Latest Turla backdoor leverages email PDF attachments as C&C mechanism

Pierluigi Paganini August 23, 2018

Malware researchers from ESET have published a detailed report on the latest variant of the Turla backdoor that leverages email PDF attachments as C&C.

Malware researchers from ESET have conducted a new analysis of a backdoor used by the Russia-linked APT Turla in targeted espionage operations.

The new analysis revealed a list of high-profile victims that was previously unknown.

Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

The Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla.

The new analysis conducted by ESET revealed that hackers breached Germany’s Federal Foreign Office, Turla infected several computers and used the backdoor to syphon data for almost the whole of 2017.

The cyberspies first compromised the network of the country’s Federal College of Public Administration, then breached into the network of the Foreign Office in March 2017, the hack was discovered by German authorities at the end of the year and publicly disclosed in March 2018. ESET explained that the most important aspect of the new analysis is the discovery of a covert access channel used by Turla to hit foreign offices of another two European countries.

“Importantly, our own investigation has determined that, beyond this much-publicized security breach, the group has leveraged the same backdoor to open a covert access channel to the foreign offices of another two European countries, as well as to the network of a major defense contractor.” reads the analysis published by ESET.

“These organizations are the latest known additions to the list of victims of this APT group that has been targeting governments, state officials, diplomats, and military authorities since at least 2008.”

The Turla backdoor has been used since at least 2009 and was continuously improved across the years.  The most recent samples appear very sophisticated and implement a rare degree of stealth and resilience. The last analyzed variant is dated back April 2018 and implements the ability to execute malicious PowerShell scripts directly in computer memory.

turla backdoor

The malware analyzed by ESET does not use a classic command and control server, instead, it receives updates and instructions via PDF files delivered via email.

“Rather than using a conventional command-and-control (C&C) infrastructure, such as one based on HTTP(S), the backdoor is operated via email messages; more specifically, through specially crafted PDF files in email attachments.” continues the analysis.

“The compromised machine can be instructed to carry out a range of commands. Most importantly, these include data exfiltration, as well as the downloading of additional files and the execution of additional programs and commands. Data exfiltration itself also takes place via PDF files.”

Information is exfiltrated by generating a PDF with the siphoned data and sent out via emails and message metadata.

“From the PDF documents, the backdoor is able to recover what attackers call a container in the logs. This is a binary blob with a special format that contains encrypted commands for the backdoor,” reads the report released by ESET.

“Technically, the attachment does not have to be a valid PDF document. The only requirement is that it includes a container in the right format.”

The Turla backdoor deletes the messages sent to or received from the attacker to remain stealth.

The backdoor is a standalone DLL (dynamic link library) that interacts with Outlook and The Bat! email clients, it gains persistence by using COM object hijacking. With this trick, the malicious DLL could be loaded each time Outlook loads the COM object.

Differently from other backdoors, the Turla sample subverts Microsoft Outlook’s legitimate Messaging Application Programming Interface (MAPI) to access the targets’ mailboxes and avoid being detected.

The backdoor implements several commands, below the full list:

Turla backdoor

ESET experts did not detect any PDF sample including the commands for the backdoor, but they were able to create such a document.

The full list of Indicators Of Compromise (IoCs) and samples can be found on GitHub.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Turla backdoor, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]


you might also like

leave a comment