At the beginning of the year, a curious piece of malware came to our attention. An analyst in our virus laboratory noticed that it was communicating with a domain belonging to the government of Georgia to retrieve updates.
Analysis revealed that this malware is an information stealing trojan and is being used to target Georgian nationals in particular. We were also able to gain access to the control panel of the threat, revealing the extent and the intent of this operation.
We present our findings in this document. It should also be noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, in parallel to their own – still ongoing – monitoring, have cooperated with ESET on this matter.
The Win32/Georbot malware has the following functionalities for stealing information from an infected system:
- Send any file from the local hard drive to the remote server
- Steal certificates
- Search the hard drive for Microsoft Word documents
- Search the hard drive for remote desktop configuration files
- Take screenshots
- Record audio using the microphone
- Record video using the webcam
- Scan the local network to identify other hosts on the same network
- Execute arbitrary commands on the infected system
ESET's conclusion that unsophisticated attacks must not be state-sponsored misses the point, I think. Given the cyber activities of pro-Kremlin youth groups in Russia, I wouldn't be surprised if this were conducted by a similar group. Are they military-trained cyber warriors? No, but they are pro-state and are supported in a number of ways.