Turla APT group beefs up cyber attack tool

guest · May 29, 2019

Turla APT group beefs up cyber attack tool
May 29, 2019
https://www.computerweekly.com/news/252464138/Turla-APT-group-beefs-up-cyber-attack-tool

New PowerShell-based tools used by the Turla cyber espionage group improve the group’s persistence and stealth capabilities, according to researchers at cyber security firm Eset.

Recently, Eset researchers detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts.
“It is likely the same scripts are used globally against other traditional Turla targets,” said Eset researcher Matthieu Faou.

Among the payloads recently used by Turla, he said two stand out. First is a whole set of backdoors relying on the RPC protocol. These backdoors, said Faou, are used to perform lateral movement and take control of other machines in the local network without relying on an external C&C server. Second is PowerStallion, a lightweight PowerShell backdoor using OneDrive as a C&C server.

“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” said Faou.
Click to expand...

ESET: A dive into Turla PowerShell usage

guest · Jul 15, 2019

Turla renews its arsenal with Topinambour
July 15, 2019
https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/

2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but they’re creating new tools.
The new modules were used in an active campaign that started at the beginning of 2019. As usual, the actor targeted governmental entities. The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan. Moreover, this actor now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak.
How Topinambour spreads
To deliver all this to targets, the operators use legitimate software installers infected with the Topinambour dropper. These could be tools to circumvent internet censorship, such as “Softether VPN 4.12” and “psiphon3”, or Microsoft Office “activators”.

Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left.
The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence.
Click to expand...

guest · May 14, 2020

Russian hacker group using HTTP status codes to control malware implants
New Turla cyber-espionage operation targets diplomatic entities in Europe with new COMpfun malware
May 14, 2020
https://www.zdnet.com/article/russi...ttp-status-codes-to-control-malware-implants/

Security researchers from Kaspersky have identified a new version of the COMpfun malware that controls infected hosts using a mechanism that relies on HTTP status codes.

Responsible for the attacks is a group known as Turla, a state-sponsored Russian threat actor that has historically engaged in cyber-espionage operations.
Turla has a long history of using non-standard and innovative methods to build malware and carry out stealthy attacks.

In a report published today, Kaspersky has revealed another of Turla's novel techniques -- namely malware that receives instructions from command and control (C&C) servers in the form of HTTP status codes.
Click to expand...

NEW COMPFUN VERSION
This particular malware is named COMpfun, and is a classic remote access trojan (RAT) that infects victims and then collects system data, logs keystrokes, and takes screenshots of the user's desktop. All collected data is exfiltrated to a remote C&C server.
NEW HTTP STATUS CODE-BASED C&C PROTOCOL
The second addition is a new C&C communications system. According to Kaspersky, this new C&C malware protocol doesn't use a classic pattern where commands are sent directly to the infected hosts (the COMpfun malware implants) as HTTP or HTTPS requests carrying clearly-defined commands.

Security researchers and security products often scan HTTP/HTTPS traffic for patterns that look like malware commands.
To avoid this type of detection, the Turla group developed a new server-client C&C protocol that relies on HTTP status codes.
Click to expand...

The COMpfun report shows once again why Turla is considered one of the most sophisticated cyber-espionage group today.
Click to expand...

Kaspersky: COMpfun authors spoof visa application with HTTP status-based Trojan

Who is the author?
We should mention here once again that the COMPfun malware was initially documented by G-DATA in 2014; and although the company did not identify which APT was using the malware. Based mostly on victimology, we were able to associate it with the Turla APT with medium-to-low level of confidence.
So what did the COMPFun authors achieve?
The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.
Click to expand...

guest · May 26, 2020

Russian cyberspies use Gmail to control updated ComRAT malware
May 26, 2020
https://www.bleepingcomputer.com/ne...-use-gmail-to-control-updated-comrat-malware/

ESET security researchers have discovered a new version of the ComRAT backdoor controlled using the Gmail web interface and used by the state-backed Russian hacker group Turla for harvesting and stealing in attacks against governmental institutions.

Using Gmail for command-and-control purposes fits right in with other exploits of the Russian-speaking Turla group (also tracked as Waterbug, Snake, or VENOMOUS BEAR) seeing that they are known for using unorthodox methods of achieving their cyber-espionage goals.
Abusing Gmail for cyber-espionage
The ComRAT (also known as Agent.BTZ and Chinch) remote access trojan (RAT) is one of the oldest tools in Turla's arsenal and it has been deployed in attacks going back to at least 2007.
Click to expand...

Since 2017, when the current ComRAT version was first seen by ESET, Turla used it in attacks against two Ministries of Foreign Affairs and a national parliament.

"ESET has found indications that this latest version of ComRAT was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.
A Turla exclusive
While the backdoor upgrade features an entirely new codebase and shows a lot more complexity when compared to previous versions, it still uses the Chinch internal name, it has the old HTTP C&C protocol enabled, and it shares some of the network infrastructure with Turla's Mosquito malware.
Designed to bypass security software

"This shows the level of sophistication of this group and its intention to stay on the same machines for a long time," ESET malware researcher Matthieu Faou explained.
"Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.
Click to expand...

