ESET researchers discover Attor, a spy platform with GSM fingerprinting

Next story

Attor targets governments and diplomats in Eastern Europe; as well as users of Russian social networks concerned about online privacy

BRATISLAVA - ESET researchers have uncovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe. Analysis shows that these attacks were conducted using a previously unreported cyberespionage platform. The platform is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Due to these features, ESET researchers named the platform “Attor.”

“The attackers who use Attor are focusing on diplomatic missions and governmental institutions. These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy,” says Zuzana Hromcová, the ESET malware researcher who conducted the analysis.

Attor has a modular architecture: It consists of a dispatcher and loadable plugins that rely on the dispatcher for implementing basic functionalities. These plugins are delivered to the compromised computer as encrypted DLLs. They are only fully recovered in memory. “As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” explains Hromcová.

Attor targets specific processes —among these, processes associated with Russian social networks and some encryption/digital signature utilities; the VPN service HMA; end-to-end encryption email services Hushmail and The Bat!; and disk encryption utility TrueCrypt.

The victim’s usage of TrueCrypt is further inspected in another part of Attor. “The way Attor determines the TrueCrypt version is unique. Attor uses TrueCrypt-specific control codes to communicate with the application, which shows that the authors of the malware must understand the open-source code of the TrueCrypt installer. We are not aware of this technique having been documented before,” comments Hromcová.

Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices. To ensure anonymity and untraceability, Attor uses Tor: Onion Service Protocol, with an onion address for its C&C server.

Attor’s infrastructure for C&C communications spans four components — the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” explains Hromcová.

The most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected storage drives, as well as information about files present on these drives. According to ESET researchers, of primary interest is the fingerprinting of GSM devices connected to the computer via a serial port. Attor uses so-called “AT commands” to communicate with the device and retrieve identifiers — among others, IMSI, IMEI, MSISDN and software version.

“Unknown to many people these days, AT commands, which were originally developed in the 1980s to command modems, are still in use in most modern smartphones,” explains Hromcová.

Among possible reasons for Attor to use AT commands is that the platform targets modems and older phones. Alternatively, it may be used to communicate with some specific devices. Possibly, the attackers learn about a victim’s use of these devices using some other reconnaissance techniques.

“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able — using AT commands — to steal data from that device and make changes in it, including changing the device’s firmware,” concludes Hromcová.

For more details, read the blog post, “AT commands, TOR-based communications: Meet Attor, a fantasy creature and also a spy platform,” on WeLiveSecurity and find the whitepaper here. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single ‘in-the-wild’ malware without interruption since 2003. For more information, visit or follow us on LinkedInFacebook and Twitter.