Attor: spy platform with curious GSM fingerprinting

Presented at VB2019, Oct. 3, 2019, 9:30 a.m. (30 minutes).

Attor is a previously unreported cyber espionage platform that has been used in targeted attacks since 2014, focusing on diplomatic missions and governmental institutions. Its most interesting features are a complex modular architecture, elaborate network communication, and a unique plug-in to fingerprint GSM devices. Highly targeted, with only a few dozen victims affected, Attor searches specifically for TrueCrypt-protected hard drives and the processes of specific VPN applications. This suggests that the attackers have a special interest in security-conscious users. Furthermore, Attor's operators are apparently focused on Russian targets. The malware's core lies in its dispatcher, which serves as a management and synchronization unit for additional plug-ins. It also provides an interface for the plug-ins to call Windows APIs and cryptographic functions indirectly. The plug-ins themselves are heavily synchronized, with network communication alone being spread across four different components, each implementing a different layer, allowing the malware to communicate with its FTP C&C server residing in an onion domain. Tor is used for communication, aiming for anonymity and lack of traceability, and the overall setup makes it impossible to analyse the communication unless all pieces of the puzzle have been collected. The capabilities of Attor rely on the plug-ins, which allow the attackers to customize the platform per victim. The most notable plug-in is able to detect connected GSM/GPRS modems or mobile devices; this allows Attor to speak to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plug-ins provide persistence, an exfiltration channel, and more common spyware capabilities. In this presentation we will dissect this cyber espionage platform, focusing on the architecture and the network communication workflow. We will document the functionality of the available plug-ins and review the many techniques Attor uses in its attempts to evade detection and analysis. We will also discuss the campaign, and its focus on high-profile and security-conscious targets.

Presenters:

  • Zuzana Hromcová - ESET
    Zuzana Hromcová is a reverse engineer, working at ESET since 2016. She is a part of the malware research team, providing detailed analyses of ongoing malicious campaigns and reporting on them. She is a regular speaker at local events, helping spread awareness about information security among students. Zuzana recently earned her Master's degree in computer science from Comenius University in Bratislava, having graduated with honours. She majored in computer security, concluding her studies with a thesis dealing with securing a Linux desktop environment using SELinux mechanisms.
