Skip to content

S0168 Gazer

Gazer is a backdoor used by Turla since at least 2016. 1

Item Value
ID S0168
Associated Names WhiteBear
Version 1.2
Created 16 January 2018
Last Modified 04 December 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
WhiteBear The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. 23

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Gazer communicates with its C2 servers over HTTP.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Gazer can establish persistence by creating a .lnk file in the Start menu.12
enterprise T1547.004 Winlogon Helper DLL Gazer can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.1
enterprise T1547.009 Shortcut Modification Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.12
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Gazer uses custom encryption for C2 that uses 3DES.12
enterprise T1573.002 Asymmetric Cryptography Gazer uses custom encryption for C2 that uses RSA.12
enterprise T1546 Event Triggered Execution -
enterprise T1546.002 Screensaver Gazer can establish persistence through the system screensaver by configuring it to execute the malware.1
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Gazer has commands to delete files and persistence mechanisms from the victim.12
enterprise T1070.006 Timestomp For early Gazer versions, the compilation timestamp was faked.1
enterprise T1105 Ingress Tool Transfer Gazer can execute a task to download a file.12
enterprise T1027 Obfuscated Files or Information Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.2
enterprise T1055 Process Injection Gazer injects its communication module into an Internet accessible process through which it performs C2.12
enterprise T1055.003 Thread Execution Hijacking Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.12
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Gazer can establish persistence by creating a scheduled task.12
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for “Solid Loop Ltd,” and another was issued for “Ultimate Computer Support Ltd.”12
enterprise T1033 System Owner/User Discovery Gazer obtains the current user’s security identifier.2

Groups That Use This Software

ID Name References
G0010 Turla 1