Attor malware used in highly targeted attacks against diplomatic missions and government institutions

In a recent discovery by security researchers, a sophisticated malware program is being deployed for stealing information from diplomats along with users speaking Russian language inside Eastern Europe. Known as Attor, the malicious program's utilization dates back to 2013 cyber-attacks, however, its discovery happened only in 2018, states a report by ESET.

Researchers at ESET stated that the malware seemingly complemented some targeted espionage scheme that certain skilled threat actor perpetrated, where the focus is on a few specific targets. As per ESET's assessment, the assaults were carried out utilizing an earlier unreported spying interface that was prominent for having a modular form, while had 2 more significant features: the Tor service that was used for its exchange of messages across the network, and an AT protocol which a plugin of the spying attack used for fingerprinting of GSM devices. Consequent of these features, the security investigators feel fit to call the interface "Attor."

Malware researcher Zuzana Hromcova at ESET says the Attor attackers are concentrating on government institutions and diplomatic missions. According to her, the attacks, going on from 2013, bear an extremely targeted nature when culling Internauts who use Russian services, in particular people who're cautious of maintaining their privacy. www.infosecurity-magazine.com posted this, October 10, 2019.

Furthermore, like most malware there's certain modularized structure in Attor, but the sophistication in it is the way it conceals the modules with encryption, that's very rare, as also seen within malicious software that normally nation-sponsored hacker syndicates create.

Importantly, Attor utilizes a number of other tricks for concealing its messages so that no security product or end-user can see them.

First, its command-and-control server uses Tor which is used for maintaining non-traceability and anonymity.

Second, every plugin associated with network communication is solely activated when it runs during any web-browser process alternatively any IM app process else any other network application. The trick conceals network communication associated with data exfiltration within many genuine communications which that particular app makes, thereby reducing users' suspicion.

The fingerprinting, which Attor enables of GSM appliances, depicts its uniqueness; therefore, the feature is likely to get utilized for stealing even more data.

» SPAMfighter News - 10/17/2019