
Skipper

Posted: June 13, 2019

Skipper is a backdoor Trojan deployed in attacks by the Turla APT, a threat actor with suspected Russian state sponsorship. Its roles include reconnaissance of the compromised PC and, where the attackers choose, dropping other threats. Automated defenses such as anti-malware products are critical to deleting Skipper safely, since the Trojan operates in stealth and does not display any files or processes openly.

Trojans Skipping through Security with a Browser's Help

The Turla APT is a group of hackers that is unlikely to go away soon, and its Russia-based espionage campaigns are of particular concern to anyone working at a diplomatic embassy or in related governmental affairs. In state-sponsored cyber-warfare, attacks tend to be segregated into multiple steps, with various stages of compromise before unloading a threat like PowerStallion, the Microsoft Exchange-exploiting LightNeuron, or Gazer. These threats are some of the possibilities arising from infections with Skipper, a first-stage backdoor Trojan.

Skipper differs from Gazer, another backdoor Trojan in the same hacking group's kit, in being one of the first programs that an attack installs. These infection strategies, like most espionage-related activities, employ either spear-phishing through e-mail attachments and links, or 'watering hole' attacks that compromise websites in order to infect targeted visitors. One of Skipper's most memorable installer exploits used a Firefox 'HTML Encoding' extension in 2016.

After gaining persistence, Skipper collects some system information and uploads it to the threat actor's server. At that point, the attackers decide whether to escalate the infection, such as by using Skipper to drop other Trojans like Gazer, Carbon, or Kazuar, or to ignore the target as uninteresting. Thus, Skipper's ultimate payload and the consequences of infection encompass giving remote attackers control over the system's files and settings, as well as possibilities like information collection.

A Skip Away from Adequate Online Safety

While some state-sponsored hacking tools leak into the wild and end up with other threat actors, Skipper is, so far, held uniquely within the Turla APT's grasp. This history makes its infection methods somewhat predictable, since reliable strategies for compromising targets like NGOs and government servers center on the e-mail and website-based ones noted previously. Malware analysts suggest following these security guidelines, if you aren't already:

  • While browsing the Web, disabling some types of exploitable content will leave your browser less at risk from attacks. Such features include Java, JavaScript, Flash, pop-ups and advertisements.
  • Workers should strive to identify possible phishing templates and avoid the links and attached files that they carry. Most of them use content relevant to the industry or mission scope of the target entity and may include articles that the threat actors collect from other sources, such as military contractors.
  • Networks should use appropriate configuration options, such as up-to-date software and non-default, complex passwords. These choices will remove many exploits from the range of the Turla APT's tools and keep brute-force attempts from succeeding.

Threats related to Skipper infections use techniques such as memory injection to hide themselves from attentive users. Automated anti-malware products may delete Skipper, but their databases should be up-to-date first, since Skipper sees regular re-deployment and may receive updates along with it.

A reasonable amount of thorough information about both Skipper and the Trojans it enables is available to the public at large. However, knowing what's compromising your security isn't the same as undoing any theft or other injury that Skipper infections can cause, purely due to one worker's absentminded click.
