | Russian text |
| ВАМ СООБЩЕНИЕ (transl. Message for you) .. | |
