
Turla Cyber-Spies Target European Government With Multiple Backdoors

The Russia-linked cyber-espionage group known as Turla was recently observed targeting a European government organization with a combination of backdoors, security researchers at Accenture reveal.


Also known as Snake, Waterbug, Venomous Bear, Belugasturgeon, and KRYPTON, Turla is believed to have been active since at least 2006. Earlier this year, the threat actor updated ComRAT, one of its oldest malware families, to ensure it remains efficient.

In a report published this week, Accenture notes that the hackers continue to update legacy tools and to employ custom malware in attacks targeting government organizations.

In fact, in a recent attack on such an organization in Europe, Turla was observed employing a combination of remote procedure call (RPC)-based backdoors, including the HyperStack backdoor, and Kazuar and Carbon remote administration Trojans (RATs).

“The RATs transmit the command execution results and exfiltrate data from the victim’s network while the RPC-based backdoors use the RPC protocol to perform lateral movement and issue and receive commands on other machines in the local network. These tools often include several layers of obfuscation and defense evasion techniques,” Accenture explains.

Given the success registered using this combination of tools, Turla is expected to continue employing this tool ecosystem when targeting Windows-based networks. The threat actor was also observed employing a different command and control (C&C) implementation for each compromise, to ensure it can regain access if one is discovered.

The HyperStack backdoor, which was initially identified in 2018, features updated functionality, and employs named pipes for RPC execution. For lateral movement, it attempts to connect to a remote device’s IPC$ share to forward RPC commands.

As part of the campaign, however, Turla was also observed using a variant of HyperStack containing simpler functionality, enabling operators to run commands via a named pipe without IPC$ enumeration.
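A defender-side check for the IPC$ named-pipe behaviour described above, as an added example (not code from Accenture or this article): it flags source hosts that open pipes over IPC$ on many peers and pipe names outside a small allowlist. It assumes Windows Security Event ID 5145 share-access events are exported to the SIEM as flattened Key=Value lines; the sample events and the pipe name `examplepipe` are constructed.

```python
"""Flag hosts that open named pipes over IPC$ on many peers, the lateral-movement
pattern attributed above to HyperStack. Added example, not Accenture's or
SecurityWeek's code; assumes Windows Security Event ID 5145 (detailed file share
auditing) arrives in the SIEM as one flattened "Key=Value" line per event."""
import re
from collections import defaultdict

# Pipes routine Windows management opens over IPC$ (assumption: tune to your estate).
BENIGN_PIPES = {"srvsvc", "wkssvc", "lsarpc", "samr", "netlogon", "spoolss"}

# Constructed sample events: 10.0.0.15 reaches IPC$ on four workstations (fan-out)
# with a made-up pipe name, while 10.0.0.7 only talks to one file server.
SAMPLE_EVENTS = [
    r"EventID=5145 SourceAddress=10.0.0.15 AccountName=svc_backup ShareName=\\*\IPC$ RelativeTargetName=examplepipe Computer=WS01",
    r"EventID=5145 SourceAddress=10.0.0.15 AccountName=svc_backup ShareName=\\*\IPC$ RelativeTargetName=examplepipe Computer=WS02",
    r"EventID=5145 SourceAddress=10.0.0.15 AccountName=svc_backup ShareName=\\*\IPC$ RelativeTargetName=srvsvc Computer=WS03",
    r"EventID=5145 SourceAddress=10.0.0.15 AccountName=svc_backup ShareName=\\*\IPC$ RelativeTargetName=examplepipe Computer=WS04",
    r"EventID=5145 SourceAddress=10.0.0.7 AccountName=alice ShareName=\\*\IPC$ RelativeTargetName=srvsvc Computer=FS01",
    r"EventID=5145 SourceAddress=10.0.0.7 AccountName=alice ShareName=\\*\Finance RelativeTargetName=q3\budget.xlsx Computer=FS01",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 5145 line into a dict of its Key=Value fields."""
    return dict(FIELD_RE.findall(line))


def ipc_pipe_events(lines):
    """Yield only IPC$ accesses, which is where named pipes get opened."""
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "5145" and ev.get("ShareName", "").endswith("IPC$"):
            yield ev


def ipc_fanout(lines, min_hosts=3):
    """Source address -> sorted list of distinct computers on which it opened
    IPC$ pipes, keeping only sources that reached at least min_hosts peers."""
    hosts = defaultdict(set)
    for ev in ipc_pipe_events(lines):
        hosts[ev["SourceAddress"]].add(ev["Computer"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}


def unusual_pipes(lines):
    """Sorted (source, computer, pipe) triples for pipes outside the allowlist."""
    return sorted({(ev["SourceAddress"], ev["Computer"], ev["RelativeTargetName"])
                   for ev in ipc_pipe_events(lines)
                   if ev["RelativeTargetName"].lower() not in BENIGN_PIPES})
```

Run both functions over a day of forwarded 5145 events and review the sources they return against your known admin and scanner hosts; the thresholds and allowlist are starting points, not tuned values.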


The malware employed in this campaign revealed the use of traditional C&C implementations, such as compromised web servers and legitimate web services, including Pastebin. One Kazuar variant could receive commands sent via internal nodes in the compromised network, while others employed external nodes.

“Turla will likely continue to use its legacy tools, albeit with upgrades, to compromise and maintain long-term access to its victims because these tools have proven successful against Windows-based networks. Government entities, in particular, should check network logs for indicators of compromise and build detections aimed at thwarting this threat actor,” Accenture concludes.

Related: Turla’s Updated ComRAT Malware Uses Gmail for C&C Communication

Related: Mysterious ‘AcidBox’ Malware Used Turla Exploit to Target Russian Organizations

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
