Russian Hackers Revamp Malware, Target Governments: ReportTurla Group Targeted Agencies in Eastern Europe, ESET Researchers Say
Turla, a sophisticated hacking group with suspected ties to the Russian government, recently used a revamped version of its malware to target government entities in Eastern Europe, according to new research from the security firm ESET.
Recent attacks using the revised malware have targeted two ministries of foreign affairs in Eastern Europe as well as a national parliament based in the Caucasus region, according to ESET, which did not reveal the names of those targeted. The researchers note that the revamped malware used in these campaigns is designed to exfiltrate sensitive documents from targets, although they have not confirmed whether the campaigns proved successful in stealing information.
Turla is using a new version of a remote access Trojan called ComRAT, which has been associated with the hacking group for several years. This malware, also called Agent.BTZ, works as a backdoor and can exfiltrate data as well as accept commands from its operators, according to the report.
One of the earliest versions of ComRAT was used in an attack against the Pentagon and U.S. military in 2008. Since then, the malware has been revamped several times, the researchers say. It has been detected in various campaigns over the last 12 years that have targeted government agencies and organizations throughout Europe, the Middle East and Africa (see: Researchers: Spies Exploit Microsoft Exchange Backdoor).
This latest version of the Turla malware, called ComRAT v4, first appeared in 2017, but it appears it was first used in the campaigns detected earlier this year against the Eastern European targets, according to ESET.
"The Turla group is still very active and a major threat for diplomats and militaries," the ESET report notes.
Turla uses PowerStallion, a lightweight PowerShell backdoor, as part of the initial attack on a targeted network. Once the hackers gain a foothold, they then plant the ComRAT v4 malware within an infected device, according to the report.
Once installed, ComRAT v4 can also utilize cloud services, such as Microsoft OneDrive, to help exfiltrate data, package it and send it to its operators, according to ESET.
The ESET researchers also found that ComRAT v4 can use two command-and-control infrastructures. The first is a standard method of connecting to the remote server using an HTTP protocol, which bears similarities to earlier versions of the malware. This method is used to communicate with the operators and send data back to them, according to the report.
The second command-and-control infrastructure takes advantage of the Google Gmail web interface to receive commands and exfiltrate data, according to the report.
The ESET researchers found that the malware can take over an infected device's browser and plant a cookie file that will start a Gmail web sessions. From there, the attackers can read a victim's email as well as steal data, which is then sent to the command-and-control server.
"Its most interesting feature is the use of the Gmail web UI to receive commands and exfiltrate data," according to the report. "Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain. We also noticed that this new version abandoned the use of [Component Object Model] object hijacking for persistence, the method that gave the malware its common name."
Turla, which is also known by the names Waterbug, Venomous Bear, Uroburos and Snake, has reportedly targeted other advanced persistent threat group to co-opt their tools for use in its arsenal. In October 2019, U.K. and U.S. intelligence agencies released a joint report which said that Turla had co-opted cyberattack infrastructure belonging to an Iranian hacking group called OilRig for espionage purposes (see: Russian Hackers Coopted Iranian APT Group's Infrastructure ).
In addition to OilRig's attack infrastructure, Turla also stole the group's toolsets and documentation on implants known as Neuron and Nautilus which have been used by the group in other attacks, the intelligence agencies report.