Turla group improves its tools in persistence and stealth, ESET discovers
By: ESET Middle East
Turla is an infamous espionage group recognized for its complex malware. It is believed to have been operating since at least 2008, when it successfully breached the US military. It has also been involved in major attacks against many government entities in Europe and the Middle East – among them the German Foreign Office and the French military.
Recently, ESET researchers detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts. "It is likely the same scripts are used globally against other traditional Turla targets," says Matthieu Faou, ESET researcher who conducted the investigation.
ESET researchers have published a blogpost with the results of their analysis of Turla's PowerShell scripts to help defenders counter them. "Along with Turla's new PowerShell loader, we've discovered and analyzed several interesting payloads, including an RPC-based backdoor and a PowerShell backdoor leveraging Microsoft's cloud storage service, OneDrive, as its Command and Control server," says Faou.
The PowerShell loaders, which ESET detects under the umbrella name PowerShell/Turla, differ from simple droppers: they persist on the system and repeatedly load only the embedded executables into memory, so the payloads themselves are never written to disk. In some samples, Turla developers modified their PowerShell scripts to bypass the Antimalware Scan Interface (AMSI). This technique, first disclosed at the Black Hat Asia 2018 conference, leaves the antimalware product unable to receive script content from the AMSI interface for scanning.
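Because an AMSI bypass of this class leaves the PowerShell host running but silently removes the antimalware product from the scanning path, a quick health check is to hand AMSI a string every provider is expected to flag. The snippet below is an added example, not code from ESET or from the Turla samples: it uses Microsoft's documented AMSI test sample string (the AMSI equivalent of the EICAR file) and reports whether the current session's AMSI provider still blocks it. The function name Test-AmsiActive is an assumption made for this example.

```powershell
# Added example (not from the ESET report): probe whether AMSI is still
# scanning the current PowerShell session by submitting Microsoft's
# documented AMSI test sample string, which any AMSI provider should block.
function Test-AmsiActive {
    [CmdletBinding()]
    param()

    # Assemble the probe at runtime so the script file at rest does not carry
    # the full test string; AMSI still sees the complete string when it is
    # handed to Invoke-Expression, because scanning happens on that content.
    $probe = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'

    try {
        # AMSI inspects the content passed to Invoke-Expression before it runs.
        Invoke-Expression -Command $probe -ErrorAction Stop | Out-Null
    }
    catch {
        # A working provider rejects the content at parse time with
        # ScriptContainedMaliciousContent (Defender's message reads
        # "This script contains malicious content ...").
        if ($_.FullyQualifiedErrorId -match 'ScriptContainedMaliciousContent' -or
            $_.Exception.Message -match 'malicious content') {
            return $true
        }
        # Any other error (typically CommandNotFound for the word "AMSI")
        # means the string reached the parser unblocked: AMSI did not act.
        return $false
    }
    # No exception at all: nothing intercepted the probe.
    return $false
}

if (Test-AmsiActive) {
    Write-Output 'AMSI is scanning this session.'
}
else {
    Write-Warning 'AMSI did not block the test string: provider missing, disabled, or tampered with in this process.'
}
```

The check only speaks for the process it runs in. A loader that patches AMSI does so inside its own PowerShell host, so for triage run the probe from the suspect process (or a child of it) rather than from a fresh console, and treat a non-blocking result on a host with a healthy antimalware product as a reason to pull a memory image, which is where, as ESET notes, the payloads remain detectable.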
"However, these techniques do not prevent the detection of the actual malicious payloads in memory," explains Matthieu Faou.
Among the payloads recently used by Turla, two stand out. One is a whole set of backdoors relying on the RPC protocol. These backdoors are used to perform lateral movement and take control of other machines in the local network without relying on an external C&C server. Also of interest is PowerStallion, a lightweight PowerShell backdoor that uses the above-mentioned Microsoft cloud storage service, OneDrive, as its Command and Control server.
"We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers," comments Matthieu Faou.
ESET researchers are committed to closely following the Turla APT group and other key threat actors, and to monitoring their techniques, tactics and procedures to help defenders protect the networks they are responsible for.