Pulse: Gazing at Gazer - Turla's new second stage backdoor
TLP: WHITE | Adversary: Turla Group | Author: AlienVault | Created: 2017-08-30 | Modified: 2019-01-14
78 IOCs
Many domains in this report are compromised domains; traffic to them is not necessarily malicious, so match on the full URL path rather than on the host alone. Herein we release our analysis of a previously undocumented backdoor. Its use against embassies and consulates around the world leads us to attribute it, with high confidence, to the Turla group. Turla is a notorious group that has been targeting governments, government officials and diplomats for years. They are known to run watering hole and spearphishing campaigns to better pinpoint their targets. Although this backdoor has been actively deployed since at least 2016, it had not been documented anywhere. Based on strings found in the samples we analyzed, we have named this backdoor "Gazer".
Indicators of Compromise (78)
TYPE | INDICATOR | DESCRIPTION | CREATED
hostname kennynguyen.esy.es 2017-08-30
hostname chagiocaxuanson.esy.es 2017-08-30
URL http://kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/ 2017-08-30
URL http://chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ 2017-08-30
YARA 8cf8708adef1860dd31af3834be0d14e0ac5b211 2017-08-30
YARA ab79c3c748d7aa5cb7b7eaf8603d8efff833af06 2017-08-30
URL http://169.255.137.203/rss_0.php 2017-08-30
URL http://217.171.86.137/config.php 2017-08-30
URL http://217.171.86.137/rss_0.php 2017-08-30
URL http://ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php 2017-08-30
URL http://baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php 2017-08-30
URL http://daybreakhealthcare.co.uk/wp-includes/themees.php 2017-08-30
URL http://dyskurs.com.ua/wp-admin/includes/map-menu.php 2017-08-30
URL http://giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php 2017-08-30
URL http://hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php 2017-08-30
URL http://outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php 2017-08-30
URL http://shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php 2017-08-30
URL http://simplecreative.design/wp-content/plugins/calculated-fields-form/single.php 2017-08-30
URL http://soligro.com/wp-includes/pomo/db.php 2017-08-30
URL http://sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/ 2017-08-30
URL http://tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php 2017-08-30
URL http://warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php 2017-08-30
URL http://weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php 2017-08-30
URL http://www.aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php 2017-08-30
URL http://zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe. 2017-08-30
URL http://zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php 2017-08-30
hostname ales.ball-mill.es 2017-08-30
hostname baby.greenweb.co.il 2017-08-30
hostname hotnews.16mb.com 2017-08-30
FileHash-SHA1 029aa51549d0b9222db49a53d2604d79ad1c1e59 2017-08-30
FileHash-SHA1 0f97f599fab7f8057424340c246d3a836c141782 2017-08-30
FileHash-SHA1 11b35320fb1cf21d2e57770d8d8b237eb4330eaa 2017-08-30
FileHash-SHA1 22542a3245d52b7bcdb3eaef5b8b2693f451f497 2017-08-30
FileHash-SHA1 228da957a9ed661e17e00efba8e923fd17fae054 2017-08-30
FileHash-SHA1 23f1e3be3175d49e7b262cd88cfd517694dcba18 2017-08-30
FileHash-SHA1 267f144d771b4e2832798485108decd505cb824a 2017-08-30
FileHash-SHA1 27fa78de705ebaa4b11c4b5fe7277f91906b3f92 2017-08-30
FileHash-SHA1 295d142a7bdced124fdcc8edfe49b9f3acceab8a 2017-08-30
FileHash-SHA1 2b9faa8b0fcadac710c7b2b93d492ff1028b5291 2017-08-30
FileHash-SHA1 35f205367e2e5f8a121925bbae6ff07626b526a7 2017-08-30
FileHash-SHA1 37ff6841419adc51eeb8756660b2fb46f3eb24ed 2017-08-30
FileHash-SHA1 3944253f6b7019eed496fad756f4651be0e282b4 2017-08-30
FileHash-SHA1 411ef895fe8dd4e040e8bf4048f4327f917e5724 2017-08-30
FileHash-SHA1 4701828dee543b994ed2578b9e0d3991f22bd827 2017-08-30
FileHash-SHA1 475c59744accb09724dae610763b7284646ab63f 2017-08-30
FileHash-SHA1 4b6ef62d5d59f2fe7f245dd3042dc7b83e3cc923 2017-08-30
FileHash-SHA1 522e5f02c06ad215c9d0c23c5a6a523d34ae4e91 2017-08-30
FileHash-SHA1 52f6d09cccdbc38d66c184521e7ccf6b28c4b4d9 2017-08-30
FileHash-SHA1 5838a51426ca6095b1c92b87e1be22276c21a044 2017-08-30
FileHash-SHA1 63c534630c2ce0070ad203f9704f1526e83ae586 2017-08-30
FileHash-SHA1 6dec3438d212b67356200bbac5ec7fa41c716d86 2017-08-30
FileHash-SHA1 6fd611667ba19691958b5b72673b9b802edd7ff8 2017-08-30
FileHash-SHA1 75831df9cbcfd7bf812511148d2a0f117324a75f 2017-08-30
FileHash-SHA1 795c6ee27b147ff0a05c0477f70477e315916e0e 2017-08-30
FileHash-SHA1 7a6f1486269abdc1d658db618dc3c6f2ac85a4a7 2017-08-30
FileHash-SHA1 7ced96b08d7593e28fee616eccbc6338896517cf 2017-08-30
FileHash-SHA1 7f54f9f2a6909062988ae87c1337f3cf38d68d35 2017-08-30
FileHash-SHA1 7fac4fc130637afab31c56ce0a01e555d5dea40d 2017-08-30
FileHash-SHA1 8184ad9d6bbd03e99a397f8e925fa66cfbe5cf1b 2017-08-30
FileHash-SHA1 950f0b0c7701835c5fbdb6c5698a04b8afe068e6 2017-08-30
FileHash-SHA1 9e6de3577b463451b7afce24ab646ef62ad6c2bd 2017-08-30
FileHash-SHA1 9ff4f59ca26388c37d0b1f0e0b22322d926e294a 2017-08-30
FileHash-SHA1 a5eec8c6aadf784994bf68d9d937bb7af3684d5c 2017-08-30
FileHash-SHA1 b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab 2017-08-30
FileHash-SHA1 b548863df838069455a76d2a63327434c02d0d9d 2017-08-30
FileHash-SHA1 bae3ae65c32838fb52a0f5ad2cde8659d2bff9f3 2017-08-30
FileHash-SHA1 c1288df9022bcd2c0a217b1536dfa83928768d06 2017-08-30
FileHash-SHA1 c380038a57ffb8c064851b898f630312fabcbba7 2017-08-30
FileHash-SHA1 c3e6511377dfe85a34e19b33575870dda8884c3c 2017-08-30
FileHash-SHA1 cecc70f2b2d50269191336219a8f893d45f5e979 2017-08-30
FileHash-SHA1 dbb185e493a0fdc959763533d86d73f986409f1b 2017-08-30
FileHash-SHA1 e05ab6978c17724b7c874f44f8a6cbfb1c56418d 2017-08-30
FileHash-SHA1 e40bb5beec5678537e8fe537f872b2ad6b77e08a 2017-08-30
FileHash-SHA1 e8a2bad87027f2bf3ecae477f805de13fccc0181 2017-08-30
FileHash-SHA1 fcabeb735c51e2b8eb6fb07bda8b95401d069bd8 2017-08-30
IPv4 169.255.137.203 2017-08-30
IPv4 217.171.86.137 2017-08-30
email admin@solidloop.org 2017-08-30
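The table above is flat text, and its caveat about compromised domains means a host-only match is weak evidence while a full-path match is strong. The following Python is an added example, not part of the pulse or of AlienVault's tooling: it parses rows in the pulse's row format into typed indicators, then grades proxy log hits as "high" when the full URL (or a directory indicator prefix) matches and "low" when only the host or IP matches. The row subset and the proxy log lines embedded below are constructed for the example; the proxy log format (timestamp, client, method, URL) is an assumption.

```python
"""Parse OTX-style IOC rows and grade proxy-log hits by match strength.

Added example; not code from the pulse. PULSE_ROWS is a subset of the
rows above, SAMPLE_LOG and its format are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Subset of rows from the pulse, copied verbatim (type, value, created).
PULSE_ROWS = """\
hostname kennynguyen.esy.es 2017-08-30
URL http://kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/ 2017-08-30
URL http://217.171.86.137/config.php 2017-08-30
URL http://soligro.com/wp-includes/pomo/db.php 2017-08-30
FileHash-SHA1 029aa51549d0b9222db49a53d2604d79ad1c1e59 2017-08-30
IPv4 217.171.86.137 2017-08-30
email admin@solidloop.org 2017-08-30
"""

# Constructed proxy log: timestamp client method url (assumed format).
SAMPLE_LOG = """\
2017-09-01T10:00:01Z 10.0.0.5 GET http://kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/reader.php
2017-09-01T10:00:02Z 10.0.0.6 GET http://kennynguyen.esy.es/index.php
2017-09-01T10:00:03Z 10.0.0.7 GET http://example.org/
2017-09-01T10:00:04Z 10.0.0.8 POST http://217.171.86.137/config.php
"""

ROW_RE = re.compile(r"^(?P<type>\S+)\s+(?P<value>\S+)\s+(?P<created>\d{4}-\d{2}-\d{2})$")


def parse_rows(text):
    """Return (type, value, created) tuples; lines not in row format are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["type"], m["value"], m["created"]))
    return rows


def build_matcher(indicators):
    """Split indicators into full-URL matches (host, path) and host-only matches.

    Hosts of URL indicators are added to the host set too, because the pulse
    lists explicit hostname rows for only some of the compromised sites.
    """
    urls, hosts = set(), set()
    for typ, value, _created in indicators:
        if typ == "URL":
            u = urlsplit(value)
            urls.add((u.hostname.lower(), u.path))
            hosts.add(u.hostname.lower())
        elif typ in ("hostname", "domain", "IPv4"):
            hosts.add(value.lower())
    return urls, hosts


def classify(url, urls, hosts):
    """'high' on a full-URL match, 'low' on host/IP only, else 'none'."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    for ind_host, ind_path in urls:
        if host != ind_host:
            continue
        # Exact file match, or directory indicator (trailing slash) as prefix.
        if u.path == ind_path or (ind_path.endswith("/") and u.path.startswith(ind_path)):
            return "high"
    if host in hosts:
        return "low"   # compromised domain: visit may be benign, needs path context
    return "none"


def scan_log(log_text, urls, hosts):
    """Return (client, url, confidence) for every log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        conf = classify(parts[3], urls, hosts)
        if conf != "none":
            hits.append((parts[1], parts[3], conf))
    return hits


if __name__ == "__main__":
    u, h = build_matcher(parse_rows(PULSE_ROWS))
    for client, url, conf in scan_log(SAMPLE_LOG, u, h):
        print(f"{conf:4} {client} {url}")
```

Only the "high" hits deserve an immediate response; "low" hits on a WordPress host that is itself a victim are a lead to pivot on (which path, which client, what followed), not a verdict.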