Attor: spy platform with curious GSM fingerprinting

Thursday 3 October 09:30 - 10:00, Green room

Zuzana Hromcová (ESET)



Attor is a previously unreported cyber espionage platform that has been used in targeted attacks since 2014, focusing on diplomatic missions and governmental institutions. Its most interesting features are a complex modular architecture, elaborate network communication, and a unique plug-in to fingerprint GSM devices.

Highly targeted, with only a few dozen victims affected, Attor searches specifically for TrueCrypt-protected hard drives and the processes of specific VPN applications. This suggests that the attackers have a special interest in security-conscious users. Furthermore, Attor’s operators are apparently focused on Russian targets.

The malware’s core lies in its dispatcher, which serves as a management and synchronization unit for additional plug-ins. It also provides an interface for the plug-ins to call Windows APIs and cryptographic functions indirectly.

The plug-ins themselves are heavily synchronized, with network communication alone being spread across four different components, each implementing a different layer, allowing the malware to communicate with its FTP C&C server residing in an onion domain. TOR is used for communication, aiming for anonymity and lack of traceability, and the overall setup makes it impossible to analyse the communication unless all pieces of the puzzle have been collected.

The capabilities of Attor rely on the plug-ins, which allow the attackers to customize the platform per victim. The most notable plug-in is able to detect connected GSM/GPRS modems or mobile devices; this allows Attor to speak to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plug-ins provide persistence, an exfiltration channel, and more common spyware capabilities.

In this presentation we will dissect this cyber espionage platform, focusing on the architecture and the network communication workflow. We will document the functionality of the available plug-ins and review the many techniques Attor uses in its attempts to evade detection and analysis. We will also discuss the campaign, and its focus on high-profile and security-conscious targets.


Zuzana Hromcová

Zuzana Hromcová is a reverse engineer, working at ESET since 2016. She is a part of the malware research team, providing detailed analyses of ongoing malicious campaigns and reporting on them. She is a regular speaker at local events, helping spread awareness about information security among students.

Zuzana recently earned her Master's degree in computer science from Comenius University in Bratislava, having graduated with honours. She majored in computer security, concluding her studies with a thesis dealing with securing a Linux desktop environment using SELinux mechanisms.

