
Attor

Posted: October 14, 2019

Attor is a spyware toolkit that targets mobile devices exclusively. Cybersecurity researchers suspect that the Attor malware has been used for many years, but it was only spotted recently because of the nature of its targets: high-profile diplomatic and government figures, often with links to the Russian government. The low infection count, paired with Attor's modular design, has allowed its operators to keep their operation under the radar for several years, and it is not clear how much information they have managed to collect during this period. Although the majority of Attor's victims are in Russia, there have been several cases in which devices in Eastern Europe were also planted with the Attor spy kit.

Attor Originates from Russia and Packs Interesting Features

The modular design of the Attor malware toolkit is certainly one of the most intriguing features of this project. It allows the attackers to tailor each sample of their malware to their needs for a particular target, which makes the Attor malware extremely lightweight and minimizes the traces it leaves behind. Furthermore, some of Attor's modules are very interesting: it has a GSM fingerprinting component that makes use of the Hayes command set (AT commands), which was first put to use in the 1980s. These commands were originally used to control modems and phones, and they are still broadly supported today, just not used that often. The use of AT commands may allow the Attor malware to bypass certain security mechanisms and collect more information than it should have access to. The tailored versions of the Attor malware reveal that the attackers are likely to have performed reconnaissance operations to learn more about their targets' devices and maximize the efficiency of their attack.
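The fingerprinting described above works by issuing the standard identification queries from the Hayes/3GPP AT command set (manufacturer, model, firmware revision, IMEI, IMSI) to a phone or modem attached to the host. From a defender's side, that burst of identity queries is a recognisable pattern. The following is an added example, not code from the original page nor from the Attor toolkit: a small Python detector that parses a constructed serial/modem session log, extracts the commands sent by the host, and flags a session that enumerates several identity attributes in a row. The log line format (`timestamp TX|RX text`), the sample values and the alert threshold are assumptions for illustration.

```python
"""Detect AT-command device fingerprinting in a captured serial/modem session log.

Added example (not from the original page or from the Attor authors): a small
detector that scans a constructed modem log for the standard 3GPP TS 27.007
identification queries an implant would issue to fingerprint a connected GSM
device. The log format and the alert threshold are assumptions for illustration.
"""
import re
from collections import Counter

# Standard identification queries from the Hayes command set / 3GPP TS 27.007.
# Each one returns data that identifies the device or its subscriber.
IDENTITY_QUERIES = {
    "AT+CGMI": "manufacturer",
    "AT+CGMM": "model",
    "AT+CGMR": "firmware revision",
    "AT+CGSN": "serial number / IMEI",
    "AT+CIMI": "subscriber identity (IMSI)",
    "ATI": "product identification",
}

# Constructed sample log: lines are "<timestamp> <direction> <text>", where
# direction is TX (host -> modem) or RX (modem -> host). All values are made up.
SAMPLE_LOG = """\
2019-10-14T09:12:01 TX AT
2019-10-14T09:12:01 RX OK
2019-10-14T09:12:02 TX AT+CGMI
2019-10-14T09:12:02 RX ExampleVendor
2019-10-14T09:12:02 RX OK
2019-10-14T09:12:03 TX AT+CGMM
2019-10-14T09:12:03 RX EX-1000
2019-10-14T09:12:03 RX OK
2019-10-14T09:12:04 TX AT+CGSN
2019-10-14T09:12:04 RX 000000000000000
2019-10-14T09:12:04 RX OK
2019-10-14T09:12:05 TX AT+CIMI
2019-10-14T09:12:05 RX 000000000000000
2019-10-14T09:12:05 RX OK
2019-10-14T09:12:09 TX ATD*99#
2019-10-14T09:12:09 RX CONNECT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<dir>TX|RX)\s+(?P<text>.*)$")


def parse_log(text):
    """Yield (timestamp, direction, payload) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("dir"), m.group("text").strip()


def host_commands(records):
    """Return the AT commands sent by the host, normalised to upper case.

    Parameters and the '?' read form are stripped, so 'AT+CGSN=1' and
    'AT+CGSN?' both map to 'AT+CGSN'."""
    cmds = []
    for _, direction, payload in records:
        if direction != "TX":
            continue
        base = re.split(r"[=?]", payload.upper(), maxsplit=1)[0]
        cmds.append(base)
    return cmds


def fingerprinting_findings(log_text, threshold=3):
    """Flag a session that issues at least `threshold` distinct identity queries.

    Returns {"flagged": bool, "queries": {command: description}}.
    The threshold is an assumption: a lone AT+CGMI is routine, but a burst that
    enumerates manufacturer, model, IMEI and IMSI is the fingerprinting pattern
    worth alerting on."""
    seen = Counter(host_commands(parse_log(log_text)))
    hits = {c: IDENTITY_QUERIES[c] for c in seen if c in IDENTITY_QUERIES}
    return {"flagged": len(hits) >= threshold, "queries": hits}


if __name__ == "__main__":
    result = fingerprinting_findings(SAMPLE_LOG)
    print("flagged:", result["flagged"])
    for cmd, what in sorted(result["queries"].items()):
        print(f"  {cmd:<8} -> {what}")
```

On the constructed log the session is flagged because four distinct identity queries (AT+CGMI, AT+CGMM, AT+CGSN, AT+CIMI) appear, while a session that only probes with `AT` and dials out is not. In practice the same logic can be applied to whatever telemetry captures serial-port writes on the host, and the threshold tuned against the commands legitimate software on the machine actually issues.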

The full extent of Attor's features is not yet clear, but the threat can collect hardware and software information about the infected device, enumerate applications and processes, record audio, take screenshots of various applications and much more. Its authors also appear to emphasize spying on TrueCrypt, VPN applications, secure mail applications and secure Web browsers.

Attor's Authors Focus on a Modular Design and Complicated Backbone Network Infrastructure

The network infrastructure behind the Attor malware is not simple either: the threat's operators have opted to use a complicated system of Tor servers and domains for the individual components of their malware. This makes it very hard to track the threat's activity, since researchers would need to identify every part of the network to collect the data necessary to track the operation.

The Attor malware appears to have been used in two major campaigns: one from 2018, and one from 2013, which is likely to have been the first use of this malware family. Because of the low infection count and the covert actions of the group's members, it is difficult to determine the infection vectors used to reach Attor's targets. However, the complexity of the infrastructure, the modular design of the threat and the carefully selected targets guarantee that this is the product of a high-profile threat actor.
