
Turla malware siphons antivirus logs to determine whether it has been detected

(Image credit: JMiks / Shutterstock)

Cybersecurity researchers at ESET have uncovered an updated version of the ComRAT malware - and it has a couple of nifty new features.

ComRAT is a remote access trojan built by Turla, a world-famous hacking group linked to the Russian government. It has been in use for more than a decade, mutating across multiple iterations over the years.

The latest version (v4), which seems to have used the 2017 variant as a base, boasts two new features: the ability to read and forward antivirus log files and to receive instructions via Gmail.

By gaining access to antivirus logs, ComRAT now allows its operators to determine whether their intrusion has been detected and how they might avoid detection in future.

Further, while RATs usually need to connect to a command & control (CnC) server, the new ComRAT variant is able to open up Gmail, download an email attachment and execute the instructions found inside the file.

ESET claims this feature allows the malware to bypass some security controls, because it is not dependent on any single malicious domain.
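The two behaviours described above, a process reading antivirus log files and then talking to Gmail, are the kind of pairing a detection engineer would correlate. The toy rule below is an added example, not code from the article or from ESET; the telemetry is constructed, and the log directory, the legitimate AV process name and the mail hosts are placeholder assumptions to be replaced with your own environment's values.

```python
"""Toy correlation rule: flag a process that reads antivirus log files and
later opens a connection to Gmail (the two ComRAT v4 behaviours ESET describes)."""

# Constructed sample telemetry, not real logs.
# Fields: (timestamp, pid, process name, event kind, target)
EVENTS = [
    (1, 100, "avscanner.exe", "file_read", r"C:\ProgramData\AVVendor\Logs\scan.log"),
    (2, 200, "svchost.exe",   "file_read", r"C:\ProgramData\AVVendor\Logs\scan.log"),
    (3, 200, "svchost.exe",   "net_connect", "mail.google.com:443"),
    (4, 300, "outlook.exe",   "net_connect", "mail.google.com:443"),
]

# Assumed placeholders: where the deployed AV writes its logs, which process is
# allowed to read them, and which hosts count as Gmail. Adjust for your vendor.
AV_LOG_DIRS = [r"c:\programdata\avvendor\logs"]
AV_PROCESSES = {"avscanner.exe"}
MAIL_HOSTS = {"mail.google.com", "smtp.gmail.com", "imap.gmail.com"}


def reads_av_log(target):
    """True if the file path lies under one of the AV log directories."""
    path = target.lower()
    return any(path.startswith(d) for d in AV_LOG_DIRS)


def find_suspects(events):
    """Return (pid, process) pairs for non-AV processes that read an AV log
    and afterwards connected to a Gmail host. Events are processed in time order."""
    first_log_read = {}  # pid -> timestamp of its first AV log read
    suspects = []
    for ts, pid, proc, kind, target in sorted(events):
        if kind == "file_read" and reads_av_log(target) and proc.lower() not in AV_PROCESSES:
            first_log_read.setdefault(pid, ts)
        elif kind == "net_connect" and target.split(":")[0].lower() in MAIL_HOSTS:
            # Only flag if this pid already read an AV log earlier in the timeline.
            if pid in first_log_read and first_log_read[pid] <= ts:
                suspects.append((pid, proc))
    return suspects


if __name__ == "__main__":
    for pid, proc in find_suspects(EVENTS):
        print(f"suspect pid={pid} process={proc}: AV log read followed by Gmail connection")
```

Only the process that exhibits both behaviours in order is flagged; the AV's own reader and a mail client that never touched the logs are left alone.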

According to the researchers, ComRAT v4 was seen in action at the beginning of 2020, “showing that the Turla group is still very active and a major threat for diplomats and militaries.”