Security Experts:

Connect with us

Hi, what are you looking for?



Newly Discovered Turla Backdoor Used in Government Attacks

ESET’s security researchers have discovered yet another piece of malware that Russian cyber-espionage group Turla has been using in its attacks.

ESET’s security researchers have discovered yet another piece of malware that Russian cyber-espionage group Turla has been using in its attacks.

Active since at least 2006 and also referred to as Belugasturgeon, KRYPTON, Snake, Venomous Bear, and Waterbug, Turla was recently observed targeting a European government with a cocktail of backdoors.

Dubbed Crutch, the recently identified backdoor too was found on the network of a Ministry of Foreign Affairs, in a European Union country. According to ESET, the malware might be used only against very specific targets, a common feature for many Turla tools.

The Crutch backdoor appears to have been in use since 2015, until at least early 2020. ESET was able to find a link between a 2016 dropper for this malware and Gazer (WhiteBear), a second-stage backdoor that the cyber-espionage group was using in 2016-2017.

In September 2017, both samples were dropped in the same location on the same machine, only five days apart, both dropped malware components packed within CAB files, and the loaders dropped by them shared clearly related PDB paths and used the same RC4 key to decrypt their payloads.

“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” ESET says.

The security researchers also discovered that both Crutch and FatDuke (a third-stage payload associated with Dukes/APT29) were present on the same machine at the same time, but did not find evidence of interaction between the two malware families.

Designed to exfiltrate documents and other data of interest to attacker-controlled Dropbox accounts, the Crutch toolset was found on multiple machines within the aforementioned network of a Ministry of Foreign Affairs.

The operators appear to have been focused on performing reconnaissance, some of the commands they sent to the malware suggest. The researchers observed staging, compression, and exfiltration of data, with all operations performed based on manually executed commands.

ESET also notes that Crutch does not appear to be a first-stage backdoor: in one case, the malware was deployed months after the victim network was compromised. The researchers also identified several versions of the malware, showing its operators’ focus on investing in the threat’s evolution.

“In the past few years, we have publicly documented multiple malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” ESET concludes.

Related: Turla Cyber-Spies Target European Government With Multiple Backdoors

Related: Turla’s Updated ComRAT Malware Uses Gmail for C&C Communication

Related: Mysterious ‘AcidBox’ Malware Used Turla Exploit to Target Russian Organizations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...