Security Experts:

Russia-Linked "Turla" Group Uses New JavaScript Malware

The Russia-linked cyber espionage group known as Turla has been using a new piece of JavaScript malware to profile victims, Kaspersky Lab reported on Thursday.

Turla, an advanced persistent threat (APT) actor that has been active since at least 2007, is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, Venomous Bear and KRYPTON, and some of its primary tools are tracked as Turla (Snake and Uroburos), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

The cyberspies have been mainly interested in organizations located in Europe and the United States. Recent attacks observed by researchers at Kaspersky Lab appear to have targeted organizations in Greece, Qatar and Romania.

In a report sent out to customers in June 2016, Kaspersky revealed that Turla had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents. In late November, the security firm spotted a new JavaScript payload designed mainly to avoid detection. Microsoft researchers have also been monitoring the threat.

The new malware, dubbed KopiLuwak, has been delivered to at least one victim using a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Since the document appears to have been sent by the Qatar ambassador’s secretary, experts believe the attackers may have breached the diplomatic organization’s network.

The final KopiLuwak payload is hidden under several JavaScript layers. Once it becomes persistent by creating a registry key, the malware executes a series of commands in an effort to collect information about the infected system. The harvested data is stored in a temporary file that is deleted after it’s encrypted and stored in memory.

KopiLuwak then attempts to contact its command and control (C&C) servers. These are compromised websites whose address has been hardcoded into the malware.

The C&C can instruct the malware to sleep, exit and terminate C&C communications until the next reboot, uninstall itself, and run arbitrary commands on the infected system using

One of the C&C domains had expired, allowing Kaspersky to acquire it and use it as a sinkhole. Several systems connected to this domain, but the most interesting IP was one associated with the Greek Parliament.

For the time being, Kaspersky says KopiLuwak is less popular than Icedcoffee, but the company believes the new malware will be used more in the future as a first-stage delivery mechanism and victim profiler.

“Currently, it seems the Turla actors continue to rely heavily on embedded macros in Office documents,” explained Kaspersky’s Brian Bartholomew. “While this may appear to be an elementary technique to use for such a sophisticated actor, they are repeatedly successful in compromising high value targets with this method.”

Related Reading: False Flags and Misdirection in Hacker Attribution

Related Reading: State-Sponsored Attackers Use Web Analytics for Reconnaissance

Related Reading: Russian-Speaking Turla Attackers Hijacking Satellite Internet Links

view counter
Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.