
Detected the first samples of Penquin Turla for Linux systems

Security experts at Kaspersky Lab have detected the first strain of Turla malware designed to infect Linux systems, so-called Penquin Turla.

Security experts at Kaspersky have discovered a new variant of the Turla malware designed to hit Linux systems; for this reason it was called Penquin Turla.

The investigation started after a new strain of malware was apparently uploaded to a multi-scanner service. The sample was a previously unknown component of Turla, a piece of government malware considered by experts one of the most complex APTs in history.

Turla was first detected by researchers at BAE, who believe the malware was developed by Russian cyber specialists; all of these instances are probably part of a cyber-weapon program of the Moscow government.

The experts at BAE Systems Applied Intelligence, who discovered the Snake campaign, have linked the platform to the Uroburos rootkit, which is another malware used for cyber espionage and discovered by the German firm G Data.

“This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.” states a blog post published on Securelist.com.

Penquin Turla is written in C/C++ and links multiple libraries that increase its file size; the authors have stripped the code of symbol information, probably to make analysis by security experts harder. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.

Like other Turla variants, Penquin Turla implements hidden network communications, remote control of the infected machine and arbitrary remote command execution.

Penquin Turla doesn’t require elevated privileges to run, and it is hard to detect.

“It uses techniques that don’t require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.” states the post.

In the code of Penquin Turla the experts found the hard-coded address of the C&C used by the attackers, news-bbc.podzone[.]org, which resolves to the IP address 80.248.65.183 and is currently sinkholed by Kaspersky Lab.

The command and control mechanism used by Penquin Turla is based on TCP/UDP packets, and the C&C hostname “fits previously known Turla activity”.
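The two indicators the article publishes (the hard-coded C&C hostname and the sinkholed IP address) are the most directly actionable part of the report for defenders. The following script is an added example, not code from the article or from Kaspersky: it normalises defanged indicators such as news-bbc.podzone[.]org back to a real hostname, then scans free-form log lines (DNS resolver and firewall-style lines) for queries to that domain or any of its subdomains and for connections to the IP. The log lines embedded in `SAMPLE_LOG` are constructed for the example; only the domain and IP come from the article.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators reported in the article: the hard-coded Penquin Turla C&C
# hostname (written defanged on the page) and the address it resolved to.
KNOWN_C2_DOMAINS = {"news-bbc.podzone.org"}
KNOWN_C2_IPS = {ipaddress.ip_address("80.248.65.183")}


def refang(text: str) -> str:
    """Turn defanged notation such as 'podzone[.]org' back into a real hostname,
    lower-cased and without a trailing dot, so both forms match the same way."""
    return text.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


@dataclass
class Hit:
    line_no: int
    kind: str        # "domain" or "ip"
    indicator: str   # the known indicator that matched
    line: str        # the original log line


# Loose patterns for hostnames and IPv4 addresses inside free-form log text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_domain(host: str) -> Optional[str]:
    """Return the known C&C domain if host equals it or is a subdomain of it.
    The leading-dot check avoids suffix false positives (e.g. 'xnews-bbc.podzone.org')."""
    host = refang(host)
    for c2 in KNOWN_C2_DOMAINS:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    """Scan log lines for the known C&C domain (any subdomain) and IP address.
    At most one domain hit and one IP hit are reported per line."""
    hits: List[Hit] = []
    for no, line in enumerate(lines, start=1):
        norm = refang(line)  # defanged indicators in tickets still match
        for host in HOST_RE.findall(norm):
            c2 = matches_domain(host)
            if c2:
                hits.append(Hit(no, "domain", c2, line))
                break
        for raw_ip in IPV4_RE.findall(norm):
            try:
                ip = ipaddress.ip_address(raw_ip)
            except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an IP
                continue
            if ip in KNOWN_C2_IPS:
                hits.append(Hit(no, "ip", str(ip), line))
                break
    return hits


# Constructed sample log lines (hypothetical hosts and internal addresses).
SAMPLE_LOG = [
    "Nov 10 03:14:07 gw named[1201]: client 10.0.0.23#51022: query: news-bbc.podzone.org IN A +",
    "Nov 10 03:14:07 gw kernel: FW-OUT SRC=10.0.0.23 DST=80.248.65.183 PROTO=TCP DPT=443",
    "Nov 10 03:15:19 gw named[1201]: client 10.0.0.41#40133: query: www.example.org IN A +",
    "Nov 10 03:16:02 gw kernel: FW-OUT SRC=10.0.0.41 DST=180.248.65.183 PROTO=UDP DPT=53",
    "Nov 10 03:17:45 soc ticket: analyst pasted IoC news-bbc.podzone[.]org for review",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} match on {h.indicator}: {h.line}")
```

Line 4 is deliberately a near miss (180.248.65.183) to show that the word-boundary anchors in `IPV4_RE` prevent a substring match on the real indicator; line 5 shows that a defanged copy pasted into a ticket is still recognised after normalisation. Because the C&C was sinkholed, a hit on historical logs is evidence of an earlier infection attempt rather than of live attacker control, which is worth stating when triaging.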

The experts highlighted that this Turla variant appears to have been assembled from public sources; the attackers integrated them, added further functionality, and left inactive older code stubs from earlier versions of the malware.

Experts at Kaspersky have also discovered another Penquin Turla sample, which apparently represents a different malware generation than the previously known instances.

The experts have no doubt that many instances of Turla are still unknown in the wild.


Pierluigi Paganini

(Security Affairs –  Penquin Turla, cyber espionage)
