Cyber-espionage group Turla (a.k.a. Snake) now uses Gmail web interface for command and control, ESET discovers

Next story

Bratislava, Montreal, May 26, 2020 – ESET researchers have uncovered a new version of one of the oldest malware families run by the Turla group, the ComRAT backdoor. Turla, also known as Snake, is an infamous cyber-espionage group that has been active for more than ten years. The most interesting feature of the updated backdoor is its use of the Gmail web UI to receive commands and exfiltrate data. ComRAT steals sensitive documents, and since 2017 it has attacked at least three governmental institutions. ESET has found indications that this latest version of ComRAT was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.

The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. The malware operators used public cloud services such as OneDrive and 4shared to exfiltrate data. Turla’s latest backdoor can perform many other actions on compromised computers, such as executing additional programs and exfiltrating files.

The fact that the attackers try to evade security software is concerning. “This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explains Matthieu Faou, who has investigated the infamous group for several years. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain,” says Faou.

The backdoor upgrade was first discovered by ESET in 2017. It uses a completely new code base and is far more complex than its predecessors. The most recent iteration of the backdoor that ESET researchers have seen was compiled in November of last year.

“Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” says Faou.

ComRAT, also known as Agent.BTZ, is a malicious backdoor that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives.

For more technical details of ComRAT and a full and comprehensive list of Indicators of Compromise (IoCs), please read the full ESET white paper “From Agent.BTZ to ComRAT v4: a ten year journey” on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news from ESET Research.


About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedInFacebook, and Twitter.