Attor

Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013.

Attor is a Windows malware family.

Background

Attor is a cyberespionage platform that has been deployed in targeted operations against diplomatic missions and government bodies since at least 2013. What makes it stand out is its intricate modular design, its sophisticated network communications, and a one-of-a-kind plugin for fingerprinting GSM/GPRS devices.

At the heart of Attor is a dispatcher that acts as a controller for additional plugins, which together deliver all of the malware's primary functionality, letting the operators tailor the platform to each individual victim. The plugins are tightly synchronized with one another, and network traffic runs over Tor to preserve anonymity and avoid being traced.

Its most remarkable plugin can identify attached GSM/GPRS modems or mobile devices. Attor communicates with them directly via the AT command set to gather sensitive details such as IMEI, IMSI, or MSISDN numbers, potentially identifying both the device and its subscriber. Further plugins handle persistence, exfiltration, C&C communication, and various other spying tasks. The screen-capture plugin specifically focuses on social networks and blogging sites, email services, office applications, archiving tools, and file-sharing and messaging services.


Source: Malpedia (Fraunhofer FKIE).