Russian Hacking Group Upgrades Malicious Toolset
'Turla' Recently Targeted a European Government Agency for Espionage
Turla, a hacking group based in Russia, is deploying a revamped set of customized tools to target potential victims, including a European government agency, for its espionage campaigns, according to research from Accenture.
The hacking group, which is also known as Belugasturgeon, Ouroboros, Snake, Venomous Bear and Waterbug, has carried out a series of operations, usually targeting government or military agencies, in at least 35 countries since at least 2008. In May, the security firm ESET linked Turla to campaigns against two ministries of foreign affairs in Eastern Europe (see: Russian Hackers Revamp Malware, Target Governments: Report).
Turla is known for its ability to hide its activities from government investigators and security analysts. It’s believed to have co-opted toolsets that belonged to other advanced persistent threat groups to create a smokescreen for some of its campaigns (see: Russian Hackers Co-Opted Iranian APT Group's Infrastructure).
Recently, Accenture researchers found Turla deploying several updated tools, including a backdoor as well as a pair of remote access Trojans, or RATs.
Accenture examined one incident that targeted the unnamed European government agency to exfiltrate data as part of an espionage campaign. The researchers note that the latest Turla campaign using the revamped toolset is ongoing.
Turla is now deploying a revamped version of HyperStack, a remote procedure call-based custom backdoor, as well as two RATs called Kazuar and Carbon.
In the attack against the government agency, Turla used the HyperStack remote procedure call backdoor to manipulate a Windows API within a compromised device to gain persistence within the network environment, the report notes.
While security researchers first spotted HyperStack in the wild in 2018, Accenture notes this is the first time the backdoor has been tied to Turla.
HyperStack appears to have had a significant makeover in September. It now uses named pipes for inter-process communication between the operating system and shared resources to execute calls between the controller and the compromised devices hosting the malware, according to the report. This allows the hacking group to relay instructions between the command-and-control server and the compromised device.
Kazuar and Carbon
The Accenture researchers also found upgrades to the Kazuar and Carbon RATs used in this latest campaign.
The Turla operators appear to have reconfigured Kazuar to receive commands through uniform resource identifiers - a sequence of characters that identifies a logical or physical resource - that point to internal command-and-control nodes attached to the victim's network, according to the report. This allows for remote communication between the hackers and the malware.
"This set-up allows Turla operators to communicate with Kazuar-infected machines in the victim network that are not accessible remotely," according to Accenture.
The researchers also note that starting in June, the Carbon RAT began receiving instructions from Pastebin, a legitimate cloud service. These instructions, however, are encrypted with an RSA private key, so the analysts were unable to read the content contained in the Pastebin page.
Nation-state actors are increasingly using compromised web pages and services such as Pastebin as part of their command-and-control infrastructure to better blend the attack traffic with legitimate traffic, Accenture notes. This also helps hacking groups easily switch or create new infrastructure, making it difficult for defenders to shut down or sinkhole their infrastructure.