ZDNet: Turla hacker group steals antivirus logs to see if its malware was detected

ESET: From Agent.BTZ to ComRAT v4: A ten‑year journey

Turla has updated its ComRAT backdoor and now uses the Gmail web interface for Command and Control
Click to expand...

guest · Oct 28, 2020

Russian Turla hackers breach European government organization
October 28, 2020
https://www.bleepingcomputer.com/ne...kers-breach-european-government-organization/

Russian-speaking hacking group Turla has hacked into the systems of an undisclosed European government organization according to a new Accenture Cyber Threat Intelligence (ACTI) report.

This attack perfectly lines up with Turla's information theft and espionage motivation and its persistent targeting of government-related entities from a wide range of countries.
Attackers used combo of backdoors and RATs
To compromise the organization's network, the attackers used a combination of recently updated remote administration trojans (RATs) and remote procedure call (RPC)-based backdoors including HyperStack, analyzed by ACTI between June and October 2020.

"Notably, Accenture researchers recently identified novel command and control (C&C) configurations for Turla’s Carbon and Kazuar backdoors on the same victim network," ACTI researchers said.
Click to expand...

"Turla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long-term access to its victims because these tools have proven successful against Windows-based networks," Accenture said.
Government entities are advised by ACTI to check network logs for indicators of compromise included at the end of the report and to build detections capable of blocking future Turla attacks.
Click to expand...

Accenture: Turla uses HyperStack, Carbon, and Kazuar to compromise government entity

Turla, identified internally by Accenture Cyber Threat Intelligence as Belugasturgeon, continues to target government organizations using custom malware, including updated legacy tools, designed to maintain persistence through overlapping backdoor access while evading their victim’s defenses.

One such tool, the HyperStack backdoor (named after its filename on one identified sample), has seen significant updates that appear to be inspired by the group’s Carbon backdoor and the RPC backdoor described by ESET researchers.
[...]
The similarities between the updated functionality in the HyperStack implementation found in September 2020, the RPC backdoor, and the Carbon malware suggest these HyperStack updates were inspired by Turla’s other malware operations, potentially in response to remediation activity taken by the victim.
Click to expand...

guest · Dec 2, 2020

Russian hacking group uses Dropbox to store malware-stolen data
December 2, 2020
https://www.bleepingcomputer.com/ne...up-uses-dropbox-to-store-malware-stolen-data/

Russian-backed hacking group Turla has used a previously undocumented malware toolset to deploy backdoors and steal sensitive documents in targeted cyber-espionage campaigns directed at high-profile targets such as the Ministry of Foreign Affairs of European Union countries.

Turla's Crutch malware was designed to help harvest and exfiltrate sensitive documents and various other files of interest to Dropbox accounts controlled by the Russian hacking group.

"The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal," ESET researcher Matthieu Faou said in a report published today and shared in advance with BleepingComputer.
"Furthermore, Crutch is able to bypass some security layers by abusing legitimate infrastructure — here, Dropbox — in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators."
Click to expand...

Early versions of Crutch (between 2015 to mid-2019) used backdoor channels to communicate with hardcoded Dropbox account via the official HTTP API and drive monitoring tools without network capabilities that searched for and archived interesting documents as encrypted archives.

An updated version (tracked as 'version 4' by ESET) added a removable-drive monitor with networking capabilities and removed the backdoor capabilities.

"Crutch shows that the group is not short of new or currently undocumented backdoors," Faou concluded.
Click to expand...

ESET: Turla Crutch: Keeping the “back door” open

ESET researchers discover a new backdoor used by Turla to exfiltrate stolen documents to Dropbox
Click to expand...

guest · Sep 21, 2021

Turla APT Plants Novel Backdoor In Wake of Afghan Unrest
September 21, 2021
https://threatpost.com/turla-apt-backdoor-afghanistan/174858/

The Turla advanced persistent threat (APT) group is back with a new backdoor used to infect systems in Afghanistan, Germany and the U.S., researchers have reported.

On Tuesday, Cisco Talos researchers said that they’ve spotted infections they attributed to the Turla group (aka Snake, Venomous Bear, Uroburos and WhiteBear) – a Russian-speaking APT. Those attacks are “likely” using a stealthy, “second-chance” backdoor to maintain access to infected devices, they noted.
“Second-chance,” as in, it’s sticky: Even if an infected machine supposedly gets wiped clean of the primary malware, the attackers can maintain access to the system.
Click to expand...

The novel backdoor, dubbed TinyTurla, can be used to drop payloads and to upload and/or execute files, according to the writeup. It could also be used as a second-stage dropper to infect the system with additional malware.

