ATTOR is a previously unreported espionage platform used in targeted attacks, focusing on diplomatic missions and governmental institutions. Its most interesting features are a complex modular architecture, elaborate network communication and a unique plugin to fingerprint GSM devices.

Highly targeted, with only a few dozen victims affected, ATTOR specifically searches for TrueCrypt-protected hard drives and the processes of specific VPN applications. This suggests the attackers have a special interest in privacy-conscious users. ATTOR is also apparently focused on Russian targets.

The malware's core – its dispatcher – serves as a management unit for additional plugins, and provides an interface for the plugins to call Windows API and cryptographic functions indirectly.

Plugins themselves are tightly interdependent, with network communication alone being spread across four different components, each implementing a different layer, allowing ATTOR to communicate with its FTP C&C server residing in an onion domain. A customized Tor client is used for communication, and the overall setup makes it impossible to analyze the communication unless all pieces of the puzzle have been collected.

The capabilities of ATTOR rely on the plugins, which allow the attackers to customize the platform per victim. The most notable plugin is able to detect connected GSM/GPRS modems or mobile devices; this allows ATTOR to speak to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber.

In this presentation we will dissect this espionage platform, focusing on its GSM fingerprinting capability. We will look into the affected devices and explore further implications of misusing AT commands. We will document the platform architecture, especially the network communication workflow. We will also discuss the campaign, and its focus on high-profile and privacy-conscious users.