Newly Discovered Turla Backdoor Used in Government Attacks

ESET’s security researchers have discovered yet another piece of malware that Russian cyber-espionage group Turla has been using in its attacks.

Active since at least 2006 and also referred to as Belugasturgeon, KRYPTON, Snake, Venomous Bear, and Waterbug, Turla was recently observed targeting a European government with a cocktail of backdoors.

Dubbed Crutch, the recently identified backdoor too was found on the network of a Ministry of Foreign Affairs, in a European Union country. According to ESET, the malware might be used only against very specific targets, a common feature for many Turla tools.

The Crutch backdoor appears to have been in use since 2015, until at least early 2020. ESET was able to find a link between a 2016 dropper for this malware and Gazer (WhiteBear), a second-stage backdoor that the cyber-espionage group was using in 2016-2017.

In September 2017, both samples were dropped in the same location on the same machine, only five days apart, both dropped malware components packed within CAB files, and the loaders dropped by them shared clearly related PDB paths and used the same RC4 key to decrypt their payloads.

“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” ESET says.

The security researchers also discovered that both Crutch and FatDuke (a third-stage payload associated with Dukes/APT29) were present on the same machine at the same time, but did not find evidence of interaction between the two malware families.

Designed to exfiltrate documents and other data of interest to attacker-controlled Dropbox accounts, the Crutch toolset was found on multiple machines within the aforementioned network of a Ministry of Foreign Affairs.

The operators appear to have been focused on performing reconnaissance, some of the commands they sent to the malware suggest. The researchers observed staging, compression, and exfiltration of data, with all operations performed based on manually executed commands.

ESET also notes that Crutch does not appear to be a first-stage backdoor: in one case, the malware was deployed months after the victim network was compromised. The researchers also identified several versions of the malware, showing its operators’ focus on investing in the threat’s evolution.

“In the past few years, we have publicly documented multiple malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” ESET concludes.

Related: Turla Cyber-Spies Target European Government With Multiple Backdoors

Related: Turla’s Updated ComRAT Malware Uses Gmail for C&C Communication

Related: Mysterious ‘AcidBox’ Malware Used Turla Exploit to Target Russian Organizations