A newly detailed threat actor has been observed employing various techniques borrowed from multiple advanced persistent threat (APT) actors, PwC’s cyber threat intelligence team reports.
Dubbed White Tur, the adversary hasn’t been attributed to a specific geography, although it appears to have been active since at least 2017.
As part of an attack identified in January 2021, the group registered the subdomain mail[.]mod[.]qov[.]rs to phish for the login credentials of Serbian Ministry of Defence employees.
The phishing domain had a TLS certificate using the term ‘qov’, which spoofs the word ‘gov’. The .gov spoofing technique was previously employed by APT actors such as Russia-linked Sofacy (also known as APT28).
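A defender-side check for this spoofing pattern, written as an added example that is not part of PwC's report: it refangs candidate domains (for instance from DNS or certificate-transparency logs), maps common look-alike characters back to the letters they mimic, and flags any label that reads "gov" only after that mapping. The confusable table and the sample domains are constructed assumptions.

```python
# Added example: flag domains whose labels mimic "gov" by character substitution,
# as in the mail[.]mod[.]qov[.]rs lure. The confusable table and sample input are
# constructed assumptions, not data from the report.

# Look-alike characters mapped back to the letter they imitate (assumed table).
CONFUSABLES = str.maketrans({"q": "g", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(label: str) -> str:
    """Lower-case a DNS label and undo common single- and two-character swaps."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def refang(domain: str) -> str:
    """Turn defanged notation such as a[.]b[.]c back into a resolvable name."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def gov_lookalikes(domains):
    """Return (observed, likely_target) pairs for domains where some label
    becomes 'gov' only after confusable substitution. Domains that already
    contain a literal 'gov' label are skipped: they are not look-alikes."""
    hits = []
    for raw in domains:
        labels = refang(raw).split(".")
        if "gov" in labels:
            continue
        if any(normalise(lbl) == "gov" for lbl in labels):
            likely = ".".join("gov" if normalise(lbl) == "gov" else lbl for lbl in labels)
            hits.append((refang(raw), likely))
    return hits


# Constructed sample: one defanged lure from the report, one legitimate domain,
# one unrelated domain and one made-up digit-substitution case.
SAMPLE_DOMAINS = [
    "mail[.]mod[.]qov[.]rs",
    "www.mod.gov.rs",
    "example.com",
    "login.g0v.example",
]

if __name__ == "__main__":
    for observed, likely in gov_lookalikes(SAMPLE_DOMAINS):
        print(f"look-alike: {observed} (mimics {likely})")
```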
The adversary was also observed abusing the open source project OpenHardwareMonitor for payload execution. For that, it injected code into the legitimate tool, using a technique previously employed by North Korea-based threat actor ZINC.
“As part of the attack, PowerShell code retrieves environmental information from the victim using PowerShell WMI objects and utilises the BitsTransfer Module available in PowerShell to download a payload,” PwC says.
White Tur’s portfolio also includes macro-enabled documents that carry various exploits and use governmental, defence, R&D and telecoms themes; HTA and XSL scripts; PowerShell scripts; and a JScript backdoor.
The threat actor was also observed employing a backdoor packaged as a DLL that can manage files, upload and download files, execute commands and set the malware’s sleep time. This, PwC says, is “the most functional backdoor” in White Tur’s arsenal.
In the backdoor’s PDB path, the researchers also found the name Storm Kitty, which is an open-source malware project designed to capture credentials and log keystrokes.
PwC says attributing the activity of White Tur to a specific adversary is difficult because the target region doesn’t have much coverage in threat intelligence blogs: “from our assessment, this particular threat actor has a range of motivations with no clear links to well-known threat actors which are attributed to a government or organisation.”