Examining the Activities of the Turla APT Group

Techniques:

While the previous Turla campaigns were designed to target Windows-based machines, the campaign in August 2014  was the first instance where Turla targeted the Linux operating system. Dubbed as Penguin Turla, the group used a Linux Turla module with a C/C++ executable statically linked against multiple libraries, greatly increasing its file size for this campaign.

A group of threat actors named Waterbug (alleged to be a state-sponsored group) used variants of Trojan.Turla and Trojan.Wipbot to exploit a zero-day vulnerability, specifically the Windows Kernel NDProxy.sys local privilege escalation vulnerability CVE-2013-5065. A research entry suggested that the attackers used specially crafted emails with malicious attachments and a set of compromised websites to deliver malicious payloads.

In 2017, ESET published a research entry on a sophisticated variant of the Turla malware, a second-stage backdoor known as Carbon. A Carbon attack initially involves the victim either receiving a spear-phishing email or visiting a compromised website, also known as a watering hole.

This is then followed by the installation of a first-stage backdoor such as Tavdig or Skipper. The second-stage backdoor Carbon is then installed on key systems after renaissance activities are completed. The Carbon framework consists of a dropper to install its configuration file, a component to communicate with the C&C server, an orchestrator to handle tasks and move them laterally over the network, and a loader to execute the orchestrator.

In May 2017, a new backdoor trojan by the name Kazuar was linked to the Turla group. Written using the Microsoft .NET Framework, Kazuar contains highly functional command sets that are capable of remotely loading additional plug-ins.

Kazuar gathers system and malware file name information and creates a mutex to ensure that only one instance of the malware executes on the system at a time. It then adds an LNK file to the Windows startup folder.

Majority of the commands set in Kazuar share similar attributes with other backdoor Trojans. For example, the tasklist command uses a Windows Management Instrumentation (WMI) query to obtain running process from Windows while the info command is used to gather information about opened windows. Meanwhile, Kazuar’s cmd command will run commands using cmd.exe for Windows systems and /bin/bash for Unix systems. These commands strongly suggests that Kazuar was built to be a cross-platform malware targeting both Windows and Unix systems.

Research conducted in early 2021 revealed several similarities between the Sunburst and Kazuar backdoors.

Techniques:

In August, Turla unveiled a new second-stage backdoor written in C++ known as Gazer, which relied on watering-hole attacks and spear-phishing campaigns for more precise targeting of victims.

Aside from being stealthier, Gazer was found to have plenty of similarities with the previously used second-stage backdoors such as Carbon and Kazuar. The defining characteristic of this campaign was the insertion of “video-game-relate” sentences throughout the code. Turla encrypts Gazer’s C&C server using its own library for 3DES and RSA.

Techniques:

An intelligence report from 2018 suggested that Turla used new malicious tools known as Neuron and Nautilus in conjunction with the Snake rootkit to target Windows machines, focusing on mail and web servers in particular. Turla made use of existing Snake victims to scan for ASPX shell, with the commands being passed using encrypted HTTP cookie values. The entry also mentioned that Turla used ASPX shells to gain a foothold into the target system to deploy additional tools.

Turla targeted the foreign offices of European governments via a backdoor, with the intention of accessing highly sensitive information. The campaign targeted Microsoft Outlook and The Bat! (a popular mail client primarily used in Eastern Europe) by forwarding all outgoing emails to the attackers. The backdoor used email messages to exfiltrate data, employing specially crafted PDF documents. It also used email messages as a transport layer for its C&C server.

OilRig is an Iran-linked APT group that usually targets government agencies and organizations in the Middle East. Previous research suggests that the Turla group compromised a target using OilRig’s infrastructure. The campaign saw the use of a heavily modified, custom variant of the Mimikatz tool, plus a  new set of tools involving several new backdoors. In the later stages of the campaign, Turla group used a different remote procedure call (RPC) backdoor, which included code from the publicly available PowerShell Runner tool to execute PowerShell scripts (without using powershell.exe).

In March 2020, security researchers observed Turla targeted multiple Armenian websites using watering-hole attacks. These websites were implanted with malicious JavaScript code, although the access methods used in attack are unknown.

The compromised webpage then delivered the second-stage malicious JavaScript code to fingerprint victim browser and trick them into installing a malicious flash installer. Turla then used NetFlash (a .NET downloader) and PyFlash for its second-stage malware.

Techniques:

ComRAT v4, also known as Agent.BTZ, is a remote access trojan (RAT) used by Turla and developed using C++ and employing a virtual FAT16 file system that is often used to exfiltrate sensitive documents. It is deployed using existing access methods, such as the PowerStallion PowerShell backdoor. Furthermore, it uses HTTP and emails as C&C channels. 

Techniques:

In December 2020,  a previously undocumented backdoor and document stealer named Crutch was attributed to the Turla group. Apparently, older versions of Crutch included a backdoor that communicated with a hard-coded Dropbox account using the official HTTP API.

It had the ability to execute commands related to the reading and writing of files, executing additional processes, and setting persistence via DLL hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive. One major feature of Crutch v4 is that it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility (unlike the previous versions that relied on the backdoor commands).

Techniques:

The new Turla backdoor known as TinyTurla was likely used as a failover option to maintain access to the system even when the primary malware is removed. The backdoor is installed using a batch file and comes in the form of a service DLL called w64time.dll that tries to impersonate the legitimate w32time.dll file on Windows systems.

Turla’s May 2022 campaign was used for the sole purpose of reconnaissance and did not involve any use of malicious code. Security researchers discovered a document that performed requests via HTTP to its own controlled server, with the purpose of capturing the version and type of Microsoft Word application used by the victim. The information can later be used to craft a specific exploit based on the Microsoft Word version.

Techniques:

A July 2023 announcement from the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that Turla was using the Capibar malware and Kazuar backdoor for espionage attacks on Ukrainian defensive assets. In this campaign, Capibar was used for intelligence gathering while Kazuar performed credential theft. This attack targeted diplomatic and military organizations by leveraging phishing attacks. 

Techniques:

The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives. Turla has continuously developed its tools and techniques over years and will likely keep on refining them.

The threat posed by groups such as Turla underscores the importance for organizations and governments to remain vigilant by staying informed, sharing intelligence, and implementing security measures that can allow both groups and individuals to better protect themselves against these kinds of threat actors.

The indicators of compromise for the various Turla campaigns can be found here.