‘White Tur’ Hacking Group Borrows Techniques From Multiple APTs

A newly detailed threat actor has been observed employing various techniques borrowed from multiple advanced persistent threat (APT) actors, PwC’s cyber threat intelligence team reports.
Dubbed White Tur, the adversary hasn’t been attributed to a specific geography, although it appears to have been active since at least 2017.

As part of an attack identified in January 2021, the group registered the subdomain mail[.]mod[.]qov[.]rs to phish for the login credentials of Serbian Ministry of Defence employees.

The phishing domain had a TLS certificate using the term ‘qov’, which spoofs the word ‘gov’. The .gov spoofing technique was previously employed by APT actors such as Russia-linked Sofacy (also known as APT28).
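As an added illustration that is not part of the article or of PwC's reporting, the following Python snippet shows the kind of lookalike-label check a defender can run over newly issued certificate names or DNS observations: it flags labels that are single-character confusable variants of labels worth protecting (here 'gov' and 'mod', with 'qov' for 'gov' as in the domain above). The confusable table and the sample domains are constructed assumptions, not data from the page.

```python
import re

# Substitutions that look alike in common fonts. 'g' -> 'q' is the swap
# used in the phishing domain discussed above; the rest are assumptions.
CONFUSABLES = {"g": "q", "o": "0", "l": "1", "i": "1", "rn": "m", "vv": "w"}


def confusable_variants(label: str) -> set:
    """All lookalikes of `label` reachable with ONE substitution.
    Labels with two or more swaps are deliberately not covered."""
    variants = set()
    for real, fake in CONFUSABLES.items():
        for m in re.finditer(real, label):
            variants.add(label[:m.start()] + fake + label[m.end():])
    return variants


def refang(domain: str) -> str:
    """Turn a defanged indicator such as mail[.]mod[.]qov[.]rs into a
    normal lowercase domain for comparison."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def lookalike_labels(observed: str, protected_labels: set) -> list:
    """Return (observed_label, spoofed_label) pairs for every label in
    `observed` that is a confusable variant of a protected label."""
    hits = []
    for label in refang(observed).split("."):
        for real in sorted(protected_labels):
            if label != real and label in confusable_variants(real):
                hits.append((label, real))
    return hits


def scan(domains: list, protected_labels: set) -> dict:
    """Map each observed domain to its lookalike hits (empty list = clean)."""
    return {d: lookalike_labels(d, protected_labels) for d in domains}


if __name__ == "__main__":
    # Constructed sample: the defanged indicator from the article plus two
    # made-up domains, one legitimate and one using a '0' for 'o' swap.
    SAMPLE = ["mail[.]mod[.]qov[.]rs", "www[.]mod[.]gov[.]rs", "login[.]g0v[.]example"]
    for domain, hits in scan(SAMPLE, {"gov", "mod"}).items():
        print(domain, "->", hits or "clean")
```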

The adversary was also observed abusing the open source project OpenHardwareMonitor for payload execution. For that, it injected code into the legitimate tool, using a technique previously employed by North Korea-based threat actor ZINC.

“As part of the attack, PowerShell code retrieves environmental information from the victim using PowerShell WMI objects and utilises the BitsTransfer Module available in PowerShell to download a payload,” PwC says.

White Tur’s portfolio also includes macro-enabled documents containing various exploits and themed around government, defense, R&D, and telecoms; HTA and XSL scripts; PowerShell scripts; and a JScript backdoor.

The threat actor was also observed employing a backdoor packaged as a DLL, which allows it to manage files, upload and download files, execute commands, and set malware sleep time. This, PwC says, is “the most functional backdoor” in White Tur’s arsenal.

In the backdoor’s PDB path, the researchers also found the name Storm Kitty, which is an open-source malware project designed to capture credentials and log keystrokes.

PwC says attributing the activity of White Tur to a specific adversary is difficult because the target region doesn’t have much coverage in threat intelligence blogs: “from our assessment, this particular threat actor has a range of motivations with no clear links to well-known threat actors which are attributed to a government or organisation.”

Written by Ionut Arghire, an international correspondent for SecurityWeek.