Turla backdoors compromise European government foreign offices
The backdoor is the work of an advanced persistent threat (APT) group known as Turla. Turla has previously been linked to the Gazer malware family, which has been used against various government and diplomatic bodies in Europe before.
Gazer was connected to watering hole attacks and spear-phishing campaigns targeting government entities and diplomats for the purpose of cyberespionage.
In 2017, Turla was also connected to a backdoor implanted in Germany's Federal Foreign Office, where it was used to siphon confidential government information over the majority of the year.
Turla is believed to originate from Russia and has been active since at least 2008. Now, it seems the APT is ramping up its efforts and has leveraged the same backdoor against the foreign offices of two other European countries.
In addition, an unnamed major defense contractor has also become a victim of the threat actors.
The backdoor used in these campaigns was created in 2009 and since then has undergone a number of radical changes. Stealthy, able to avoid detection for long periods of time, and recently upgraded to execute malicious PowerShell scripts directly in computer memory, the malware has now earned a "rare degree of stealth and resilience," according to ESET.
Turla's malware, which is a Dynamic Link Library (DLL) module, maintains persistence by tampering with the Windows registry. In a technique known as "COM object hijacking," the backdoor will automatically respawn when Microsoft Outlook is opened.
The malware has most recently targeted users of Microsoft Outlook. However, the software itself is not used as an attack vector; rather, the malware attempts to subvert Microsoft Outlook's legitimate Messaging Application Programming Interface (MAPI) to infiltrate victim inboxes.
An interesting element of this backdoor is how Turla chooses to control it. The majority of malware makes use of command-and-control (C&C) centers to issue commands, but in this case, crafted .PDF files sent to compromised email inboxes send the operational commands.
When a victim receives an email, the malware generates a log which contains information about the message, including the sender, recipient, subject, and attachment names. This data is then regularly bundled up and sent to the Turla APT via a .PDF document.
However, the threat group is careful to only send these emails during standard working hours to prevent arousing suspicion. All email notifications are also blocked from view.
"The compromised machine can be instructed to carry out a range of commands," ESET researchers said. "Most importantly, these include data exfiltration, as well as the downloading of additional files and the execution of additional programs and commands. Data exfiltration itself also takes place via .PDF files."
The backdoor is what the researchers call "operator-agnostic," which means that the malicious code will accept commands from anyone able to encode them into a crafted .PDF.
This may be a technique used to prevent the collapse of malware operations in cases where malicious C&C centers are seized by cybersecurity teams or law enforcement.
Turla is the only group known to the researchers which use email-based command systems and the case reveals just how innovative APT groups can be when valuable political information is up-for-grabs.
ZDNet has reached out to ESET with additional queries and will update if we hear back.
Müəllif
Metbuat.az
Qaynar xətt
0552252950
Həmçinin oxu
Süni intellekt üçün internet “Bakcell”dən
en.ictnews.az
DİGƏR XƏBƏRLƏR
Daha çox »Top xəbərlər
Layihələr
Son xəbərlər
Əli Əsədov Ümumdünya Gömrük Təşkilatının baş katibi ilə görüşdü
Bu gün
·
20:14
Bu 4 bürc üçün şanslı dövr başlayır
Bu gün
·
19:42
Hikmət Hacıyev Aİ ilə əməkdaşlıqdan danışdı
Bu gün
·
19:27
Türkiyə nəhəngi dünya çempionatının ulduzunu transfer edir
Bu gün
·
19:05
Nazir ona vəzifə verdi
Bu gün
·
18:18
Milli Məclisin növbədənkənar sessiyasının son iclası keçiriləcək - YENİLƏNİB
Bu gün
·
17:28
Hərbçimiz vəfat etdi
Bu gün
·
17:08
Hasil Abbasov üç nəfərə yüksək vəzifə verdi
Bu gün
·
17:06
Şimşək çaxacaq, dolu düşəcək - XƏBƏRDARLIQ
Bu gün
·
17:04
Əli Əsədov Rusiyanın səhiyyə naziri ilə görüşdü
Bu gün
·
16:47
Rafael Ağayevə ağır itki üz verdi
Bu gün
·
16:35
Paytaxtda maşından meyit tapıldı
Bu gün
·
16:25
Azərbaycanda bank kartları ilə bağlı mühüm açıqlama
Bu gün
·
16:08
“Azərsun Holdinq” şəkər çuğunduru emalı həcmini 800 min tona qaldıracaq
Bu gün
·
15:54
Moda dizayneri Kamilla Məmmədzadə "Yes Couture"brendi ilə birlikdə Azərbaycan xalçalarından ilhamlanan kolleksiyasını təqdim etdi – FOTO
Bu gün
·
15:50