Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Dissect PowerShell Scripts Used by Russia-Linked Hackers

Security researchers from ESET have analyzed several PowerShell scripts used by the Russia-linked Turla threat group in recent attacks. 

Security researchers from ESET have analyzed several PowerShell scripts used by the Russia-linked Turla threat group in recent attacks. 

Operating since at least 2008, the group is also known as Snake, Waterbug, KRYPTON and Venomous Bear, and has attacked various diplomatic organizations, including the U.S. military, the German Foreign Office, and the French military.

The group recently began using PowerShell scripts for the in-memory loading and execution of malware in an effort to bypass detection. Previously observed using a loader based on the open-source project Posh-SecMod, Turla has perfected their PowerShell scripts, ESET says. 

The security researchers observed the hacking group using these scripts in attacks targeting diplomatic entities in Eastern Europe, but they likely used the tools against traditional targets in Western Europe and the Middle East as well. 

The group’s PowerShell loader was designed to achieve persistence, decrypt code, and load into memory the embedded executable or library. 

For persistence, Turla uses a Windows Management Instrumentation (WMI) event subscription or alteration of the PowerShell profile, the researchers explain

The first method relies on the creation of two WMI event filters and two WMI event consumers to launch PowerShell commands and load a script stored in the Windows registry. The second technique involves altering the PowerShell profile, which is a script that runs when PowerShell starts, and results in the execution of a PowerShell command very similar to the one used in the WMI consumers.

The payload in the Windows registry is another PowerShell script, a reflective loader that loads a hardcoded executable directly into the memory of a randomly chosen process already running on the system. In some samples, the researchers found a list of executables the script avoids injecting into (such as Kaspersky software). 

Advertisement. Scroll to continue reading.

Some samples deployed since March 2019 feature modifications to bypass the Antimalware Scan Interface (AMSI), an interface that allows Windows applications to integrate with the installed antimalware product. For that, the attackers re-use a technique presented at Black Hat Asia 2018. 

The PowerShell scripts, ESET reveals, were used to load various payloads, including an RPC backdoor and a PowerShell backdoor.

Turla is known for the use of numerous backdoors that rely on the RPC protocol and which allow the group to move laterally and take control of other machines on the local network even when an external command and control (C&C) server is not available. 

Available features in the RPC backdoor include file upload, file download, and command execution via cmd.exe or PowerShell, but the malware’s functionality could be expanded via plugins. The backdoor is split into two, with a client that allows attackers to execute commands on systems where a server is installed. 

One of the PowerShell backdoors deployed by Turla is PowerStallion, a lightweight tool that uses Microsoft’s online storage service OneDrive as a C&C server. Turla was also observed leveraging the free email provider GMX in this backdoor, as was employed in last year’s Outlook Backdoor and the recently detailed LightNeuron

The malware, ESET says, is likely a recovery access tool in case main backdoors such as Carbon or Gazer are cleaned and access to the compromised computers is no longer available. So far, the backdoor has been used to monitor antimalware logs and the Windows process list, and to install ComRAT version 4, one of the Turla second-stage backdoors.

“The usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads delivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our recent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom malware,” ESET says. 

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Related: Turla Backdoor Controlled via Email Attachments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights