Turla Backdoor Controlled via Email Attachments
24.8.18 securityweek APT
ESET security researchers have analyzed a new backdoor used by the Russian-speaking advanced persistent threat (APT) group known as Turla.
Also known as Snake, or Uroburos, Turla has been active since at least 2007, targeting governments, state officials, diplomats, and military authorities, including Swiss defense firm RUAG and the U.S. Central Command, among others.
Last year, security researchers discovered a link between the group and one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.
In 2017, Turla targeted Germany’s Federal Foreign Office to implant a backdoor on several computers and steal data almost the entire 2017. The hackers first compromised the network of the country’s Federal College of Public Administration and leveraged it to breach the network of the Foreign Office in March 2017.
Now, ESET reveals that the backdoor used in this attack was also used to “open a covert access channel to the foreign offices of another two European countries, as well as to the network of a major defense contractor.”
The backdoor was supposedly created as far back as 2009 and has received numerous updates over time, getting new functionality, including stealth and resilience. A version discovered in April 18 can execute malicious PowerShell scripts directly in memory, a tactic many actors have been adopting over the past few years.
The malware now targets Microsoft Outlook, subverting the application’s legitimate Messaging Application Programming Interface (MAPI) to access the targets’ mailboxes. Previously, it was observed targeting The Bat! email client, ESET notes.
The backdoor doesn’t use a conventional command-and-control (C&C) infrastructure, being operated via specially crafted PDF files in email attachments instead. The malware is delivered in the form of a Dynamic Link Library (DLL) module and is installed using a legitimate Windows utility (RegSvr32.exe).
For persistence, the threat modifies Windows registry entries. Specifically, it leverages the “COM object hijacking” technique, which ensures that the backdoor is activated each time Microsoft Outlook is launched.
The backdoor generates logs on every sent or received email message (with information on sender, recipient, subject, and attachment name), and regularly bundles the logs together with other data and sends them to Turla’s operators via a PDF attached to an email message.
For each incoming email, the malware checks for the presence of a PDF that may contain commands and accepts commands from anyone able to encode them into a PDF document. This means that Turla’s operators can regain control of an infected machine by sending commands from any email address.
“The backdoor’s level of resilience to takedowns is almost on a par with that of a rootkit that, in inspecting inbound network traffic, listens for commands from its operators,” ESET notes.
On compromised machines, the malware goes to lengths to stay undetected and no email received by the attacker ever appears in the mailbox. Moreover, the backdoor also blocks all of the notifications of incoming email messages that have been sent by its operators.
The malware includes support for a broad range of commands, including file manipulation, shell command execution, process creation, directory manipulation, and more, ESET reveals in a technical analysis (PDF). The main purpose of the malware is data exfiltration and the download and execution of additional programs or commands.
“The Turla backdoor is a fully-fledged backdoor that uses customized and proprietary techniques, can work independently of any other Turla component, and is fully controlled by email. In fact, ESET researchers are not aware of any other espionage group currently utilizing a backdoor that is entirely controlled by emails, and specifically through PDF attachments,” ESET concludes.