BleepingComputer cybersecurity experts: The malware group submitted a ZIP archive with the decryptors to VirusTotal and now it plans to switch to cryptojacking.
ESET cyber security experts discover Attor, a new cyber espionage platform with a GSM plugin that uses the AT command protocol and Tor for its network communications
A new cyber espionage platform with a complex architecture has been discovered by ESET cyber security experts. It’s dubbed Attor. It hosts measures to make detection and analysis more difficult and two notable features: a GSM plugin that uses the AT command protocol, and Tor for its network communications. The company’s researchers were able to trace Attor’s operation back to at least 2013, yet they only identified a few dozen victims. Despite that, experts learned more about the intended victims by analyzing artifacts in the malware. For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. But only certain are targeted: those with specific substrings in the process name or window title.
The targets are Russian-speakers, and Eastern Europe diplomatic missions and governmental institutions
According to the cyber security experts – besides standard services such as popular web browsers, instant messaging applications and email services – Attor targets applications that contain several Russian services. The list includes the two most popular social networks in Russia (Odnoklassniki, VKontakte) and a VoIP service provided by a Russian telecom operator (Multifon). For ESET the cyber espionage platform is specifically targeting Russian-speakers, which is further supported by the fact that most of the targets are located in Russia. Other targets are located in Eastern Europe, and they include diplomatic missions and governmental institutions. In addition to its geographical and language targeting, Attor’s creators appear to be specifically interested in users concerned about their privacy. The platform is configured to capture screenshots of encryption/digital signature utilities, the VPN service HMA, end‑to‑end encryption email services Hushmail and The Bat!, and the disk encryption utility TrueCrypt.