Security researchers from ESET have analyzed several PowerShell scripts used by the Russia-linked Turla threat group in recent attacks.
Operating since at least 2008, the group is also known as Snake, Waterbug, KRYPTON and Venomous Bear, and has attacked various diplomatic organizations, including the U.S. military, the German Foreign Office, and the French military.
The group recently began using PowerShell scripts for the in-memory loading and execution of malware in an effort to bypass detection. Previously observed using a loader based on the open-source project Posh-SecMod, Turla has perfected their PowerShell scripts, ESET says.
The security researchers observed the hacking group using these scripts in attacks targeting diplomatic entities in Eastern Europe, but they likely used the tools against traditional targets in Western Europe and the Middle East as well.
The group’s PowerShell loader was designed to achieve persistence, decrypt code, and load into memory the embedded executable or library.
For persistence, Turla uses a Windows Management Instrumentation (WMI) event subscription or alteration of the PowerShell profile, the researchers explain.
The first method relies on the creation of two WMI event filters and two WMI event consumers to launch PowerShell commands and load a script stored in the Windows registry. The second technique involves altering the PowerShell profile, which is a script that runs when PowerShell starts, and results in the execution of a PowerShell command very similar to the one used in the WMI consumers.
The payload in the Windows registry is another PowerShell script, a reflective loader that loads a hardcoded executable directly into the memory of a randomly chosen process already running on the system. In some samples, the researchers found a list of executables the script avoids injecting into (such as Kaspersky software).
Some samples deployed since March 2019 feature modifications to bypass the Antimalware Scan Interface (AMSI), an interface that allows Windows applications to integrate with the installed antimalware product. For that, the attackers re-use a technique presented at Black Hat Asia 2018.
The PowerShell scripts, ESET reveals, were used to load various payloads, including an RPC backdoor and a PowerShell backdoor.
Turla is known for the use of numerous backdoors that rely on the RPC protocol and which allow the group to move laterally and take control of other machines on the local network even when an external command and control (C&C) server is not available.
Available features in the RPC backdoor include file upload, file download, and command execution via cmd.exe or PowerShell, but the malware’s functionality could be expanded via plugins. The backdoor is split into two, with a client that allows attackers to execute commands on systems where a server is installed.
One of the PowerShell backdoors deployed by Turla is PowerStallion, a lightweight tool that uses Microsoft’s online storage service OneDrive as a C&C server. Turla was also observed leveraging the free email provider GMX in this backdoor, as was employed in last year’s Outlook Backdoor and the recently detailed LightNeuron.
The malware, ESET says, is likely a recovery access tool in case main backdoors such as Carbon or Gazer are cleaned and access to the compromised computers is no longer available. So far, the backdoor has been used to monitor antimalware logs and the Windows process list, and to install ComRAT version 4, one of the Turla second-stage backdoors.
“The usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads delivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our recent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom malware,” ESET says.