ESET’s security researchers have discovered yet another piece of malware that Russian cyber-espionage group Turla has been using in its attacks.
Active since at least 2006 and also referred to as Belugasturgeon, KRYPTON, Snake, Venomous Bear, and Waterbug, Turla was recently observed targeting a European government with a cocktail of backdoors.
Dubbed Crutch, the recently identified backdoor too was found on the network of a Ministry of Foreign Affairs, in a European Union country. According to ESET, the malware might be used only against very specific targets, a common feature for many Turla tools.
The Crutch backdoor appears to have been in use since 2015, until at least early 2020. ESET was able to find a link between a 2016 dropper for this malware and Gazer (WhiteBear), a second-stage backdoor that the cyber-espionage group was using in 2016-2017.
In September 2017, both samples were dropped in the same location on the same machine, only five days apart, both dropped malware components packed within CAB files, and the loaders dropped by them shared clearly related PDB paths and used the same RC4 key to decrypt their payloads.
“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” ESET says.
The security researchers also discovered that both Crutch and FatDuke (a third-stage payload associated with Dukes/APT29) were present on the same machine at the same time, but did not find evidence of interaction between the two malware families.
Designed to exfiltrate documents and other data of interest to attacker-controlled Dropbox accounts, the Crutch toolset was found on multiple machines within the aforementioned network of a Ministry of Foreign Affairs.
The operators appear to have been focused on performing reconnaissance, some of the commands they sent to the malware suggest. The researchers observed staging, compression, and exfiltration of data, with all operations performed based on manually executed commands.
ESET also notes that Crutch does not appear to be a first-stage backdoor: in one case, the malware was deployed months after the victim network was compromised. The researchers also identified several versions of the malware, showing its operators’ focus on investing in the threat’s evolution.
“In the past few years, we have publicly documented multiple malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” ESET concludes.
Related: Turla Cyber-Spies Target European Government With Multiple Backdoors
Related: Turla’s Updated ComRAT Malware Uses Gmail for C&C Communication
Related: Mysterious ‘AcidBox’ Malware Used Turla Exploit to Target Russian Organizations

More from Ionut Arghire
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
