ATTOR: Spy platform with curious GSM fingerprinting

Zuzana Hromcova/ESET

ATTOR is a previously unreported cyberespionage platform used in targeted attacks since 2014, focusing on diplomatic missions and governmental institutions. Its most interesting features are a complex modular architecture, elaborate network communication and a unique plugin to fingerprint GSM devices.

Highly targeted, with only a few dozen victims affected, ATTOR specifically searches for TrueCrypt-protected hard drives and the processes of specific VPN applications. This suggests the attackers have a special interest in security-conscious users. Furthemore, ATTOR’s operators are also apparently focused on Russian targets.

The malware’s core lies in its dispatcher, which serves as a management and synchronization unit for additional plugins. It also provides an interface for the plugins to call Windows API and cryptographic functions indirectly.

Plugins themselves are heavily synchronized, with network communication alone being spread across four different components, each implementing a different layer, allowing the malware to communicate with its FTP C&C server residing in an onion domain. TOR is used for communication, aiming for anonymity and untraceability, and the overall setup makes it impossible to analyze the communication unless all pieces of the puzzle have been collected.

The capabilities of ATTOR rely on the plugins, which allow the attackers to customize the platform per victim. The most notable plugin is able to detect connected GSM/GPRS modems or mobile devices; this allows ATTOR to speak to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, and more common spyware capabilities.

In this presentation we will dissect this cyberespionage platform, focusing on the architecture and the network communication workflow. We will document functionality of the available plugins and review the many techniques ATTOR uses in its attempts to evade detection and analysis. We will also discuss the campaign, and its focus on high-profile and security-conscious targets.

November 8 at 15:30 - 16:00, Stage A

Zuzana Hromcová is a reverse engineer, working at ESET since 2016. She is a part of the malware research team, providing detailed analyses of ongoing malicious campaigns and reporting on them. She is a regular speaker at local events, helping spreading awareness about information security among students.

Zuzana is a recent master graduate of Computer Science from Comenius University in Bratislava, having graduated with honors. She majored in computer security, concluding her studies with a thesis dealing with securing a Linux desktop environment using SELinux mechanisms.