“The backdoor code is quite simple but is efficient enough that it will usually fly under the radar,” according to the report.
How TinyTurla Tiptoes
Cisco Talos said that the attackers have installed TinyTurla as a service disguised as “Windows Time Service,” mimicking the legitimate Windows service that’s used to synchronize the date and time for systems running in Active Directory Domain Services (AD DS).
TinyTurla also mimics the legitimate Windows Time service in its ability to upload, execute or exfiltrate files.
Click to expand...

How TinyTurla Twirls
The attackers used a .BAT file that installs TinyTurla as an innocent-looking, fake Microsoft Windows Time service and which also sets the configuration parameters in the registry used by the backdoor.

The researchers noted that while Turla often uses sophisticated malware, the group also uses “good enough” malware like this to fly under the radar.
Click to expand...

Cisco Talos: TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines

NEWS SUMMARY

Cisco Talos recently discovered a new backdoor used by the Russian Turla APT group.

We have seen infections in the U.S., Germany and, more recently, in Afghanistan.

It is likely used as a stealth second-chance backdoor to keep access to infected devices

It can be used to download, upload and/or execute files.

The backdoor code is quite simple but is efficient enough that it will usually fly under the radar.

Click to expand...

itman · Sep 21, 2021

mood said: ↑

Turla APT Plants Novel Backdoor In Wake of Afghan Unrest
Click to expand...

Err ........ The .dll was first uploaded to VT on 7/14/2021. And Cicso states they "just discovered" it.

guest · Jul 19, 2022

Russian hackers use fake DDoS app to infect pro-Ukrainian activists
July 19, 2022

Google's Threat Analysis Group (TAG), whose primary goal is to defend Google users from state-sponsored attacks, said today that Russian-backed threat groups are still focusing their attacks on Ukrainian organizations.

In a report regarding recent cyber activity in Eastern Europe, Google TAG security engineer Billy Leonard revealed that hackers part of the Turla Russian APT group have also been spotted deploying their first Android malware.
Click to expand...

Google TAG's analysts believe Turla's operators used the StopWar Android app developed by pro-Ukrainian developers (hosted at stopwar[.]pro) when creating their own fake 'Cyber Azov' DDoS application.

"Join the Cyber Azov and help stop russian aggression against Ukraine! We are a community of free people around the world who are fighting against russia's aggression," the attackers prodded potential targets on the app's download page (still up when the article was published).
"We recruit motivated people who are ready to help us in our cause. We have developed an Android application that attacks the Internet infrastructure of russia."
Click to expand...

"This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services," Leonard explained.

Leonard added that Google TAG believes there was no major impact on Android users so far and that the actual number of times the malicious Cyber Azov app was installed is minuscule.
Click to expand...

guest · Jan 7, 2023

Russian Turla Cyberspies Leveraged Other Hackers' USB-Delivered Malware
By Ionut Arghire - January 6, 2023

In a recent attack against a Ukrainian organization, Russian state-sponsored threat actor Turla leveraged legacy Andromeda malware likely deployed by other hackers via an infected USB drive, Mandiant reports.
Click to expand...

Active since at least 2006 and linked to the Russian government, the cyberespionage group is also tracked as Snake, Venomous Bear, Krypton, and Waterbug, and has been historically associated with the use of the ComRAT malware.

Also known as Wauchos or Gamarue, Andromeda has been active since at least September 2011, ensnaring infected machines into a botnet that was disrupted in December 2017. The widely used threat was mainly leveraged for credential theft and malware delivery.
Click to expand...

While analyzing a Turla-suspected operation tracked as UNC4210, Mandiant discovered that at least three expired Andromeda command and control (C&C) domains have been reregistered and used for victim profiling.

The cyberthreat intelligence firm says this is the first suspected Turla attack targeting Ukraine that it has observed since the Russian invasion of the country started. The tactics are consistent with known Turla activity, although some other elements represent a departure from historical Turla operations.

“Both Kopiluwak and Quietcanary were downloaded in succession at various times, which may suggest the group was operating with haste or less concern for operational security, experiencing some aspect of operational deficiency, or using automated tools,” Mandiant concludes.
Click to expand...

Mandiant: Turla: A Galaxy of Opportunity

By Sarah Hawley, Gabby Roncone, Tyler McLellan, Eduardo Mattos, John Wolfram - January 5, 2023
In September 2022, Mandiant discovered a suspected Turla Team operation, currently tracked as UNC4210, distributing the KOPILUWAK reconnaissance utility and QUIETCANARY backdoor to ANDROMEDA malware victims in Ukraine. Mandiant discovered that UNC4210 re-registered at least three expired ANDROMEDA command and control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022.
Click to expand...

Log in or Sign up

Turla APT group beefs up cyber attack tool

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

itman Registered Member

guest Guest

guest Guest

Log in or Sign up

Turla APT group beefs up cyber attack tool

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

itman Registered Member

guest Guest

guest Guest

Useful Searches